Privacy & Security Policy

This Privacy and Security Policy explains in detail how personal data is collected, processed, protected, and stored while using the services offered by the Dux platform. Dux adopts the highest standards to ensure the security and privacy of all user data, including data belonging to educational institutions, administrators, teachers, and students.

Dux adheres to the principle of transparency when collecting user data and informs users about what data is processed and for what purposes. Data processing occurs only when strictly necessary and is protected against unauthorized access through robust technical and organizational security measures. Procedures are in place to give users full control over their data and to enable them to exercise their rights at any time.

This policy applies to all individuals and institutions that access or use the Dux platform and should be read alongside the Platform Terms of Use. By using the Dux platform, you confirm your acceptance of the practices described in this policy.

Dux collects personal data in several categories to ensure user safety, improve service quality, enhance user experience, and comply with applicable legal regulations. The data collection process is transparent, and users are informed accordingly.

Identity and account data includes full name, email address, phone number, job title, institutional affiliation, user role (administrator, teacher, or student), username, profile photo, account security settings, and user preferences. This data is collected during account registration and maintained for the duration of the active subscription.

Usage and activity data includes login and logout records, platform interactions, features used, session duration, task and content activity within the platform, AI feature prompts and responses, and error reports. This data is collected automatically as users interact with the platform.

Content data includes materials, documents, lesson plans, assessments, and any other files uploaded to the platform by users. Users retain ownership of this content, and Dux processes it solely to deliver the platform's services.

Technical data includes IP address, device type, operating system, browser information, session identifiers, and cookie preferences. This data is collected automatically to maintain platform security and performance.

All data is processed solely to deliver services, fulfill legal obligations, and improve user experience, while maintaining the highest standards of privacy and data security.

Collected personal data may be processed for the following purposes: account creation and management, including identity verification, security configuration, and access control; delivery of educational services, including curriculum support, lesson planning tools, content management, and AI-assisted features; user experience improvement, including the analysis of platform usage patterns, collection of feedback, and continuous service enhancement; legal and regulatory compliance, including meeting obligations under applicable Turkish and international law, responding to regulatory authority requests, and maintaining audit records; and communication, including sending service updates, policy change notifications, and support responses.

Dux does not use personal data for advertising, commercial profiling, or any purpose unrelated to the delivery of educational services. Student data in particular is processed only as necessary to support the educational functions of the platform.

Dux processes personal data only for clear and legitimate purposes and in accordance with applicable law. The legal bases for processing include the performance of a contract, where processing is necessary to deliver the services agreed upon with the subscribing institution; compliance with a legal obligation, where processing is required under Turkish or applicable international law; the legitimate interests of Dux, where processing is necessary for platform security, fraud prevention, or service improvement, provided those interests are not overridden by the rights of the data subject; and consent, where users or institutions have explicitly agreed to specific processing activities.

Users are informed about the purposes of processing and may object to processing based on legitimate interests where applicable. Dux processes personal data transparently and with full respect for user rights under the Turkish Personal Data Protection Law (KVKK No. 6698).

Personal data is shared with third parties only under strict conditions. Dux does not sell user data to any third party under any circumstances.

Data may be shared with service providers engaged to support platform infrastructure, data hosting, technical operations, or customer support. In such cases, only the minimum data necessary is shared, and all third-party providers are contractually bound to maintain confidentiality and data protection standards equivalent to those applied by Dux.

Data may be disclosed to legal authorities, regulatory bodies, or government institutions where required by applicable law or a valid legal order. Such disclosures are always limited to what is strictly necessary to fulfill the legal obligation.

Where explicit institutional consent has been obtained, data may be shared with trusted partners involved in the delivery or integration of approved educational services. Users retain the right to request information about the scope and recipients of any shared data at any time.

Where personal data is transferred outside Turkey or the European Economic Area, appropriate safeguards will be applied to ensure that data protection standards are maintained, including the use of Standard Contractual Clauses or equivalent mechanisms where applicable.

The protection of student data is a priority for Dux. Student data is collected and processed only to the extent necessary to deliver the educational services for which access has been granted. Dux does not use student data for advertising, commercial profiling, or any purpose beyond the direct educational function of the platform.

