1. Introduction

1.1. Academy is committed to protecting your privacy and handling personal data in a transparent, secure and lawful manner in accordance with applicable privacy laws (including Sri Lankan laws and, where applicable, GDPR/UK GDPR principles for persons in those jurisdictions).

1.2. This Privacy Policy applies to: visitors to our website and landing pages; individuals who register for or purchase our Courses or Services; attendees of our events and webinars; prospective customers; vendors and business contacts; and users of our community or support channels.

1.3. By using our website, purchasing Courses, registering for events, or otherwise interacting with Academy, you agree that we will process your personal data in accordance with this Privacy Policy.

2. Categories of personal data we collect

Depending on the activity and the relationship, we may collect one or more of the following categories:

• Identity data: name, date of birth (where required for identity checks), gender, nationality.
• Contact data: email address, postal address, telephone/mobile number.
• Account data: username, password hashes, profile, subscription status, enrolment records.
• Payment data: billing address and payment method details (processed via our payment providers; we do not store full card data).
• Communications: support tickets, email correspondence, chat transcripts, call recordings (where recorded).
• Usage & course interaction data: progress, quiz results, course completion, timestamps, video watch history, device/browser data.
• Technical data / digital identifiers: IP address, device identifiers, browser type, operating system, connection logs, geolocation data where permitted.
• Verification documents: where required for identity verification for some Academy services (copy of ID, proof of address).
• User content: forum or chat posts, questions, feedback, homework submissions, uploaded files.
• Marketing & preference data: opt-in/opt-out preferences, campaign engagement.
• Other information: any other personal data you provide to us.

3. Sensitive personal data

3.1. Unless required and notified at the point of collection, please do not send sensitive personal data (e.g., health information, racial or ethnic origin, political opinions, trade union membership, sexual orientation, criminal convictions) to Academy.

3.2. If we need to collect sensitive personal data (for example, accessibility requirements for an event), we will: (a) clearly explain the reason; (b) obtain explicit consent or rely on another lawful basis permitted by applicable law; and (c) handle it in accordance with stricter protections.

4. Sources of personal data

We obtain personal data from:

• Directly from you when you register, purchase, complete forms, contact support, attend events, participate in live sessions, or upload materials.
• Automatically when you use our website or learning platform (cookies, analytic logs, telemetry).
• From third parties such as payment processors, marketing providers, identity verification providers, event platforms (Zoom/Teams), or when you sign in using third-party services.
• From public sources (e.g., publicly available social media profiles) where relevant and lawful.
• From partners (e.g., referral partners, corporate clients) where you have been referred.

5. Lawful bases & purposes of processing

We process personal data where we have a lawful basis, including one or more of:

• Performance of a contract / pre-contractual steps to provide Courses, subscriptions, coaching, fulfil orders, deliver certificates, process payments and provide customer support.
• Legal compliance to comply with applicable laws and regulatory obligations (e.g., tax, anti-fraud, recordkeeping).
• Legitimate interests for product improvement, fraud prevention, security, platform operation, internal analytics, protecting our business and users, direct marketing to subscribers (balanced against your rights). We document and assess these interests.
• Consent where you opt in to marketing, profiling, or non-essential cookies; you may withdraw consent at any time.
• Legal claims & defence to establish, exercise, or defend legal claims.

Purposes include (but are not limited to): delivering Courses and learning materials; processing payments and refunds; communicating important service messages; personalising learning recommendations; fraud prevention and security; administering events and webinars; marketing and offers (where consented or permitted); measuring and improving services; responding to legal requests.

Note about KYC / Deriv: Academy is an education provider and does not (as a matter of course) perform KYC for trading accounts. If you request Academy assistance to set up a third-party trading account (e.g., Deriv), any KYC/identity documents required by that third party are submitted to and processed by that third party under its own privacy policy. If Academy collects identity documents for Academy verification (for certification, proctoring, or special compliance), we will explain the purpose and lawful basis at the point of collection.

6. Disclosure & sharing of personal data

We may share personal data with:

• Service providers & subprocessors: payment processors, cloud hosting providers, LMS platforms, email and marketing platforms, analytics providers, customer support platforms, video/webinar hosts (Zoom, Teams), CRM, and other suppliers that perform services on our behalf.
• Professional advisers: lawyers, auditors, insurers, accountants where necessary.
• Event partners or co-hosts: where you register for an event run jointly with third parties (we will notify you where necessary).
• Legal & regulatory authorities: where required by law, court order, or to respond to lawful requests by public authorities.
• Acquirers & business partners: in connection with a reorganisation, sale, merger, joint venture, or transfer of assets.
• With your consent: to third parties you specifically direct us to share your data with.

We require third parties to provide sufficient guarantees regarding security, confidentiality and compliance with applicable law before they process personal data on our behalf.

