Privacy Statement | IT Learn
Effective date: 2026-01-03
Last updated: 2026-01-03
Controller: IT Learn | contact email: contact.itlearn@gmail.com
1. What personal data do we process?
We only process the following personal data:
- Account information: email address, chosen username, and password (hashed).
- Authentication information: data provided by third-party authentication services including Google OAuth (email address and account ID), GitHub (username, email, profile information), and Discord (username, email, Discord ID).
- Technical information: IP address and server logs (temporary, for security and debugging purposes).
- Chat data: When you use the Tawk.to chat feature, we process your messages, name (if provided), and metadata for customer support purposes.
We do not ask for date of birth, address, phone number, ID photos, or sensitive categories (health, race, religion, criminal record). Avatar uploads and other upload features are currently disabled; if this functionality is added later, we will update this statement.
2. Purposes and Legal Basis
We process personal data for the following purposes, in accordance with Article 6 of the GDPR:
- Account creation and login (authentication) - Legal basis: Performance of contract (Article 6(1)(b) GDPR). This is necessary to provide you with access to our educational platform.
- Security and misuse prevention - Legal basis: Legitimate interest (Article 6(1)(f) GDPR), specifically fraud detection, abuse prevention, and technical troubleshooting to protect our platform and users.
- Communication and processing of requests - Legal basis: Performance of contract and legitimate interest to respond to user inquiries and provide customer support.
- Legal compliance - Legal basis: Legal obligation (Article 6(1)(c) GDPR) to comply with applicable laws and regulations.
We do not use personal data for newsletters without explicit consent, targeted advertising, profiling for marketing purposes, or selling data to third parties.
3. Processors / External Service Providers
We use the following third-party service providers to operate our platform:
- Supabase - Database and authentication services; our project is located in Ireland (EU). Supabase complies with GDPR and provides data processing agreements.
- Google (OAuth) - Third-party authentication service for user login. When you sign in with Google, we receive your email address and Google account ID. Subject to Google's Privacy Policy.
- GitHub (OAuth) - Third-party authentication service for user login. When you sign in with GitHub, we receive your GitHub username, email address, and public profile information. Subject to GitHub's Privacy Policy.
- Discord (OAuth) - Third-party authentication service for user login. When you sign in with Discord, we receive your Discord username, email address, and Discord user ID. Subject to Discord's Privacy Policy.
- Cloudflare - Content delivery network (CDN) and hosting services. Cloudflare operates globally but complies with GDPR and EU data protection standards. Cloudflare may process IP addresses and technical data.
- PythonAnywhere - Backend server infrastructure for running application logic. Servers are typically located in the US; Standard Contractual Clauses (SCCs) apply for data transfers outside the EU.
- Tawk.to - Live chat support widget. When you use the chat feature, Tawk.to processes your messages, name (if provided), and metadata. Tawk.to complies with GDPR; you can choose not to use the chat feature.
All third-party processors have been selected based on their security standards and GDPR compliance. Where a provider processes data outside the EU, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or rely on adequacy decisions to ensure your data remains protected according to EU standards.
Your choices: You can choose which authentication method to use (email/password, Google, GitHub, or Discord). The use of the Tawk.to chat feature is optional.
4. Retention Periods
- Account data: as long as the account is active + 1 year after deletion.
- Server logs/IP addresses: 30 days (security and debugging).
- Uploads (if added later): as long as the account is active or up to 1 year after deletion.
5. Minors and Age Policy
IT Learn allows registration for those aged 13 and over. In Belgium, the digital age limit is 13. We never ask for ID photos and do not perform ID verification.
6. User Rights (GDPR Rights)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access (Article 15) - You can request a copy of your personal data we hold.
- Right to rectification (Article 16) - You can request correction of inaccurate or incomplete data.
- Right to erasure/"right to be forgotten" (Article 17) - You can request deletion of your personal data under certain conditions.
- Right to restriction of processing (Article 18) - You can request that we limit how we use your data.
- Right to data portability (Article 20) - You can request your data in a structured, machine-readable format.
- Right to object (Article 21) - You can object to processing based on legitimate interests.
- Right to withdraw consent (Article 7(3)) - Where processing is based on consent, you can withdraw it at any time.
- Right not to be subject to automated decision-making (Article 22) - Protection against solely automated decisions with legal effects.
To exercise any of these rights, please contact us at: contact.itlearn@gmail.com. We will respond to your request within one month, as required by GDPR.
If you are not satisfied with how we handle your request or have concerns about our data practices, you have the right to lodge a complaint with the Belgian Data Protection Authority (APD/GBA):
Address: Rue de la Presse 35, 1000 Brussels, Belgium
Email: contact@apd-gba.be
Phone: +32 2 274 48 00
Website: www.dataprotectionauthority.be
7. Account Deletion
Once the feature is available, users can delete their account themselves through their settings. Until then, a request can be sent to contact.itlearn@gmail.com; we will delete the data according to the retention periods.
- HTTPS/TLS encryption - All data transmitted between your browser and our servers is encrypted
- Secure authentication - Supabase, Google OAuth, GitHub OAuth, and Discord OAuth for secure login
- Password protection - Passwords are hashed using industry-standard algorithms and never stored in plain text
- Limited data retention - Server logs and IP addresses are retained for a maximum of 30 days
- Access controls - Restricted access to personal data on a need-to-know basis
- Regular security reviews - Ongoing monitoring and updates to security practices
- Third-party security - All service providers are vetted for GDPR compliance and security standards
While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.
9. Cookies and Trackers
Only necessary cookies for login and site functionality. No ads or analytics. Supabase or the hosting provider may place functional cookies.
10. Transfer outside the EU
Supabase operates in Ireland (EU). If data is processed outside the EU in the future, we will use appropriate safeguards (SCCs).
11. Data Breaches
If we suspect a data breach, we will investigate it and report it if legally required.
12. Changes
We may amend this statement; if material changes are made, we will publish a new version with an effective date.
13. Contact Information
Data Controller: IT Learn
General inquiries and data protection requests: contact.itlearn@gmail.com
Abuse and security reports: abuse-ithelp-be@googlegroups.com
For data protection inquiries, privacy rights requests, or legal matters, please use contact.itlearn@gmail.com. We aim to respond to all inquiries within 30 days. For official or legal processing, authorized representatives will handle your request and provide appropriate contact details upon request.