Privacy Policy

Draft — pending legal review. Wording is not final and is subject to change.

Last updated: pending launch.

Effective Date: [Pending — set at republication] | Last Reviewed: [Pending] Haddee Education, LLC · 2006 Kala Bagai Way SPC10, Berkeley, CA 94704

This Privacy Policy describes how Haddee Education, LLC (doing business as HADDEE, "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you visit HADDEE.com or use our educational services. It is designed to comply with applicable privacy laws in the United States (including CCPA/CPRA, COPPA, FERPA, CalOPPA, CAN-SPAM, and FTC regulations), the European Union and United Kingdom (GDPR and UK GDPR), the People's Republic of China (PIPL, Cybersecurity Law, and Data Security Law), Canada (PIPEDA / Québec Law 25), Brazil (LGPD), and other jurisdictions. Please read this policy carefully.

Quick Reference — Your Jurisdiction

US Residents (all states): See Sections 1–11, 14, 15, 16.
California Residents (CCPA/CPRA): See Section 14 for full California privacy rights.
EU / EEA Residents (GDPR): See Section 15 for full GDPR rights and lawful bases.
UK Residents (UK GDPR): See Section 15 (applies equally to UK users).
China Residents (PIPL): See Section 16 for full China PIPL rights.
Canadian Residents (PIPEDA / Québec Law 25): See Section 17.
Brazilian Residents (LGPD): See Section 18.
Other International Users: See Section 19.

1. Definitions

Personal Data / Personal Information: Any information that relates to an identified or identifiable natural person ("Data Subject"), including but not limited to name, email address, phone number, IP address, device identifiers, location data, and financial information. In the US context this includes Personally Identifiable Information (PII). In China, this includes personal information as defined under PIPL.
Sensitive Personal Information: A subset of personal data that warrants heightened protection, including financial account data, government-issued identification numbers (SSN, EIN, passport), health data, biometric data, racial or ethnic origin, religious beliefs, precise geolocation, and, for children, any personal data.
Processing: Any operation performed on personal data, whether or not by automated means, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, erasure, or destruction.
Data Controller / Business: The entity that determines the purposes and means of processing personal data. Haddee Education, LLC is the data controller/business for personal data processed through HADDEE.com.
Data Processor / Service Provider: An entity that processes personal data on behalf of the data controller pursuant to a data processing agreement.
User / You: Any person who visits, registers for, or uses HADDEE.com or the HADDEE Services.
Child / Minor: A person under the age of 13 (US/COPPA), under 16 (EU/GDPR default), or under 14 (China/PIPL), as further described in Section 8.
Services: The HADDEE.com website, mobile applications, educational platform, and all related products and services offered by Haddee Education, LLC.

2. Who We Are and How to Contact Us

Data Controller / Business: Haddee Education, LLC (doing business as HADDEE), 2006 Kala Bagai Way SPC10, Berkeley, CA 94704. Email: hello@haddee.com | Phone: 858-449-9689 | Website: https://www.haddee.com

EU/UK Representative (GDPR Art. 27): As HADDEE may process personal data of EU/UK residents, we are in the process of designating an EU/UK representative. In the interim, EU/UK residents may direct all privacy-related inquiries to hello@haddee.com. We will update this section with representative contact information upon designation.

China PIPL Representative: For users in the People's Republic of China, please direct PIPL-related inquiries to hello@haddee.com.

Privacy Contact: For all privacy questions, rights requests, or complaints: hello@haddee.com | Subject line: "Privacy Request — [Your Country]".

3. What Personal Data We Collect

3.1 Information You Provide Directly

When you register, purchase a class, contact us, or use our Services, you may provide:

Identity Data: Full name, username, date of birth, gender, profile photo.
Contact Data: Email address, mailing address, phone number (for Teachers who opt in, the phone number is used to send SMS session alerts — see Section 13), WeChat ID (for users who provide it).
Account Data: Username, password (stored in hashed form), account preferences.
Payment Data: Billing address and payment method details. Note: credit/debit card numbers are processed directly by our PCI-DSS-compliant payment processor and are NOT stored on HADDEE servers.
Educational Data: Class enrollments, grades, progress data, assignments, and feedback. We do not record tutoring sessions (they take place on third-party video tools).
Communications: Messages, survey responses, feedback, or any other content you send to us.
Tax & Identity Documents (EDUCATORS only): IRS Form W-9 (US taxpayers) including Social Security Number (SSN) or Employer Identification Number (EIN), or IRS Form W-8BEN (non-US taxpayers), collected as required for IRS reporting (Form 1099-NEC). These are handled off-platform by authorized personnel and are not entered or stored in the Service's systems — we do not store SSNs or EINs in our application database.
Internship/Career Data: Résumé data, work history, skills, and application information for internship programs.

