Privacy Policy

1. Information We Collect

1.1 Account Information

• Email address (required for account creation)
• Name (optional, from OAuth providers)
• Profile picture (optional, from OAuth providers)
• Authentication tokens (encrypted, for session management)

1.2 Usage Data

• Lab activity: labs completed, progress, XP earned, time spent
• Terminal commands executed in practice environments (for grading)
• Lab progress snapshots: filesystem state saved to allow resuming labs where you left off
• Technical data: IP address, browser type, device type, operating system
• Performance data: page load times, error logs, API response times

1.3 Payment Information

Payment processing is handled by our payment service provider. We never store credit card numbers, CVV codes, or full payment details. We receive only:

• Last 4 digits of card
• Card brand (Visa, Mastercard, etc.)
• Subscription status
• Transaction IDs

2. How We Use Your Information

• Service delivery: provide access to labs, track progress, award XP, manage subscriptions
• Grading and feedback: evaluate lab submissions, provide hints, track completion
• Product improvement: analyze usage patterns, fix bugs, optimize performance
• Security: detect abuse, prevent unauthorized access, enforce rate limits
• Communication: service updates, payment receipts, account notifications
• Legal compliance: comply with applicable laws, respond to legal requests

Legal Bases for Processing (GDPR)

We process your personal data based on:

• Contract: Account and authentication data to provide the Service
• Legitimate Interests: Usage analytics to improve labs and detect abuse
• Legal Compliance: Payment records for tax compliance
• Consent: Analytics cookies (you can opt out via cookie settings)

3. Service Providers

We use third-party service providers to operate our platform under data processing agreements (DPAs) and Standard Contractual Clauses (SCCs) for international transfers.

Service categories: learning infrastructure, payment processing, data storage, hosting and CDN, authentication, analytics. For the complete vendor list, contact privacy@dobrilab.com or see subprocessors.

4. International Data Transfers

Dobri Lab is operated by "DOBRI LAB" LTD (Bulgaria, EU). Some service providers are located outside the European Economic Area (EEA), primarily in the United States.

All international transfers are protected by:

• EU Standard Contractual Clauses (SCCs) as approved by the European Commission
• Data Processing Agreements (DPAs) with all processors
• Industry-standard security certifications

5. Data Retention

• Account data: retained while account is active + 90 days after deletion
• Lab progress: retained while account is active
• Lab progress snapshots: 90 days of inactivity, then auto-deleted
• Terminal session logs: 30 days
• Payment records: 7 years (legal requirement for tax compliance)
• Analytics data: aggregated and anonymized after 2 years

6. Cookies & Tracking

Essential Cookies (No Consent Required)

• Authentication: next-auth.session-token (login sessions)
• Security: CSRF tokens, rate limiting
• Preferences: Theme selection (dark/light mode)

Analytics Cookies (No Consent Required)

We use Vercel Web Analytics to understand how users interact with our platform:

• Privacy-first (no personal data collected)
• No tracking across websites
• No cookies stored
• GDPR Article 6(1)(f) compliant (legitimate interest)

Marketing Cookies (Consent Required)

With your consent, we use marketing cookies to show relevant ads:

• Facebook Pixel: Conversion tracking, remarketing
• Google Ads: Conversion tracking, campaign measurement

These cookies track your activity across websites for advertising purposes. You can opt out at any time by changing your cookie preferences below.

7. Your Rights (GDPR & CCPA)

You have the right to:

• Access: request a copy of your personal data
• Rectification: correct inaccurate or incomplete data
• Deletion: request deletion of your account and data
• Portability: export your data in machine-readable format (JSON)
• Restriction: limit how we process your data
• Object: object to processing based on legitimate interests
• Withdraw consent: opt out of marketing communications

To exercise your rights, contact privacy@dobrilab.com. We will respond within 30 days.

8. Security

• Encryption: data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Isolation: practice environments run in isolated containers with resource limits
• Access control: role-based access, multi-factor authentication for staff
• Monitoring: real-time security monitoring, automated vulnerability scanning
• Audits: regular security audits and penetration testing

9. Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect data from children. If you believe your child has provided us with personal information, contact us immediately at privacy@dobrilab.com.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or prominent notice on the website. Continued use of the service after changes constitutes acceptance.

11. Contact