1. Data categories processed

Identification data (parents / legal guardians)

First name, last name, email, phone, login identifiers, password (hashed).

Children's data

First name, last name, class, school, date of birth, medical information (allergies, medical plans), parental authorizations.

Module-related data

• Extra-curricular activities (AES): activity registrations, attendance, season history.
• Eshop: orders, purchased products (uniforms, class photos, event tickets), amounts.
• Holiday camp: stay registrations, health records, emergency contacts.
• School registrations: registration files, supporting documents.

Billing data

Issued invoices, amounts, payment history.

Payment data

No online payment is currently processed by the Ekydi platform. No banking data is collected or stored. Payments are made outside the platform, directly between parents and the institution.

Technical data

IP addresses, connection logs, cookies, browsing information.

2. Retention principles

Data is retained for the entire duration of the contractual relationship between the client institution and Nuben LTD, in accordance with the purpose of the service provided.

3. Deletion upon request

In accordance with the GDPR and the Data Protection Act 2017 (Mauritius), any request for deletion of personal data is handled:

• Upon user request (right to erasure): deletion carried out within 30 days, except where there is a legal obligation to retain data (billing data retained for 7 years).
• Upon institution request: deletion of all or part of the data is possible at any time via Ekydi support.

4. End of contract

At the end of the contract between the institution and Nuben LTD, data will be:
- either returned to the institution in a usable format (export),
- or deleted from Ekydi servers,
within 30 days, except for legally required retention (billing: 7 years).

5. Hosting and security

Data is stored on Heroku Europe servers operated by Salesforce.com EMEA Limited, located in Ireland (European Union). No transfer outside the EU takes place in the context of the standard operation of the platform.

Security measures implemented:

• Encryption of data in transit (HTTPS/TLS)
• Encryption of data at rest (Heroku Postgres)
• Hashed passwords (never stored in plaintext)
• Automatic daily backups
• Administrator access control

6. Sub-processors

Note on Postmark: Transactional emails (registration confirmations, notifications) are routed through Postmark, based in the United States. This transfer is carried out on the basis of the standard contractual clauses of the European Commission. Only the data strictly necessary for sending the email (recipient's email address, message content) is transmitted.

7. User rights

In accordance with the GDPR and the Data Protection Act 2017 (Mauritius), every user has the following rights:

• right of access, rectification and erasure
• right to restriction and objection to processing
• right to data portability
• right to withdraw consent at any time

To exercise your rights, contact: contact@ekydi.com

8. Legal references

• GDPR (EU Regulation 2016/679)
• Data Protection Act 2017 (Mauritius)
• Companies Act 2001 (Mauritius) — retention of accounting documents: 7 years

See also:

• Privacy Policy
• Terms of Use
• Legal mentions