3.2 Information Collected Automatically

When you access or use our Services, we automatically collect:

Device & Technical Data: IP address, browser type and version, operating system, device type, device identifiers (including mobile device IDs), screen resolution, CPU model, graphics card model, memory specifications.
Usage Data: Pages visited, features used, session duration, clicks, searches performed, URLs of pages you navigate from/to, date and time of access.
Location Data: General geographic location derived from IP address. We do not collect precise GPS location without your explicit consent.
Connectivity Data: Wi-Fi access point identifiers, Bluetooth identifiers, base station information (where applicable for mobile apps).
Cookies & Tracking Data: See Section 10 (Cookies Policy) for full details.

3.3 Information From Third Parties

We may receive personal data about you from: social networking services (e.g., Google, Facebook, X/Twitter) when you log in using a social account — subject to your settings on those platforms; payment processors, for transaction confirmation; identity verification or background check providers (for EDUCATORS, in compliance with applicable law); and employer partners, for internship program administration.

3.4 Information We Do Not Collect

We do not collect credit/debit card numbers directly — all payments are processed by our third-party PCI-DSS-certified payment processor.
We do not collect SSNs or tax identification numbers from general users — only from EDUCATORS pursuant to signed contract and applicable tax law, and these are handled off-platform, not stored in the Service.
We do not collect personal data from children under 13 — they are blocked at sign-up by the age gate.

4. How We Use Your Personal Data

We use your personal data only for lawful purposes and only to the extent necessary for those purposes:

Purpose	Data Used	Legal Basis (GDPR / PIPL)
Provide and operate the Services (account creation, class delivery, payment processing)	Identity, Contact, Payment, Educational Data	Contract performance; Legitimate interest
Process payments and prevent fraud	Payment, Identity, Technical Data	Contract performance; Legal obligation; Legitimate interest
Send transactional communications (receipts, class reminders, account notices)	Contact Data	Contract performance
Send marketing and promotional communications	Contact, Identity Data	Consent (opt-in required; opt-out available)
Respond to inquiries and provide customer support	Identity, Contact, Communications Data	Contract performance; Legitimate interest
Improve and develop our Services	Usage, Technical, Educational Data (anonymized where possible)	Legitimate interest
Comply with legal obligations (tax reporting, mandatory disclosures)	Identity, Tax Data (SSN/EIN for EDUCATORS)	Legal obligation
Ensure security, detect fraud, and prevent abuse	Technical, Usage, Identity Data	Legitimate interest; Legal obligation
Administer surveys, contests, or promotions	Identity, Contact Data	Consent
Comply with FERPA (educational records for enrolled students)	Educational Data	Legal obligation
Internship program administration	Identity, Contact, Career Data	Contract performance; Consent

We do not sell your personal data. We do not sell, rent, or trade your personal data to third parties for their independent marketing or advertising purposes. For California residents, see Section 14 regarding CCPA/CPRA opt-out rights.

5. How We Share Your Personal Data

We share personal data only in the following limited circumstances:

5.1 Service Providers / Data Processors

We share personal data with trusted third-party service providers who perform services on our behalf under written data processing agreements, including:

Payment processors (e.g., Stripe, PayPal, VEEM) — for payment processing only;
Cloud hosting providers — for data storage and platform infrastructure;
Video conferencing platforms (e.g., Zoom) — for class delivery;
Email service providers — for transactional and marketing communications;
Analytics providers (e.g., Google Analytics, Microsoft Clarity) — for usage analytics and website session replay;
Error-monitoring providers (e.g., Sentry) — to detect and fix application errors; configured not to capture personal data;
SMS providers (e.g., Twilio) — to send text alerts to Teachers who opt in;
Background check providers — for EDUCATOR verification (with separate consent); and
Tax reporting services — for IRS Form 1099-NEC filing (EDUCATORS only).

All service providers are contractually prohibited from using your personal data for any purpose other than providing services to us.