Student data will not be shared with third parties except where required by law or where the subscribing institution has provided explicit consent for approved service providers. Institutions retain full control over student data within their environment and may request the deletion or export of that data at any time.

Institutions are responsible for ensuring that the collection and use of student data on the platform complies with applicable national laws and the institution's own data protection obligations, particularly where minors are involved.

Personal data is retained only for as long as necessary for the purpose for which it was collected. Retention periods take into account legal obligations, contractual requirements, and the legitimate interests of Dux and its users.

User and content data is retained for the duration of the Institution's active subscription. Upon termination of a subscription, the Institution may request a full data export within 30 days of termination. After this period, all data associated with the Institution's environment will be securely and permanently deleted from Dux systems using internationally recognized deletion standards.

Users may also request the deletion or anonymization of their personal data before the end of the standard retention period, subject to any overriding legal obligations. Such requests will be processed in accordance with applicable law and within a reasonable timeframe.

Dux implements advanced technical and organizational security measures to protect personal data from unauthorized access, breaches, loss, or alteration. These measures are reviewed and updated regularly to reflect current best practices and emerging threats.

All data transmitted to and from the platform is encrypted using secure protocols, including HTTPS and TLS. Data stored within Dux systems is encrypted at rest using strong encryption algorithms. Access to personal data is restricted to authorized personnel only, enforced through role-based access controls and multi-factor authentication where applicable.

In the event of a data breach or security incident that poses a risk to user rights, Dux will notify affected users and the relevant regulatory authorities promptly and in accordance with legal requirements. An incident response plan is maintained and tested regularly to ensure a rapid and effective response to any security event.

Users are encouraged to support platform security by using strong, unique passwords, keeping login credentials confidential, logging out of shared devices after use, and reporting any suspicious activity to Dux support immediately.

Dux uses cookies and similar tracking technologies to maintain platform functionality, personalize the user experience, and analyze platform performance. Cookies help ensure a secure, stable, and efficient service.

Essential cookies are strictly necessary for the platform to function and cannot be disabled. Functional cookies are used to remember user settings and preferences across sessions. Analytical cookies are used to monitor platform performance, identify technical issues, and support continuous service improvement. These analytical processes use anonymized or aggregated data wherever possible.

Users can manage their cookie preferences through their browser settings or the platform's cookie management interface. Withdrawing consent for non-essential cookies will not affect access to the platform's core educational functions. More detailed information about the cookies used by Dux is available in the platform's Cookie Policy.

Users have several rights regarding their personal data processed by Dux, in accordance with the Turkish Personal Data Protection Law (KVKK No. 6698) and other applicable regulations.

Users have the right to access their personal data and obtain detailed information about what is processed and why. Where personal data is inaccurate or incomplete, users have the right to request its correction. Under appropriate conditions, users may request the deletion or anonymization of their data. Users may object to specific data processing activities based on legitimate grounds, and in such cases processing shall cease unless overriding legal grounds are demonstrated.

Upon request, personal data shall be provided in a structured, commonly used, and machine-readable format and may be transferred directly to another data controller where technically feasible. Consent to data processing activities may be withdrawn at any time without affecting the lawfulness of processing that occurred before withdrawal.

Users have the right to lodge complaints directly with Dux's support team or to escalate the matter to the relevant data protection supervisory authority. Dux has established clear internal procedures to facilitate the prompt and transparent handling of all user rights requests.

This Privacy and Security Policy may be updated periodically to reflect changes in legal requirements, security standards, or platform services. Any updates that materially affect user rights or data processing practices will be communicated in advance through official channels, including email notifications or platform announcements.

Updates shall become effective on the stated effective date. Continued use of the platform after that date constitutes acceptance of the revised policy. Users are encouraged to review this policy regularly to stay informed about how their data is handled.

If you have questions about this Privacy and Security Policy, wish to exercise your data rights, or need to report a security concern, please contact the Dux platform support team at prof.dux@neu.edu.tr.

This document is reviewed annually and updated whenever significant changes to relevant legislation, security standards, or platform features occur. The most current version is always available within the platform's documentation section.