Privacy Policy (GDPR Compliant)

This privacy policy has been written to better serve those who are concerned with how their ‘Personally Identifiable Information’ (PII) is being used online. PII, as described in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. We collect, store and use your information in accordance with both US laws and the GDPR of the European Union. Please read our privacy policy carefully to get a clear understanding of how we collect, store, use, protect or otherwise handle your Personally Identifiable Information in connection with our website.

Who are we?

The legal entity behind CodeBerry is a Hungarian Ltd. Full name, address and contact details:

CodeBerry School Kft.
1119 Budapest, Fehérvári út 149. II/8.
Company registration number: 01-09-298399
Tax number: 25955828-2-43
Bank account: 11711010-21452756

What personal information do we collect from you?

We may collect personal information from you when you register on our website, sign up to our newsletter, submit an assignment, pay for a subscription, fill out a survey, use our live chat, provide us with feedback on our service, or write an email to our Customer Support. To apply our transparency principle, here is the complete list of data we may collect and store that’s related to you:

  • User identification (To know who you are)
    • First and last name
    • Facebook / Google / Slack OAuth tokens, ids, names and email addresses
    • Email address and password SHA512 hash
  • Locale (To know how to display our sites to you)
    • Country and preferred language
  • Permissions (To know what you can access)
    • User’s feature access and admin permissions
    • Emailing permissions
    • Policy consent info for different policies
    • User data deletion request history
  • Learning activity (To know where you are in your studies, and show you the proper kitten gifs)
    • Assignment submissions, points and badges, activity on the website
  • Traffic source data (To know which of our marketing campaigns work well)
    • UTM source, medium, term, content and campaign
    • Coupon code, referrer code
  • Subscriptions (To know what you paid and how)
    • Subscription period counts (active, refunded, discounted)
    • Current and past plan details (type, name, gross amount, currency, period)
    • Transaction details (type, amount, currency, invoice language, invoice identifier number, request and fulfillment date/time)
    • Transaction handler (Braintree / PayPal, Paymentwall) name, merchant ID, plan ID, subscription ID, token ID, customer ID, reference ID
    • Invoiced person or company name, postal code, street address, city, country, company tax number, EU VAT compliance

We have an even more complete description of the collection, storage and usage of your data.
It is called a Data Protection Impact Assessment (or just DPIA) document, and is required by GDPR.
But actually, we found it a very useful tool to keep track of our usage of your data. In it we list:

  • our exact reasons for collecting and storing each piece of your data,
  • our legal basis for storing each piece of your data,
  • any third-parties we’re sharing your data with,
  • how we protect your data from breaches,
  • and what other, non-obvious purposes we use your data for.

Please find our Data Protection Impact Assessment (DPIA) document here.

What other companies do we share your data with?

We do not sell or trade your data to third parties. There are some companies, however, that assist us in operating our service. We trust that all these third parties keep your information confidential. But in case you want to review their own data handling policies, we compiled a complete list for you of the third parties we are affiliated with, and linked their data handling policies. We also described what information we are sharing with them and our reasons for it. Here is the complete list:

  • Intercom
    • We send our emails through Intercom, so we share your name and email address with them, to personalize the emails sent to you. We also share with them your subscription data and progress in our learning materials, to let them personalize automated emails sent to you.
  • Google
    • We send anonymous data to Google Analytics to get marketing insights.
    • We use Google AdSense Advertising to show you ads based on your interests. Google’s Advertising Principles are here.
    • We use Google Sheets to store accounting data, and anonymous statistics. These documents are only accessible to a limited number of CodeBerry staff, who are required to keep your information confidential.
  • Facebook
    • We use a Facebook Pixel and send anonymous data to Facebook, to track your usage of our service and get some heuristics.
  • Braintree / PayPal
    • Braintree is a service of PayPal. We use both Braintree and PayPal directly. Actually, we don’t share any of your personal information with PayPal or Braintree. But we embed their payment service in our payment website, so be aware that you may be sharing personal information with them when you pay for CodeBerry through their service.
  • Paymentwall
    • We don’t share any of your personal information with Paymentwall, but we embed their payment service in our payment website, so be aware that you may be sharing personal information with them when you pay for CodeBerry through their service.
  • Mixpanel
    • We send anonymous data to Mixpanel to get marketing insights. We’ve stopped using Mixpanel, so if you signed up to CodeBerry after January 2018, then your anonymous data was never shared with Mixpanel.

