Privacy Policy

This Privacy Policy describes how ULEARNA TECHNOLOGY LTD ("Clast", "we", "us", or "our"), operator of Clast.io, collects, uses, stores, and protects personal data when you use our Platform. We are committed to protecting the privacy of all users — with particular care given to students, minors, and educational data.

This policy applies to all users worldwide, including users in Afghanistan, Pakistan, the United Kingdom, and any other jurisdiction in which Clast.io operates.

By using the Platform, you agree to the practices described in this Privacy Policy.

Company: ULEARNA TECHNOLOGY LTD

Registration: Company No. 14799798 (England & Wales)

Contact: legal@clast.io

Website: https://www.clast.io

• Identity data: full name, date of birth, gender, nationality
• Contact data: email address, phone number, physical address
• Account credentials: username, hashed password, assigned role
• Academic data: grades, attendance, assessments, academic history, library records
• Financial data: fee payment records, invoices, payroll (staff), transaction history
• HR data: employment records, performance reviews, schedules
• Communications: messages sent through the Platform's internal messaging system
• Documents and files: reports, forms, and uploads submitted to the Platform

When you connect your Google account to Clast.io, we access the following Google user data based on the permissions you grant:

• Google Sign-In: your name, email address, and profile picture, used solely to authenticate your identity and create or link your Clast account
• Google Calendar (read/write): we read and create calendar events on your behalf to schedule classes, exams, meetings, and institutional events within the Platform
• Google Meet: we create and manage Google Meet video sessions linked to scheduled events and classes

We access only the minimum Google data scopes necessary to provide these features. We do not access Google Drive, Gmail, Google Contacts, or any other Google service unless explicitly listed above.

• Device and browser information (type, OS, browser version)
• IP address and approximate location
• Usage data: pages visited, features used, session duration
• Log data: access times, error logs, system activity
• Cookies and similar tracking technologies (see Section 10)

If your institution connects Clast to services such as WhatsApp, Microsoft 365, Zoom, Stripe, PayPal, or Amazon Web Services (AWS), we may receive limited data from those services as authorised by your institution to enable that integration.

We process personal data for the following purposes:

• Providing, operating, and improving the Platform and its features
• Authenticating users via Google Sign-In or native Clast credentials
• Scheduling and managing institutional events via Google Calendar integration
• Creating and hosting video sessions via Google Meet and Zoom integrations
• Sending automated notifications via in-app, email, SMS (via AWS SNS/SES), or WhatsApp
• Processing payments via Stripe and PayPal
• Delivering AI-powered tutoring assistance and administrative support
• Generating analytics and institutional performance reports
• Improving the Platform using anonymised and aggregated data only
• Complying with applicable legal obligations
• Detecting and preventing fraud, abuse, and security incidents

In compliance with the Google API Services User Data Policy, we make the following specific disclosures:

• Google Sign-In: name, email address, profile picture
• Google Calendar: calendar events (read and write access)
• Google Meet: meeting creation and management

• Google Sign-In data is used solely to verify your identity and populate your Clast profile. It is not used for advertising or shared with third parties for marketing.
• Google Calendar data is used to create, read, update, and delete scheduled events (classes, exams, meetings) on behalf of the user within Clast.io. We do not read calendar data beyond what is necessary to perform this function.
• Google Meet data is used to generate and manage meeting links associated with scheduled events in Clast.io.

We do not sell, rent, or share Google user data with third parties except:

• With trusted infrastructure providers (DigitalOcean) solely for the purpose of storing and processing data to deliver our services
• As required by law or valid legal process

Google user

• All Google user data is stored on secure DigitalOcean infrastructure
• Data is encrypted in transit using TLS/HTTPS and encrypted at rest
• Access is restricted to authorised Clast personnel via role-based controls
• Google OAuth tokens are stored securely and never exposed to other users
• Regular security assessments and access audits are conducted

• Google user data is retained for the duration of your active Clast account
• Deletion requests are processed within 7 days of receipt
• Upon account deletion, all associated Google user data is permanently removed within 7 days
• Users and institutions can initiate deletion via account settings or by contacting legal@clast.io

For users in the UK and EU, we rely on the following legal bases under UK GDPR / GDPR:

• Contract performance: processing necessary to deliver the services your institution has subscribed to
• Legitimate interests: Platform improvement, security monitoring, and fraud prevention
• Legal obligation: compliance with applicable laws and regulations
• Consent: for optional features such as Google Sign-In and Google Calendar integration

Clast.io integrates with the following third-party services and sub-processors. Each involves limited data sharing solely to deliver that functionality:

