Privacy Policy

Last updated: March 2026 · Effective immediately upon publication

RGPD/GDPRLOPDGDDLSSICECEFRCOPPA

SEBA ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information about you when you use the PROP English learning platform. It is written in compliance with EU Regulation 2016/679 (RGPD/GDPR), Spanish Organic Law 3/2018 (LOPDGDD), and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:
SEBA
Catalonia, Spain
Email: [email protected]

2. Personal Data We Collect

We collect the following categories of personal data:

Account Data

  • Full name and email address (provided at registration)
  • Authentication method (e.g., Google OAuth)
  • Account creation date and last sign-in timestamp
  • User role (student or teacher/admin)

Learning Data

  • CEFR level assignments and placement assessment results
  • Exercise completion records, scores, and response history
  • XP points, streaks, badges earned, and leaderboard position
  • Written exercise submissions and AI-generated feedback
  • Native language and preferred UI language settings

Technical Data

  • IP address and approximate geolocation (country/region)
  • Browser type, device type, and operating system
  • Session cookies and authentication tokens
  • Pages visited, features used, and interaction timestamps

3. Legal Basis for Processing

We process your personal data on the following legal bases (Article 6 RGPD/GDPR):

  • Contract performance — to provide the educational services you have registered for.
  • Legitimate interests — to improve the Platform, detect fraud, and ensure security.
  • Legal obligation — to comply with applicable laws (e.g., tax, education regulations).
  • Consent — for optional features such as marketing communications and non-essential cookies.

For users under 14 years of age, processing is based on parental consent as required by Article 8 RGPD/GDPR and Article 7 LOPDGDD.

4. How We Use Your Data

We use your personal data to:

  • Create and manage your account and authenticate your identity.
  • Deliver personalised learning paths, exercises, and assessments.
  • Track your progress and generate performance reports for teachers.
  • Award XP, badges, and streaks as part of the gamification system.
  • Provide AI-powered feedback on written exercises.
  • Send notifications about assignments, assessments, and achievements.
  • Improve the Platform's content, features, and user experience.
  • Comply with legal obligations and respond to lawful requests.

5. Data Sharing and Third Parties

We do not sell your personal data. We may share data with trusted third-party service providers who assist us in operating the Platform, including:

  • Authentication provider — SEBA OAuth (for secure login)
  • Database hosting — TiDB / MySQL (EU-hosted, encrypted at rest)
  • File storage — Amazon S3 (EU region, encrypted)
  • AI services — for writing feedback generation (no data retained by AI provider)

All third-party processors are bound by data processing agreements (DPAs) compliant with RGPD/GDPR Article 28. We do not transfer personal data outside the European Economic Area (EEA) without appropriate safeguards (e.g., Standard Contractual Clauses).

6. Data Retention

We retain your personal data for the following periods:

  • Account data — for the duration of your account, plus 2 years after deletion.
  • Learning data — for the duration of your enrolment, plus 1 year for academic records.
  • Technical/log data — up to 90 days.
  • Legal compliance data — as required by applicable law (typically 5–7 years).

7. Your Rights Under RGPD/GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15) — request a copy of your personal data.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
  • Right to restriction (Art. 18) — limit how we process your data.
  • Right to data portability (Art. 20) — receive your data in a machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to withdraw consent — at any time, without affecting prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es or the Catalan Data Protection Authority (APDCAT) at apdcat.gencat.cat.

8. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including: TLS/HTTPS encryption for all data in transit; AES-256 encryption for data at rest; bcrypt password hashing; role-based access controls; regular security audits; and session token expiry and rotation.

9. Children's Privacy

The Platform may be used by students aged 12 and over. For users under 14 (Spain) or under 13 (USA, per COPPA), we require verifiable parental consent before account creation. Teachers and administrators are responsible for obtaining and documenting this consent. We do not knowingly collect data from children without parental consent.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by email or in-app notification at least 30 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.

Terms & ConditionsPrivacy PolicyCookie PolicyUser Agreement← Back to PROP