7. International data transfers

Academy may transfer or store personal data outside your country of residence (for example, our cloud providers’ servers may be located in other jurisdictions). Where transfers occur to countries that do not have equivalent data protection laws, we implement appropriate safeguards such as standard contractual clauses, contractual assurances with subprocessors, and technical/organisational measures to protect your personal data.

8. Data retention

We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, to comply with legal obligations (e.g., tax, accounting), to resolve disputes, and to enforce our agreements. Specific retention periods depend on the category of data and purpose (e.g., transactional and financial records are generally retained for statutory periods; marketing lists are retained until consent is withdrawn). When no longer needed, personal data will be securely deleted or anonymised.

9. Your rights

Subject to applicable law, you may have the following rights:

• Access: request a copy of your personal data we hold.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion of personal data in certain circumstances (subject to legal retention obligations).
• Restriction: ask us to restrict processing in certain situations.
• Portability: request a portable copy of your data where the processing is based on consent or contract and is carried out by automated means.
• Objection: object to processing based on legitimate interests or direct marketing.
• Withdraw consent: where processing is based on consent.
• Complain: to a supervisory authority (you may lodge a complaint in your country of residence or the jurisdiction where the controller is established).

To exercise these rights, contact info@aob.lk. We will verify your identity prior to responding. We may be required to retain certain records or decline requests where permitted by law.

10. Marketing & communications

10.1. If you opt in, we may send promotional materials about Academy Courses, webinars, events, and related services. You can unsubscribe at any time via the unsubscribe link in emails, or by contacting info@aob.lk.

10.2. We will continue to send transactional or administrative messages (e.g., service updates, invoices) even if you unsubscribe from marketing, where necessary to provide the service.

10.3. Where we rely on legitimate interests to send marketing to existing customers, you can object at any time and we will stop sending direct marketing based on legitimate interests.

11. Security of your personal data

11.1. We implement reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse or alteration. These measures include secure hosting, encryption in transit, role-based access control, regular patching, backups, and security testing.

11.2. While we aim to protect your information, no system is 100% secure. If we become aware of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify affected individuals and relevant supervisory authorities as required by applicable law.

11.3. You are responsible for maintaining the secrecy of your account credentials and for logging out after using shared devices. Use strong, unique passwords and enable two-factor authentication if available.

12. Automated decision-making & profiling

12.1. We may use automated tools to analyse your usage (e.g., progress, course preferences) to personalise course recommendations, display relevant content, and to detect fraud. Such profiling is used to improve user experience and service delivery.

12.2. Where automated decisions would have a legal or similarly significant effect on you, we will provide information about the logic, significance and envisaged consequences and ensure there is a human review where required by law.

13. Cookies & website analytics

13.1. We and our third-party service providers use cookies and similar technologies to operate the site, remember preferences and provide analytics. Cookie categories: strictly necessary, performance/analytics, functionality, and marketing/targeting.

13.2. Non-essential cookies are only set if you consent (where required by law). You can manage cookie preferences through the cookie banner or your browser settings (note that disabling cookies may affect functionality).

13.3. We use third-party analytics and advertising platforms (e.g., Google Analytics, Meta Pixel) which may set their own cookies — these providers’ activities are subject to their own privacy policies.

14. Links to other websites & third-party services (including Deriv)

14.1. Our website or course materials may contain links or references to third-party websites, tools or platforms (including trading platforms such as Deriv). Those third parties process personal data according to their own privacy policies. When you visit or use third-party services, including opening an account with Deriv, you should read and accept the third party’s privacy policy. Academy is not responsible for third-party privacy practices.

14.2. To be clear: Academy is not the data controller for Deriv accounts and does not control how Deriv processes your information. If you open or use an account on Deriv, your data will be handled by Deriv under Deriv’s Privacy Policy (and Deriv’s consent/retention/transfers will apply). Academy may assist with onboarding guidance, but any KYC or account verification occurs with the third party and that third party is independently responsible for its own compliance.

15. Data controller & contact information

15.1. Controller: Academy Of Binary Pvt Ltd is the data controller in respect of the personal data collected through our website, courses and services (unless we explicitly notify you otherwise at the point of collection).

15.2. Contact: For questions, requests or complaints contact:

15.3. We will acknowledge requests promptly and respond within applicable statutory timeframes (where required).

16. Governing law, updates & versioning

16.1. This Privacy Policy is governed by the laws of Sri Lanka. If you are located in another jurisdiction and local law provides greater protection, that law may apply to you in addition to this Policy.

16.2. We may update this Policy from time to time to reflect changes in law, our processing practices, or product innovations. We will publish the revised Policy on our website and update the “Last updated” date. Material changes affecting existing account holders will be notified by email where required.

16.3. Acceptance: By using our website or Services after updates are posted, you accept the updated Policy.