Privacy Policy (GDPR Compliant)

This privacy policy has been written to better serve those who are concerned with how their ‘Personally Identifiable Information’ (PII) is being used online. PII, as described in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. We collect, store and use your information in accordance with both US laws and the GDPR regulation in the European Union. Please read our privacy policy carefully to get a clear understanding of how we collect, store, use, protect, or otherwise handle your Personally Identifiable Information in accordance with our website.

Who Are We?

The legal entity behind CodeBerry is a Hungarian Ltd. Full name, address and contact details:

CodeBerry School Inc.
1119 Budapest, Fehérvári út 149. II/8.
Company registration number: 01-09-298399
Tax number: 25955828-2-43
Bank account: 11711010-21452756

What personal information do we collect from you?

We may collect personal information from you when you register on our website, sign up to receive our newsletter, submit an assignment, pay for a subscription, fill out a survey, use our live chat, provide us with feedback on our service, or write an email to our Customer Support team. In accordance with our transparency principle, we have provided a complete list of data we may collect and store that’s related to you:

  • User identification (To know who you are)
    • First and last name
    • Facebook / Google / Slack OAuth tokens, IDs, names, and email addresses
    • Email address and password SHA512 hash
  • Locale (To know how to display our site to you)
    • Country and language of preference
  • Permissions (To know what you can access)
    • User’s feature access and admin permissions
    • Emailing permissions
    • PPolicy consent info for different policies
    • User data deletion request history
  • Learning activity (To know where you are in your studies and display the proper kitten GIFs)
    • Assignment submissions, points and badges, and additional activity on the website
  • Traffic source data (To know how well our marketing campaigns are performing)
    • UTM source, medium, term, content, and campaign
    • Coupon code and referrer code
  • Subscriptions (To know how much you paid and how)
    • Subscription Status (active, refunded, discounted)
    • Current and past plan details (type, name, payment amount, currency, and period)
    • Transaction details (type, amount, currency, invoice language, invoice identifier number, request and fulfillment date/time)
    • Transaction handler name (Braintree / PayPal, Paymentwall), merchant ID, plan ID, subscription ID, token ID, customer ID, and reference ID.
    • Name of company or individual on invoice, postal code, street address, city, country, company tax number, EU VAT compliance

We have an even more complete description of how your data is collected, stored and used.
It is called a Data Protection Impact Assessment (or just DPIA) document, and is required by GDPR.
But actually, we found it a very useful tool to keep track of our usage of your data. In it we list:

  • Our exact reasons for collecting and storing each piece of your data
  • Our legal basis for storing each piece of your data
  • Any third-parties we’re sharing your data with
  • How we protect your data from breaches
  • Other, non-obvious purposes for using your data

Please find our Data Protection Impact Assessment (DPIA) document here.

Who else do we share your data with?

We do not sell or trade your data with third parties. There are some companies, however, who assist us in operating our service. We trust that all these third parties keep your information confidential. But in case you want to review their own data handling policies, we compiled a complete list for you of the third parties we are affiliated with and linked their data handling policies. We also described what information we are sharing with them and our reasons for it. Here is the complete list:

  • Google
    • We send anonymous data to Google Analytics to receive marketing insights.
    • We use Google AdSense Advertising to show you ads based on your interests. Google’s Advertising Principles can be found here.
    • We use Google Sheets to store accounting data and anonymous statistics. These documents are accessible only to key members of CodeBerry staff, who are required to keep your information confidential.
  • Facebook
    • We use Facebook Pixel and send anonymous data to Facebook to track your usage of our services and receive statistics.
  • Braintree / PayPal
    • We use both PayPal and Braintree (a PayPal product) directly. We don’t share any of your personal information with PayPal, nor Braintree. But we do embed their payment service into our payment website, so be aware that you may be sharing personal information with them when you pay for CodeBerry through their service.
  • MailMunch
    • We collect email addresses with MailMunch in the exit popup window on our main website. This data is not stored with MailMunch.
  • HotJar
    • WWe send anonymous data to HotJar to get usage insights. We even go so far as to delete this anonymized data every couple weeks.
  • Mixpanel
    • Prior to January 2018, we sent anonymous data to Mixpanel to receive marketing insights. However, we no longer use their services. If you signed up for CodeBerry after January 2018, your anonymous data was never shared with Mixpanel.

