Privacy Policy
DeepLXP is built for learning — and learning depends on trust. This Privacy Policy explains what personal information we collect when you use our LMS platform, how we use it, who we share it with, and the choices and rights you have.
In plain English: we collect only what we need to run DeepLXP for you, we never sell your data, we encrypt it in transit and at rest, and we give you the controls to access, export, or delete it.
01 Scope & roles
This Policy applies to (a) visitors to our marketing website, (b) trial and paid customers of DeepLXP ("Customers"), and (c) end-users of LMS workspaces operated by our Customers ("Learners").
- For visitor and Customer account data, DeepLXP acts as a data controller.
- For Learner data inside a Customer's workspace, DeepLXP acts as a data processor on behalf of the Customer. The Customer is the controller and decides what data is collected and why.
If you are a Learner, please contact the organization that invited you to its DeepLXP workspace for questions about how it uses your data.
02 Information we collect
Information you give us
- Account & signup: company name, workspace name, admin full name, email address, phone number, country, plan choice, billing cycle, and the verification code we email to confirm your address.
- Billing: payment instrument details handled by our PCI-compliant payment processor; we receive only tokenized references and limited metadata (last 4 digits, brand, country).
- Support: messages and attachments you send to our support team.
Information we collect automatically
- Usage logs: IP address, browser, device, pages visited, feature interactions, timestamps, and approximate location derived from IP.
- Diagnostic data: error reports, performance metrics, and crash logs used to keep the Service stable.
- Cookies & similar technologies: see Cookies & tracking below.
03 How we use information
We use personal information to:
- Provision and operate your workspace and deliver the Service.
- Verify identity (for example, email OTPs during signup) and prevent fraud, abuse, and unauthorized access.
- Process payments and manage subscriptions.
- Send service announcements, security alerts, billing notices, and support replies.
- Send product updates and marketing — only where you have opted in or where permitted by law, and always with an easy way to unsubscribe.
- Diagnose issues, monitor performance, and improve the Service.
- Comply with legal obligations and enforce our Terms of Service.
04 Legal bases (GDPR)
If you are in the European Economic Area, United Kingdom, or another region with similar laws, we process personal data on one or more of the following bases:
| Activity | Legal basis |
|---|---|
| Creating and operating your workspace | Performance of a contract |
| Email verification & account security | Legitimate interests / legal obligation |
| Billing & tax compliance | Legal obligation |
| Marketing emails | Consent (you can withdraw at any time) |
| Improving and securing the Service | Legitimate interests |
05 Learner data we process for customers
When a Customer uses DeepLXP to run their LMS, they typically upload or generate the following Learner Data, which we host and process strictly on their behalf:
- Name, email, profile picture, role, and group/cohort membership.
- Enrolments, progress, quiz attempts, scores, certificates, and completion records.
- Discussion posts, comments, and submitted assignments.
- Login timestamps and the IP/device used to access the workspace.
DeepLXP does not access Learner Data except to (a) operate the Service, (b) respond to a Customer's support request, (c) investigate a security incident, or (d) comply with a binding legal request. We do not sell Learner Data and we do not use it to train AI models.
06 When we share information
We share personal information only in these limited cases:
- With your organization: if you are a Learner, your Admins can see your activity within the workspace.
- With sub-processors who help us run the Service (hosting, email delivery, payments, analytics, customer support) — see the list in Sub-processors.
- In a corporate transaction (merger, acquisition, financing) — with prior notice and protections consistent with this Policy.
- For legal reasons, when required by law, court order, or to protect rights, safety, or property.
07 Sub-processors
We engage a small number of vetted vendors to deliver the Service. Examples of categories include cloud infrastructure, transactional email, payment processing, error monitoring, and customer support tooling. Each sub-processor is bound by written contracts that include confidentiality, security, and data-protection obligations.
A current list of sub-processors is available on request at privacy@deeplxp.com.
08 International data transfers
DeepLXP operates from the United States and may transfer personal data to countries other than your own. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented with technical and organizational measures.
09 Data retention
- Active workspaces: we retain Customer and Learner Data for as long as the workspace is active.
- After cancellation: we retain workspace data for up to 30 days so you can export it, then delete or anonymise it.
- Billing & tax records: retained for the period required by applicable law (typically 7 years).
- Backups: encrypted backups roll out of our systems within 35 days of deletion from production.
10 How we protect your data
We take security seriously. Our safeguards include:
- TLS 1.2+ encryption for data in transit and AES-256 encryption for data at rest.
- Per-tenant isolation, role-based access controls, and least-privilege principles for our staff.
- Hashed and salted passwords (we never see them in plain text) and one-time codes for sensitive flows such as signup verification.
- Continuous monitoring, vulnerability scanning, and regular penetration tests.
- Documented incident-response procedures with a 72-hour notification commitment for material breaches.
No system is perfectly secure. If you believe your account or workspace has been compromised, contact us immediately at contact@deeplxp.com.
11 Cookies & tracking
We use a minimal set of cookies and similar technologies:
- Strictly necessary: session, CSRF, and load-balancing cookies required to log you in and serve pages securely.
- Preferences: remember your language, theme, and workspace settings.
- Analytics: aggregated, privacy-friendly metrics that help us understand how the Service is used. Where required by law, we ask for your consent before setting these.
You can control cookies through your browser settings. Blocking strictly necessary cookies may prevent parts of the Service from working.
12 Your privacy rights
Depending on your jurisdiction (such as the GDPR, UK GDPR, or California's CCPA/CPRA), you have rights regarding the personal data we hold about you, including the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your personal data ("right to be forgotten").
- Restrict or object to certain processing.
- Port your data to another service in a structured format.
- Withdraw consent at any time, where processing relies on consent.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email privacy@deeplxp.com. We respond to verified requests within 30 days. Learners should first contact the organization that runs their workspace; we will forward requests to the relevant Admin where appropriate.
13 Children & minors
DeepLXP is not directed at children under 13 (or the equivalent age in your jurisdiction). Customers who use the Service to deliver learning to minors must obtain verifiable parental or guardian consent and comply with all applicable laws (such as COPPA and FERPA in the US, and equivalent local regulations). Specific protections can be negotiated as part of an Enterprise agreement.
14 Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our practices. If a change is material we will notify Admins by email or in-product banner at least 30 days before it takes effect. The "Effective date" at the top of this page always shows when it was last updated.
15 Contact us
For privacy questions, data-subject requests, or to reach our Data Protection team, contact:
- Privacy: privacy@deeplxp.com
- General support: contact@deeplxp.com
- Data controller: DeepLXP, Inc.
Ready to Transform Your Learning?
Book a demo and see how DeepLXP can power your learning programmes.