Privacy Policy

Last updated: 2026-07-17

1. Who we are

learnfeed ("we", "us") is a platform that lets independent instructors and teaching centers ("academies") run their own online academy: student enrollment, attendance, manual payment tracking, quizzes, session recordings, and certificates. The data controller for this website and for academy (instructor) accounts is: Abdelrahman Elsharkawi, UNI Campus H3.01.12, 66123 Saarbrücken, Germany — abdelrhmanbdlhlm@gmail.com. See also our Impressum at /impressum.

2. The two roles we play (important)

For instructor accounts and this marketing site, we are the data controller. For student data inside an academy (names, emails, phone numbers, attendance, quiz results, manually recorded payments, certificates), the academy is the data controllerand we process that data on the academy's behalf as a processor under Art. 28 GDPR. Students should direct privacy requests about their course data to their academy first; we support academies in fulfilling them.

3. What we process

  • Instructor account data — name, email, password (hashed by our auth provider), academy name, branding, billing status.
  • Student data (processed for academies) — name, email, phone (optional), cohort membership, attendance, quiz attempts and scores, manually recorded payment entries (amount, method, status — never card numbers), issued certificates.
  • Billing data — subscription payments are handled by Stripe (EUR) or Paymob (EGP). We store your plan, subscription status, and provider customer references. We never see or store full card numbers.
  • Technical data — server logs (IP address, timestamps, requested URLs) for security and abuse prevention, e.g. rate limiting.

4. Legal bases

  • Performance of a contract (Art. 6(1)(b) GDPR) — providing the platform, billing, support.
  • Legitimate interests (Art. 6(1)(f) GDPR) — securing the service, preventing abuse and fraud.
  • Legal obligations (Art. 6(1)(c) GDPR) — tax and commercial record-keeping.

Academies are responsible for having a lawful basis for the student data they enter or collect through their academy pages, including where students are minors (parental consent where required by local law).

5. Cookies

We use only strictly necessary cookies: authentication/session cookies and a language preference. We do not use advertising or third-party analytics cookies, which is why you don't see a cookie consent banner.

6. Processors and recipients

We use the following service providers (processors) to run the platform:

  • Supabase — database, authentication, and file storage.
  • Vercel — application hosting and content delivery.
  • Stripe — subscription billing (EUR).
  • Paymob — subscription billing for Egyptian payment methods (EGP).
  • Resend — transactional email (invites, password resets).
  • Upstash — rate limiting (short-lived technical keys).

Where instructors publish session recordings, videos are embedded from YouTube or Google Drive; opening such a page transmits your IP address to Google. Some providers process data outside the EU/EEA; transfers rely on EU Standard Contractual Clauses or an adequacy decision.

7. Certificate verification

When an academy issues a certificate, its verification page (reachable via the certificate's link or code) shows the student's name, the course, and the issue date so third parties can verify authenticity. Academies can revoke certificates, which disables verification.

8. Retention

Account and academy data are kept for as long as the account exists. Academies can export their data (CSV) at any time and can edit or delete student records. When an account is deleted, associated data is deleted except where statutory retention duties (e.g. invoices under German tax law: up to 10 years) require keeping it. Technical logs are kept only as long as needed for security.

9. Your rights

Under the GDPR you have the right to access, rectification, erasure, restriction, data portability, and to object to processing based on legitimate interests. You can also lodge a complaint with a supervisory authority — in Germany, the data protection authority of your federal state. To exercise your rights, contact us via the details in the Impressum. If your request concerns your data inside a specific academy, we may refer you to that academy as the controller, and we will assist them in responding.

10. Changes

We will update this policy as the product evolves and note the date above. Material changes will be announced to account holders by email or in-app notice.