Privacy Policy

Last updated: January 17, 2025

Effective date: January 17, 2025

1. Introduction and Scope

educraft ("we," "our," "us," or "the Company") is committed to protecting your privacy and being transparent about how we collect, use, disclose, and safeguard your personal information. This Privacy Policy explains our practices regarding personal information when you use our AI-powered slide generation service for NCEA teachers, accessible at https://educraft.co.nz and https://app.educraft.co.nz (collectively, the "Service").

This Privacy Policy is designed to comply with:

• New Zealand Privacy Act 2020 and its 13 Information Privacy Principles (IPPs)
• General Data Protection Regulation (GDPR) for users located in the European Economic Area (EEA)
• Other applicable privacy and data protection laws in jurisdictions where we operate

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

Data Controller: educraft, Auckland, 0930, New Zealand. For questions about this policy, contact us at rumiawais@gmail.com.

2. Information We Collect

We collect information that identifies, relates to, describes, references, or is reasonably capable of being associated with you ("Personal Information"). The categories of Personal Information we collect depend on how you interact with our Service.

2.1 Information You Provide Directly

When you register for an account, use our Service, or communicate with us, you may provide the following categories of Personal Information:

• Identity Information: Full name, username, and any other identifier you choose to provide
• Contact Information: Email address, phone number (if provided), and mailing address (if provided for billing)
• Account Credentials: Password (stored in encrypted form), security questions, and authentication information
• Professional Information: School or educational institution name, teaching subject areas, NCEA levels you teach, years of teaching experience (if provided), and professional qualifications (if provided)
• Profile Information: Profile picture (if uploaded), bio, preferences, and any other information you choose to include in your user profile
• Content and User-Generated Data: Slides you generate, prompts you create, customizations you make, saved templates, annotations, notes, and any other content you create or upload through the Service
• Communication Data: Messages you send to us through contact forms, email, or other communication channels, including support requests, feedback, and survey responses
• Payment and Billing Information: Billing address, payment method details (processed securely by third-party payment processors - we do not store full credit card numbers), subscription plan details, transaction history, and invoice information
• Marketing Preferences: Your preferences regarding marketing communications, newsletter subscriptions, and promotional offers

2.2 Information Collected Automatically

When you use our Service, we automatically collect certain information about your device and how you interact with our Service:

• Technical Information: Internet Protocol (IP) address, device type (mobile, tablet, desktop), device identifiers, operating system, browser type and version, screen resolution, language preferences, time zone, and device settings
• Usage Information: Pages visited, features used, time spent on pages, click patterns, search queries, date and time of access, session duration, frequency of use, navigation paths, and interaction with content
• Performance Data: Service response times, loading times, error messages, crash reports, performance metrics, and system logs
• Location Information: General location information derived from your IP address (country, region, city level - not precise GPS coordinates)
• Referral Information: Website or source that referred you to our Service, search terms used to find our Service, and campaign identifiers

2.3 Cookies and Similar Tracking Technologies

We use cookies, web beacons, pixel tags, local storage, and similar technologies (collectively, "Cookies") to collect and store information about your use of our Service. Cookies are small text files placed on your device when you visit a website.

Types of Cookies We Use:

• Essential Cookies: Required for the Service to function properly. These include authentication cookies, security cookies, and cookies that remember your preferences and settings. These cannot be disabled.
• Functional Cookies: Enhance functionality and personalization, such as remembering your language preferences, login status, and previously viewed content.
• Analytics Cookies: Help us understand how visitors use our Service, including which pages are most popular, how users navigate the site, and where they encounter errors. We use these to improve our Service.
• Performance Cookies: Collect information about how you use our Service to help us improve performance and optimize user experience.

Third-Party Cookies: We may use third-party services that set their own cookies, including:

• Vercel Analytics: For website analytics and performance monitoring
• Payment Processors: For secure payment processing (cookies are set by the payment provider)
• Formspree: For contact form submissions (if applicable)

You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of our Service.

