Privacy Policy

Questcademy ("we", "us", or "our") provides a mastery-first K-12 learning platform that helps students across Ghana, Sierra Leone, Nigeria, and the United States achieve academic excellence and examination readiness. This Privacy Policy explains how we collect, process, store, and protect personal information when you use our website, applications, and related services (collectively, the "Platform").

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Platform.

Questcademy is an education technology company headquartered in Accra, Ghana. We act as the data controller for personal data processed through the Platform. For the purposes of the EU General Data Protection Regulation (GDPR), UK GDPR, Ghana Data Protection Act 2012 (Act 843), Nigeria Data Protection Regulation (NDPR) / Nigeria Data Protection Act (NDPA), and U.S. federal regulations including COPPA and FERPA, Questcademy is responsible for the processing of your personal data.

3.1 Information You Provide

• Account Registration: Email address, display name, password (stored as an irreversible hash), and user role (student, teacher, parent, school administrator, or system administrator).
• Google OAuth Sign-In: If you choose to sign in with Google, we receive your name, email address, and profile picture URL from Google.
• Student Profile: Grade/year level, school affiliation, regional context (country and curriculum), and optional display name.
• Parent–Student Linking: Parents provide class codes or teacher invitation keys to associate their accounts with their children's accounts.
• Communications: Any information you submit when contacting our support team.

3.2 Information Generated Through Use

• Learning Data: Lesson progress, quiz and assessment responses, mastery scores, spaced-repetition schedules, concept graph traversals, and diagnostic results.
• Behavioural Analytics: Session durations, feature usage frequency, and interaction patterns (anonymised and aggregated where possible).
• Notification Preferences: Your chosen channels for receiving academic notifications (email, push, in-app).

3.3 Technical Data Collected Automatically

• IP address (used for session security, audit logging, and approximate geolocation for regional content).
• Browser type and version, operating system, and device type.
• Cookies and similar technologies (see Section 12).

We process your personal data for the following purposes:

• Service Delivery: Providing personalised lesson recommendations, adaptive assessments, mastery tracking, and examination readiness tools.
• Account Management: Creating and maintaining your account, authenticating sessions, and authorising access based on role.
• Parent Oversight: Enabling parents and legal guardians to monitor their children's academic progress and manage assignments.
• Teacher & School Tools: Allowing teachers and school administrators to manage classrooms, review student performance, and configure academic settings.
• Regional Adaptation: Delivering curriculum-specific content, localised terminology, and examination alignment relevant to your region (Ghana, Sierra Leone, Nigeria, or United States).
• Communication: Sending transactional notifications (password resets, assignment reminders, session alerts) and, with your consent, educational updates.
• Safety & Security: Detecting fraud, enforcing our Terms of Service, and maintaining audit trails as required by law.
• Research & Improvement: Analysing aggregated, de-identified usage data to improve the Platform's educational effectiveness.

Depending on your jurisdiction, we rely on the following lawful bases:

Questcademy is designed for use by K-12 students, many of whom are under the age of 13 (or the applicable age of digital consent in their jurisdiction). We take children's privacy seriously and comply with:

• COPPA (U.S.): We do not knowingly collect personal information from children under 13 in the United States without verifiable parental consent. Schools and teachers using Questcademy in the U.S. may act as agents of parents/guardians for the purpose of providing consent under COPPA.
• FERPA (U.S.): When Questcademy is used by schools as a school official under FERPA, student education records are used solely for the educational purposes authorised by the school.
• Ghana DPA / NDPR / NDPA: We obtain appropriate consent from parents or guardians before collecting personal data from children. Data is processed only for legitimate educational purposes.

Parents and guardians can review, correct, or request deletion of their child's personal information by contacting us at the address in Section 14.

