Privacy Policy - S2 Academy

1. Introduction

Welcome to S2 Academy ("we", "our", "us"). We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains:

What personal data we collect
Why we collect it
How we use it
How long we keep it
Your rights regarding your data
How to contact us

By using S2 Academy, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Data Controller

S2 Academy is the data controller responsible for your personal data.

Contact Information:

Email: contact@s2academy.net
For data protection queries: contact@s2academy.net (subject: "Data Protection Request")

3. What Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

Email address (required for OAuth authentication)
Name (provided by OAuth provider)
Account creation date
Account status (active, suspended, deleted)

3.2 Authentication Data

OAuth provider information (Google or GitHub)
Login timestamps
Authentication tokens (encrypted, stored securely)
Session identifiers (secure, HTTP-only cookies)

Note: We do not store passwords. Authentication is handled by trusted third-party OAuth providers (Google, GitHub).

3.3 Session and Usage Data

Lawful basis: Processing of session logs and activity is necessary for performance of the contract (to provide the Service) and for our legitimate interests in security and preventing abuse (Article 6(1)(b) and (f) UK GDPR).

Login and logout times
Session duration
Device information (browser type, operating system)
IP addresses
Geographic location (approximate, based on IP address)
Lab device assignments
Commands entered on lab devices
Configuration changes made
Device resource usage metrics

3.4 Communication Data

Support emails and correspondence
Feedback submissions
Bug reports

3.5 Payment Data (When Paid Plans Launch)

Payment method type (credit card, PayPal, etc.)
Billing address
Transaction history
Subscription status

Important: We do NOT store full credit card numbers. Payment processing is handled by third-party providers (Stripe, PayPal) who are PCI-DSS compliant.

3.6 Cookies and Tracking Data

Session cookies (essential for login)
Preference cookies (optional)
Analytics cookies (optional, with consent)

See our Cookie Policy for detailed information.

4. Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following legal grounds:

4.1 Contract Performance (Article 6(1)(b))

Processing necessary to provide the Service you've requested:

Creating and managing your account
Providing access to lab devices
Processing payments (when applicable)
Customer support

4.2 Consent (Article 6(1)(a))

Where you have given explicit consent:

Marketing communications (opt-in)
Non-essential cookies
Optional data collection for service improvement

4.3 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests:

Security monitoring and fraud prevention
Service improvement and analytics
Technical troubleshooting
Compliance with legal obligations

4.4 Legal Obligation (Article 6(1)(c))

Processing required by law:

Tax and accounting records
Responding to legal requests
Compliance with regulatory requirements

5. How We Use Your Personal Data

5.1 Service Delivery

Creating and managing your account
Authenticating your login via OAuth providers
Providing access to lab devices
Tracking session usage and time limits
Monitoring device isolation and security

5.2 Communication

Sending service-related notifications
Responding to support requests
Providing important updates about the Service

5.3 Payment Processing (Future)

Processing subscription payments
Managing billing and invoicing
Handling refunds

5.4 Security and Fraud Prevention

Detecting and preventing unauthorized access
Monitoring for suspicious activity
Preventing abuse of the Service
Enforcing Terms and Conditions

5.5 Service Improvement

Analyzing usage patterns
Identifying technical issues
Improving platform performance
Developing new features

5.6 Legal Compliance

Responding to legal requests
Complying with tax and accounting obligations
Enforcing our legal rights

6. Data Sharing and Disclosure

We do not sell your personal data to third parties. We share your data only in the following circumstances:

6.1 Third-Party Service Providers

We share data with trusted service providers who process data on our behalf:

Amazon Web Services (AWS)

Purpose: Hosting and infrastructure
Data shared: All service data
Location: United States (us-west-2 region)
Safeguards: UK-approved Standard Contractual Clauses, AWS Data Processing Agreement, encryption in transit and at rest

OAuth Providers (Google, GitHub)

Purpose: User authentication
Data shared: Email address, name, authentication tokens
Safeguards: OAuth 2.0 protocol, encrypted token storage

Email Service Provider (to be specified)

Purpose: Transactional emails, support communications
Data shared: Email address, name, communication content
Safeguards: Data Processing Agreement

Payment Processors (Stripe, PayPal - when applicable)

Purpose: Payment processing
Data shared: Payment information, billing address
Location: United States and EU
Safeguards: PCI-DSS compliance, Standard Contractual Clauses

All third-party providers are contractually obligated to:

Process data only as instructed
Implement appropriate security measures
Comply with data protection laws
Not use data for their own purposes

6.2 Legal Requirements

We may disclose your data when required by law:

In response to court orders or legal process
To comply with regulatory requirements
To protect our rights, property, or safety
To prevent fraud or illegal activity

6.3 Business Transfers

If S2 Academy is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

7. International Data Transfers

7.1 Data Location

S2 Academy operates from the United Kingdom, but parts of our infrastructure are hosted in the United States (AWS us-west-2 region).