2.4 Information from Third Parties

We may receive information about you from third-party sources, including:

• Payment Processors: Confirmation of payment transactions, subscription status, and billing information
• Authentication Services: If you choose to log in using third-party authentication (e.g., Google, Microsoft), we may receive your name, email address, and profile picture
• Publicly Available Sources: Information from publicly available sources, such as educational directories or professional networks, if relevant to providing our Service

3. Legal Basis for Processing (GDPR Compliance)

For users located in the EEA, we process your Personal Information based on the following legal grounds under GDPR:

• Contractual Necessity: To perform our contract with you (providing the Service, processing payments, managing your account)
• Legitimate Interests: To improve our Service, ensure security, prevent fraud, analyze usage patterns, and communicate important service updates (we balance our interests against your privacy rights)
• Consent: When you have given clear consent for specific processing activities (e.g., marketing communications, optional analytics)
• Legal Obligation: To comply with legal requirements, such as tax obligations, record-keeping requirements, and responding to lawful requests from authorities
• Vital Interests: To protect your vital interests or those of another person (e.g., in emergency situations)

You have the right to withdraw consent at any time where we rely on consent as the legal basis. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.

4. How We Use Your Information

We use the Personal Information we collect for the following purposes, in accordance with applicable law:

4.1 Service Provision and Account Management

• Create and manage your account
• Authenticate your identity and provide secure access to the Service
• Process and fulfill your requests for slide generation and other features
• Store and organize your generated content, templates, and preferences
• Provide customer support and respond to your inquiries
• Send service-related communications (account updates, security alerts, feature announcements)
• Process payments, manage subscriptions, and handle billing inquiries

4.2 AI Content Generation

• Process your prompts and requests to generate educational slides
• Customize content based on your preferences, subject areas, and NCEA levels
• Improve AI model performance through analysis of usage patterns (in anonymized form where possible)
• Ensure content quality and relevance to New Zealand curriculum standards

Important: When you use our AI features, your prompts and generated content are processed through OpenAI's API services. We do not share your personal identifying information (name, email, etc.) with OpenAI, but the content you generate may be processed through their systems. Please review OpenAI's Privacy Policy for information about their data practices.

4.3 Service Improvement and Analytics

• Analyze usage patterns, trends, and user behavior to improve our Service
• Conduct research and development to enhance features and functionality
• Test new features and gather feedback
• Monitor and improve Service performance, reliability, and security
• Identify and fix bugs, errors, and technical issues
• Optimize user experience and interface design

4.4 Communication

• Send important service updates, security notifications, and account information
• Respond to your support requests, questions, and feedback
• Send marketing communications (with your consent, where required by law)
• Notify you about changes to our Terms of Service or Privacy Policy
• Send newsletters, educational content, and promotional offers (you can opt-out at any time)

4.5 Security and Fraud Prevention

• Detect, prevent, and investigate fraud, abuse, unauthorized access, and security threats
• Verify your identity and prevent account takeover
• Monitor for suspicious activity and violations of our Terms of Service
• Protect the rights, property, and safety of educraft, our users, and the public
• Comply with security and fraud prevention requirements from payment processors

4.6 Legal Compliance and Enforcement

• Comply with applicable laws, regulations, and legal processes
• Respond to lawful requests from government authorities, courts, and law enforcement
• Enforce our Terms of Service and other agreements
• Protect our legal rights and interests
• Comply with tax, accounting, and record-keeping obligations
• Resolve disputes and investigate potential violations

4.7 Business Operations

• Manage our business operations and internal administration
• Conduct business analytics and reporting
• Plan and execute business strategies
• Facilitate mergers, acquisitions, or other business transactions (with appropriate privacy protections)

5. Information Sharing and Disclosure

We do not sell, rent, or trade your Personal Information to third parties for their marketing purposes. We may share your Personal Information in the following circumstances:

5.1 Service Providers and Business Partners

We share Personal Information with trusted third-party service providers who perform services on our behalf, subject to strict confidentiality obligations:

• Cloud Hosting and Infrastructure: To host and operate our Service (e.g., Vercel, cloud storage providers)
• Payment Processing: To process payments and manage subscriptions (e.g., Stripe, PayPal, or other payment processors)
• AI Services: OpenAI API for content generation (content only, not personal identifying information)
• Analytics and Monitoring: Vercel Analytics and other analytics services to understand usage patterns
• Email and Communication Services: To send emails and other communications
• Customer Support Tools: To provide customer support and manage support tickets
• Form Processing: Formspree or similar services for contact form submissions
• Security Services: For fraud detection, security monitoring, and threat prevention

These service providers are contractually obligated to:

• Use Personal Information only for the purposes we specify
• Implement appropriate security measures
• Comply with applicable privacy laws
• Not disclose or use Personal Information for their own purposes

5.2 Legal Requirements and Law Enforcement

We may disclose Personal Information when required by law, regulation, legal process, or government request, including:

• In response to a subpoena, court order, or other legal process
• To comply with applicable laws and regulations
• To respond to requests from government authorities, including law enforcement
• To protect our legal rights and interests
• In connection with legal proceedings or potential legal claims

5.3 Protection of Rights and Safety

We may disclose Personal Information to:

• Protect the rights, property, or safety of educraft, our users, or others
• Prevent or investigate fraud, abuse, or security threats
• Enforce our Terms of Service or other agreements
• Respond to emergencies or urgent situations

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your Personal Information may be transferred to the acquiring entity or successor organization. We will notify you of any such change in ownership or control and ensure appropriate privacy protections are in place.

5.5 With Your Consent

We may share Personal Information with third parties when you have given us explicit consent to do so for specific purposes.

5.6 Aggregated and Anonymized Information

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This information may be used for research, analytics, or other business purposes.

6. Data Security and Protection Measures

We implement comprehensive technical, administrative, and physical security measures designed to protect your Personal Information from unauthorized access, disclosure, alteration, and destruction. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

6.1 Technical Security Measures

• Encryption: We use industry-standard encryption protocols (TLS/SSL) to encrypt data in transit. Sensitive data at rest is encrypted using strong encryption algorithms (AES-256 or equivalent)
• Secure Authentication: Passwords are hashed using secure hashing algorithms (bcrypt or equivalent). We support multi-factor authentication (MFA) where available
• Secure Infrastructure: Our Service is hosted on secure cloud infrastructure with regular security updates, monitoring, and intrusion detection systems
• Network Security: Firewalls, network segmentation, and DDoS protection to prevent unauthorized access
• Regular Security Updates: We apply security patches and updates promptly to address known vulnerabilities
• Security Monitoring: Continuous monitoring for suspicious activity, unauthorized access attempts, and security threats
• Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scanning

6.2 Administrative Security Measures

• Access Controls: Strict access controls based on the principle of least privilege. Only authorized personnel with a legitimate business need can access Personal Information
• Employee Training: Regular training for employees and contractors on data protection, privacy best practices, and security awareness
• Background Checks: Background checks for employees and contractors with access to sensitive Personal Information
• Confidentiality Agreements: All employees and contractors are bound by confidentiality agreements
• Incident Response Plan: Documented procedures for responding to security incidents and data breaches

6.3 Physical Security Measures

• Our Service is hosted on secure cloud infrastructure with physical security measures managed by our hosting providers
• Any physical access to our offices or equipment is restricted and monitored

6.4 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify relevant supervisory authorities (e.g., the New Zealand Privacy Commissioner, relevant EU data protection authorities) within 72 hours, where required by law
• Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms
• Provide clear information about the nature of the breach, the data affected, and steps we are taking to address it
• Take immediate steps to contain the breach and prevent further unauthorized access

7. Your Privacy Rights and Choices

You have certain rights regarding your Personal Information, which may vary depending on your location and applicable law. We are committed to honoring these rights.

