Controller and scope
LinkWho operates Veehax Learn and which activities this privacy policy covers.
Veehax operates Veehax Learn and is responsible for the personal information handled through the platform, subject to the role of service providers and the limits described in this Privacy Policy.
This policy applies to Veehax Learn public pages, learner accounts, exam registration and proctoring workflows, public certificate verification, notifications, and support interactions. It does not automatically apply to separate Veehax products unless they link to or incorporate this policy.
Global use with Sri Lanka operations
Veehax operates from Sri Lanka and serves a global audience. Some service providers may process data in jurisdictions outside the learner's home country.
What data we collect
LinkThe categories of information Veehax Learn may process in normal operations.
- Identity and account data
- Name, email address, account identifiers, username, avatar, and other profile details provided directly by the learner or through a supported sign-in provider.
- Authentication and security data
- Password or login events, magic-link actions, OAuth details, MFA status, verified phone status, device/session history, IP address, and security alerts.
- Profile data
- Country, phone number, biography, username, profile edits, and similar account preferences.
- Learning and platform activity
- Enrollments, module completion, progress, points, badges, dashboard metrics, and related learning interactions.
- Exam and payment data
- Exam registrations, attempt numbers, coupon codes, payment references, payment status, receipts, and operational billing data.
- Proctoring event metadata
- Flags, counts, timestamps, session warnings, termination reasons, and other exam-integrity signals generated during secure exam monitoring.
- Certificate and verification data
- Certificate numbers, hashes, PDF URLs, IPFS CIDs, blockchain references, issuance dates, and revocation status.
- Communications and support data
- Email messages, support requests, notice history, and records required to answer a request or resolve a dispute.
- AI study assistant data
- Learner prompts, concept requests, and module-context text sent to the configured AI provider so the study assistant can return explanations or answers.
- Push notification data
- Web push subscription endpoints and related cryptographic keys used to deliver browser notifications.
How we collect data
LinkThe sources from which personal information enters the platform.
- Directly from learners when they create an account, edit a profile, verify a phone number, ask for support, register for an exam, or use the AI study assistant.
- Automatically from the browser, device, and platform when the learner signs in, studies, starts an exam session, or interacts with public pages.
- From supported providers when the learner signs in using OAuth, completes hosted payment checkout, or receives SMS or email communications.
- From public certificate verification actions and certificate lifecycle operations performed inside the platform.
Veehax does not currently describe the platform as an advertising network and does not position Veehax Learn around third-party ad tracking.
How we use data
LinkThe main operational purposes behind the information Veehax collects.
- To create and manage learner accounts, authenticate users, and protect the platform against abuse or fraud.
- To provide access to free learning content, track progress, award badges or points, and manage learner experience features.
- To validate exam eligibility, collect exam fees, manage attempts, run secure exam sessions, and maintain integrity controls.
- To issue, store, and verify certificates, including public authenticity checks where certificate data is intentionally exposed for verification.
- To provide support, respond to requests, send service messages, and investigate security or payment issues.
- To run the AI study assistant, including sending prompts and relevant module context to the configured AI provider.
- To comply with legal obligations, enforce the Terms & Conditions, and resolve billing or refund matters under the Refund Policy.
AI, proctoring, and certificate verification
LinkSpecial privacy considerations for the secure-exam and verification features.
Veehax Learn includes an AI-powered study assistant and a high-security exam environment. Those features involve different privacy expectations and are handled separately in the platform design.
Proctoring privacy note
Secure exam sessions require camera and microphone permissions. Based on the current product design and SRS, raw video frames are not transmitted to Veehax servers during AI-assisted proctoring; instead, the platform stores analysis event metadata such as flags, counts, timestamps, and termination reasons.
The AI study assistant sends learner questions, requested concepts, and limited module-context text to the configured AI provider so it can generate a response. Learners should avoid entering unnecessary sensitive personal data into study-assistant prompts.
Certificate verification is intentionally designed to be publicly accessible. A certificate number, issuance status, hashes, IPFS references, and blockchain references may be displayed or checked so employers and third parties can verify authenticity.
