Privacy Policy

TECHBOX (“TECHBOX”, “we”, “us”, or “our”) respects your privacy. This Privacy Policy explains what personal data we collect about you when you use techbox-aec.com, how we use it, who we share it with, how long we keep it, and the rights you have over it.

This Policy is written to align with the EU General Data Protection Regulation (GDPR), where applicable to our visitors, and with the data protection laws applicable at our principal place of business.

1. Who we are

The data controller is TECHBOX, an official professional training centre providing vocational and technical training for working professionals — including industry protocols (such as KNX building and home automation), engineering software tools, and applied workplace skills.

TECHBOX is not a university, college, school, institute, academy, or any other accredited academic body, and we do not award academic degrees, diplomas, or formal academic qualifications. Our certificates are professional training certificates issued under our authority as a recognised training partner of the relevant official industry certification bodies, and they confirm completion of professional training — not academic study.

You can reach us at:

• Email: academy@techbox-aec.com
• Website: techbox-aec.com

2. Data we collect

We collect personal data in the following situations:

2.1 When you create an account

• Email address
• Display name (chosen by you)
• Password (stored as a one-way salted hash — we never see your plaintext password)
• If you sign in with Google: your Google account email, public profile name, and profile picture

2.2 When you purchase a course or session

• Billing first name and last name
• Email address (for receipts and access)
• Phone number (optional)
• Country (for tax compliance only)
• Payment information — handled directly by our payment processors (Stripe, PayPal). We never see or store your credit card number, CVV, or banking credentials.

2.3 When you enrol in courses or sessions

• Course/session enrolment records
• Lesson completion progress
• Quiz attempts and scores
• Certificate issuance records

2.4 When you visit our website

• IP address (used for security and to detect spam — anonymised after 30 days)
• Browser and device information
• Pages visited and time spent
• Cookies (see Section 7)

3. How we use your data

We use your personal data only for the following purposes, each with a lawful basis under the GDPR (where applicable):

• To provide the Service — manage your account, deliver courses, issue certificates (contractual necessity).
• To process payments — fulfil purchases and process refunds (contractual necessity).
• To send transactional emails — order receipts, course access details, certificate notifications, password resets (contractual necessity).
• To send marketing emails — newsletters and updates, only if you opt in (consent — you can withdraw any time).
• To improve the Service — analyse aggregated usage patterns to make courses better (legitimate interest).
• To prevent fraud and abuse — detect and prevent unauthorised access and payment fraud (legitimate interest).
• To comply with legal obligations — tax records, accounting, responding to lawful requests (legal obligation).

4. Certificates & public verification

Each professional training certificate we issue is publicly verifiable at techbox-aec.com/verify/{code}. The public verification page displays:

• The holder’s display name
• The course or session title
• The issue date
• The unique credential ID

This information is intentionally public so that employers and other interested parties can verify authenticity. It is the same model used by widely-adopted credentialing services such as LinkedIn Certifications and Credly. The verify page does not expose your email address, phone number, address, or any payment information.

If you do not want your certificate to be publicly verifiable, you may request anonymisation by emailing academy@techbox-aec.com. Note that anonymisation reduces the certificate’s value as a verifiable professional credential.

5. Who we share data with

We never sell your personal data. We share it only with the following categories of processors, who handle it on our behalf under strict contractual terms:

• Payment processors — Stripe and PayPal handle card data. They are PCI-DSS Level 1 certified.
• Email delivery — our hosting provider’s SMTP service for transactional emails.
• Hosting infrastructure — our website hosting provider stores our website and database.
• Google — only if you choose to sign in with Google (OAuth login).
• Zoom — for live sessions delivered via Zoom (subject to Zoom’s privacy policy).
• Legal authorities — when required by law or to enforce our Terms.

6. International data transfers

Some of our processors operate internationally, which may mean your personal data is transferred outside the jurisdiction where you live. Where such transfers involve users in the European Economic Area, they are protected by the EU Standard Contractual Clauses and equivalent safeguards.

7. Cookies

We use cookies for the following purposes:

• Strictly necessary — to keep you signed in, remember your cart, and provide secure checkout. Cannot be disabled.
• Functional — to remember preferences such as language. You can disable these in your browser settings.
• Analytics — we currently do not use third-party analytics cookies. If we add them in future, you will be asked to consent first.

8. How long we keep your data

• Account data — for as long as your account is active. Deleted within 30 days of you requesting account deletion.
• Enrolment & certificate records — retained indefinitely so that issued certificates remain verifiable. You may request anonymisation as described in Section 4.
• Order & payment records — kept for 7 years to comply with tax and accounting obligations.
• Email logs — 90 days.
• Security logs — 30 days.

9. Your rights

Under the GDPR and equivalent local laws, you have the right to:

• Access — request a copy of all personal data we hold about you.
• Rectification — correct inaccurate or incomplete data. You can update most fields directly from your account dashboard.
• Erasure — request deletion of your account and associated data. We will retain only what is legally required.
• Restrict processing — ask us to pause certain processing while we investigate a concern.
• Portability — receive your data in a structured, machine-readable format.
• Object — object to processing based on legitimate interest.
• Withdraw consent — unsubscribe from marketing emails at any time using the link in each email or by emailing us.
• Lodge a complaint — file a complaint with your local data protection authority if you believe your rights have been violated.

To exercise any of these rights, email academy@techbox-aec.com. We will respond within 30 days.

10. Security

We protect your data with industry-standard measures, including:

• HTTPS encryption for all data in transit (TLS 1.2+);
• Salted password hashing (bcrypt);
• Web application firewall and brute-force protection (Wordfence);
• Regular software updates and security patches;
• Encrypted backups with limited access;
• Principle of least privilege for staff access.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security but we will notify affected users without undue delay if a data breach poses a risk to their rights.

11. Children

Our Service is intended for working professionals aged 16 and over. We do not knowingly collect data from children under 16. If you believe we have collected data from a child, please contact us so we can delete it.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced via email to registered users. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13. Contact us

Questions, requests, or concerns about your privacy? Reach us at academy@techbox-aec.com. We aim to respond to all enquiries within 5 business days.