Privacy Policy
Effective Date: April 24, 2026 | Last Updated: May 31, 2026
1. Introduction
This Privacy Policy describes how Shiminly Inc. (“Shiminly,” “we,” “our,” or “us”) collects, uses, shares, and protects information when you visit our website (shiminly.com), use our learning platform (courses.shiminly.com, powered by LearnWorlds), or otherwise interact with our services.
Shiminly is an education company headquartered at 293 Boston Post Road, Suite 301, Marlborough, MA 01752, USA. We provide human skills education programs for K–12 students, higher education learners, educators, families, and institutions worldwide across 20+ countries in the Americas, EMEA, and APAC.
Our Platform
Shiminly operates through two connected platforms:
- shiminly.com (“Marketing Site”): Our public website where visitors learn about programs, sign up for free trial lessons, request demos, contact us, and explore course information. Personal data is collected through forms, cookies, and analytics tools.
- courses.shiminly.com (“Course Platform”): Our learning platform powered by LearnWorlds, where enrolled students create accounts, make payments, access lessons, complete assessments, and earn certificates. Shiminly is the data controller and LearnWorlds is a data processor under a Data Processing Agreement.
Educational Services Only
Shiminly provides educational content and human skills training. Our programs are not a substitute for professional medical advice, psychological counselling, therapy, or any form of clinical treatment. If you or your child require mental health support, please consult a qualified healthcare professional.
2. Information We Collect
2.1 Information Collected on shiminly.com
When you interact with our Marketing Site, we may collect:
- Free Trial Signups: Name, email address, child’s age group, and any information you provide to start a free lesson.
- Demo and Quote Requests: Name, email, phone number, role, institution name, state, country, and details about your educational needs.
- Contact Forms: Name, email, and message content.
- Newsletter Signups: Email address.
- Automatic Data: IP address, browser type, device information, pages visited, time spent, referral source, and other usage data collected through cookies and analytics tools.
2.2 Information Collected on courses.shiminly.com (LearnWorlds)
When you enroll and use our Course Platform, we may collect:
- Account Information: Name, email address, password, and profile details.
- Payment Information: Credit card or payment details processed securely through Stripe or PayPal. Shiminly does not store credit card numbers directly.
- Learning Data: Course progress, lesson completion, quiz scores, assessment results, time spent on lessons, and engagement metrics.
- Assessment and Reporting Data: Pre-assessment and post-assessment results, life skills reports, and certificate records processed through our proprietary NovaTrax platform.
- Communication Data: Messages, support requests, and email interactions.
2.3 Information from Children
Shiminly serves learners ages 7 and older. We take the privacy of children seriously and comply with the Children’s Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation (GDPR) provisions for children, India’s Digital Personal Data Protection Act (DPDPA), and applicable international child protection laws.
- Children Under 13: We require verifiable parental consent before collecting personal information from children under 13. A parent or guardian must create the account and manage access. See Section 9 for our COPPA compliance details and consent mechanisms.
- Children Ages 13–17: Minors ages 13–17 may create accounts with parental knowledge and consent. We encourage parents to supervise their children’s use of the platform.
Parents and guardians may review, update, or request deletion of their child’s personal information at any time by contacting privacy@shiminly.com.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our educational programs and platform
- Process enrollments and payments, and issue certificates
- Generate life skills reports, assessments, and progress tracking through NovaTrax
- Communicate with you about your account, programs, and support requests
- Send educational updates, program information, and promotional materials (with your consent)
- Respond to demo requests, quote requests, and general inquiries
- Manage customer relationships through our CRM (HubSpot)
- Analyze website usage to improve user experience and content
- Serve relevant advertising through Facebook Pixel and similar tools
- Comply with legal obligations and protect our rights
3.1 Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions requiring a legal basis, we process personal data on the following grounds:
- Consent: Where you have given explicit consent, such as opting in to marketing emails, accepting cookies, or providing parental consent for children under 13.
- Contract Performance: Where processing is necessary to fulfill our agreement with you, including providing access to courses, processing payments, and issuing certificates.
- Legitimate Interest: Where processing is necessary for our legitimate business interests, such as improving our platform, preventing fraud, and analyzing usage, provided these interests do not override your rights.
- Legal Obligation: Where processing is necessary to comply with applicable laws and regulations.
4. Third-Party Service Providers
We share personal information with the following service providers who process data on our behalf. We maintain Data Processing Agreements (DPAs) or equivalent contractual protections with each processor to ensure they handle personal data in accordance with applicable privacy laws.
4.1 Course Delivery and Learning
- LearnWorlds: Learning management system hosting our Course Platform. Processes account information, course progress, and learning data. Data processor under DPA with Shiminly. Based in the EU (Greece).
- NovaTrax (Proprietary): Shiminly’s proprietary assessment and reporting platform. Processes student assessment results, life skills reports, and engagement metrics. Data remains under Shiminly’s direct control as data controller.