A note about links: We, or even other students, may link to third-party websites other than the ones listed above. These third parties have their own independent privacy policies, and we can take no responsibility for their data handling policies. Nonetheless, we seek to protect the integrity of our service, so if you find a link on CodeBerry that points to a website that you have doubts about, please report it at hello@codeberryschool.com.

How do we use your information?

We may use the information we collect from you in the following ways:

  • To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.
  • To improve our website in order to better serve you.
  • To allow us to better serve you in responding to your customer service requests.
  • To follow up on your inquiries via live chat or email.

How do we protect your information?

  • We keep your personal information in closed systems that are only accessible to a limited number of CodeBerry staff, who have special access rights to such systems, and are required to keep your information confidential. We transmit all your data via channels encrypted by TLS 1.2 or higher. We store all our passwords securely, with 256-bit AES keys, and two-step authentication.
  • We handle all our Credit Card and other payment transactions via external, PCI-compliant payment gateways.
  • All financial transactions are processed through a gateway provider and are not stored or processed on our servers.

We’ve also appointed a Data Protection Officer to make sure this policy, the Data Protection Impact Assessment document, data-handling policies, processes and documentation are kept up-to-date.

How long do we retain your information?

If you are just a visitor on the website, we don’t retain personal information about you.

If you are a registered CodeBerry user but you never paid, we retain your data for 26 months.

If you are or were a paying CodeBerry student, we retain your invoicing data for 10 years (because of a legal obligation) and all other data for 26 months.

In accordance with GDPR, you may request (in email) that we delete your personal information, and we will comply within a maximum of 30 days. In such cases we also initiate data deletion at our affiliated third parties. Note: Please understand that if you are or were a paying student, we are not legally allowed to delete your invoicing data for 10 years.

Also in accordance with GDPR, you may request (in email) that all the data we store about you be sent to you in a raw format. We reply to such requests within a maximum of 30 days.

Third-parties: Intercom, the only third-party we share non-anonymous data with, stores user data for 9 months. Our user-related Google Analytics data is being retained for 26 months.

Do we use cookies?

Yes. Cookies are small files that we send you through your web browser and that are saved to your computer if you allow it. They enable us to recognize your browser and remember you later. For example, we use cookies to know that you are logged in to our service and to remember your preferred language for viewing our website.

Google, as a third-party vendor, also uses cookies to serve ads on our site. Google’s use of the DART cookie enables it to serve ads to you based on your previous visits to CodeBerry and other websites. You can set your Google advertising preferences, or even opt out on the Google Ad Settings page or by using the Google Analytics Opt-out Browser Add-on.

You can choose to have your computer warn you each time a cookie is sent, or you can even turn off all cookies. You do this in your browser settings. Each browser is a little different, so look at your browser’s Help menu to find out how to modify your cookie-related preferences.

If you turn cookies off, you won’t be able to log in to CodeBerry, and we will display the pages in the language of the country you’re visiting the website from.

Does our site handle Do Not Track signals?

Yes. We honor Do Not Track signals. We don’t track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

How do we handle data breaches?

Our data breach handling policies comply with both the Fair Information Practices in the US, and GDPR in the EU.

Should a data breach occur, we will notify you about it via email, within 72 hours of finding out about the breach, or make a public announcement. If the leaked data was unencrypted and is seen to pose a danger to your rights or freedoms, we will also report the breach to the relevant regulatory body within 72 hours.

We also agree to the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.

Complaints

If you believe there is a problem with the way we are handling your data, and if you are an EU citizen, you have the right to complain to the data protection supervisory authority of your country. To help you find your local supervisory authority, here is a list of such authorities in the EU for each country, as well as a central one at the very bottom of the list.

Compliance with US data protection laws

California Online Privacy Protection Act

CalOPPA is the first state law in the USA to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require any company in the world that operates websites collecting Personally Identifiable Information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals or companies with whom it is being shared. According to CalOPPA, we agree to the following:

  • Users can visit our site anonymously.
  • We added a link to this Privacy Policy to our home page. Our Privacy Policy link includes the word ‘Privacy’ and can easily be found on the home page.
  • You will be notified of any Privacy Policy changes.
  • You can change your personal information by emailing us.

COPPA (Children Online Privacy Protection Act)

When it comes to the collection of personal information from children under the age of 13 years old, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, United States’ consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.

  • We do not specifically market to children under the age of 13 years old.
  • Do we let third-parties, including ad networks or plug-ins collect PII from children under 13?

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.