5.2 EDUCATORS and Educational Partners

To facilitate class delivery, we share relevant USER information (name, contact, and class enrollment data) with the EDUCATOR teaching the applicable class. We share student educational data only to the extent necessary for educational services.

5.3 Employer Partners (Internships)

For internship programs, we share applicant data (résumé, contact information, application materials) with employer partners, with your consent at the time of application.

5.4 Legal Compliance and Safety

We may disclose personal data: (a) to comply with applicable law, regulation, legal process, or enforceable governmental request; (b) to enforce our Terms of Service; (c) to detect, prevent, or address fraud, security, or technical issues; or (d) to protect the rights, property, or safety of HADDEE, our users, or the public.

5.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Site before personal data is transferred and becomes subject to a different privacy policy.

5.6 With Your Consent

We may share personal data for other purposes with your explicit prior consent.

5.7 Aggregated / Anonymized Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you with third parties for research, analytics, or other purposes.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Our general retention schedule is:

Data Category	Retention Period	Reason
Account and identity data	Duration of account + 3 years after closure	Legal obligation; dispute resolution
Educational records (class data, grades)	5 years from date of service	FERPA; legal obligation
Payment transaction records	7 years from transaction date	Tax/accounting law (IRS requirements)
Tax documents (W-9, W-8BEN for EDUCATORS)	7 years from last tax year reported	IRS legal obligation
Marketing consent records	3 years from consent or last interaction	CAN-SPAM; GDPR accountability
Security and access logs	12 months	Security; fraud prevention
Cookie/tracking data	Up to 13 months (analytics); session (functional)	ePrivacy Directive; CCPA
Internship application data	2 years from application	Legitimate interest; legal obligation

When you ask us to delete your account, we permanently delete your personal information — your name, email, profile photo, bio, school, city/state, phone, and any guardian name/email — and your account can no longer be signed into or linked to you. We keep only the limited records we are legally required to retain (such as the transaction and tax records in the table above), and only in a de-identified form that can no longer be linked to you.

7. International Data Transfers

HADDEE is headquartered in the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States, which may have different data protection laws than your country.

7.1 EU/UK Transfers (GDPR Art. 44–49 / UK GDPR)

For transfers of personal data from the EU/EEA or UK to the United States, HADDEE relies on the following safeguards: EU Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914); UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs; and/or the EU-US Data Privacy Framework (DPF) and/or UK Extension, where applicable. To obtain a copy of applicable transfer mechanisms or for further information, contact hello@haddee.com.

7.2 China Transfers (PIPL Art. 38–43)

For transfers of personal information out of the People's Republic of China ("cross-border transfer"), HADDEE complies with PIPL requirements, which may include: passing a security assessment organized by the Cyberspace Administration of China (CAC), if applicable; obtaining personal information protection certification from a CAC-approved institution, if applicable; or executing standard contracts issued by the CAC with overseas recipients. We will obtain your separate consent for any cross-border transfer of your personal information from China, as required by PIPL.

7.3 Other Jurisdictions

For transfers from other jurisdictions, we implement appropriate safeguards as required by applicable local law, which may include standard contractual clauses, binding corporate rules, or your explicit consent.

8. Children's Privacy

HADDEE's platform is designed for students in Grades 7–12 (and college/adult); users must be at least 13. Children's privacy is a top priority. Please read this section carefully.

8.1 COPPA (USA — Under 13)

HADDEE complies with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §6501 et seq., enforced by the Federal Trade Commission. We do not knowingly collect personal information from children under 13. If a parent or guardian becomes aware that their child under 13 has provided personal data to HADDEE, please contact us immediately at hello@haddee.com. We will delete such information within a reasonable period.

The Service requires users to be at least 13. We collect a date of birth at sign-up and block anyone under 13 from creating an account, so we do not knowingly collect personal information from children under 13. If we learn we have collected such information, we delete it.

For students aged 13–17, we additionally collect a parent/guardian name and email, and store a timestamp of any parent email confirmation (parentEmailVerifiedAt) along with a derived minor/adult indicator (we store this indicator, not your full date of birth). The parent/guardian is the responsible party for the account and may review, manage, or request closure or deletion of it at any time by contacting hello@haddee.com. A parent/guardian deletion request is honored the same way as the user's own (see Section 12): we permanently delete the personal data and keep only de-identified legally-required records.

