Privacy Policy

Last updated: April 10, 2026

This Privacy Policy explains how Evensiva Technologies ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Codevensiva platform. Please read it carefully alongside our Terms of Service.

1. Who We Are


Evensiva Technologies operates the Codevensiva learning platform ("Service"). We are the data controller for the personal data we collect through the Service, meaning we are responsible for deciding how and why your data is processed.

For privacy enquiries or to exercise your rights, please use the contact details available in your account settings or on the platform.

2. Personal Data We Collect


2.1 Email sign-up

When you create an account using email and password, we collect:

  • First name and last name — used to personalise your experience and, where relevant, displayed to other users.
  • Username — a unique, publicly visible handle (3–32 characters; letters, digits, underscores, hyphens). Checked in real time for availability during sign-up.
  • Email address — used for account authentication, OTP verification, and transactional communications.
  • Password — stored only as a bcrypt hash. We never store or transmit your plaintext password.

Email OTP verification. Before your account is created in our database, we store a temporary pending registration record (including your name, username, email, and hashed password) in an encrypted Redis cache for up to 10 minutes. This record is used solely to complete verification and is automatically deleted afterwards, whether or not you complete sign-up.

2.2 OAuth sign-up and sign-in (Google / GitHub)

When you register or sign in with Google or GitHub, the provider shares with us: your provider-assigned identifier, your email address, your display name, and (optionally) your profile image. We use this data solely to create or authenticate your Codevensiva account. We do not receive your password from the OAuth provider. Your use of Google or GitHub is governed by their respective privacy policies.

2.3 Learning and activity data

While you use the Service, we collect: your progress through courses and assessments, bookmarks, goals, achievements, certificates and badges earned, code submissions, answers to practice questions, and your participation in discussions or study groups.

2.4 Technical and session data

We collect strictly necessary technical data to operate and secure the Service, including: session tokens (stored in secure HTTP-only cookies), IP address (used for rate-limiting and abuse prevention), and server-side logs containing request timestamps, routes accessed, and error information. We do not set analytics or advertising cookies without your explicit consent.

2.5 Two-factor authentication (2FA)

If you enable 2FA, we store an encrypted TOTP secret linked to your account. Individual one-time codes you enter are verified and immediately discarded; we do not log them.

3. How We Use Your Data


  • To create and manage your account, including verifying your email address via OTP.
  • To authenticate you on each sign-in, including verifying 2FA codes where enabled.
  • To check username availability in real time during registration (no query data is persistently logged).
  • To send transactional emails essential to the Service — OTP codes, security alerts, and account notifications — via our email delivery provider (Resend).
  • To deliver personalised learning content and track your progress.
  • To detect and prevent fraud, abuse, and security incidents.
  • To improve the Service through aggregated, anonymised analytics.
  • To comply with legal obligations.

5. Data Sharing & Processors


We share your personal data only with trusted sub-processors who help us operate the Service, and only to the extent necessary for that purpose:

  • Resend — transactional email delivery. Receives your email address to send OTP and security emails on our behalf.
  • Google OAuth / GitHub OAuth — identity verification for OAuth sign-in. Data shared is limited to what the provider returns during the OAuth flow.
  • Cloud infrastructure providers — hosting, database, and caching services (including Redis for temporary session and OTP data). Data is stored in encrypted form.
  • Error monitoring services (e.g. Sentry) — may receive anonymised stack traces and request metadata to help diagnose errors. Personal data is minimised.

All sub-processors are contractually bound to handle your data in accordance with applicable data-protection law and only for the purpose we instruct.

6. Data Retention


We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Pending registration data (OTP flow) — automatically purged from Redis after 10 minutes.
  • Session tokens — expire on sign-out or after the configured session lifetime.
  • Account and profile data — retained while your account is active and deleted or anonymised within 30 days of account deletion.
  • Learning activity data — retained while your account is active; deleted or anonymised on account deletion, except where aggregated for anonymous analytics.
  • Server logs — retained for up to 90 days for security and debugging purposes.

7. Your Rights


Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your personal data.
  • Restriction — ask us to restrict processing of your data in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

How to exercise your rights:

  • Download your data (access & portability): Go to your profile and use "Download my data" to receive a JSON export of your personal data.
  • Delete your account (erasure): Go to your profile and use "Delete my account". This permanently removes your account and personal data. You will be signed out immediately and cannot undo this action.
  • Update your profile (rectification): You can update your first name, last name, username, and email at any time in your profile settings.

For requests that cannot be fulfilled through self-service, or to lodge a complaint, please contact us using the details in your account settings. You also have the right to lodge a complaint with your local data-protection supervisory authority.

8. Security


We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords stored exclusively as bcrypt hashes — plaintext passwords are never persisted.
  • OTP codes and pending registration data stored in Redis with short TTLs and discarded after use.
  • HTTPS enforced for all client-server communication.
  • HTTP-only, Secure session cookies to mitigate XSS and session-hijacking risks.
  • Rate limiting on authentication and OTP endpoints to prevent brute-force and enumeration attacks.
  • Optional two-factor authentication (TOTP) for additional account security.
  • Server-side input validation and sanitisation on all API routes.

No method of transmission over the internet or electronic storage is 100% secure. We strive to use commercially acceptable means to protect your data, but cannot guarantee absolute security.

9. Cookies & Local Storage


We use strictly necessary cookies for authentication and session management. These cookies are essential to the Service and cannot be disabled while you are signed in.

We do not currently set analytics, advertising, or performance cookies without your consent. If we introduce such cookies in the future, we will update this policy, display a consent banner, and only set non-essential cookies after you have given explicit consent.

You can manage or delete cookies through your browser settings at any time. Disabling strictly necessary cookies will prevent you from signing in.

10. Children's Privacy


The Service is not directed at children under 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children below this age. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.

11. Changes to This Policy


We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will notify you via email or a prominent notice on the Service. Your continued use of the Service after the updated policy takes effect constitutes acceptance of the revised policy.

12. Contact & Data Requests


For privacy-related questions, data access or deletion requests, or to report a potential data incident, please use the contact details provided in your account settings or on the platform. We aim to respond to all requests within 30 days.