Privacy Policy

1. Introduction

DDactic ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services at ddactic.net.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Password (hashed and encrypted)
• Account creation timestamp
• Email verification status

2.2 OAuth Authentication Data

If you sign up or log in using Google or GitHub OAuth, we collect:

• Google OAuth: Your Google account email address, name, profile picture (if provided), and Google account ID
• GitHub OAuth: Your GitHub username, email address, profile information, and GitHub account ID
• OAuth provider (Google or GitHub)
• OAuth account linking information (if you link multiple accounts)

We only access the minimum information required for authentication. We do not access or store your OAuth provider passwords or other sensitive data from your OAuth accounts.

2.3 Authentication and Security Data

• Multi-factor authentication (MFA) settings and backup codes
• Login attempts and timestamps
• IP addresses and user agents for security monitoring
• Session information (encrypted session tokens)
• Password reset tokens (temporary, expired after use)

2.4 Usage Data

• Pages visited and features used
• Time spent on the platform
• Device and browser information
• IP addresses (for security and analytics)

2.5 Contact Information

If you contact us through our contact form, we collect:

• Name
• Email address
• Company name (optional)
• Message content

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Authenticate your identity and secure your account
• Send you account-related communications (verification emails, password resets, security alerts)
• Monitor for security threats and suspicious activity
• Respond to your inquiries and support requests
• Comply with legal obligations
• Analyze usage patterns to improve our platform

4. Data Storage and Security

We implement industry-standard security measures to protect your data:

• Password Hashing: Passwords are hashed using PBKDF2-SHA-256 with 100,000 iterations
• Encryption: Sensitive data is encrypted in transit (HTTPS) and at rest
• Session Security: Session tokens are stored securely with HttpOnly, Secure, and SameSite cookies
• Multi-Factor Authentication: MFA is mandatory for all accounts
• Rate Limiting: Login attempts are rate-limited to prevent brute force attacks
• Account Lockout: Accounts are temporarily locked after multiple failed login attempts
• Audit Logging: Security events are logged for monitoring and compliance

Data is stored on Cloudflare's secure infrastructure, which complies with industry security standards.

5. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

• Service Providers: We use third-party services (Resend, Mailgun) for email delivery. These providers have access only to the information necessary to perform their functions.
• Legal Requirements: We may disclose information if required by law or to protect our rights and safety.
• Business Transfers: In the event of a merger, acquisition, or sale, your information may be transferred to the new entity.

6. OAuth Provider Data

When you use Google or GitHub OAuth:

• We receive only the information you authorize (email, name, profile picture)
• We do not have access to your OAuth provider password
• We do not access or store additional data from your OAuth accounts beyond what is necessary for authentication
• You can unlink OAuth accounts at any time through your account settings
• OAuth providers have their own privacy policies governing how they handle your data

7. Your Rights

You have the right to:

• Access: Request a copy of your personal data
• Correction: Update or correct your information
• Deletion: Request deletion of your account and data
• Portability: Request your data in a portable format
• Opt-Out: Unsubscribe from non-essential communications

To exercise these rights, contact us at [email protected].

8. Cookies and Tracking

We use cookies and similar technologies for:

• Session management (authentication)
• Security (CSRF protection)
• Analytics (usage statistics)

For detailed information about cookies, see our Cookie Policy.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Audit logs are retained for 90 days for security monitoring. When you delete your account, we delete your personal data within 30 days, except where retention is required by law.

10. Children's Privacy

Our services are not intended for users under 18 years of age. We do not knowingly collect personal information from children.

11. International Data Transfers

Your data may be processed and stored in the United States or other countries where our service providers operate. By using our services, you consent to the transfer of your data to these countries.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our website. The "Last Updated" date at the top indicates when this policy was last revised.

13. Contact Us

If you have questions about this Privacy Policy, please contact us:

Email: [email protected]
Website: ddactic.net