8.2 California — Minors (Under 18) (Cal. Bus. & Prof. Code §22581)

California residents under 18 who are registered users may request removal of content or information they have publicly posted on the Service. To submit a removal request, contact hello@haddee.com. Please note that removal does not ensure complete removal in all circumstances (e.g., if content was re-shared by a third party).

HADDEE complies with the California Age-Appropriate Design Code Act (AB 2273, Cal. Civ. Code §1798.99.28 et seq.): we do not deploy dark patterns, default-on location sharing, or behavioral advertising targeted at users we know to be under 18.

8.3 EU/EEA — Minors (Under 16) (GDPR Art. 8)

For users in the EU/EEA, HADDEE does not rely on consent as a lawful basis for processing personal data of children under 16 (or the applicable lower age threshold in certain EU member states, but not below 13) without the consent of their parent or legal guardian. Where a parent provides consent, they accept these terms on the child's behalf. EU users between 13 and 15 must have a parent or guardian provide consent.

8.4 China — Minors (Under 14) (PIPL Art. 31)

Under China's PIPL, the processing of personal information of minors under 14 years of age is subject to special rules. HADDEE will: (a) formulate a special personal information processing policy for minors under 14; (b) obtain consent from the minor's parent or legal guardian; and (c) apply heightened protection to such data. If you are a parent in China and believe your child under 14 has provided personal data to HADDEE without proper consent, contact hello@haddee.com immediately.

8.5 FERPA (USA — Student Educational Records)

To the extent HADDEE is a "school official" or processes "education records" under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g, HADDEE will use student education records solely for the purpose of providing educational services and will not disclose such records without appropriate consent, except as permitted by FERPA (e.g., to school officials with legitimate educational interest, in emergencies, or as otherwise required by law). Parents of students under 18, and eligible students (age 18 or older), have the right to access, review, and request correction of education records.

9. Data Security

HADDEE implements appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

Encryption: All data transmitted between your browser and HADDEE.com is encrypted using TLS 1.2 or higher (SSL). Sensitive data is encrypted in transit and at rest. We do not store SSNs or tax identification numbers in our application database — Educator tax forms are handled off-platform.
Web Application Firewall (WAF): We deploy a WAF to protect our website from common web attacks.
Access Controls: Access to personal data is restricted on a need-to-know basis. Personnel with access are subject to confidentiality obligations.
Malware Scanning: We perform regular malware scanning of our systems.
Payment Security: Credit/debit card transactions are processed through our PCI-DSS-certified third-party payment processor. HADDEE does not store payment card numbers.
Privacy by Design: We integrate data protection into our systems and processes from the design stage, following the principle of data minimization — collecting only the data strictly necessary for each purpose.
Incident Response: We maintain an incident response plan for data breaches (see Section 11).

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. You are responsible for maintaining the secrecy of your account credentials.

10. Cookies and Tracking Technologies

10.1 What We Use Cookies For

We use cookies and similar technologies (web beacons, pixel tags, local storage) for the following purposes:

Cookie Type	Purpose	Can You Opt Out?
Strictly Necessary	Login sessions, shopping cart, security (CSRF tokens). Required for the Site to function.	No (required for Site function)
Functional / Preference	Remember language, region, and display preferences.	Yes (via Cookie Manager)
Analytics / Performance	Understand how visitors use the Site (aggregated, anonymized). We use tools such as Google Analytics and Microsoft Clarity (session replay, with masking).	Yes (via Cookie Manager or browser settings)
Marketing / Advertising	Serve relevant content and track campaign performance. Only with explicit consent.	Yes (opt-out or withdraw consent at any time)

10.2 Your Cookie Choices

You may manage your cookie preferences through our Cookie Consent Manager accessible from our website footer. You may also control cookies through your browser settings; however, disabling certain cookies may affect the functionality of the Site.

EU/UK Users (ePrivacy Directive / GDPR): We will not place non-essential cookies (analytics, marketing) on your device without your prior consent. You may withdraw consent at any time through the Cookie Consent Manager.

California Users (CCPA/CPRA): Cookies that constitute "sharing" of personal information for cross-context behavioral advertising require your opt-in consent or are subject to your opt-out rights. See Section 14.

China Users (PIPL): Non-essential cookies that involve personal information processing require your separate consent under PIPL.

How you control tracking (Do Not Track): We use a Cookie Consent Manager — a consent banner shown to all visitors. Non-essential analytics and tracking load only after you accept, and you may decline. Because this consent control governs all non-essential tracking, it — not a browser "Do Not Track" signal — is how you control tracking on our site.

