Chattina logo

Legal

Privacy Policy

Last updated: 25 March 2026

1. Data Controller

Chattina Educational CMS ("Chattina", "we", "us", or "our") is the data controller responsible for your personal data.

  • Registered address: [Your registered address in Malta]
  • Email: support@chattina.io
  • Data Protection Officer: support@chattina.io

We process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR"), the Data Protection Act (Cap. 586 of the Laws of Malta), and subsidiary legislation S.L. 586.01 on the processing of personal data in the electronic communications sector.

2. Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Data you provide directly

  • Account data: display name, email address, password (hashed), and role (educator or student)
  • Educational content: HTML artefacts, course titles, and descriptions uploaded by educators. All uploaded HTML artefacts are automatically processed by a server-side sanitization pipeline that scans for security threats; the original upload and a sanitized copy are both stored in Firebase Cloud Storage, along with a security audit report.
  • Enrolment data: course enrolments and access codes entered by students
  • Profile data: display name, username, bio, institution, profile visibility preference, and role-specific details (educators: title, department, specializations, office hours, website; students: year of study, field of study, interests)
  • Profile images: uploaded profile photos (JPEG, PNG, or WebP, max 5 MB)
  • Student identifier: institutional student ID (optional, stored privately and never displayed publicly)
  • Contact form data: name, email address, subject, and message submitted through the contact support form. This data is used solely to respond to your enquiry and is not stored in our database.

2.2 Data collected automatically

  • Technical data: IP address, browser type, device information, and operating system
  • Usage data: pages visited, features used, timestamps of access, and interaction patterns
  • Authentication tokens: session data managed by Firebase Authentication
  • Third-party authentication data: when signing in via Google, we receive your Google display name, email address, and profile photo URL; when signing in via Microsoft, we receive the equivalent Microsoft account display name, email address, and profile photo URL
  • Learning engagement data (students only, per artefact): time spent viewing, scroll depth (whether the student reached the end of the page), number of interactions (clicks), and session count. See Section 17 for full details.

3. Legal Basis for Processing

Under Article 6 of the GDPR, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the educational platform services you have registered for, including account management, course enrolment, and content delivery.
  • Consent (Art. 6(1)(a)) — for optional analytics cookies and any processing beyond what is strictly necessary for service delivery. You may withdraw consent at any time.
  • Legitimate interests (Art. 6(1)(f)) — for platform security, fraud prevention, and service improvement, where these interests are not overridden by your fundamental rights.
  • Legal obligation (Art. 6(1)(c)) — where we are required to process data by Maltese or EU law.

4. Purposes of Processing

  • Providing and maintaining the Chattina platform
  • Authenticating users and managing accounts
  • Enabling course creation, enrolment, and artefact delivery
  • Scanning and sanitizing uploaded HTML artefacts to protect students from malicious content
  • Tracking learning engagement (time spent, scroll depth, interactions) to support course completion tracking and educator insight
  • Communicating service-related notices
  • Responding to support enquiries submitted via the contact form
  • Ensuring platform security and preventing misuse
  • Improving the platform based on aggregated, anonymised usage patterns

5. Data Sharing and International Transfers

5.1 Third-party processors

We use the following third-party data processors:

  • Google Firebase (Google Ireland Ltd) — authentication, database (Firestore), and file storage (Cloud Storage). Google acts as a data processor under the Google Cloud Data Processing Addendum.
  • Microsoft Corporation — optional Sign-In authentication provider. Microsoft acts as an independent data controller for data held within your Microsoft account. See Microsoft's Privacy Statement for details.

5.2 International transfers

We configure Firebase to use the europe-west1 (Belgium) region where available to minimise transfers outside the EU. Where data is transferred to the United States (e.g., for Google support or sub-processing), the following safeguards are in place:

  • EU-US Data Privacy Framework (DPF): Google LLC is certified under the DPF, for which the European Commission adopted an adequacy decision in July 2023 under Article 45 of the GDPR.
  • Standard Contractual Clauses (SCCs): Google's Data Processing Amendment includes the EU SCCs as a fallback safeguard in the event the DPF adequacy decision is invalidated.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

6. Data Retention

  • Account data: retained for the duration of your account. Upon account deletion, personal data is erased within 30 days, except where retention is required by law.
  • Educational content: artefacts uploaded by educators are retained until the educator deletes them or their account is terminated.
  • Usage logs: automatically deleted after 12 months.
  • Backups: purged within 90 days of data deletion from the live system.
  • Profile images: retained until the user replaces or removes them, or their account is deleted. Default avatars are generic illustrations and contain no personal data.

