EduDesk — Privacy Policy
April 2026
Data Controller
EduDesk is operated by Certo e Claro, based in Portugal. We are responsible for the personal data you provide when using this service. For any data-related enquiries, contact us at the email below.
Our Commitment: Your Data Is Yours
EduDesk and Certo e Claro will never sell, rent, or share your personal data — or the data of your students — with any third party for commercial, advertising, or marketing purposes. We do not build advertising profiles, engage in behavioural tracking, or monetise your information in any form. All data and content you create within the platform belongs to you. We access it solely to operate and maintain the service on your behalf.
What we collect
We collect your name and email address when you sign in (via local credentials or Google / Discord OAuth). We store the tutoring session records, student information, and scheduling data you create within the app — including recurring session series (weekly, bi-weekly, or monthly), exam entries, study resources, and learning goals. Where the student portal is enabled, student contact data is stored encrypted at rest. Students may upload file attachments (PDFs and images) linked to exam records; these are stored on our servers and accessible only through authenticated endpoints. Access logs (IP address, browser, timestamps) may be retained for security purposes.
No Payment Processing
EduDesk does not process, handle, or intermediate any payments between teachers and students. All financial transactions — including session fees, invoicing, and cash handling — are exclusively between the teacher and the student. EduDesk bears no responsibility for any payment disputes or financial arrangements made outside the platform.
Student Personal Data
When you use EduDesk, you may enter personal data about your students, including their names and contact information. You are the data controller for that data and are solely responsible for ensuring you have a lawful basis to collect and store it — including obtaining consent from parents or guardians where students are minors. EduDesk processes this data solely on your behalf and does not use it for any other purpose.
How we use your data
Your data is used solely to operate the tutoring session management service. Authentication data is processed on the basis of your consent (OAuth sign-in) or a legitimate interest in providing a secure account system. Session and student records are processed on the basis of legitimate interest to deliver the core service. No data is used for advertising or profiling.
Third-Party Sub-Processors
EduDesk uses third-party authentication providers — Google LLC and Discord Inc. — which may process your name and email address during sign-in. These providers operate under standard contractual clauses or equivalent safeguards in compliance with GDPR. Your use of their sign-in services is also governed by their respective privacy policies.
File Storage
Students with portal access may upload exam-related file attachments (PDFs and images, up to 10 MB per file). Files are stored on our servers outside the public web root and are only accessible through authenticated API endpoints. Each student is subject to a storage quota. Files are stored with randomised names to prevent path traversal. Uploaded images may be automatically resised and compressed for efficiency. All files linked to a student record are permanently deleted when that student is removed from the platform.
Third-Party Links
Study resources, session notes, and other content created by users within EduDesk may contain links to external websites and services. EduDesk and Certo e Claro have no control over, and take no responsibility for, the content, privacy practices, or accuracy of any external sites. Accessing external links is entirely at your own risk.
Your rights under GDPR
As a resident of the European Union you have the right to: access the personal data we hold about you; request rectification of inaccurate data; request erasure of your data; request restriction of processing; receive your data in a portable format; and object to processing based on legitimate interest. To exercise any of these rights, or to lodge a complaint, contact us at the email below. You also have the right to lodge a complaint with the Portuguese supervisory authority: CNPD — Comissão Nacional de Proteção de Dados (www.cnpd.pt).
Cookies & local storage
We use a single httpOnly session cookie to keep you signed in securely. This cookie is strictly necessary for the service to function and cannot be disabled. We do not use any tracking or advertising cookies. In addition, your preferred calendar view (day, week, or month) and colour scheme (light or dark) are stored in your browser's local storage — these never leave your device and are not transmitted to our servers.
Data retention
Your data is retained for as long as your account is active. If you request account deletion, your personal data will be removed within 30 days. Session records may be retained for up to 12 months for audit purposes before deletion. File attachments uploaded through the student portal are deleted immediately when the associated student record is removed.
Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, we will notify the competent Portuguese supervisory authority (CNPD) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 of the GDPR, unless the breached data was encrypted or the risk has since been mitigated.
Contact
Questions about this policy or requests to exercise your rights? contact@certoeclaro.pt