10.3 Analytics — Google Analytics and Microsoft Clarity

We use Google Analytics to analyze website traffic. Google Analytics may set cookies on your device. For information on how Google uses data collected through our site, see https://policies.google.com/technologies/partner-sites. You may opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-On at https://tools.google.com/dlpage/gaoptout.

We also use Microsoft Clarity to understand how visitors use the Site, including session replay and heatmaps that record on-screen interactions (cursor movements, clicks, scrolling). Clarity is configured to mask sensitive on-screen content, and — like all non-essential analytics — loads only after you accept analytics cookies through our Cookie Consent Manager. We do not record your tutoring sessions, which take place on third-party video tools.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, HADDEE will:

EU/UK (GDPR Art. 33–34): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible), and notify affected EU/UK individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
California (Cal. Civ. Code §1798.29 / §1798.82): Notify affected California residents in the most expedient time possible and without unreasonable delay, in compliance with California data breach notification law.
China (PIPL Art. 57 / CSL Art. 42): Immediately take remedial measures and notify the relevant competent authority and affected individuals in accordance with Chinese law.
Other US States: Notify affected individuals and regulators as required by applicable state data breach notification laws.
General: Notify affected users via email within 7 business days of confirming a breach that poses a material risk to personal data, even where not required by law.

Notifications will include: the nature of the breach; the categories and approximate number of records affected; the likely consequences; the measures taken or proposed; and how to contact us for further information.

12. General Privacy Rights — All Users

Regardless of your location, you have the following privacy rights with respect to your personal data:

Right to Access: You may request confirmation of whether we process your personal data and obtain a copy of the data we hold about you.
Right to Correct: You may request correction of inaccurate or incomplete personal data. You can also update most information directly in your account settings.
Right to Delete: You may request deletion of your personal data, subject to our legal obligations and legitimate interests (e.g., tax record retention). Deletion is handled manually — contact hello@haddee.com. When we honor a deletion request we permanently delete your personal information; we keep only the records we must retain by law (e.g., transaction/tax records), de-identified so they can no longer be linked to you, and the account can no longer sign in.
Right to Object: You may object to the processing of your personal data for direct marketing at any time, and in certain other circumstances.
Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing. To withdraw consent, log in to your account settings or contact hello@haddee.com.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe your privacy rights have been violated.

To exercise any of these rights, contact us at hello@haddee.com with the subject line "Privacy Rights Request — [Your Country]." We will respond within the timeframe required by applicable law.

13. Email and SMS Communications

HADDEE complies with the CAN-SPAM Act (15 U.S.C. §7701 et seq.) and, for EU/UK users, GDPR and the ePrivacy Directive for marketing communications.

We collect your email address to: send transactional communications (class confirmations, receipts, account notices); respond to inquiries; and, with your consent, send marketing and promotional communications.

In all commercial emails, we will: clearly identify the message as a commercial communication; include HADDEE's full physical address (2006 Kala Bagai Way SPC10, Berkeley, CA 94704); use truthful and non-misleading subject lines and sender information; include a clearly visible, one-click unsubscribe link; and honor unsubscribe requests promptly (within 10 business days for CAN-SPAM; without undue delay for GDPR).

To unsubscribe from marketing emails: click the "Unsubscribe" link at the bottom of any marketing email, or contact hello@haddee.com. Unsubscribing from marketing emails will not affect transactional communications related to your account or classes. For EU/UK users: marketing emails are sent only on the basis of your prior opt-in consent or, where applicable, a legitimate interest (soft opt-in for existing customers). You may withdraw consent at any time.

Text messages (SMS). For the tutoring service, Teachers (never students) may opt in to text alerts about their sessions, delivered via Twilio. Message frequency varies; message and data rates may apply; reply STOP to opt out or HELP for help. Your mobile opt-in data is never shared or sold for marketing. See the separate SMS Terms.

14. California Residents — CCPA/CPRA Privacy Rights

This section supplements our general Privacy Policy and applies only to California residents. It is provided pursuant to the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) and the California Privacy Rights Act (Prop. 24) (collectively, "CCPA/CPRA"), effective January 1, 2023.

