Privacy Policy
Last updated: 10 May 2026
This Privacy Policy explains how EduBook Tech (“EduBook Pro”, “we”) handles personal data in connection with the EduBook Pro service. It applies to the desktop application, our cloud services, the parent and admin dashboards, the public booking site, the online exams platform, and the documentation site.
1. Roles
- Data Controller for the staff accounts and tenant metadata we hold on you (the educational center): EduBook Tech.
- Data Processor for the student / parent / teacher records you upload to the Service (“Customer Data”): EduBook Tech, processing on your instructions as the Customer is the controller of that data with respect to its own students, parents, and staff.
The roles distinction matters because some of the rights described in section 7 must be exercised against the relevant controller.
2. Personal data we collect
a. Account & subscription data
- Name, email, phone, language and country of the person who registers a tenant.
- Center / business name, slug, address (where provided).
- Subscription plan, billing currency, renewal dates.
b. Customer Data uploaded by the Customer
- Student records: name, contact details, parent contact, grade, enrollment history, attendance code, payments.
- Parent records: name, phone (used as the login key), email, relationship to student.
- Staff records: name, email, role, permission set.
- Schedule, group, subject, semester, and lesson data.
- Exam content (questions, correct answers) and student attempts (chosen answers, score, timing).
- Notes and free-text fields filled in by staff.
c. Payment data
- For online payments via PayPal or Paymob: only the transaction metadata (amount, currency, reference, status) returned to us by the gateway. Card numbers and payment credentials are never stored on our infrastructure.
d. Technical data
- IP address, user-agent, device fingerprint, login times.
- Application logs and error reports.
- Usage telemetry: which features are opened, performance metrics.
e. Communications data
- WhatsApp message metadata when the Customer uses the UltraMSG integration (sender, recipient, delivery status — message bodies may be retained for delivery audit only).
- Email metadata for transactional messages we send (OTP codes, cancellation links, exam links).
3. How we use personal data
We process personal data only for the following purposes:
- to provide and operate the Service for the Customer;
- to authenticate users and protect against unauthorized access;
- to bill subscriptions and process payments;
- to send transactional messages (OTP codes, cancellation confirmations, exam access links, etc.);
- to comply with legal obligations under Egyptian law;
- to improve product quality through aggregated, non-identifying analytics;
- to respond to support requests from the Customer.
We do not:
- sell personal data to advertisers or data brokers;
- use Customer Data to train machine-learning models or to feed any AI service outside the Customer’s tenant;
- profile data subjects to target advertising.
4. Lawful bases
Under Law No. 151 of 2020 we rely on the following bases:
- Performance of a contract (Art. 5(1)(b)) — to deliver the Service the Customer has subscribed to.
- Legitimate interests (Art. 5(1)(f)) — for fraud prevention, security, and product reliability, balanced against the rights of data subjects.
- Legal obligation (Art. 5(1)(c)) — to retain records required by tax, accounting, or anti-money-laundering legislation.
- Consent (Art. 5(1)(a)) — for optional features such as WhatsApp notifications, where the data subject (parent) is given a clear opt-in.
5. Subprocessors
We use the following third parties to deliver the Service. Each is contractually bound to process data only on documented instructions and to maintain appropriate security:
| Subprocessor | Purpose | Location |
|---|---|---|
| Neon | Primary database hosting | United States / Europe |
| Vercel | Web frontend + serverless function hosting | Multi-region |
| PayPal | Payment processing (international) | United States |
| Paymob | Payment processing (Egypt) | Egypt |
| UltraMSG | WhatsApp Business API gateway | Multi-region |
| Zoom Video Communications | Online groups + auto-attendance | United States |
| Microsoft (Graph API) | Teams integration | Multi-region |
| Google (Workspace / Gmail SMTP) | Transactional email | Multi-region |
A current list is available on request to
service@edubookapp.com.
6. Cross-border transfers
Some subprocessors store data outside Egypt. We rely on the exceptions in Article 14 of Law No. 151 of 2020 (performance of a contract, the data subject’s explicit consent for parents who opt in to WhatsApp notifications, and standard contractual safeguards with the subprocessor) to support these transfers. Where the Personal Data Protection Center publishes adequacy decisions, we align with them.
7. Data subject rights
Egyptian law grants data subjects the following rights, which you can exercise by contacting the relevant controller (see Section 1):
- Right of access — get a copy of your data we hold.
- Right to rectification — correct inaccurate data.
- Right to erasure — request deletion, subject to retention requirements.
- Right to restrict processing — pause our processing of your data in specific situations.
- Right to portability — receive your data in a structured, machine-readable format.
- Right to object — to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior processing.
For Customer Data (your students, parents, staff), the data subject must contact the Customer (the educational center) — we will assist the Customer in fulfilling the request as their processor.
For account data (your own data as a Customer), write to service@edubookapp.com.
We aim to respond within thirty (30) days.
8. Retention
- Active subscription: we retain Customer Data for as long as the subscription is active.
- Cancelled subscription: Customer Data is retained for up to ninety (90) days to allow data export; after that period it is deleted from active systems.
- Backups: encrypted backups are retained for up to thirty (30) days for disaster recovery.
- Billing records: retained for at least five (5) years to comply with Egyptian tax and commercial law obligations.
- Application logs and security logs: retained for ninety (90) days.
9. Security
We apply technical and organizational measures appropriate to the risk, including:
- encryption in transit (TLS 1.2+) for all network traffic;
- encryption at rest for sensitive credentials (Zoom client secrets, Teams secrets, OAuth tokens are AES-256-GCM encrypted with a server-side master key);
- least-privilege access — production database access is limited to a small number of authorized engineers;
- audit logs for administrative actions;
- regular security updates of dependencies;
- a device-binding mechanism so a leaked staff password cannot be used from an unauthorized machine without first being approved by the tenant admin.
No system is perfectly secure. In the event of a personal-data breach affecting your data, we will notify you in accordance with the timelines required by Law No. 151 of 2020.
10. Children’s data
EduBook Pro is designed for educational centers, where the Customer (the center) controls the student records. Where a student is a minor under Egyptian law, the Customer is responsible for obtaining the appropriate consent from a parent or legal guardian before uploading the minor’s data to the Service. We do not market the Service directly to children.
11. Cookies and similar technologies
The web surfaces of EduBook Pro use a small number of cookies and
local-storage entries strictly necessary for the Service to
function (session tokens, language preference, exam session token).
We do not set advertising or third-party tracking cookies. The
documentation site (documentation.edubookapp.com) may use
privacy-respecting analytics to count visits per page; no
identifiers are linked to individuals.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via in-product notice or email at least thirty (30) days before they take effect.
13. Complaints
You have the right to lodge a complaint with the Personal Data Protection Center of the Ministry of Communications and Information Technology if you believe our processing of your data infringes Egyptian law.
14. Contact
Data protection inquiries should be addressed to service@edubookapp.com, attention “Privacy”.