Sharing and service providers
LinkThe main categories of third parties that help operate Veehax Learn.
Veehax does not describe Veehax Learn as a marketplace for selling personal data. Instead, Veehax shares information with service providers and infrastructure partners where needed to deliver the platform, secure transactions, and support learners.
Service
Supabase
Role
Authentication, database, and storage infrastructure
Data categories
Account records, profile data, session data, certificate files, and application data stored by the platform
Why used
To operate authentication, persistent application data, and certificate storage.
Region
Configured by Veehax; the SRS references Singapore for core data residency.
Service
Dialog Genie Business
Role
Hosted payment checkout and payment status events
Data categories
Payment references, checkout metadata, transaction status, and limited customer identifiers such as learner ID, email, and name
Why used
To process paid certification exam registration fees without Veehax handling raw card details.
Region
Provider-controlled
Service
Twilio
Role
SMS delivery for phone verification and SMS-based MFA
Data categories
Phone numbers, one-time passcodes, and delivery metadata
Why used
To verify phone ownership and deliver additional authentication challenges.
Region
Provider-controlled
Service
Resend
Role
Transactional email delivery
Data categories
Email addresses, notification content, and delivery metadata
Why used
To deliver verification, certificate, and security-related email messages.
Region
Provider-controlled
Service
Google and GitHub OAuth
Role
Optional third-party sign-in providers
Data categories
Basic identity information made available by the provider, such as email, name, and avatar
Why used
To let learners sign in using supported third-party identity providers.
Region
Provider-controlled
Service
Configured AI provider
Role
AI study assistant responses
Data categories
Learner prompts, module context, content snippets, and generated responses
Why used
To answer learner questions and explain module concepts inside the study assistant.
Region
Provider-controlled; depends on the configured AI provider in production.
Service
Vercel
Role
Hosting and edge delivery
Data categories
Standard request metadata, logs, and application delivery data
Why used
To host and deliver the Veehax Learn web application.
Region
Provider-controlled
Service
Upstash Redis
Role
Rate limiting and short-lived verification storage
Data categories
Rate-limit counters, OTP values, temporary challenge state, and anti-abuse metadata
Why used
To protect authentication and other sensitive routes against abuse.
Region
Provider-controlled
Service
IP geolocation lookup
Role
Adaptive security and suspicious-login checks
Data categories
IP address and derived location or proxy indicators
Why used
To trigger extra verification for unusual sign-in behavior.
Region
Provider-controlled
Service
YouTube / YouTube No-Cookie
Role
Embedded learning media when Veehax uses hosted video content
Data categories
Video request metadata and device/browser details associated with embedded playback
Why used
To display supported video learning content.
Region
Provider-controlled
Service
IPFS and blockchain anchoring services
Role
Certificate integrity and public verification
Data categories
Certificate hashes, IPFS CIDs, blockchain transaction references, and public verification metadata
Why used
To support public authenticity checks for issued certificates.
