Posted: 13 September 2018
Effective from: 13 September 2018
Welcome to Crash Course
Thanks for using Crash Course!
Privacy of our user data
Information we collect
We collect information to provide better services to all of our users - from figuring out basic stuff like which topics you like to learn about to more complex things like which learning methodologies are best suited for you.
How we collect information
We collect information in the following ways:
- Information you give us: For example, when you sign up with us, we ask for your full name, and email ID. We use secure payment gateways and as such we don't store your credit card / debit card numbers either in plain text or encrypted format. We might, however, store fingerprints of these cards so we can identify any suspicious activity.
- Information we get from 3rd parties: For example, when you sign up using your Google account, we might store your profile information from Google.
- Log information: When you use our website, we automatically collect and store certain information in server logs. This includes details of how you used our services, IP addresses, device related details (such as screen size, operating system, browser type and version etc.,) referral URLs, cookies and browser-level information.
- To gather website statistical data to analyze how our users use the website, such as which pages are visited, how long pages were visited and the paths taken by visitors to our website as they move from page to page.
- To provide authentication (i.e. to keep you logged in between sessions). The information collected using local storage is stored on your browser and persists after your browser is closed.
For the purpose listed under 1), we use Google Analytics, Heap Analytics and our own Analytics engine.
Data transfers outside the EEA
We may transfer the personal data we obtain to third parties in countries outside the European Economic Area (EEA). The laws in those countries may not offer an adequate level of data protection. In particular, personal data may be transferred to India & the United States.
When we transfer your personal data outside the EEA, we will protect your personal data as described in this Privacy Statement. If you have concerns about the way we handle your data, you should stop using us and intimate us at email@example.com to get your account deleted. Although we would be sad to see you stop using us.
How we use information we collect
We use the information we collect to offer you and all of our users with better services and experiences. However, here are a few things that we want to highlight:
- We do NOT sell or rent your personal information to anyone. Never ever.
- We do NOT share your personal information with anyone outside of Crash Course for their marketing or promotions. We, however, share personal information with our 3rd party analytics or other service providers to analyze the traffic, user behavior and enhance your learning experience. While we don't guarantee it, we put in efforts to see to it that these 3rd party providers do not use your information for their own purposes.
- If the code you submit for evaluation, or the person details you give inside your project (including but not limited to comments, variable names etc.,), will be shared with other vendors who offer those services. If you don't want us to do so, refrain from using your PII as variable names or in comments.
- We will share personal information with companies, organizations or individuals outside of Crash Course when we have your consent to do so.
- We use your personal information to manage your account, to contact you and to improve certain aspects of our services and website. We also use your personal information in processing orders, clearing waitlists or to contact your college for collaboration and other purposes.
- We might share summarized information with people outside of Crash Course. While we put in efforts to summarize data in such a way that an individual user will not be identified, this is NOT guaranteed.
- We may access and/or disclose your information if it is necessary to comply with the law or legal process, to protect or defend Crash Course, an employee of Crash Course or a certain stakeholder of Crash Course. For example, we may be required to cooperate with regulators or law enforcement action such as a court order, subpoena or search warrant.
How we protect personal data
We maintain appropriate technical and organizational security safeguards designed to protect your personal data against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. However, due the inherent open nature of the Internet, we cannot guarantee that communications between you and us or the personal information stored is absolutely secure. We will notify you of any data breach that is likely to have unfavorable consequences for your privacy.
Crash Course and the EU General Data Protection Regulation (GDPR)
At Crash Course, we’re committed to privacy—that’s why our privacy policies already adhered to the the high standard of the new European data protection law known as GDPR, and why we’re ensuring we maintain those rights and extend them to all our users, inside and outside the EU.
Information Security & Data Safety
We work hard to protect Crash Course and our users from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:
- We encrypt many of our services using SSL.
- We review our information collection, storage and processing practices, including physical security measures where possible, to guard against unauthorized access to systems.
- We change the security credentials for our systems frequently at a random time to break any brute-force attempts by the bad people.
- We restrict access to personal information to Crash Course employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
Whenever you use our Services to make your resume / CV or your online profile public, you have an option to decide if anyone with the link can view your profile or details. Remember that changing the option midway wouldn't prevent the bad people to misuse your information which they obtained prior to your change.
- We also prevent direct file downloads by using temporary URLs for your documents.
- We require your login to download certain files, and the origin of the file is protected behind your login.
- We also use signed URLs, which will expire automatically. After a signed URL has expired a new URL will be generated for each file, which will be the only valid URL.
- The URL can not be guessed and all filenames are obfuscated.
Where we store your data
We use Google Cloud platform for our services. We also use Digital Ocean and Amazon Web Services to power certain portions of our Services. All database related is stored in the US (Google Data centers) and in India (Google Data centers). The code you submitted will be stored for a certain time in Digital Ocean and AWS (in the US as well as in India). Read more about Google Cloud Security, Digital Ocean Security and AWS Security.
- All of our servers are within our own virtual private cloud / network (VPC / VPN) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.
- Only a handful of people can access data and they only do so in order to improve the services we provide.
- We monitor and audit our usage logs.
Third Party services we use
We use a number of third parties to store user data in order to provide/improve our services:
- We send transactional and administrative emails through Mailgun.
- We use Google Analytics and Heap Analytics to track page views to improve usability of our Services.
- All payments are processed by Razorpay. We don’t currently store any payment information but we do store customer data from these transactions for future purposes (for example when we move to other vendors or when we need to fight disputes with banks).
How Long We Retain Personal Data
We retain personal data for as long as necessary to fulfill the purposes for which we collect or receive the personal data, except if required otherwise by applicable law. Typically, we will retain most of the personal data for the duration of your use of the website and our Services, until you have deleted your account, unless a longer applicable statutory retention period applies. Note that after the deletion of your account your code may be left on our servers, certificates might still be verifiable and the orders you placed are still kept to maintain books. If you would like us to remove your certificates and anonymize your details in invoices, please contact us at firstname.lastname@example.org.
You have the following rights in relation to your personal data:
- The right to obtain, at reasonable intervals and free of charge, information on whether or not your personal data are being processed and to receive the personal data that is being processed in an intelligible form;
- The right to request rectification or erasure of personal data or restriction of or objection to processing of your personal data. You may also request us to provide you your data in a structured, commonly used and machine readable format which can be transmitted to another controller.
- To exercise these rights, please contact us using our contact details set out below. We may request you to provide a copy of your ID card or otherwise evidence your identity. We will respond to your request within the applicable statutory term.
- Moreover, subject to this Privacy Statement, you have the right to lodge a complaint with the competent supervisory authority. Please contact you local data protection authority for more information regarding how to file such a complaint.
To request modifications or withdraw consent, please send an email to the Data Protection Officer.
Data Protection Officer: Sreyantha Chary M