This Policy describes the principles of personal data processing carried out by BFB LTD in accordance with GDPR, Cyprus Law 125(I)/2018 and guidance issued by the Office of the Commissioner for Personal Data Protection.
1. Data Controller and DPO
BFB LTD, registration number HE 482961, with registered office at Dodonis, 7, Kolossi, 4632, Limassol, Cyprus, acts as the data controller. We have appointed a Data Protection Officer who can be reached at dpo@edme.pro for any privacy-related inquiry.
2. Legal Bases for Processing
Depending on the context, processing relies on one or more of the legal bases set out in Article 6 GDPR: consent (e.g. marketing communications), performance of a contract (delivery of courses and support), compliance with legal obligations (tax, accounting, anti-money laundering rules in Cyprus), protection of vital interests, and our legitimate interests in improving and safeguarding the platform, provided such interests do not override your rights.
3. Purposes of Processing
We process data to enrol and support learners, personalise curricula, conduct assessments, provide mentoring, manage payments, perform analytics, prevent fraud, maintain security logs, send regulatory notices, and document compliance with educational and consumer protection laws.
4. Retention and Storage
Data is stored on secure servers located in the EU/EEA. Contract and billing data is retained for seven years to satisfy Cyprus tax legislation, learning history is kept for five years after the last activity to provide certificates, technical logs are stored for up to twenty-four months, and marketing preferences are kept until you opt out. After the applicable period the data is anonymised or securely deleted, with backups overwritten on a rolling schedule.
5. Rights of Data Subjects
Data subjects may exercise their GDPR rights at any time: access, rectification, erasure, restriction, data portability, objection to processing, and the right not to be subject to automated decisions with legal effects. Requests are handled within one month unless complexity allows an additional two months as permitted by Article 12 GDPR.
6. Security and Governance Measures
We maintain layered security including encryption, network segmentation, MFA for staff, periodic audits of processors, background checks for mentors, incident response plans, and documented policies reviewed at least annually. Staff with data access sign confidentiality agreements under Cyprus employment law.
7. International Transfers and Supervisory Authority
International transfers occur only when necessary and subject to EU Standard Contractual Clauses, Binding Corporate Rules or adequacy decisions. You may request copies of relevant safeguards. You also have the right to contact the Office of the Commissioner for Personal Data Protection in Cyprus if you believe your rights have been infringed.
8. Direct Marketing and Newsletter Consent
Marketing emails and push notifications are sent only with your explicit consent or, where permitted, on the basis of a pre-existing customer relationship. You can withdraw consent or object to marketing at any time and we will log the withdrawal in accordance with GDPR record-keeping obligations.
Company: BFB LTD, Registration Number: HE 482961, Address: Dodonis, 7, Kolossi, 4632, Limassol, Cyprus | Email: edme@edme.pro