14.1 Categories of Personal Information Collected (Past 12 Months)

CCPA Category	Examples	Purpose
Identifiers	Name, email, IP address, username, device IDs	Account; Services; Security
Personal Info (§1798.80)	Name, address, phone, payment info	Account; Payment processing
Commercial Info	Classes purchased, payment history	Services; Accounting
Internet / Network Activity	Browsing history on Site, search queries, clicks	Analytics; Security
Geolocation Data	General location from IP address	Analytics; Fraud prevention
Professional / Education Info	Educational records, credentials (Educators)	Services; Tax compliance
Audio / Visual	Profile photos; website session-replay recordings (analytics, with sensitive content masked). We do not record tutoring sessions.	Services; Analytics
Inferences	Preferences, interests derived from usage	Personalization
Sensitive: SSN/Tax ID	EDUCATORS only; collected off-platform for IRS reporting; not stored in the Service	Legal obligation (IRS)

14.2 Sources of Personal Information

Directly from you; automatically through your use of the Service; from third-party social networks (with your authorization); from payment processors; and from employer partners (internship program).

14.3 Sale or Sharing of Personal Information

HADDEE does not sell your personal information for monetary consideration. HADDEE may "share" personal information (as defined by CCPA/CPRA) with analytics providers for cross-context behavioral advertising purposes. You have the right to opt out of this sharing. To opt out: click the "Do Not Share My Personal Information" link in our website footer, or contact hello@haddee.com with subject line "CCPA Opt-Out."

14.4 Your CCPA/CPRA Rights

Right to Know (§1798.100, 1798.110, 1798.115): Request disclosure of the categories and specific pieces of personal information collected, the sources, the business/commercial purposes, and the categories of third parties with whom we share it.
Right to Delete (§1798.105): Request deletion of personal information we have collected, subject to exceptions (e.g., completing transactions, legal obligations, security). See Section 12 for how a deletion request is honored.
Right to Correct (§1798.106): Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing (§1798.120): Opt out of the sale or sharing of your personal information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information (§1798.121): Limit HADDEE's use and disclosure of sensitive personal information (e.g., SSNs, financial data) to what is necessary to provide the Service.
Right to Non-Discrimination (§1798.125): HADDEE will not discriminate against you for exercising your CCPA/CPRA rights.

14.5 Exercising Your Rights

Submit a verifiable consumer request by: (a) emailing hello@haddee.com with subject "CCPA Rights Request"; or (b) writing to Haddee Education, LLC, 1569 Solano Ave #275, Berkeley, CA 94707. We will verify your identity and respond within 45 days (extendable by another 45 days with notice). You may authorize an agent to make requests on your behalf with written authorization.

14.6 Shine the Light (Cal. Civ. Code §1798.83)

California residents may request information about disclosures of personal information for third-party direct marketing once per year. Contact: hello@haddee.com | Subject: "Shine the Light Request."

14.7 CalOPPA Compliance

Pursuant to the California Online Privacy Protection Act (CalOPPA): you may visit HADDEE.com anonymously; our Privacy Policy is linked prominently from our homepage; we will notify you of material Privacy Policy changes by posting the updated policy with a new effective date; and you may change your personal information by logging into your account settings.

15. EU and UK Residents — GDPR / UK GDPR Rights

This section applies to residents of EU/EEA member states and the United Kingdom. Haddee Education, LLC is the data controller within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

15.1 Lawful Bases for Processing (GDPR Art. 6)

Lawful Basis	When We Rely on It	Your Rights Affected
Contract performance (Art. 6(1)(b))	Account creation, class delivery, payment processing — processing necessary to perform our contract with you.	You cannot object; without it we cannot provide the Service.
Legal obligation (Art. 6(1)(c))	Tax reporting, mandatory disclosures, law enforcement requests.	Cannot be withdrawn.
Legitimate interests (Art. 6(1)(f))	Fraud prevention, security, improving the Service, internal analytics — where not overridden by your rights.	You may object (Art. 21); we will balance interests.
Consent (Art. 6(1)(a))	Marketing communications, non-essential cookies, Social Networking integrations.	You may withdraw consent at any time (Art. 7(3)).
Vital interests (Art. 6(1)(d))	Emergency situations involving risk to life.	Rarely used.

For sensitive personal data (GDPR Art. 9 special categories), we rely on your explicit consent or another applicable Art. 9 basis. HADDEE generally does not process Art. 9 special category data unless explicitly provided by you.