7.2 Safeguards for International Transfers

When we transfer personal data outside the UK/EEA (for example to AWS in the United States), we implement appropriate safeguards such as UK-approved Standard Contractual Clauses (SCCs), data processing agreements, and technical measures (encryption in transit using TLS 1.2/1.3, secure credential management). Transfers to jurisdictions that do not offer an "adequacy decision" may be subject to these safeguards. You may request more details about the safeguards by contacting contact@s2academy.net.

Important: Data transferred to the United States may be subject to different government access laws than those in the UK/EEA. We implement additional technical and organizational measures to protect your data, including encryption and access controls.

7.3 Your Rights

You have the right to obtain information about the safeguards in place for international transfers. Contact us at contact@s2academy.net for details.

8. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy.

8.1 Retention Periods

Account Data:

Active accounts: Retained while account is active
Deleted accounts: Personal data deleted within 30 days from the date of deletion request
Exceptions: Data retained for legal/accounting purposes (up to 7 years from last activity)

Session Logs:

Retained for 90 days from session end for security and troubleshooting
Anonymized data may be retained longer for analytics

Communication Records:

Support emails: Retained for 2 years from last communication
Legal correspondence: Retained as long as legally required

Payment Data:

Transaction records: Retained for 7 years from transaction date (tax/accounting requirement)
Payment method details: Stored by payment processors, not by us

Cookies:

Session cookies: Deleted when browser closes
Preference cookies: Retained until you delete them or opt-out
Analytics cookies: Typically 2 years or until you opt-out

8.2 Deletion After Retention Period

When retention periods expire, we:

Securely delete personal data
Anonymize data for statistical purposes
Archive data that must be retained for legal reasons

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

9.1 Technical Measures

Encryption in Transit: All data transmitted between your browser and our servers is encrypted using industry-standard TLS 1.2/1.3 protocols with SSL certificates. All HTTP connections are automatically redirected to secure HTTPS connections.
Encryption at Rest: Application secrets and credentials (API keys, authentication tokens, database passwords) are encrypted and stored in AWS Systems Manager Parameter Store using AWS SecureString encryption.
Secure Authentication: We use OAuth 2.0 authentication through trusted third-party providers (Google, GitHub). Authentication tokens and session identifiers are protected using secure cookie settings including Secure flag (HTTPS-only), HttpOnly flag (XSS protection), and SameSite policy (CSRF protection).
Database Security: User data is stored in a managed PostgreSQL database. Database connection credentials are encrypted in AWS Parameter Store and transmitted over encrypted connections.
Regular security updates and patches
Firewall and intrusion detection systems
Access controls and authentication

9.2 Organizational Measures

Limited access to personal data (need-to-know basis)
Employee confidentiality agreements
Security awareness training
Incident response procedures
Regular security audits

9.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) in accordance with applicable law and notify affected individuals where required. We will provide information about the nature of the breach, likely consequences, and measures taken in response.

No security is perfect. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

10. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

10.1 Right of Access (Article 15)

You can request a copy of your personal data
First copy is free; additional copies may incur a fee

10.2 Right to Rectification (Article 16)

You can correct inaccurate or incomplete data
Update your account information directly in your account settings
Or contact us to make changes

10.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data
We will comply unless we have legal grounds to retain it
Contact us at contact@s2academy.net to request deletion

10.4 Right to Restriction of Processing (Article 18)

You can request we limit how we use your data
Applicable in specific circumstances (e.g., during a dispute)

10.5 Right to Data Portability (Article 20)

You can receive your data in a structured, machine-readable format
You can request we transfer your data to another service

10.6 Right to Object (Article 21)

You can object to processing based on legitimate interests
You can object to direct marketing at any time

10.7 Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making or profiling that produces legal effects.

10.8 How to Exercise Your Rights

To exercise any of these rights:

Email: contact@s2academy.net
Subject line: "Data Protection Request"
Include: Your name, email address, and specific request

How we respond: We will respond to requests to exercise your rights without undue delay and in any event within 30 days of receipt. Where requests are complex or numerous, we may extend this period by a further two months; we will inform you of any extension and the reason for it within one month of receipt. We may request information to verify your identity before fulfilling a request.

11. Cookies

S2 Academy uses only essential cookies necessary to provide our Service. We do not use analytics, marketing, or tracking cookies.

11.1 What Cookies We Use

Essential Cookies

Session Cookie (session)

Purpose: Maintains your authenticated login session
Type: First-party, HTTP-only, Secure
Duration: Session (deleted when you close your browser)
Data stored: Encrypted session identifier (no personal data stored in cookie)
Security measures:
- HTTPS-only transmission (Secure flag)
- Protected from JavaScript access (HttpOnly flag)
- CSRF protection (SameSite=Lax)
Legal basis: Strictly necessary for service operation (Article 6(1)(b) UK GDPR)

This cookie cannot be disabled as it is essential for logging in and accessing lab devices. The cookie itself only contains an encrypted session identifier; all actual session data (email address, authentication status, OAuth provider information) is stored securely on our servers.

