Privacy Policy

Last Updated: October 16, 2025

Version: 1.0

---

1. Introduction

Welcome to the Course Enrollment System. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

We are committed to protecting your privacy and ensuring the security of your personal data. This policy applies to all users of our platform.

2. Data Controller

The data controller responsible for your personal data is:

Course Enrollment System
[Organization Address]
Email: privacy@example.com

3. What Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

• Email address (from authentication provider)
• Name (given name and family name)
• User ID from authentication provider (SOI Asia IdP)

3.2 Profile Information

• Gender
• University name and department
• Course/Major of study
• Academic status (undergraduate, graduate, etc.)
• Grade/Year
• Student ID number (optional)
• FutureLearn account email
• Google account email
• Additional notes/memo (optional)

3.3 Enrollment Information

• Programs/courses you enroll in
• Enrollment dates and status
• Completion and withdrawal information

3.4 Technical Data

• IP address (for consent logging)
• User agent (browser information)
• Login timestamps
• Session information

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Consent: You have given explicit consent for processing your data for course enrollment and related purposes (GDPR Article 6(1)(a))
• Contract: Processing is necessary for the performance of our services to you (GDPR Article 6(1)(b))
• Legal Obligation: We may process data to comply with legal requirements (GDPR Article 6(1)(c))
• Legitimate Interest: For system security, fraud prevention, and improving our services (GDPR Article 6(1)(f))

5. How We Use Your Data

We use your personal data for the following purposes:

• Managing your account and authentication
• Processing course enrollments and tracking progress
• Communicating with you about your enrollments
• Providing access to learning platforms (FutureLearn, Google Classroom)
• Generating anonymized reports and statistics
• Improving our services and user experience
• Complying with legal obligations
• Preventing fraud and ensuring security

6. Data Sharing and Third Parties

We may share your data with the following third parties:

6.1 Authentication Provider

• SOI Asia IdP (idp.soi.asia): For authentication and user identity management

6.2 Learning Platforms

• FutureLearn: Your FutureLearn account email for course access
• Google: Your Google account email for accessing course materials

6.3 Service Providers

• Hosting providers for our infrastructure
• Email service providers for communications

Note: We do not sell your personal data to third parties. All data sharing is done with your consent or as necessary to provide our services.

7. Data Retention

We retain your personal data for the following periods:

• Active users: 5 years from last activity
• Inactive users: 2 years from last activity
• Completed enrollments: 3 years after completion
• Withdrawn enrollments: 1 year after withdrawal
• Consent logs: 7 years (legal requirement)
• Deletion requests: 7 years (audit trail)

After these periods, your data will be automatically anonymized while preserving statistical value for research and analytics.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption: Data in transit is encrypted using TLS/SSL
• Authentication: Secure authentication via SOI Asia IdP (OIDC)
• Access Control: Role-based access control for admin functions
• Pseudonymization: Hash-based identifiers for privacy-preserving analytics
• Audit Logging: Comprehensive audit trails for consent and data access
• Input Sanitization: Protection against XSS and injection attacks

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

11. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place through:

• Standard Contractual Clauses (SCCs) with service providers
• Adequacy decisions by the European Commission
• Privacy Shield certification (where applicable)

12. Children's Privacy

Our services are intended for users aged 16 and above. We do not knowingly collect personal data from children under 16 without parental consent. If you believe we have collected data from a child under 16, please contact us immediately.

13. Cookies and Tracking

We use session cookies for authentication and site functionality. These cookies are essential for the operation of our service. We do not use third-party tracking cookies or analytics without your consent.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Updating the "Last Updated" date at the top of this policy
• Sending you an email notification (for material changes)
• Displaying a notice on the website

Your continued use of our services after changes constitutes acceptance of the updated policy.

15. Contact and Complaints

If you have questions, concerns, or complaints about this Privacy Policy or our data practices:

Contact Us

Email: privacy@example.com
[Physical Address]

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.

---