15.2 Your GDPR / UK GDPR Rights

Right of Access (Art. 15): Request a copy of all personal data HADDEE holds about you, free of charge.
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
Right to Erasure / 'Right to be Forgotten' (Art. 17): Request deletion of your personal data where: it is no longer necessary for the original purpose; you withdraw consent; you object and there are no overriding legitimate grounds; the data has been unlawfully processed; or deletion is required by law.
Right to Restriction of Processing (Art. 18): Request that we temporarily stop processing your data while accuracy or legitimate grounds are disputed.
Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV), and transmit it to another controller, where processing is based on consent or contract and is carried out by automated means.
Right to Object (Art. 21): Object at any time to processing based on legitimate interests or for direct marketing purposes (including profiling for marketing).
Rights Related to Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you. HADDEE does not currently make fully automated decisions of this nature.
Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is consent-based, without affecting the lawfulness of processing before withdrawal.

15.3 How to Exercise GDPR Rights

Contact: hello@haddee.com | Subject: "GDPR Rights Request — [Country]". We will respond within one (1) calendar month (extendable by two additional months for complex requests, with notice). We verify identity before processing requests. Requests are free of charge; manifestly unfounded or excessive requests may incur a reasonable fee.

15.4 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority if you believe HADDEE has not complied with GDPR. A list of EU supervisory authorities is at: https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.

15.5 International Transfers from EU/UK

See Section 7.1 for details on safeguards for international data transfers from the EU/UK.

15.6 Legitimate Interests Assessment

Where we rely on legitimate interests as our lawful basis, we have conducted a balancing test and determined that our legitimate interests are not overridden by your rights and interests. You may request a copy of our legitimate interests assessment by contacting hello@haddee.com.

16. China Residents — PIPL, CSL, and DSL Rights

This section applies to users in the People's Republic of China (PRC). HADDEE complies with the Personal Information Protection Law (PIPL, effective November 1, 2021), the Cybersecurity Law (CSL, effective June 1, 2017), and the Data Security Law (DSL, effective September 1, 2021).

16.1 Legal Bases for Processing Under PIPL

Under PIPL, HADDEE processes personal information on the following legal bases (PIPL Art. 13): Consent (Art. 13(1)) — we obtain your separate, informed, voluntary, and explicit consent before collecting, using, and sharing your personal information, except as otherwise permitted by PIPL; Contract performance (Art. 13(2)); Legal obligation (Art. 13(3)); Vital interests (Art. 13(4)); and Legitimate interests (Art. 13(6)) — for legitimate purposes within a reasonable scope.

16.2 Your PIPL Rights

Right to Know and Decide (Art. 44): Know whether and how your personal information is processed, and make decisions about it.
Right to Access (Art. 45): Request access to your personal information held by HADDEE.
Right to Copy (Art. 45): Request a copy of your personal information.
Right to Correct / Supplement (Art. 46): Request correction of inaccurate or incomplete personal information.
Right to Delete (Art. 47): Request deletion where the processing purpose has been achieved or is no longer necessary; you withdraw consent; the processing violates PIPL or agreement; or HADDEE ceases operations.
Right to Restrict or Refuse Processing (Art. 44): Restrict or refuse processing, subject to legal limitations.
Right to Data Portability (Art. 45): Where technically feasible, request transfer of your personal information to another processor you designate.
Right to Withdraw Consent (Art. 15): Withdraw consent at any time; withdrawal does not affect the legality of prior processing.
Right Against Automated Decision-Making (Art. 24): Where HADDEE makes automated decisions that significantly affect your rights, you may request an explanation and reject such decisions.
Rights of Deceased Persons' Relatives (Art. 49): Close relatives may exercise rights over a deceased user's personal information for legitimate purposes.

16.3 Sensitive Personal Information (PIPL Art. 28–32)

Under PIPL, "sensitive personal information" includes: biometric identification, religious beliefs, special identity (e.g., medical, financial), health and medical data, financial account information, location tracking, and information on minors under 14. HADDEE processes sensitive personal information only with your separate and explicit consent, and only to the extent strictly necessary. We will clearly notify you of the purpose, method, and scope of processing sensitive personal information.

16.4 Cross-Border Transfers (PIPL Art. 38–43)

See Section 7.2 for PIPL cross-border transfer compliance details.

16.5 How to Exercise PIPL Rights

Contact: hello@haddee.com | Subject: "PIPL Rights Request." We will respond within 15 working days as required by PIPL. Requests are free of charge; we may decline manifestly unfounded or excessive requests with written explanation.