Region
Public or provider-controlled networks
| Service | Role | Data categories | Why used | Region |
|---|---|---|---|---|
| Supabase | Authentication, database, and storage infrastructure | Account records, profile data, session data, certificate files, and application data stored by the platform | To operate authentication, persistent application data, and certificate storage. | Configured by Veehax; the SRS references Singapore for core data residency. |
| Dialog Genie Business | Hosted payment checkout and payment status events | Payment references, checkout metadata, transaction status, and limited customer identifiers such as learner ID, email, and name | To process paid certification exam registration fees without Veehax handling raw card details. | Provider-controlled |
| Twilio | SMS delivery for phone verification and SMS-based MFA | Phone numbers, one-time passcodes, and delivery metadata | To verify phone ownership and deliver additional authentication challenges. | Provider-controlled |
| Resend | Transactional email delivery | Email addresses, notification content, and delivery metadata | To deliver verification, certificate, and security-related email messages. | Provider-controlled |
| Google and GitHub OAuth | Optional third-party sign-in providers | Basic identity information made available by the provider, such as email, name, and avatar | To let learners sign in using supported third-party identity providers. | Provider-controlled |
| Configured AI provider | AI study assistant responses | Learner prompts, module context, content snippets, and generated responses | To answer learner questions and explain module concepts inside the study assistant. | Provider-controlled; depends on the configured AI provider in production. |
| Vercel | Hosting and edge delivery | Standard request metadata, logs, and application delivery data | To host and deliver the Veehax Learn web application. | Provider-controlled |
| Upstash Redis | Rate limiting and short-lived verification storage | Rate-limit counters, OTP values, temporary challenge state, and anti-abuse metadata | To protect authentication and other sensitive routes against abuse. | Provider-controlled |
| IP geolocation lookup | Adaptive security and suspicious-login checks | IP address and derived location or proxy indicators | To trigger extra verification for unusual sign-in behavior. | Provider-controlled |
| YouTube / YouTube No-Cookie | Embedded learning media when Veehax uses hosted video content | Video request metadata and device/browser details associated with embedded playback | To display supported video learning content. | Provider-controlled |
| IPFS and blockchain anchoring services | Certificate integrity and public verification | Certificate hashes, IPFS CIDs, blockchain transaction references, and public verification metadata | To support public authenticity checks for issued certificates. | Public or provider-controlled networks |
Cookies, sessions, and notifications
LinkHow browser-state, session, and notification data are used inside the platform.
Veehax Learn uses authentication and session mechanisms to keep users signed in, protect privileged actions, and remember necessary application state. These mechanisms may rely on cookies, browser storage, or similar browser features.
Veehax also uses push-subscription data when learners choose to enable web push notifications. Learners can revoke browser notification permissions and unsubscribe from notifications through supported platform flows.
The platform may embed media from supported providers such as YouTube or YouTube No-Cookie when learning content requires it. Those providers may receive standard request metadata when the learner opens embedded media.
Data retention
LinkRetention standards by category, including areas that should be finalized during legal review.
Category
Profile and account records
Retention standard
Retained while the account remains active and for a reasonable operational or legal period after closure.
Trigger
Retention is reviewed when an account is deactivated or anonymized.
Notes
The current application supports account anonymization through the authenticated account deletion flow.
Category
Authentication, device, and session security records
Retention standard
Retained for security monitoring, fraud prevention, and audit purposes for a limited operational period.
Trigger
Retention may be extended when Veehax investigates abuse, fraud, or policy violations.
Notes
Reviewed operationally.
Category
Payments and billing records
Retention standard
Retained for accounting, dispute handling, fraud review, and legal compliance obligations.
Trigger
Retention follows Veehax accounting and statutory record-keeping needs.
Notes
Reviewed operationally.
Category
Exam registrations and attempt records
Retention standard
Retained while a registration remains relevant to eligibility, audit, certification, or dispute handling.
Trigger
Reviewed after the exam lifecycle ends and related obligations expire.
Notes
Reviewed operationally.
Category
Proctoring event metadata
Retention standard
Retained only as long as necessary to investigate exam integrity, resolve disputes, and enforce exam rules.
Trigger
Retention may continue for an active integrity investigation, appeal, or regulatory requirement.
Notes
The platform stores event metadata such as flags, counts, timestamps, and termination reasons rather than raw video footage.
Category
Certificates and public verification data
Retention standard
Retained for as long as Veehax offers certificate verification or needs to preserve an authenticity trail.
Trigger
Records may remain available even after an account closes so certificate status can still be validated.
Notes
Reviewed operationally.
Category
Support and communications records
Retention standard
Retained for a limited period needed to resolve support issues, enforce terms, and improve operations.
Trigger
Reviewed after a support thread is closed unless a dispute or legal hold applies.
Notes
Reviewed operationally.
Category
AI study assistant interactions
Retention standard
Handled according to the configured production AI workflow and Veehax operational settings.
Trigger
Retention should be reviewed before final legal publication if prompt logging is expanded.