4.2 Payment Processing
- Stripe: Processes credit card payments on our Course Platform. PCI DSS Level 1 certified. Stripe’s privacy policy and DPA govern payment data handling. Based in the USA.
- PayPal: Alternative payment processing on our Course Platform. PayPal’s privacy policy and data processing terms govern payment data handling. Based in the USA.
4.3 Customer Relationship Management
- HubSpot: CRM platform used to manage leads, demo requests, institutional inquiries, and customer communications. Processes contact information submitted through shiminly.com forms. DPA in place. Based in the USA.
4.4 Website and Email
- WordPress: Content management system for shiminly.com. Form submissions are stored in the WordPress database hosted by our web hosting provider.
- SendGrid: Email delivery service used for transactional emails, account notifications, and communications. DPA in place. Based in the USA (Twilio).
4.5 Analytics and Advertising
- Google Analytics: Website analytics tracking visitor behavior, traffic sources, and usage patterns on shiminly.com. IP anonymization is enabled where required. Based in the USA. Google’s data processing terms apply.
- Facebook Pixel (Meta): Advertising tracking pixel used to measure ad effectiveness, build advertising audiences, and serve relevant ads. You may opt out through your browser settings, our cookie consent banner, or Facebook’s privacy controls. Based in the USA. Meta’s data processing terms apply.
4.6 Authentication
- OTP Credentials: One-time password service used for account verification and secure authentication.
We do not sell, rent, or trade personal information to third parties for their marketing purposes.
5. Cookies and Tracking Technologies
5.1 What We Use
shiminly.com uses cookies and similar tracking technologies to:
- Remember your preferences and settings (essential cookies)
- Analyze website traffic and usage patterns (Google Analytics — analytics cookies)
- Measure advertising effectiveness (Facebook Pixel — advertising cookies)
- Improve website performance and user experience (performance cookies)
5.2 Cookie Consent
When you first visit shiminly.com, a cookie consent banner will appear asking you to accept or decline non-essential cookies. Essential cookies (required for basic website functionality) are always active. Analytics and advertising cookies are only set after you provide consent.
You can change your cookie preferences at any time through:
- Our cookie settings link in the website footer
- Your browser settings (blocking or deleting cookies)
- Facebook’s Ad Preferences for Facebook Pixel opt-out
- Google’s Analytics opt-out browser add-on
For full details, see our Cookies Policy at shiminly.com/cookies/.
6. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this policy:
- Account and Learning Data: Retained for the duration of your enrollment plus 3 years for certificate verification and record-keeping.
- Payment Records: Retained as required by tax and accounting regulations (typically 7 years).
- Marketing and CRM Data: Retained until you unsubscribe or request deletion.
- Website Analytics: Retained in anonymized or aggregated form for up to 26 months.
- Children’s Data: Deleted promptly upon parental request or when no longer needed for educational purposes.
- Assessment and Report Data (NovaTrax): Retained for the duration of enrollment plus 3 years for verification and research purposes (in anonymized form for research).
7. Data Security
We implement appropriate technical and organizational measures to protect personal information:
- SSL/TLS encryption for all data in transit
- Secure authentication, access controls, and OTP verification
- PCI DSS compliant payment processing (Stripe and PayPal)
- Regular security reviews of third-party processors
- Data Processing Agreements with all processors handling personal data
- Limited access to personal data on a need-to-know basis
- Periodic review of data retention and deletion practices
No method of electronic transmission or storage is 100% secure. While we strive to protect personal information, we cannot guarantee absolute security.
7.1 Data Breach Notification
In the event of a data breach affecting your personal information, Shiminly will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR)
- Notify affected users without unreasonable delay (as required by CCPA, DPDPA, and other applicable laws)
- For breaches involving children’s data, notify parents or guardians directly and prioritize response
- Provide details of the breach, the data affected, the measures taken, and steps users can take to protect themselves
- Document all breaches internally, including those that do not meet the threshold for notification, as part of our compliance records
Shiminly maintains an incident response plan that is reviewed and tested annually.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Restriction: Request restriction of processing in certain circumstances.
- Portability: Request your data in a portable, machine-readable format.
- Objection: Object to processing based on legitimate interests or for direct marketing.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Opt-Out of Marketing: Opt out of marketing communications at any time via unsubscribe links or by contacting us.
- Opt-Out of Advertising Tracking: Opt out of Facebook Pixel and Google Analytics tracking through cookie settings or browser controls.
- Parental Rights: Parents may access, review, correct, or delete their child’s information at any time.
- Lodge a Complaint: File a complaint with your local data protection authority if you believe your rights have been violated.
To exercise any of these rights, contact privacy@shiminly.com. We will respond within 30 days (or sooner as required by applicable law).