16.6 PIPL Complaint

If you believe HADDEE has violated PIPL, you may lodge a complaint with the Cyberspace Administration of China (CAC) or other relevant competent authority.

17. Canadian Residents — PIPEDA and Québec Law 25

HADDEE complies with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Québec residents, Québec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Bill 64, fully in force September 22, 2023).

Your rights under PIPEDA: You have the right to access personal information HADDEE holds about you, challenge its accuracy, and request correction. You may also withdraw consent for non-essential processing, subject to legal and contractual limitations. Complaints may be directed to the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

Québec Law 25 additional rights: Québec residents have rights to: data portability (in a structured, commonly used technological format); deindexation (removal of access to personal information that is disseminated); and enhanced consent requirements. Québec residents may contact the Commission d'accès à l'information (CAI) at www.cai.gouv.qc.ca.

International transfers from Canada: HADDEE takes contractual and other reasonable steps to ensure personal information transferred outside Canada receives comparable protection to that afforded under PIPEDA/Québec Law 25.

18. Brazilian Residents — LGPD

HADDEE complies with Brazil's Lei Geral de Proteção de Dados (LGPD, Law No. 13.709/2018), effective September 18, 2020.

Your LGPD rights (Art. 18): Brazilian residents have the right to: confirmation of processing; access to data; correction of inaccurate, incomplete, or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data; data portability; information about third parties with whom data has been shared; information about consent denial consequences; withdrawal of consent; and review of automated decision-making.

Legal bases: HADDEE processes personal data under applicable LGPD legal bases, including consent, contract performance, legal obligation, legitimate interest, and exercise of rights in judicial, administrative, or arbitration proceedings.

Complaints: Brazilian residents may direct complaints to the Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd.

19. Other International Users

HADDEE's Services are primarily directed at users in the United States. If you access the Services from outside the United States, please be aware that your personal data will be transferred to, processed, and stored in the United States. Below is a summary of key jurisdictions:

Country / Region	Applicable Law	Key Contacts / Regulator
Japan	Act on Protection of Personal Information (APPI, 2022 amendments)	Personal Information Protection Commission (PPC): www.ppc.go.jp
South Korea	Personal Information Protection Act (PIPA)	Personal Information Protection Commission (PIPC): www.pipc.go.kr
Australia	Privacy Act 1988 (amended); Australian Privacy Principles	Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
Singapore	Personal Data Protection Act (PDPA)	Personal Data Protection Commission (PDPC): www.pdpc.gov.sg
India	Digital Personal Data Protection Act (DPDPA, 2023)	Data Protection Board of India (to be established)
Mexico	Ley Federal de Protección de Datos Personales (LFPDPPP)	INAI: www.inai.org.mx
Argentina	Personal Data Protection Law 25.326	AAIP: www.argentina.gob.ar/aaip

Users in other jurisdictions may have additional rights under local law. HADDEE respects applicable local privacy laws and will respond to rights requests to the extent required by applicable law. Contact hello@haddee.com for jurisdiction-specific requests.

20. Third-Party Links and Services

The Service may contain links to third-party websites or integrate third-party services (e.g., payment processors, Social Networking Services, video conferencing). HADDEE is not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of every website or service you visit. This Privacy Policy applies solely to HADDEE.com and our Services.

21. Changes to This Privacy Policy

HADDEE may update this Privacy Policy from time to time. When we make material changes, we will: (a) post the revised policy on this page with a new effective date; and (b) provide notice via email and/or a prominent banner on the Site, as required by applicable law (including GDPR and PIPL). We will not materially change how we use previously collected personal data without providing notice and, where required, obtaining your consent.

Your continued use of the Service after the effective date of any update constitutes your acceptance of the updated policy. If you do not agree, you must stop using the Service and may request deletion of your data.

22. Contact Us

For any questions, rights requests, concerns, or complaints regarding this Privacy Policy or HADDEE's data practices:

Haddee Education, LLC (Data Controller) · Attn: Privacy Team 2006 Kala Bagai Way SPC10, Berkeley, CA 94704 Email: hello@haddee.com | Phone: 858-449-9689 | Website: https://www.haddee.com

Please include in your message: (a) your full name; (b) your country of residence; (c) a description of your request or concern; and (d) the subject line "Privacy Request — [Your Country]." We aim to respond within the timeframe required by applicable law in your jurisdiction.