DhatuAcademy — Privacy Policy

1. Scope & Roles

This Policy explains how we collect, use, disclose, and protect Personal Data and Sensitive Data processed via: (1) public websites (e.g., landing pages, documentation); (2) DhatuAcademy accounts and dashboards; and (3) support/sales interactions.

For marketing, sales, support, and billing, DFOLDS is the Data Controller (GDPR/UK GDPR) / Business (CPRA).

For Customer Content processed in DhatuAcademy (e.g., configuration data, evidence, audit logs, scan results), DFOLDS acts as a Data Processor / Service Provider on behalf of the customer (the Controller/Business), processing only under customer instructions and the MSA/DPA/BAA.

2. Definitions (Plain Language)

  • Personal Data: Information that identifies or can reasonably be linked to an individual (e.g., name, email, identifiers).
  • Sensitive Data: Includes health data/PHI, precise geolocation, government IDs, financial data, and other sensitive categories defined by law.
  • Customer Content: Data uploaded, connected, or generated in your tenant (evidence, findings, audit trails, documents, tickets).
  • Processing: Any operation on data (collecting, storing, using, sharing, deleting).

3. International Transfers

We use EU SCCs and UK IDTA/Addendum with supplementary measures for cross‑border transfers. Regional data residency (US/EU/India) may be available by configuration/contract.

4. Security

Controls include encryption in transit/at rest, RBAC/SSO/MFA, network isolation, vulnerability management, third-party pen tests, secure SDLC, audit logging, immutable backups, and vendor risk management.

For HIPAA BA relationships, safeguards align to the Security Rule; breach notification will be made without unreasonable delay and no later than 60 days after discovery, as required by HITECH.

5. Retention

We retain Personal Data only as long as necessary or as required by law/contract. Typical defaults (customizable by agreement): account/profile—life of account + 12 months; telemetry/audit—12–24 months; backups—30–45 days; support—24 months.

Upon contract end, we delete/return Customer Content per DPA/BAA and purge backups per schedule.

6. Your Rights

Depending on your location, you may have rights to access, correct, delete, restrict, object, port, and withdraw consent. Certain US states (e.g., CA/CPRA) add rights to opt‑out of sale/sharing (we do not sell/share for cross‑context behavioral ads) and to limit use of Sensitive Personal Information.

7. Children

Business‑use only; not directed to children under 16. If a child’s Personal Data is identified, contact contactus@dfolds.com for deletion.

8. Third‑Party Links & Integrations

Linked services are governed by their own policies. Review them carefully; we are not responsible for third‑party practices.

9. Changes

We may update this Policy; the date above reflects the latest version. Material changes will be notified via email or in‑app.

Continued use after the effective date constitutes acceptance.