A note about links:We, or even other students, may link to third-party websites other than the ones listed above. These third-party sites have their own independent privacy policies, and we take no responsibility for their data handling policies. Nonetheless, we seek to protect the integrity of our service, so if you find a link on CodeBerry that points to a website that you have doubts about, please report it at hello@codeberryschool.com.

How do we use your information?

We may use the information we collect from you in the following ways:

  • To personalize your experience and deliver the kind of content and product offerings in which you are most interested.
  • To improve our website in order to better serve you.
  • To improve our services and better respond to your customer service requests.
  • To respond to your inquiries via live chat or email.

How do we protect your information?

  • We keep your personal information in closed systems that are only accessible to a limited number of CodeBerry staff, who have special access rights to such systems and are required to keep your information confidential. We transmit all your data via channels encrypted by TLS 1.2 or higher. We store all our passwords securely with 256-bit AES keys and two-step authentication.
  • We handle all Credit Card and other payment transactions via external, PCI-compliant payment gateways.
  • All financial transactions are processed by a gateway provider and are not stored or processed on our servers.

We’ve also appointed a "Data Protection Officer" to ensure that this policy, the Data Protection Impact Assessment document, data-handling policies, processes, and documentation are all kept up-to-date.

How long do we retain your information?

If you are just a visitor} on our website, we won’t retain any of your personal information.

If you are a registered CodeBerry user and you have never begun a paid subscription, we will retain your data for 26 months.

If you are or were a paying CodeBerry student, we will retain your invoicing data for 10 years (due to legal obligations) and all other data for 26 months.

In accordance with GDPR, you may request that we (in email) "delete your personal information", and we will comply in 30 days or less. In such cases, we will also delete data stored by our affiliated third-parties. Note: Please understand that if you are or were a paying student, we are not legally allowed to delete your invoicing data for 10 years.

Also in accordance with GDPR, you may request that (in email) all the data we store about you be sent to you in a raw format. We reply to these requests in 30 days or less.

Third parties: Our user-related Google Analytics data is retained for 26 months.

Do we use cookies?

Yes. Cookies are small files that are sent to you through your web browser and are saved on your computer (if you allow it). Cookies enable us to recognize your browser and remember you later. For example, cookies allow us to know if you are logged in to our service and what language you prefer to use on our website.

Google, as a third-party vendor, also uses cookies to serve ads on our site. Google’s use of the DART cookie enables it to serve ads to you based on your previous visits to CodeBerry and other websites. You can set your Google advertising preferences, or even opt out on the Google Ad Settings page or by using the Google Analytics Opt-out Browser Add-on.

You can choose to have your computer notify you each time a cookie is sent, or you can even turn off all cookies. You can do this in your browser settings. Each browser is a little different, so look at your browser’s help menu to find out how to modify your cookie-related preferences.

If you turn cookies off, you won’t be able to log in to CodeBerry and webpages will be displayed in the language of the country you’re visiting the website from.

Does our site handle “Do Not Track“ signals?

Yes. We honor “Do Not Track“ signals. We don’t track, plant cookies, or use advertising when a “Do Not Track“ (DNT) browser mechanism is in place.

How do we handle data breaches?

Our data breach handling policies comply with both the Fair Information Practices in the US and GDPR in the EU.

Should a data breach occur, we will notify you about it via email within 72 hours of finding out about the breach or make a public announcement. If the leaked data was unencrypted and is thought to pose a danger to your rights or freedoms, we will also report the breach to the relevant regulatory body within 72 hours.

We also comply with the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.

Complaints

If you believe there is a problem with the way we are handling your data, and if you are an EU citizen, you have the right to file a complaint to the data protection supervisory authority of your country. To help you find your local supervisory authority, here is a list of such authorities in the EU for each country, as well as a central one at the very bottom of the list.

Compliance with US data protection laws

California Online Privacy Protection Act

CalOPPA is the first state law in the USA to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require any company in the world that operates websites collecting Personally Identifiable Information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals or companies with whom it is being shared. According to CalOPPA, we agree to the following:

  • Users can visit our site anonymously.
  • We added the link to this Privacy Policy on our home page. Our Privacy Policy link includes the word ‘Privacy’ and can easily be found on the home page.
  • You will be notified of any changes to the Privacy Policy.
  • You can edit your personal information by emailing us.

COPPA (Children Online Privacy Protection Act)

When it comes to the collection of personal information from children under the age of 13 years old, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the United States’ consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.
  • We do not specifically market to children under the age of 13 years old.
  • Do we let third parties, including ad networks or plug-ins, collect PII from children under 13?

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.