Skip to main content
Learn
Veehax logo
Sign In
Draft for review
Version 1.0
Veehax Learn only

Privacy Policy

This Privacy Policy explains how Veehax collects, uses, shares, secures, and retains personal information in connection with Veehax Learn.

Visitors to learn.veehax.com and Veehax Learn public pagesRegistered learners, exam candidates, certificate holders, and account administratorsSupport requests, security events, AI study-assistant use, and public certificate verification workflows

Effective date

April 1, 2026

Last updated

April 1, 2026

Operating entity

Veehax

Negombo, Western Province, Sri Lanka · Sri Lanka

Change summary

  • Initial structured legal document framework for Veehax Learn.
  • Aligned to the current free-learning and paid-exam operating model.
  • References the current payment, security, proctoring, and certificate flows visible in the codebase.

On this page

Controller and scopeWhat data we collectHow we collect dataHow we use dataAI, proctoring, and certificate verificationSharing and service providersCookies, sessions, and notificationsData retentionInternational users and your rightsSecurity safeguardsChanges to this policy and contact

Key facts

Product

Veehax Learn

Operator

Veehax

Governing law

Sri Lanka

Review owner

Veehax product, operations, and legal review owners

Controller and scope

Link

Who operates Veehax Learn and which activities this privacy policy covers.

Veehax operates Veehax Learn and is responsible for the personal information handled through the platform, subject to the role of service providers and the limits described in this Privacy Policy.

This policy applies to Veehax Learn public pages, learner accounts, exam registration and proctoring workflows, public certificate verification, notifications, and support interactions. It does not automatically apply to separate Veehax products unless they link to or incorporate this policy.

Global use with Sri Lanka operations

Veehax operates from Sri Lanka and serves a global audience. Some service providers may process data in jurisdictions outside the learner's home country.

What data we collect

Link

The categories of information Veehax Learn may process in normal operations.

Identity and account data
Name, email address, account identifiers, username, avatar, and other profile details provided directly by the learner or through a supported sign-in provider.
Authentication and security data
Password or login events, magic-link actions, OAuth details, MFA status, verified phone status, device/session history, IP address, and security alerts.
Profile data
Country, phone number, biography, username, profile edits, and similar account preferences.
Learning and platform activity
Enrollments, module completion, progress, points, badges, dashboard metrics, and related learning interactions.
Exam and payment data
Exam registrations, attempt numbers, coupon codes, payment references, payment status, receipts, and operational billing data.
Proctoring event metadata
Flags, counts, timestamps, session warnings, termination reasons, and other exam-integrity signals generated during secure exam monitoring.
Certificate and verification data
Certificate numbers, hashes, PDF URLs, IPFS CIDs, blockchain references, issuance dates, and revocation status.
Communications and support data
Email messages, support requests, notice history, and records required to answer a request or resolve a dispute.
AI study assistant data
Learner prompts, concept requests, and module-context text sent to the configured AI provider so the study assistant can return explanations or answers.
Push notification data
Web push subscription endpoints and related cryptographic keys used to deliver browser notifications.

How we collect data

Link

The sources from which personal information enters the platform.

  • Directly from learners when they create an account, edit a profile, verify a phone number, ask for support, register for an exam, or use the AI study assistant.
  • Automatically from the browser, device, and platform when the learner signs in, studies, starts an exam session, or interacts with public pages.
  • From supported providers when the learner signs in using OAuth, completes hosted payment checkout, or receives SMS or email communications.
  • From public certificate verification actions and certificate lifecycle operations performed inside the platform.

Veehax does not currently describe the platform as an advertising network and does not position Veehax Learn around third-party ad tracking.

How we use data

Link

The main operational purposes behind the information Veehax collects.

  • To create and manage learner accounts, authenticate users, and protect the platform against abuse or fraud.
  • To provide access to free learning content, track progress, award badges or points, and manage learner experience features.
  • To validate exam eligibility, collect exam fees, manage attempts, run secure exam sessions, and maintain integrity controls.
  • To issue, store, and verify certificates, including public authenticity checks where certificate data is intentionally exposed for verification.
  • To provide support, respond to requests, send service messages, and investigate security or payment issues.
  • To run the AI study assistant, including sending prompts and relevant module context to the configured AI provider.
  • To comply with legal obligations, enforce the Terms & Conditions, and resolve billing or refund matters under the Refund Policy.

AI, proctoring, and certificate verification

Link

Special privacy considerations for the secure-exam and verification features.

Veehax Learn includes an AI-powered study assistant and a high-security exam environment. Those features involve different privacy expectations and are handled separately in the platform design.