We do not sell your personal information. We share data only in the following limited circumstances:

• Within the Platform: Teachers see student performance data within their assigned classes. Parents see their linked children's data. School administrators see aggregate and individual data within their school. All access is controlled through Row-Level Security (RLS) policies.
• Service Providers: We use trusted third-party services for hosting (Google Cloud Platform), database management (Supabase), authentication, email delivery, and analytics. These providers process data solely on our instructions and under strict contractual obligations.
• AI-Assisted Features: When AI is used for question generation, hint delivery, or adaptive learning, we send only de-identified pedagogical context (concept IDs, difficulty tiers, mastery summaries) — never raw student names, emails, or other directly identifiable information.
• Legal Requirements: We may disclose information when required by law, court order, or to protect the safety and rights of our users or the public.

• Active Accounts: We retain your data for as long as your account is active and as necessary to provide services.
• Inactive Accounts: Accounts with no activity for 24 consecutive months may be flagged for deletion after notice.
• Learning Records: Academic progress and mastery data may be retained in anonymised or aggregated form for research and platform improvement even after account deletion.
• Audit Logs: Security-related logs (login events, IP addresses, role changes) are retained for a minimum of 12 months for compliance and security purposes.
• Deletion Requests: Upon verified request (or after the retention period expires), personal data is permanently deleted or irreversibly anonymised within 30 days.

We implement industry-standard technical and organisational measures to protect your data, including:

• Passwords are hashed using Argon2, a memory-hard hashing algorithm resistant to brute-force attacks.
• All data in transit is encrypted via TLS 1.2+.
• Data at rest is encrypted in our database and storage layers.
• Role-based access control (RBAC) and Row-Level Security (RLS) policies ensure users can only access data they are authorised to see.
• Automatic account lockout after repeated failed login attempts.
• Comprehensive audit logging of authentication events, data access, and administrative actions.
• Regular security reviews and infrastructure patching.

While no system is 100% secure, we are committed to promptly investigating and remediating any security incident. In the event of a data breach that affects your rights, we will notify you and relevant authorities within the time frames prescribed by applicable law.

Depending on your country of residence, you may have some or all of the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
• Data Portability: Receive your data in a structured, commonly used, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Restriction: Request that we limit how we process your data in certain circumstances.
• Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us using the details in Section 14. We will respond within 30 days (or the shorter period required by your jurisdiction).

🇬🇭 Ghana — Data Protection Act 2012 (Act 843)

We are registered with the Data Protection Commission of Ghana. You have the right to lodge a complaint with the Commission if you believe your data is being processed unlawfully. Personal data is processed lawfully and in accordance with the eight data protection principles under Act 843.

🇸🇱 Sierra Leone

While Sierra Leone does not yet have a comprehensive data protection statute, Questcademy voluntarily applies the protections in this policy to all Sierra Leonean users equal to those of our most protective jurisdiction. We monitor legislative developments and will update this policy to reflect any new requirements.

🇳🇬 Nigeria — NDPR / NDPA 2023

We comply with the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act 2023 (NDPA). Nigerian users have the right to access, rectify, and delete their data, and to lodge complaints with the Nigeria Data Protection Commission (NDPC). We do not transfer Nigerian users' personal data outside Nigeria unless adequate safeguards are in place, including standard contractual clauses or the receiving country having been deemed adequate by the NDPC.

🇺🇸 United States — COPPA & FERPA

In the United States, we comply with the Children's Online Privacy Protection Act (COPPA) for users under 13 and the Family Educational Rights and Privacy Act (FERPA) when used by schools. We do not use student data for targeted advertising. Schools may consent on behalf of parents/guardians for educational use under COPPA. Student education records are used solely for authorised educational purposes.

🇪🇺 EU/UK — GDPR & UK GDPR

Although our primary markets are in West Africa and the United States, if you access the Platform from the EU or UK, we comply with the General Data Protection Regulation (GDPR) and its UK equivalent. International data transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards. You have the right to lodge a complaint with your local Supervisory Authority.

We use the following types of cookies and similar technologies:

We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may prevent some Platform features from functioning.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via an in-app notification or email at least 14 days before the changes take effect. The "Effective date" at the top of this page reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

We aim to respond to all enquiries within 14 business days. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:

• Ghana: Data Protection Commission — dataprotection.org.gh
• Nigeria: Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng
• United States: Federal Trade Commission (FTC) — ftc.gov