Notes
The current product sends prompt and module-context data to the configured AI provider to generate responses.
Category
Push notification subscriptions
Retention standard
Retained until the learner unsubscribes, the browser invalidates the subscription, or Veehax removes stale endpoints.
Trigger
Automatically or manually removed when a push subscription is revoked or invalid.
Notes
Reviewed operationally.
| Category | Retention standard | Trigger | Notes |
|---|---|---|---|
| Profile and account records | Retained while the account remains active and for a reasonable operational or legal period after closure. | Retention is reviewed when an account is deactivated or anonymized. | The current application supports account anonymization through the authenticated account deletion flow. |
| Authentication, device, and session security records | Retained for security monitoring, fraud prevention, and audit purposes for a limited operational period. | Retention may be extended when Veehax investigates abuse, fraud, or policy violations. | Reviewed operationally. |
| Payments and billing records | Retained for accounting, dispute handling, fraud review, and legal compliance obligations. | Retention follows Veehax accounting and statutory record-keeping needs. | Reviewed operationally. |
| Exam registrations and attempt records | Retained while a registration remains relevant to eligibility, audit, certification, or dispute handling. | Reviewed after the exam lifecycle ends and related obligations expire. | Reviewed operationally. |
| Proctoring event metadata | Retained only as long as necessary to investigate exam integrity, resolve disputes, and enforce exam rules. | Retention may continue for an active integrity investigation, appeal, or regulatory requirement. | The platform stores event metadata such as flags, counts, timestamps, and termination reasons rather than raw video footage. |
| Certificates and public verification data | Retained for as long as Veehax offers certificate verification or needs to preserve an authenticity trail. | Records may remain available even after an account closes so certificate status can still be validated. | Reviewed operationally. |
| Support and communications records | Retained for a limited period needed to resolve support issues, enforce terms, and improve operations. | Reviewed after a support thread is closed unless a dispute or legal hold applies. | Reviewed operationally. |
| AI study assistant interactions | Handled according to the configured production AI workflow and Veehax operational settings. | Retention should be reviewed before final legal publication if prompt logging is expanded. | The current product sends prompt and module-context data to the configured AI provider to generate responses. |
| Push notification subscriptions | Retained until the learner unsubscribes, the browser invalidates the subscription, or Veehax removes stale endpoints. | Automatically or manually removed when a push subscription is revoked or invalid. | Reviewed operationally. |
International users and your rights
LinkRights, choices, and transfer considerations for a global user base.
Because Veehax serves a global audience, personal information may be processed in jurisdictions outside the learner's home country when Veehax or its providers operate services internationally.
- Authenticated users can request access to an export of core account data through
GET /api/user/export. - Authenticated users can request account closure through
DELETE /api/user/account, which currently anonymizes and deactivates profile information instead of purging every related operational record. - Learners can update core profile data through the profile-management experience and related account endpoints.
- Learners can disable or revoke web push notifications through browser controls or the platform unsubscribe flow.
- Privacy-related questions and rights requests can be sent to hello@veehax.com.
Veehax may need to keep certain records even after a deletion or objection request when the data remains necessary for security, accounting, certificate verification, dispute resolution, or legal compliance.
Security safeguards
LinkOperational and technical controls that protect the platform today.
Veehax uses a mix of technical and organizational controls to protect Veehax Learn, including transport security, content security restrictions, rate limiting, authentication controls, audit logging, and environment-variable based secret handling.
- HTTPS, HSTS, and browser security headers are part of the current platform stack.
- Administrative actions are logged so Veehax can review sensitive changes.
- Authentication flows support MFA, verified email requirements for admin access, and optional verified phone workflows.
- No internet service is perfectly secure, so Veehax cannot promise absolute security.
Changes to this policy and contact
LinkHow updates are published and where learners should direct privacy questions.
Veehax may update this Privacy Policy when platform features, providers, or compliance expectations change. The current version is the version posted on learn.veehax.com.
Questions, complaints, or privacy requests may be sent to hello@veehax.com. General support remains available at hello@veehax.com.