Proctoring privacy note

Secure exam sessions require camera and microphone permissions. Based on the current product design and SRS, raw video frames are not transmitted to Veehax servers during AI-assisted proctoring; instead, the platform stores analysis event metadata such as flags, counts, timestamps, and termination reasons.

The AI study assistant sends learner questions, requested concepts, and limited module-context text to the configured AI provider so it can generate a response. Learners should avoid entering unnecessary sensitive personal data into study-assistant prompts.

Certificate verification is intentionally designed to be publicly accessible. A certificate number, issuance status, hashes, IPFS references, and blockchain references may be displayed or checked so employers and third parties can verify authenticity.

Sharing and service providers

Link

The main categories of third parties that help operate Veehax Learn.

Veehax does not describe Veehax Learn as a marketplace for selling personal data. Instead, Veehax shares information with service providers and infrastructure partners where needed to deliver the platform, secure transactions, and support learners.

Named service providers and infrastructure partners

Service

Supabase

Role

Authentication, database, and storage infrastructure

Data categories

Account records, profile data, session data, certificate files, and application data stored by the platform

Why used

To operate authentication, persistent application data, and certificate storage.

Region

Configured by Veehax; the SRS references Singapore for core data residency.

Service

Dialog Genie Business

Role

Hosted payment checkout and payment status events

Data categories

Payment references, checkout metadata, transaction status, and limited customer identifiers such as learner ID, email, and name

Why used

To process paid certification exam registration fees without Veehax handling raw card details.

Region

Provider-controlled

Service

Twilio

Role

SMS delivery for phone verification and SMS-based MFA

Data categories

Phone numbers, one-time passcodes, and delivery metadata

Why used

To verify phone ownership and deliver additional authentication challenges.

Region

Provider-controlled

Service

Resend

Role

Transactional email delivery

Data categories

Email addresses, notification content, and delivery metadata

Why used

To deliver verification, certificate, and security-related email messages.

Region

Provider-controlled

Service

Google and GitHub OAuth

Role

Optional third-party sign-in providers

Data categories

Basic identity information made available by the provider, such as email, name, and avatar

Why used

To let learners sign in using supported third-party identity providers.

Region

Provider-controlled

Service

Configured AI provider

Role

AI study assistant responses

Data categories

Learner prompts, module context, content snippets, and generated responses

Why used

To answer learner questions and explain module concepts inside the study assistant.

Region

Provider-controlled; depends on the configured AI provider in production.

Service

Vercel

Role

Hosting and edge delivery

Data categories

Standard request metadata, logs, and application delivery data

Why used

To host and deliver the Veehax Learn web application.

Region

Provider-controlled

Service

Upstash Redis

Role

Rate limiting and short-lived verification storage

Data categories

Rate-limit counters, OTP values, temporary challenge state, and anti-abuse metadata

Why used

To protect authentication and other sensitive routes against abuse.

Region

Provider-controlled

Service

IP geolocation lookup

Role

Adaptive security and suspicious-login checks

Data categories

IP address and derived location or proxy indicators

Why used

To trigger extra verification for unusual sign-in behavior.

Region

Provider-controlled

Service

YouTube / YouTube No-Cookie

Role

Embedded learning media when Veehax uses hosted video content

Data categories

Video request metadata and device/browser details associated with embedded playback

Why used

To display supported video learning content.

Region

Provider-controlled

Service

IPFS and blockchain anchoring services

Role

Certificate integrity and public verification

Data categories

Certificate hashes, IPFS CIDs, blockchain transaction references, and public verification metadata

Why used

To support public authenticity checks for issued certificates.

Region

Public or provider-controlled networks

Cookies, sessions, and notifications

Link

How browser-state, session, and notification data are used inside the platform.

Veehax Learn uses authentication and session mechanisms to keep users signed in, protect privileged actions, and remember necessary application state. These mechanisms may rely on cookies, browser storage, or similar browser features.

Veehax also uses push-subscription data when learners choose to enable web push notifications. Learners can revoke browser notification permissions and unsubscribe from notifications through supported platform flows.

The platform may embed media from supported providers such as YouTube or YouTube No-Cookie when learning content requires it. Those providers may receive standard request metadata when the learner opens embedded media.

Data retention

Link

Retention standards by category, including areas that should be finalized during legal review.

Retention categories

Category

Profile and account records

Retention standard

Retained while the account remains active and for a reasonable operational or legal period after closure.

Trigger

Retention is reviewed when an account is deactivated or anonymized.

