GDPR Compliant

Privacy Policy

How EDORIVA collects, uses, and protects your personal data. We are committed to full transparency and GDPR compliance.

Last updated: March 2026

1. What Data We Collect

Account Information

When you create an account, we collect your full name, email address, and password (stored as a bcrypt hash). Contributors additionally provide their university name, course details, graduation year, and a profile biography.

Booking Details

When you book a session, we collect the selected contributor, date, time, session topic, and any questions you submit in advance. We also store booking status (confirmed, completed, cancelled) and timestamps.

Payment Information

We do not store credit card numbers or bank details on our servers. All payment processing is handled by Stripe, our PCI-DSS compliant payment partner. We store only the Stripe customer ID and transaction reference for record-keeping.

Usage Data

We automatically collect browser type, device information, IP address, pages visited, and session duration through cookies and server logs. This data is anonymised and used solely for service improvement.

2. Why We Collect Your Data

Service Delivery

Your account and booking data is necessary to match you with contributor, schedule sessions, process payments, and deliver the core EDORIVA service. This processing is based on contractual necessity (GDPR Art. 6(1)(b)).

Platform Improvement

Anonymised usage data helps us understand how the platform is used, identify bugs, and improve the user experience. This processing is based on our legitimate interest (GDPR Art. 6(1)(f)).

Communication

We use your email address to send booking confirmations, session reminders, and essential service updates. Marketing communications are only sent with your explicit consent and can be withdrawn at any time.

3. Who We Share Your Data With

Stripe (Payment Processing)

Your payment details are shared with Stripe to process session payments securely. Stripe acts as an independent data controller for payment data. See Stripe’s privacy policy at stripe.com/privacy.

Daily.co (Video Sessions)

Session video calls are facilitated through Daily.co. Your display name and audio/video streams are transmitted through their servers during active sessions. Daily.co does not store recordings unless both parties consent. See Daily.co’s privacy policy at daily.co/legal/privacy.

No Other Third Parties

We do not sell, rent, or share your personal data with any other third parties for marketing purposes. We may disclose data if required by law or to protect the rights and safety of our users.

4. Your Rights Under GDPR

Right of Access

You can request a copy of all personal data we hold about you at any time. We will respond within 30 days.

Right to Deletion

You can request that we delete your account and all associated personal data. We will complete deletion within 30 days, except where data must be retained for legal obligations (e.g. financial records for 6 years).

Right to Portability

You can request your data in a structured, machine-readable format (JSON or CSV) so you can transfer it to another service.

Right to Rectification

If any of your personal data is inaccurate or incomplete, you can update it directly through your account settings or contact us to make corrections.

Right to Withdraw Consent

Where processing is based on consent (e.g. marketing emails), you can withdraw consent at any time by clicking the unsubscribe link or contacting us directly.

5. Cookie Policy

Essential Cookies

We use strictly necessary cookies to maintain your login session and remember your preferences. These cannot be disabled as they are required for the platform to function.

Analytics Cookies

We use anonymised analytics cookies to understand traffic patterns and improve the platform. You can opt out of analytics cookies via the cookie banner displayed on your first visit.

No Third-Party Advertising Cookies

We do not use any advertising cookies or tracking pixels from third-party ad networks.

6. Data Retention

Account Data

Your account data is retained for as long as your account is active. If you delete your account, personal data is removed within 30 days.

Booking Records

Booking and transaction records are retained for 6 years after completion to comply with UK financial record-keeping requirements.

Chat and Session Logs

Session chat logs are retained for 30 days after the session for dispute resolution, then permanently deleted.

7. Contact Us

Data Protection Enquiries

For any questions about this policy or to exercise your data rights, contact our Data Protection Officer at info@edoriva.com. We aim to respond to all requests within 30 calendar days.

Supervisory Authority

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.