9. COPPA Compliance (United States)
Shiminly complies with the Children’s Online Privacy Protection Act (COPPA) for children under 13 in the United States.
9.1 Parental Consent Mechanism
Before collecting personal information from a child under 13, we obtain verifiable parental consent through one of the following methods:
- Email verification: Parent receives a consent confirmation email and must reply or click a verification link to confirm consent
- During enrollment: The parent or guardian creates the account on behalf of the child, providing their own contact information and confirming they are the child’s parent or legal guardian
- Institutional consent: When Shiminly is used through a school or educational institution, the institution may provide consent on behalf of parents under COPPA’s school exception, where the institution has obtained appropriate parental consent or operates under an applicable exception
9.2 COPPA Commitments
- We collect only the minimum information necessary to provide educational services
- We do not condition a child’s participation on providing more information than reasonably necessary
- We do not serve behavioral advertising to children under 13
- We do not share children’s personal information with third parties except as necessary to provide educational services (as described in Section 4)
- All third-party processors handling children’s data maintain adequate privacy protections under DPAs
- Parents may review, update, or request deletion of their child’s information at any time by contacting privacy@shiminly.com
- Parents may refuse further collection of their child’s information and request deletion of existing data
10. FERPA Compliance (United States)
When Shiminly is used by schools or educational institutions, student education records may be protected under the Family Educational Rights and Privacy Act (FERPA). In these cases:
- Shiminly acts as a “school official” with a legitimate educational interest under FERPA
- We process student data under the institution’s direction and subject to FERPA requirements
- We do not use student education records for any purpose other than providing the educational services contracted by the institution
- We do not disclose student education records to third parties without the institution’s authorization, except as permitted by FERPA
11. US State Student Privacy Laws
When Shiminly contracts with schools or districts in US states with specific student data privacy laws, we comply with applicable requirements including but not limited to:
- New York Education Law 2-d: Data security and privacy plan for student data, supplemental DPA requirements.
- California SOPIPA: Student Online Personal Information Protection Act — prohibition on using student data for non-educational purposes, advertising, or profiling.
- Connecticut Student Privacy: Additional protections for student data collected through educational technology.
Institutional agreements with schools and districts include state-specific provisions as required. Contact legal@shiminly.com for state-specific compliance documentation.
12. GDPR Compliance (European Economic Area and United Kingdom)
For users in the European Economic Area (EEA) and United Kingdom, Shiminly complies with the General Data Protection Regulation (GDPR).
12.1 Data Controller
Shiminly Inc. is the data controller for personal data collected through shiminly.com and courses.shiminly.com. Our contact details are provided in Section 18.
12.2 Legal Basis for Processing
We process personal data on the legal bases described in Section 3.1: consent, contract performance, legitimate interest, and legal obligation.
12.3 Your GDPR Rights
In addition to the rights listed in Section 8, EEA and UK users have the right to:
- Request a copy of any Data Processing Agreements we have with processors handling your data
- Be informed about the existence of automated decision-making, including profiling (Shiminly does not currently use automated decision-making that produces legal or similarly significant effects)
- Lodge a complaint with your local supervisory authority (data protection authority)
12.4 International Data Transfers
Shiminly is based in the United States. When we transfer personal data from the EEA or UK to the US or other countries, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission in our DPAs with processors
- Adequacy decisions where applicable
- Binding Corporate Rules where applicable
Our key processors and their locations: LearnWorlds (EU/Greece), HubSpot (USA, SCCs), Stripe (USA, SCCs), PayPal (USA, SCCs), SendGrid/Twilio (USA, SCCs), Google (USA, SCCs), Meta (USA, SCCs).
12.5 Children Under GDPR
Under GDPR, the age of digital consent varies by EU member state (generally 13–16). Where a child is below the applicable age of consent, we require parental or guardian consent before processing their data. The parental consent mechanisms described in Section 9.1 apply.
13. India Digital Personal Data Protection Act (DPDPA 2023)
For users in India, Shiminly complies with the Digital Personal Data Protection Act, 2023 (DPDPA).
13.1 Shiminly as Data Fiduciary
Shiminly acts as a Data Fiduciary under the DPDPA, determining the purpose and means of processing personal data of Indian users.
13.2 Consent
We obtain free, specific, informed, unconditional, and unambiguous consent from Indian users before processing their personal data. Consent is obtained through clear affirmative action during enrollment or form submission. You may withdraw consent at any time by contacting privacy@shiminly.com. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
13.3 Children’s Data Under DPDPA
The DPDPA requires verifiable parental consent before processing personal data of children (persons under 18 in India). Shiminly:
- Requires verifiable parental consent for all Indian users under 18
- Does not undertake tracking, behavioral monitoring, or targeted advertising directed at children
- Does not process children’s personal data in any manner that could cause detrimental effect to the child
13.4 Rights of Indian Data Principals
Indian users have the right to:
- Access a summary of their personal data and processing activities
- Correct inaccurate or incomplete personal data
- Erase personal data that is no longer necessary for the purpose for which it was collected
- Nominate another individual to exercise their rights in case of death or incapacity
- Lodge a grievance with Shiminly and, if unresolved, with the Data Protection Board of India
13.5 Grievance Officer
For Indian users, our Grievance Officer can be reached at privacy@shiminly.com. We will acknowledge grievances within 48 hours and resolve them within 30 days.