7. Cookies and Similar Technologies

In accordance with S.L. 586.01 (transposing the ePrivacy Directive into Maltese law), we use the following categories of cookies:

  • Strictly necessary cookies: essential for authentication and platform functionality. These do not require consent under Regulation 5(3) of S.L. 586.01.
  • Analytics cookies (optional): used to understand how the platform is used at a product level. Provided by Firebase Analytics (Google Analytics). These cookies — _ga, _gid, and _ga_<ID> — are only placed with your explicit consent and can be rejected or withdrawn at any time via the cookie settings banner. See Section 18 for full details.

You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of any page.

8. Your Rights Under GDPR

Under the GDPR and the Data Protection Act (Cap. 586), you have the following rights:

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
  • Right to restriction (Art. 18) — restrict processing in certain circumstances
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
  • Right to profile privacy — make your profile private at any time via profile settings, preventing public visibility
  • Right to remove profile image — delete your uploaded profile image at any time

To exercise any of these rights, contact us at support@chattina.io. We will respond within 30 days, as required by Article 12(3) of the GDPR.

9. Children's Data

Chattina is intended for use by students aged 13 and above. Under Article 8 of the GDPR, as implemented by Malta's national derogation (which sets the age of digital consent at 13), we do not knowingly collect personal data from children under 13 without verifiable parental or guardian consent.

For users between the ages of 13 and 17, we process only the minimum data necessary for educational service delivery. Educators and educational institutions using Chattina are responsible for obtaining appropriate parental consent where required by their institutional policies or applicable law.

If you believe we have inadvertently collected data from a child under 13 without proper consent, please contact us immediately at support@chattina.io and we will promptly delete such data.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Firebase Authentication with secure password hashing
  • Role-based access controls (educator vs. student permissions)
  • Firestore security rules restricting data access by user role
  • Regular security reviews and dependency updates

11. Data Breach Notification

In the event of a personal data breach, we will notify the Information and Data Protection Commissioner (IDPC) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34.

12. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority in Malta:

Information and Data Protection Commissioner (IDPC)

Floor 2, Airways House

High Street, Sliema SLM 1549, Malta

Email: idpc.info@idpc.org.mt

Website: https://idpc.org.mt

13. Profile Information & Visibility

Users have a profile containing their display name, avatar, bio, role, and institution. Profiles are public by default — accessible via a unique profile URL (/profile/{username}). Users can switch their profile to private at any time via profile settings. When private, profile information is only visible to the account holder.

Email addresses are never displayed publicly regardless of privacy setting. Other users cannot search for or discover private profiles.

14. Profile Images

Users may upload a profile image or select from default avatars. Uploaded images are stored in Firebase Cloud Storage. Images are processed client-side (cropped) before upload — no server-side processing occurs.

Accepted formats: JPEG, PNG, WebP (max 5 MB). Images are retained until the user replaces or removes them, or deletes their account. Default avatars are generic illustrations and contain no personal data.

15. Google Account Integration

Users may optionally sign in or link their account using Google Sign-In. Data accessed from Google: display name, email address, profile photo URL. This data is used solely for authentication and initial profile setup.

No additional Google account data (contacts, calendar, drive, etc.) is accessed. Users can unlink their Google account at any time. Google's privacy policy applies to data held by Google: https://policies.google.com/privacy.

16. Microsoft Account Integration

Users may optionally sign in or register using Microsoft Sign-In. Data accessed from Microsoft: display name, email address, and profile photo URL. This data is used solely for authentication and initial profile setup.

No additional Microsoft account data (OneDrive, contacts, calendar, etc.) is accessed. Users can unlink their Microsoft account at any time. Microsoft's privacy policy applies to data held by Microsoft: https://privacy.microsoft.com/en-us/privacystatement.