7.1 Rights Under New Zealand Privacy Act 2020

If you are located in New Zealand, you have the following rights under the Privacy Act 2020:

• Right to Access (IPP 6): Request access to the Personal Information we hold about you
• Right to Correction (IPP 7): Request correction of inaccurate, incomplete, or out-of-date Personal Information
• Right to Object: Object to certain processing of your Personal Information
• Right to Complain: Lodge a complaint with the New Zealand Privacy Commissioner if you believe we have breached the Privacy Act

7.2 Rights Under GDPR (EEA Users)

If you are located in the EEA, you have the following rights under GDPR:

• Right of Access (Article 15): Request a copy of your Personal Information and information about how it is processed
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete Personal Information
• Right to Erasure ("Right to be Forgotten") (Article 17): Request deletion of your Personal Information in certain circumstances
• Right to Restrict Processing (Article 18): Request restriction of processing in certain circumstances
• Right to Data Portability (Article 20): Request a copy of your Personal Information in a structured, machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: Lodge a complaint with your local data protection authority

7.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at rumiawais@gmail.com with:

• Your full name and email address associated with your account
• A clear description of the right you wish to exercise
• Any additional information that may help us process your request

We will respond to your request within:

• 30 days for requests under New Zealand Privacy Act 2020
• One month (30 days) for requests under GDPR (may be extended by two months for complex requests, with notification)

We may request additional information to verify your identity before processing your request. We may refuse or charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive.

7.4 Additional Choices

• Account Settings: Update your account information, preferences, and profile through your account settings
• Marketing Communications: Opt-out of marketing emails by clicking the unsubscribe link in any marketing email or updating your preferences in your account settings
• Cookies: Manage cookies through your browser settings (note: disabling certain cookies may affect Service functionality)
• Location Information: Disable location services through your device settings

8. Data Retention and Deletion

We retain your Personal Information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

• Account Information: Retained while your account is active and for a reasonable period after account closure (typically 90 days) to allow for account recovery, unless you request earlier deletion
• Content and User-Generated Data: Retained while your account is active. You can delete your content at any time through the Service
• Payment and Billing Information: Retained for 7 years from the last transaction to comply with tax and accounting obligations under New Zealand law
• Communication Records: Retained for 3 years from the date of last communication, unless longer retention is necessary for legal purposes
• Usage and Analytics Data: Retained in anonymized or aggregated form for up to 2 years for service improvement purposes
• Legal and Compliance Records: Retained as required by applicable law, which may be longer than other data categories

8.2 Account Deletion

When you request account deletion:

• We will delete or anonymize your Personal Information from our active systems within 30 days
• Your generated content, templates, and preferences will be permanently deleted
• We will retain minimal information necessary for legal compliance (e.g., payment records for tax purposes) as required by law
• Backup copies may be retained for up to 90 days before permanent deletion
• Anonymized or aggregated data that cannot identify you may be retained for analytics purposes

To request account deletion, contact us at rumiawais@gmail.com or use the account deletion feature in your account settings (if available).

9. International Data Transfers

Our Service is primarily hosted in New Zealand, but we may transfer, store, and process your Personal Information in other countries where our service providers operate, including the United States, European Union, and other jurisdictions.

9.1 Safeguards for International Transfers

When we transfer Personal Information internationally, we implement appropriate safeguards to protect your privacy rights:

• Contractual Safeguards: We use standard contractual clauses approved by relevant data protection authorities (e.g., EU Standard Contractual Clauses for GDPR compliance)
• Service Provider Agreements: All service providers are contractually obligated to protect Personal Information and comply with applicable privacy laws
• Adequacy Decisions: We may transfer to countries that have been recognized as providing adequate data protection (e.g., New Zealand has an adequacy decision from the European Commission)
• Binding Corporate Rules: Where applicable, we ensure service providers have appropriate binding corporate rules or equivalent safeguards

9.2 Specific Transfer Information

• OpenAI (United States): Content you generate is processed through OpenAI's API. OpenAI has implemented appropriate safeguards for international data transfers. Please review OpenAI's Privacy Policy for details
• Payment Processors: Payment information is processed by third-party payment processors that may operate in various jurisdictions. These processors are PCI-DSS compliant and have appropriate safeguards
• Cloud Hosting: Our Service may be hosted on cloud infrastructure in multiple jurisdictions. We ensure our hosting providers have appropriate security measures and data protection agreements

By using our Service, you consent to the transfer of your Personal Information to these countries, subject to the safeguards described above.

