GDPR Compliance.

This GDPR statement applies to users of EdEarn located in the European Union (EU), European Economic Area (EEA), or the United Kingdom. When you use EdEarn from those regions, you have specific rights under the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page summarizes those rights and how to exercise them. For users outside the EU/EEA, similar rights may apply under your local law (CCPA in California, India DPDP Act, LGPD in Brazil, etc.). Contact privacy@edearn.com for jurisdiction-specific requests.

EdEarn is the data controller for personal data processed through the Platform. Address: EdEarn, Indiranagar 100ft Rd, Bangalore, Karnataka, India 560038 Email: privacy@edearn.com Data Protection Officer: dpo@edearn.com EU Representative: gdpr@edearn.com Where we use sub-processors (e.g., Stripe, AWS, SendGrid), they act as data processors under signed Data Processing Agreements (DPAs).

We rely on the following lawful bases under Article 6 GDPR: • Performance of a contract — operating your account, delivering courses, processing payments • Legitimate interests — security monitoring, fraud prevention, product analytics, internal reporting • Consent — marketing emails, optional analytics, cookies (where required) • Legal obligation — tax records, KYC, court orders You can withdraw consent at any time without affecting prior processing. See section 4.

4.1 In your account Settings → Privacy → Data Export, or Settings → Account → Delete Account. 4.2 By email Send a request to privacy@edearn.com with subject "GDPR Request — [Right]". Include: • Your full name and email on file • The specific right you're invoking • Any supporting context 4.3 Verification We may ask you to confirm your identity via your registered email. We don't ask for sensitive ID documents unless absolutely necessary. 4.4 Response time We respond within 30 days. Complex requests may extend to 60 days, with notice. Free of charge — except for unfounded or repetitive requests.

EdEarn is headquartered in India. Some sub-processors operate in the United States and other countries. For transfers of EU/EEA personal data outside the EU, we rely on: • Standard Contractual Clauses (SCCs) with Module 2 (Controller → Processor) • Adequacy decisions where available • Supplementary measures: encryption in transit and at rest, role-based access, audit logging A list of our sub-processors is available on request from privacy@edearn.com.

We retain personal data only as long as necessary for the purposes described: • Account data — while active, then 90 days • Payment records — 7 years (legal obligation) • Audit logs — 2 years • Marketing consent records — until consent is withdrawn + 3 years (proof) After retention periods, data is deleted or anonymized.

Article 32 GDPR requires appropriate technical and organizational measures. Ours include: • Encryption (TLS 1.3 in transit, AES-256 at rest) • Hashed passwords (bcrypt) and rotating JWTs with refresh tokens • Optional MFA (TOTP) • Database-driven RBAC with audit logging • Sub-processor due diligence and DPAs • Regular penetration tests and vulnerability scans • Breach response within 72 hours per Article 33

If you believe we've handled your personal data unlawfully, please contact privacy@edearn.com first — we want to resolve it. You also have the right to lodge a complaint with your local supervisory authority. Find yours at edpb.europa.eu/about-edpb/about-edpb/members_en (EU), or ico.org.uk (UK).