EdukoEduko← Back to Login

Privacy Policy

Effective Date: 15 February 2026 Last Updated: 15 February 2026

Important: This Privacy Policy has been prepared in accordance with the Prevention of Electronic Crimes Act (PECA) 2016 of Pakistan and international data protection best practices. This document should be reviewed by a qualified legal professional before enforcement.

1. Who We Are

Eduko.ai (Learning & Understanding in Medical Intelligence Systems) is an AI-powered medical education platform developed and operated by Eduko.ai ("we", "us", "the Platform") on behalf of Client University, Karachi, Pakistan ("the Institution", "the University").

  • Data Controller: Client University — determines the purposes and means of processing student data.
  • Data Processor: Eduko.ai — processes data on behalf of the Institution to operate and maintain the Platform.

2. Data We Collect

We collect the following categories of data when you use the Platform:

a) Account Information

Full name, email address, password (stored in hashed form only), assigned role (Student or Admin), and profile avatar.

b) Academic & Learning Data

Course enrolment records, lesson completion status, time spent on lessons, quiz and assessment scores, quiz answers and attempt history, grade records, and spaced repetition review data.

c) Gamification Data

Professional Development Unit (PDU) balances and transaction history, badges earned, streak records, and leaderboard rankings.

d) Usage & Technical Data

Login timestamps, IP addresses, browser type and version, device information, pages visited within the Platform, and notification interaction records.

e) Uploaded Content

Course materials, documents, images, and video files uploaded by faculty and administrators in the course of creating educational content.

3. How We Use Your Data

  • Delivering education services: providing course content, tracking your progress, recording assessment results, and calculating grades.
  • Engagement & motivation: operating the gamification system including PDU awards, badges, streaks, and leaderboards.
  • Personalised learning: powering the spaced repetition review system to optimise your retention of medical knowledge.
  • Institutional reporting: providing Client University with aggregated and individual academic progress reports.
  • Platform security: detecting and preventing unauthorised access, fraud, and abuse.
  • Communication: sending you notifications about course updates, quiz results, badge achievements, and platform announcements.
  • Improvement & analytics: analysing usage patterns to improve the Platform's features and user experience.

4. Legal Basis for Processing

  • Contractual necessity: processing is necessary to provide you with the educational services you have enrolled in at Client University.
  • Consent: where you provide explicit consent, such as opting into email notifications or accepting these terms upon account creation.
  • Legitimate interest: ensuring platform security, preventing academic dishonesty, and improving the learning experience.
  • Legal obligation: compliance with applicable Pakistani laws, including the Prevention of Electronic Crimes Act (PECA) 2016 and any directives from the Pakistan Telecommunication Authority (PTA).

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data to third parties. Your data may be shared only in the following circumstances:

  • Client University: academic progress, assessment results, and enrolment data are shared with the Institution as the Data Controller.
  • Infrastructure providers: we use Amazon Web Services (AWS) for hosting, storage, and email delivery. AWS processes data in accordance with their data processing agreement and applicable security certifications.
  • Error monitoring: anonymised error reports may be sent to Sentry for platform stability monitoring. No personal academic data is included.
  • Legal requirements: we may disclose data if required by Pakistani law, court order, or lawful request from the Federal Investigation Agency (FIA) or other competent authority under PECA 2016.

6. Data Security

We implement industry-standard security measures to protect your data:

  • All passwords are hashed using bcrypt before storage — we never store passwords in plain text.
  • All data in transit is encrypted using TLS/HTTPS.
  • All data at rest is encrypted using AES-256 encryption on AWS.
  • Access to production systems is restricted to authorised Eduko.ai personnel on a need-to-know basis.
  • Security headers (CSP, HSTS, X-Frame-Options) are enforced on all responses.
  • Rate limiting is applied to authentication endpoints to prevent brute-force attacks.
  • Audit logs record all administrative actions for accountability.

While we take all reasonable precautions, no system is completely secure. If you become aware of any security vulnerability or unauthorised access to your account, please contact us immediately.

7. Your Rights

As a user of the Platform, you have the following rights regarding your personal data:

  • Right of access: you may request a copy of the personal data we hold about you.
  • Right of correction: you may request correction of any inaccurate personal data.
  • Right to withdraw consent: you may withdraw consent for optional processing (such as email notifications) at any time through your notification preferences.
  • Right to complain: you may lodge a complaint with the Pakistan Telecommunication Authority (PTA) or other relevant regulatory body if you believe your data is being processed unlawfully.

Note: Academic records and assessment data are retained by the Institution as part of your official academic record and cannot be deleted upon individual request. Requests relating to academic records should be directed to Client University's registrar office.

8. Data Retention

  • Academic records (enrolment, grades, assessment scores) are retained for the duration of your academic relationship with the Institution and for a minimum of 7 years after graduation or departure, in line with standard educational record-keeping practices in Pakistan.
  • Account data is retained for as long as your account is active. Deactivated accounts are retained for 1 year before permanent deletion.
  • Usage & technical data (logs, IP addresses) is retained for 90 days for security and diagnostic purposes.
  • Uploaded content is retained for as long as the associated course is active. Content from archived courses is retained for 1 year after archival.

9. Cookies & Tracking

The Platform uses only essential cookies required for authentication and session management. We do not use advertising cookies, marketing trackers, or third-party analytics cookies. Specifically:

  • Session cookie: a secure, HTTP-only cookie that maintains your login session. Expires after 24 hours of inactivity.
  • CSRF token: a security cookie that prevents cross-site request forgery attacks.

No third-party cookies are set. We do not participate in cross-site tracking or behavioural advertising.

10. Minors & Parental Consent

The Platform is designed for enrolled medical students at Client University. Most users are expected to be 18 years of age or older. In the event that a user is under 18, the Institution is responsible for obtaining appropriate parental or guardian consent in accordance with Pakistani law prior to account creation.

11. Cross-Border Data Transfers

The Platform is hosted on Amazon Web Services (AWS). While we endeavour to use AWS regions geographically close to Pakistan, your data may be processed in data centres outside Pakistan for infrastructure reliability purposes. Such transfers are governed by AWS's data processing agreements and industry-standard security certifications (SOC 2, ISO 27001).

We ensure that any cross-border data transfer is accompanied by appropriate safeguards and complies with applicable Pakistani regulations.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via an in-app notification and update the "Last Updated" date at the top of this page. Continued use of the Platform after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact:

Platform Operator Eduko.ai Email: privacy@eduko.ai

Institution Client University 4/B, Shahrah-e-Ghalib, Block 6, Clifton, Karachi, Pakistan Website: www.zu.edu.pk

← Back to LoginTerms of Use →