10. Children's Privacy

Our Service is designed for teachers and educational professionals who are at least 18 years of age. We do not knowingly collect Personal Information from children under 13 years of age (or under 16 in the EEA) without verifiable parental consent.

If you are a parent or guardian and believe that your child has provided us with Personal Information without your consent, please contact us immediately at rumiawais@gmail.com. We will take steps to delete such information promptly.

If we become aware that we have collected Personal Information from a child under the applicable age without parental consent, we will take steps to delete that information as soon as possible, except where retention is required by law.

11. Automated Decision-Making and Profiling

We use automated processing, including AI-powered content generation, to provide our Service. This may involve:

• Analyzing your prompts and preferences to generate personalized educational content
• Recommending features or content based on your usage patterns
• Detecting fraud or security threats through automated systems

We do not use automated decision-making that produces legal effects or similarly significantly affects you without human intervention, except:

• As necessary to provide the Service (e.g., content generation based on your inputs)
• With your explicit consent
• As permitted by applicable law

If you are subject to automated decision-making and wish to contest the decision or request human review, please contact us.

12. Third-Party Links and Services

Our Service may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access.

We are not responsible for the privacy practices, content, or security of third-party services. Your interactions with third-party services are subject to their respective privacy policies and terms of service.

13. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. Currently, there is no uniform standard for responding to DNT signals. We do not currently respond to DNT browser signals or mechanisms.

However, you can control tracking through your browser settings and by managing cookies as described in Section 2.3.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational, legal, or regulatory reasons.

When we make changes to this Privacy Policy:

• We will update the "Last updated" date at the top of this policy
• For material changes, we will notify you by email (to the email address associated with your account) or through a prominent notice on our Service
• We will provide at least 30 days' notice before material changes take effect, where required by law
• Your continued use of our Service after changes become effective constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your Personal Information. If you do not agree with the updated policy, you may close your account and stop using the Service.

Previous versions: If you would like to review previous versions of this Privacy Policy, please contact us.

15. Contact Us

If you have any questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, please contact us:

15.1 Data Protection Officer (if applicable)

If you are located in the EEA and wish to contact our Data Protection Officer (if we have designated one), please use the contact information above and specify that your inquiry is for the Data Protection Officer.

15.2 Complaints

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with:

• New Zealand: Office of the Privacy Commissioner (if you are located in New Zealand)
• EEA: Your local data protection authority (if you are located in the EEA). A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/board/members_en

We encourage you to contact us first so we can try to resolve your concerns directly.

16. Additional Information and Resources

16.1 New Zealand Privacy Resources

• Office of the Privacy Commissioner - Information about privacy rights in New Zealand
• Privacy Act 2020 - Full text of New Zealand's Privacy Act
• How to Make a Privacy Complaint - Guide for making privacy complaints in New Zealand

16.2 GDPR Resources (for EEA Users)

• GDPR.eu - Information about GDPR
• European Data Protection Board - EU data protection authority

16.3 Related Documents

• Terms of Service - Our terms and conditions for using the Service
• Contact Us - General contact information

17. Definitions

For the purposes of this Privacy Policy:

• "Personal Information" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Information, including collection, storage, use, disclosure, and deletion
• "Service" means the educraft website and application accessible at educraft.co.nz and app.educraft.co.nz
• "You" or "User" means the individual accessing or using the Service
• "We," "Us," "Our" means educraft and its operators

This Privacy Policy was last updated on January 17, 2025. We reserve the right to update this policy at any time. Please check this page periodically for updates.