OAuth Provider Cookies (Third-Party)

When you log in using Google or GitHub, these providers may set their own cookies during the authentication process:

Google OAuth Cookies:

Provider: Google LLC
Purpose: Facilitate Google OAuth 2.0 authentication
Duration: Set by Google (typically session-based)
Privacy Policy: https://policies.google.com/privacy
Legal basis: Necessary for authentication service

GitHub OAuth Cookies:

Provider: GitHub, Inc. (Microsoft)
Purpose: Facilitate GitHub OAuth authentication
Duration: Set by GitHub (typically session-based)
Privacy Policy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement
Legal basis: Necessary for authentication service

Note: These cookies are set by the OAuth providers during the authentication redirect flow and are required to complete the login process. We do not control or access these cookies directly. They are managed by the respective OAuth providers.

11.2 Cookies We Do NOT Use

S2 Academy does not use:

Analytics cookies (Google Analytics, Plausible, etc.)
Marketing or advertising cookies (Facebook Pixel, Google Ads, etc.)
Social media cookies (social sharing widgets)
Preference cookies (theme, language settings stored client-side)
Performance cookies (A/B testing, heatmaps)

11.3 How to Control Cookies

Browser Settings:

You can configure your browser to refuse cookies, but this will prevent you from logging in to S2 Academy. Instructions for managing cookies:

Chrome: Settings → Privacy and security → Cookies and other site data
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Cookies and website data
Edge: Settings → Cookies and site permissions → Cookies and site data

Important: Disabling essential cookies will prevent you from using S2 Academy. You are responsible for logging out when using shared devices to end your session.

11.4 No Consent Required

Under UK GDPR and PECR (Privacy and Electronic Communications Regulations), we are not required to obtain consent for essential cookies that are strictly necessary for the service you have requested. All cookies used by S2 Academy fall into this category.

No cookie consent banner is required or displayed as all cookies are strictly necessary for service operation.

11.5 Analytics and Usage Tracking

We collect usage analytics through server-side logging (not cookies), including:

Session timestamps and duration
Device usage and assignments
IP addresses and browser information
Queue wait times and positions

This data is stored in our secure database and is necessary for service delivery, security monitoring, and service improvement. No client-side tracking cookies are used for this purpose.

11.6 Future Changes

If we introduce non-essential cookies (such as analytics or marketing cookies) in the future, we will:

Update this Privacy Policy
Notify you via email or prominent website notice
Implement a cookie consent banner
Provide options to accept or reject non-essential cookies

12. Children's Privacy

S2 Academy is intended for users aged 13 and above.

12.1 Users Under 13

We do not knowingly collect data from children under 13
If we discover we have collected such data, we will delete it immediately
Parents/guardians can contact us if they believe we have data from a child under 13

12.2 Users Aged 13-17

Users under 18 should have parental/guardian consent
Parents/guardians can request access to or deletion of their child's data

13. Marketing Communications

13.1 Opt-In

We will only send marketing emails if you opt-in
During beta, we send only service-related communications

13.2 Opt-Out

You can unsubscribe from marketing emails at any time
Click "unsubscribe" in any marketing email
Or email contact@s2academy.net with "Unsubscribe" in the subject

13.3 Service Communications

We may send essential service communications regardless of marketing preferences. Examples include security alerts, policy changes, and account notifications.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

14.1 Notification of Changes

Updated policies will be posted with a new "Last Updated" date
Material changes will be notified via email or prominent website notice
We will provide at least 14 days' notice for significant changes

14.2 Your Continued Use

Continued use of the Service after changes take effect constitutes acceptance
If you disagree with changes, you may delete your account

15. Your Right to Complain

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the supervisory authority.

15.1 UK Information Commissioner's Office (ICO)

Contact:

Website: https://ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15.2 Contact Us First

We encourage you to contact us first (contact@s2academy.net) so we can try to resolve your concern directly.

16. Contact Information

For any questions, concerns, or requests about this Privacy Policy or our data practices:

Email: contact@s2academy.net
Subject: "Privacy Inquiry" or "Data Protection Request"
Response Time: We aim to respond within 5 business days

17. Definitions

Personal Data: Any information relating to an identified or identifiable individual.
Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).
Data Controller: The entity that determines the purposes and means of processing personal data (S2 Academy).
Data Processor: A third party that processes personal data on behalf of the data controller (e.g., AWS).
UK GDPR: The UK General Data Protection Regulation, as retained in UK law after Brexit.