Privacy Policy
Effective date: 20 May 2026
Last updated: 20 May 2026
This Privacy Policy explains how AI Literacy Academy Ltd. ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use our learning platform at ailiteracyacademy.org (the "Platform"). This policy applies to all users of the Platform, including students, alumni, and visitors.
By creating an account or using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.
1. Information We Collect
1.1 Information You Provide Directly
| Category | Data Collected | When Collected |
|---|---|---|
| Account information | Name, email address, password (hashed) | Registration |
| Profile information | Phone number, country, timezone, industry, learning goals, biography, profile photo | Onboarding and profile settings |
| Community content | Posts, comments, reactions | Community participation |
| Student work | Project submissions (files, text, URLs), reflections, student notes | Course activities |
| AI interactions | Prompts and AI-generated responses in the AI Sandbox | AI Sandbox usage |
| Survey responses | Answers to course feedback and satisfaction surveys | Survey participation |
| Support requests | Ticket subject, category, message content | Support ticket submissions |
| Alumni profile | Cohort name, graduation date, role, portfolio URL, public biography | Alumni programme participation |
1.2 Information Collected Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Session data | IP address, browser user agent string | Security, session management, rate limiting |
| Learning progress | Activity completion status, percentage progress, timestamps, last playback position | Course delivery, progress tracking |
| Transaction records | Payment reference, amount, currency, payment method name (e.g., "card"), status | Financial record-keeping |
| Notification logs | Notification type, delivery time, read status | Communication delivery |
| Referral tracking | Your referral code, referral conversions | Referral programme administration |
1.3 Information from Third Parties
If you sign in using Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.
2. How We Use Your Information
We use your personal information for the following purposes:
- Providing the service: Creating your account, delivering course content, tracking progress, issuing certificates, processing payments, and facilitating community interaction.
- Communication: Sending enrolment confirmations, session reminders, project review notifications, badge awards, and course announcements via email and in-platform notifications.
- AI Sandbox: Sending your prompts to our AI provider to generate responses and storing conversation history to provide contextual follow-up within sessions.
- Security: Detecting and preventing fraud, unauthorized access, and abuse through rate limiting, session monitoring, and webhook verification.
- Improvement: Analysing aggregated, de-identified usage data to improve course content, platform features, and student experience.
- Legal compliance: Meeting our obligations under applicable Nigerian law, including financial record-keeping requirements.
3. Third-Party Service Providers
We share limited personal data with the following third-party providers who process it on our behalf under contractual obligations to protect your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Paystack (Nigeria) | Payment processing | Email, payment amount, currency, transaction reference. Card details are entered directly on Paystack's checkout page and are never transmitted to or stored on our servers. |
| Amazon Web Services (SES) (US) | Transactional email delivery | Email address, email content (enrolment confirmations, reminders, etc.) |
| Groq (US) | AI language model inference for the AI Sandbox | Prompts you type into the AI Sandbox. We advise you not to include personal or sensitive information in your prompts. |
| Cloudflare R2 (Global) | Cloud file storage for course media and student submissions | Uploaded files (videos, documents, images, project submissions) |
| Google (US) | OAuth authentication | Authentication tokens (if you choose Google Sign-In) |
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
4. Payment Information
When you make a payment, you are redirected to Paystack's secure checkout page. Your credit or debit card number, CVV, and expiration date are entered directly into Paystack's PCI DSS-compliant environment. We never receive, process, or store your card details.
We store only the transaction reference, amount, currency, payment status, and the name of the payment method used (e.g., "card," "bank_transfer") for our financial records.
5. Cookies and Session Management
We use a single essential authentication cookie to maintain your logged-in session. This cookie is:
- HTTP-only: Cannot be accessed by client-side JavaScript.
- Secure: Transmitted only over HTTPS connections.
- SameSite: Restricted to same-site requests to prevent cross-site request forgery.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking or behavioural advertising.
6. Data Storage and Security
6.1 Where Your Data Is Stored
Your data is stored on servers located in Germany (database and application server) and globally distributed edge locations (Cloudflare R2 for media files). Transactional emails are processed via AWS infrastructure in the United States.
6.2 Security Measures
We implement the following technical measures to protect your data:
- All data in transit is encrypted using TLS/HTTPS with HSTS enforcement.
- Passwords are hashed using bcrypt before storage; we never store plaintext passwords.
- Webhook signatures are verified using HMAC-SHA512 with timing-safe comparison.
- API endpoints are protected by rate limiting (Redis-backed with in-memory fallback) to prevent brute-force attacks.
- Content Security Policy, X-Frame-Options, and other HTTP security headers are enforced on all responses.
- User-generated HTML content is sanitised to prevent cross-site scripting (XSS) attacks.
- Administrative access requires a separate admin role verified on every request. Regular student accounts cannot access admin endpoints.
- Database is backed up nightly with encrypted backups retained for disaster recovery.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Retained while your account is active. Deleted upon account deletion request. |
| Course progress and submissions | Retained while your account is active for your reference and certificate validity. |
| Transaction records | Retained for a minimum of 6 years after the transaction date as required by Nigerian financial record-keeping regulations. |
| AI Sandbox history | Retained while your account is active. Deleted upon account deletion request. |
| Session logs (IP, user agent) | Automatically expire when the authentication session ends. |
| Community posts and comments | Retained while the associated cohort is active. May be anonymised after. |
| Support tickets | Retained for 2 years after resolution for quality assurance. |
8. Your Rights
Under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation (NDPR), you have the following rights:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may update your profile information at any time through the Platform settings, or request corrections by contacting us.
- Right to deletion: You may request deletion of your account and associated personal data, subject to our legal obligations to retain certain records (e.g., financial transactions).
- Right to object: You may object to the processing of your personal data for certain purposes.
- Right to data portability: You may request an export of your personal data in a structured, machine-readable format.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email info@ailiteracyacademy.org with the subject line "Data Rights Request." We will respond within 30 days.
9. Children's Privacy
The Platform is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. Students between 16 and 17 years old must have verifiable parental or guardian consent before creating an account. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly.
10. International Data Transfers
Your personal data may be transferred to and processed in countries outside Nigeria, including the United States (for email delivery via AWS SES and AI processing via Groq) and Germany (for server hosting). These transfers are necessary for the performance of our contract with you and are conducted in accordance with applicable Nigerian data protection law.
11. AI Sandbox Privacy Considerations
When you use the AI Sandbox, your prompts are transmitted to Groq, a third-party AI inference provider, for processing. Please be aware that:
- You should avoid including personal, confidential, or sensitive information in your prompts (e.g., passwords, financial details, health information).
- Your prompts and the AI's responses are stored in our database so you can review your conversation history. This data is deleted when you delete your account.
- We do not use your AI Sandbox interactions to train AI models. Groq's use of data transmitted through their API is governed by their own privacy policy.
- AI Sandbox usage is subject to daily limits per student and global daily limits to manage costs and prevent abuse.
12. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email to your registered address or through a prominent notice on the Platform at least 14 days before taking effect. Your continued use of the Platform after the revised policy takes effect constitutes your acceptance of the changes.
13. Complaints
If you believe your data protection rights have been violated, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng. We encourage you to contact us first so we can address your concerns directly.
14. Contact Us
For questions, concerns, or data rights requests regarding this Privacy Policy, contact us at:
AI Literacy Academy Ltd.
Email: info@ailiteracyacademy.org
Website: ailiteracyacademy.org