14. UAE Personal Data Protection Law (PDPL)
For users in the United Arab Emirates, Shiminly complies with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and its implementing regulations.
14.1 Processing in the UAE
Shiminly serves schools, educators, and students in the UAE, including KHDA-approved programs. We process personal data of UAE users for legitimate educational purposes with appropriate consent.
14.2 Cross-Border Transfers
When transferring personal data of UAE users outside the UAE, we ensure adequate protections through contractual safeguards and compliance with UAE Data Office requirements.
14.3 Rights of UAE Data Subjects
UAE users have the right to access, correct, and request deletion of their personal data. Requests should be directed to privacy@shiminly.com.
15. Data Processing Agreements
Shiminly maintains Data Processing Agreements (DPAs) or equivalent contractual protections with all third-party processors that handle personal data on our behalf. These agreements ensure:
- Processors only process data on Shiminly’s documented instructions
- Processors implement appropriate technical and organizational security measures
- Processors do not engage sub-processors without Shiminly’s authorization
- Processors assist Shiminly in responding to data subject rights requests
- Processors delete or return data upon termination of services
- Processors submit to audits and inspections as required
DPAs are in place with: LearnWorlds, HubSpot, Stripe, PayPal, SendGrid (Twilio), Google (Analytics), and Meta (Facebook Pixel). Copies of relevant DPA provisions are available upon request to legal@shiminly.com.
16. California Consumer Privacy Act (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected, the sources of collection, our business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (such as legal retention requirements or completing a transaction).
- Right to Opt-Out of Sale: Shiminly does not sell personal information. We do not exchange personal data for monetary or other valuable consideration.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, quality, or service levels.
- Shine the Light: California residents may request information about personal data shared with third parties for direct marketing. Shiminly does not share personal data with third parties for their direct marketing purposes.
To exercise your CCPA rights, contact privacy@shiminly.com or call us. We will verify your identity before processing requests. You may also designate an authorized agent to submit requests on your behalf.
17. Additional International Privacy Laws
17.1 Brazil — Lei Geral de Proteção de Dados (LGPD)
For users in Brazil, Shiminly processes personal data in accordance with the LGPD. Brazilian users have the right to confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and the right to revoke consent. Contact privacy@shiminly.com to exercise your LGPD rights.
17.2 Canada — PIPEDA
For users in Canada, Shiminly complies with PIPEDA’s 10 fair information principles. Canadian users may file complaints with the Office of the Privacy Commissioner of Canada. For Quebec residents, additional protections under Quebec’s Law 25 apply.
17.3 Australia — Privacy Act 1988
For users in Australia, Shiminly complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988. Australian users may lodge complaints with the Office of the Australian Information Commissioner (OAIC).
17.4 South Africa — POPIA
For users in South Africa, Shiminly processes personal information in accordance with POPIA. Complaints may be lodged with the Information Regulator of South Africa.
17.5 Saudi Arabia — PDPL
For users in Saudi Arabia, Shiminly processes personal data in accordance with the Saudi PDPL. Saudi users may exercise their data rights by contacting privacy@shiminly.com.
17.6 Singapore — PDPA
For users in Singapore, Shiminly complies with the PDPA’s data protection obligations. Complaints may be directed to the Personal Data Protection Commission (PDPC).
17.7 General
For users in jurisdictions not specifically named above, Shiminly processes personal data in accordance with the highest applicable standard among the frameworks described in this policy. Contact privacy@shiminly.com for country-specific inquiries.
18. Do Not Track
Some browsers offer a “Do Not Track” (DNT) signal. Shiminly currently does not respond to DNT signals. However, you can opt out of tracking through our cookie consent banner and the browser-based controls described in Section 5.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date and notify users through our website or email. Your continued use of our services after changes constitutes acceptance of the updated policy. For material changes affecting children’s data, we will obtain renewed parental consent where required.
20. Contact Us
If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights, contact us at:
Shiminly Inc.
293 Boston Post Road, Suite 301
Marlborough, MA 01752, USA
- General Privacy Inquiries: privacy@shiminly.com
- Legal and Compliance: legal@shiminly.com
- Accessibility: accessibility@shiminly.com
- Safeguarding: safeguarding@shiminly.com
- Grievance Officer (India): privacy@shiminly.com
- Website: shiminly.com