• Stripe — payment processing. stripe.com/privacy
• PayPal — alternative payment processing. paypal.com/privacy
• Google Meet — video conferencing. policies.google.com/privacy
• Google Calendar — event scheduling. policies.google.com/privacy
• Google Sign-In — authentication. policies.google.com/privacy
• Zoom — video conferencing. zoom.us/privacy
• Microsoft 365 — productivity and collaboration. microsoft.com/privacy
• WhatsApp Business API (Meta) — automated notifications. whatsapp.com/legal/privacy-policy
• Amazon Web Services (AWS) — SMS and email notification delivery via AWS SNS and AWS SES. aws.amazon.com/privacy
• DigitalOcean — cloud infrastructure and data storage. digitalocean.com/legal/privacy-policy

We do not control the privacy practices of these third-party services and encourage you to review their respective privacy policies.

All Clast.io data — including Google user data, institutional data, and user-generated content — is stored on secure servers provided by DigitalOcean LLC. Data may be stored in data centres in multiple regions. DigitalOcean's data processing terms apply to infrastructure-level handling.

• Active account data: retained for the duration of the subscription
• Academic and institutional records: retained as directed by the institution, in compliance with applicable educational record-keeping laws
• Financial records: retained as required by UK accounting and tax law (typically 6 years)
• Google user data: deleted within 7 days of account deletion request
• Post-termination: all institution data retained for 30 days after subscription ends, then permanently deleted
• Anonymised analytics data: may be retained indefinitely as it cannot identify individuals

Deletion requests can be submitted via account settings or by emailing legal@clast.io. All requests are processed within 7 days.

Clast.io is used by educational institutions that serve students, including minors. We treat student data with the highest standard of care:

• We do not use student data for advertising, marketing, or profiling
• We do not sell or disclose student data to third parties except as described in this Policy
• Data collection from students is limited to what is educationally necessary
• Institutions are responsible for obtaining appropriate parental or guardian consent before enrolling minors
• We support institutions in complying with applicable student data protection laws including UK GDPR, FERPA, COPPA, and equivalent regional laws

Clast.io uses cookies and similar technologies to operate and improve the Platform. This section explains what cookies we use, why, and how you can control them.

Cookies are small text files placed on your device when you visit a website. They allow us to recognise your device and remember certain information about your visit.

STRICTLY NECESSARY COOKIES

These cookies are essential for the Platform to function. They cannot be disabled.

Examples: session tokens, login authentication, security cookies, CSRF protection.

Legal basis: Legitimate interests (essential service operation).

FUNCTIONAL COOKIES

These cookies remember your preferences and personalise your experience.

Examples: language preference, dashboard layout, notification settings.

Legal basis: Consent (you may disable these in your browser settings).

ANALYTICS COOKIES

These cookies help us understand how the Platform is used so we can improve it.

Examples: page visit frequency, feature usage, session duration.

Legal basis: Consent. We use anonymised, aggregated data only.

MARKETING / TRACKING COOKIES

Clast.io does not use marketing or advertising cookies within the logged-in Platform.

Our public-facing marketing website (clast.io) may use analytics tools.

We do not serve targeted ads inside the Platform.

Some third-party integrations (e.g., Google Sign-In, Zoom, Stripe) may set their own cookies when their services are loaded within the Platform. These are governed by the respective third-party privacy policies.

You can control and delete cookies through your browser settings at any time. Note that disabling strictly necessary cookies will affect Platform functionality. Most browsers allow you to:

• Block all cookies
• Delete cookies when you close your browser
• Allow cookies only from specific sites

For more information on managing cookies, visit: allaboutcookies.org

Clast.io serves institutions globally. Data may be processed in countries outside your home jurisdiction. For UK users, any international transfers are conducted under appropriate safeguards including Standard Contractual Clauses or UK adequacy decisions.

Depending on your jurisdiction, you have the following rights:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data
• Right to restriction: request that we limit processing of your data
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interests
• Right to withdraw consent: withdraw consent for Google integrations or optional processing at any time

To exercise any of these rights, contact us at legal@clast.io. We will respond within 30 days.

We implement appropriate technical and organisational measures to protect personal data, including:

• TLS/HTTPS encryption for all data in transit
• Encryption of sensitive data at rest
• Role-based access controls and multi-factor authentication
• Secure cloud infrastructure via DigitalOcean
• Regular security assessments
• Staff training on data protection and security practices

In the event of a data breach posing a risk to your rights, we will notify affected parties and relevant authorities as required by applicable law.

We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notification at least 14 days before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

For privacy questions, data requests, or complaints:

ULEARNA TECHNOLOGY LTD

Company No. 14799798

Email: legal@clast.io

Website: https://www.clast.io

If you are located in the UK and are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.