Notes

The current application supports account anonymization through the authenticated account deletion flow.

Category

Authentication, device, and session security records

Retention standard

Retained for security monitoring, fraud prevention, and audit purposes for a limited operational period.

Trigger

Retention may be extended when Veehax investigates abuse, fraud, or policy violations.

Notes

Reviewed operationally.

Category

Payments and billing records

Retention standard

Retained for accounting, dispute handling, fraud review, and legal compliance obligations.

Trigger

Retention follows Veehax accounting and statutory record-keeping needs.

Notes

Reviewed operationally.

Category

Exam registrations and attempt records

Retention standard

Retained while a registration remains relevant to eligibility, audit, certification, or dispute handling.

Trigger

Reviewed after the exam lifecycle ends and related obligations expire.

Notes

Reviewed operationally.

Category

Proctoring event metadata

Retention standard

Retained only as long as necessary to investigate exam integrity, resolve disputes, and enforce exam rules.

Trigger

Retention may continue for an active integrity investigation, appeal, or regulatory requirement.

Notes

The platform stores event metadata such as flags, counts, timestamps, and termination reasons rather than raw video footage.

Category

Certificates and public verification data

Retention standard

Retained for as long as Veehax offers certificate verification or needs to preserve an authenticity trail.

Trigger

Records may remain available even after an account closes so certificate status can still be validated.

Notes

Reviewed operationally.

Category

Support and communications records

Retention standard

Retained for a limited period needed to resolve support issues, enforce terms, and improve operations.

Trigger

Reviewed after a support thread is closed unless a dispute or legal hold applies.

Notes

Reviewed operationally.

Category

AI study assistant interactions

Retention standard

Handled according to the configured production AI workflow and Veehax operational settings.

Trigger

Retention should be reviewed before final legal publication if prompt logging is expanded.

Notes

The current product sends prompt and module-context data to the configured AI provider to generate responses.

Category

Push notification subscriptions

Retention standard

Retained until the learner unsubscribes, the browser invalidates the subscription, or Veehax removes stale endpoints.

Trigger

Automatically or manually removed when a push subscription is revoked or invalid.

Notes

Reviewed operationally.

International users and your rights

Link

Rights, choices, and transfer considerations for a global user base.

Because Veehax serves a global audience, personal information may be processed in jurisdictions outside the learner's home country when Veehax or its providers operate services internationally.

  1. Authenticated users can request access to an export of core account data through GET /api/user/export.
  2. Authenticated users can request account closure through DELETE /api/user/account, which currently anonymizes and deactivates profile information instead of purging every related operational record.
  3. Learners can update core profile data through the profile-management experience and related account endpoints.
  4. Learners can disable or revoke web push notifications through browser controls or the platform unsubscribe flow.
  5. Privacy-related questions and rights requests can be sent to hello@veehax.com.

Veehax may need to keep certain records even after a deletion or objection request when the data remains necessary for security, accounting, certificate verification, dispute resolution, or legal compliance.

Security safeguards

Link

Operational and technical controls that protect the platform today.

Veehax uses a mix of technical and organizational controls to protect Veehax Learn, including transport security, content security restrictions, rate limiting, authentication controls, audit logging, and environment-variable based secret handling.

  • HTTPS, HSTS, and browser security headers are part of the current platform stack.
  • Administrative actions are logged so Veehax can review sensitive changes.
  • Authentication flows support MFA, verified email requirements for admin access, and optional verified phone workflows.
  • No internet service is perfectly secure, so Veehax cannot promise absolute security.

Changes to this policy and contact

Link

How updates are published and where learners should direct privacy questions.

Veehax may update this Privacy Policy when platform features, providers, or compliance expectations change. The current version is the version posted on learn.veehax.com.

Questions, complaints, or privacy requests may be sent to hello@veehax.com. General support remains available at hello@veehax.com.

Related legal documents

These policies work together. Review the related documents that govern payments, privacy, and account use across Veehax Learn.

Terms & Conditions

These Terms & Conditions govern access to Veehax Learn, including free learning access, paid exam registrations, account security, certificate issuance, and acceptable use.

Open Terms

Refund Policy

Veehax Learn keeps learning content broadly accessible and charges only for secure certification exam registrations. This policy explains when those exam fees may or may not be refunded.

Open Refunds

Contact and support

Use the most relevant channel below when you need billing, privacy, or legal help.

Privacy requests

hello@veehax.com

Use for access, correction, deletion, and privacy concerns.

General support

hello@veehax.com

Use for account help, course questions, and general platform support.