Lyceum Protocol ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Learn-to-Earn education platform ("Platform").
By using the Platform, you consent to the data practices described in this policy.
2. Information We Collect
2.1 Information You Provide
Wallet Address: When you connect your cryptocurrency wallet via Sign-In with Ethereum (SIWE), we collect your public wallet address
Email and Password: If you register with email authentication, we collect your email address and store a securely hashed version of your password
Profile Information: Display name, avatar, and other optional profile details you choose to provide
Academy Content: If you are a Deployer, course content, quiz questions, and academy configuration data
Security Data: IP addresses, browser fingerprints, and behavioral patterns for anti-fraud purposes
Transaction Data: On-chain transaction hashes, reward distribution records, and payment information
Device Information: Browser type, operating system, and device identifiers
2.3 Blockchain Data
Please be aware that blockchain transactions are public and permanent. Wallet addresses, token transfers, SBT diploma mints, and proof registry entries recorded on the Kasplex L2 zkEVM network are publicly visible and cannot be deleted or modified by us.
3. How We Use Your Information
We use collected information for the following purposes:
Platform Operation: To provide, maintain, and improve the Platform's functionality
Authentication: To verify your identity and manage your session
Reward Distribution: To process and deliver token rewards, points, badges, and diplomas
Anti-Fraud: To detect, prevent, and investigate suspicious activity, reward farming, and abuse
Analytics: To generate aggregated analytics for academy Deployers and platform improvement
Billing: To process subscription payments and manage invoicing
Communications: To send essential service notifications, including email verification and password reset emails
Leaderboards: To display public rankings based on XP, points, and achievements
4. Data Sharing and Disclosure
We do not sell your personal information. We may share data in the following circumstances:
Academy Deployers: Deployers can view aggregated analytics and learner progress data for their academy. This includes completion rates, scores, and point balances, but not personal authentication credentials
Public Blockchain: Transaction data, proof hashes, and SBT metadata are recorded on public blockchains and are permanently visible
Public Leaderboards: Display names and XP totals may appear on public leaderboard pages
Service Providers: We use third-party services for email delivery (Resend), payment processing (KasperoPay), and file storage (Replit Object Storage)
Legal Requirements: We may disclose information when required by law or to protect our rights and safety
5. Data Isolation
Academy data is isolated. Deployers can only access analytics, learner data, and content for their own academy. Cross-academy data is never shared between Deployers. Platform-level XP and leaderboards are global but contain only public display information.
6. Data Security
We implement security measures to protect your information, including:
Encrypted session management (HttpOnly cookies with iron-session)
Password hashing with bcrypt
CSRF protection on all mutating API endpoints
Database-backed rate limiting to prevent abuse
Server-side session validation
Input sanitization to prevent injection attacks
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Specifically:
Account Data: Retained until account deletion is requested
Progress Data: Retained for the lifetime of the associated academy
Security Logs: Retained for up to 12 months for anti-fraud purposes
Blockchain Data: Permanent and immutable — cannot be deleted
Billing Records: Retained as required by applicable tax and accounting regulations
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate data
Deletion: Request deletion of your account and associated off-chain data (note: on-chain data cannot be deleted)
Data Export: Request an export of your data in a portable format
Objection: Object to processing of your data for certain purposes
To exercise these rights, please contact us through the Platform's support channels.
9. Cookies and Session Management
We use encrypted session cookies (lyceum_protocol_session) to manage your authentication state. These are:
HttpOnly (not accessible to JavaScript)
Encrypted using iron-session
Expire after 24 hours of inactivity
Essential for Platform operation and cannot be disabled
We do not use third-party tracking cookies or advertising cookies.
10. Children's Privacy
The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that information.
11. International Data Transfers
Your information may be processed and stored in locations outside your country of residence. By using the Platform, you consent to the transfer of your information to these locations, which may have different data protection laws than your jurisdiction.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Your continued use of the Platform after any changes constitutes acceptance of the revised policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us through the Platform's support channels or at the contact information provided on our website.