17. Learning Analytics and Engagement Tracking

When a student views an artefact, Chattina automatically records the following engagement signals to support course progress tracking and educator insight:

  • Time spent: total seconds actively viewing the artefact (paused while the browser tab is in the background)
  • Scroll depth: the highest percentage of the artefact page reached, including whether the student scrolled to the bottom
  • Interaction count: total number of clicks made inside the artefact
  • Session count: number of times the artefact was opened
  • Timestamps: date and time of first and most recent viewing

Who can see this data: the student themselves (via their course progress view) and the educator of the course to which the artefact belongs. No other users can access this data.

Legal basis: performance of the educational service contract (Art. 6(1)(b) GDPR) for the purpose of activity completion tracking; legitimate interests (Art. 6(1)(f)) for educator engagement insight, where these interests are not overridden by the student's rights.

Retention: engagement records are deleted when the student's account is deleted, or upon a valid erasure request submitted to support@chattina.io.

Technical implementation: a minimal script is injected into the artefact page that uses IntersectionObserver and a click counter to report signals to the Chattina host page via postMessage. No script within the artefact can read data outside of its sandboxed iframe.

17b. Behavioural Interaction Tracking (Heatmaps)

With your explicit consent (via the "Behavioural Tracking" toggle in the cookie preferences panel), Chattina may record how you interact with individual learning artefacts to help educators improve content layout and design.

What is collected:

  • Cursor position: sampled at 10 Hz and normalised to a relative coordinate grid (0–100% of the document width and height). Absolute screen coordinates are never stored.
  • Click coordinates: position of each click within the artefact, normalised as above. The HTML element tag (e.g. button, a) is recorded; the text content is not.
  • Scroll depth: how far down the artefact page you scrolled, captured as a percentage in 20 equal bands.

What is NOT collected: form field inputs, textarea content, or any events from interactive inputs — a privacy filter in the tracking script explicitly excludes <input>, <textarea>, <select>, and contenteditable elements.

How data is processed: raw interaction events are pre-aggregated in your browser into a compact grid before being written to our database. No raw event sequences, timestamps, or IP addresses are stored in session documents. Educator dashboards display only aggregated density data across all students — individual student sessions are not identifiable in the heatmap view.

Legal basis: consent (Art. 6(1)(a) GDPR). Behavioural tracking is disabled until you explicitly enable the "Behavioural Tracking" toggle in the cookie preferences panel. This consent is separate from and independent of the analytics cookies consent.

Retention: per-session tracking documents are automatically deleted after 90 days. Aggregated heatmap data (which contains no personal identifiers) is retained for as long as the associated course exists.

Withdrawing consent: open the "Cookie Preferences" link in the site footer at any time, toggle off "Behavioural Tracking", and save. Tracking stops immediately. You may also request deletion of your historical session data by emailing support@chattina.io or using the "Delete Tracking Data" option in your account settings (if available). Note: aggregated heatmaps derived from your data cannot be individually un-merged but contain no personal information.

18. Product Analytics (Firebase Analytics)

With your consent (via the cookie banner), we use Firebase Analytics, a product analytics service provided by Google Ireland Ltd. Firebase Analytics collects anonymised usage events to help us understand how the platform is used and guide product improvements.

What is collected: anonymised event data such as page views, feature interactions (e.g. artefact opened, course enrolled), device type, and approximate geographic region. Firebase Analytics does not collect your name, email address, or any data that directly identifies you.

Cookies placed (consent required): _ga, _gid, and _ga_<ID>. These are only set after you click "Accept All" on the cookie banner.

Legal basis: consent (Art. 6(1)(a) GDPR). Analytics is disabled until consent is granted and can be withdrawn at any time by clicking "Reject Optional" in the cookie banner.

Data transfer: Firebase Analytics data may be transferred to Google servers in the United States under the EU-US Data Privacy Framework adequacy decision. Google's privacy policy applies to data processed through Firebase Analytics: https://policies.google.com/privacy.

Opt-out: you may also opt out of Google Analytics across all websites using the Google Analytics opt-out browser add-on.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Where required by law, we will obtain your renewed consent.

20. Contact Us

For any questions about this Privacy Policy or our data practices, please visit our contact page.