Privacy Policy

Effective Date: December 21, 2025

This Privacy Policy describes how BENED ("we," "our," or "us") collects, uses, and protects your information when you use our platforms and mobile applications, including bened.works, civic.bened.works, and BENED mobile apps such as Teach Me Daddy.

1. Data Collection and Storage

Locally Stored Data (Moodle Database)

We collect and store the following information in our local database:

  • User identification: User IDs for students and instructors
  • Course information: Course IDs associated with payments/subscriptions
  • Payment records: Transaction amounts, commission amounts, payment status, timestamps
  • Subscription records: Active subscriptions, subscription status, billing period dates, cancellation status
  • Stripe account information: Stripe Connect account IDs for instructors, account status (charges/payouts enabled)
  • Authentication tokens: Stripe access tokens and refresh tokens (stored securely, never displayed)
  • Webhook logs: Event data from Stripe for auditing and troubleshooting
  • Group assignments: Automatic group assignments based on subscription tiers

Authentication Data (Keycloak Identity Server)

We use Keycloak as our central identity provider for single sign-on (SSO) across our platforms. Keycloak stores and manages the following authentication data:

  • User account information: Email address, first name, last name, username/handle (preferred_username)
  • Authentication credentials: Encrypted passwords (never stored in plain text)
  • User identifier: Unique user ID (sub claim) for account identification
  • Session data: Active authentication sessions and tokens
  • User roles: Platform roles and permissions (e.g., member, founding_member, creator, admin)

This authentication data enables single sign-on access to both bened.works and civic.bened.works (Moodle) without requiring separate logins.

Data Sent to Stripe

When processing payments, we share the following information with Stripe:

  • Customer information: Email address, full name
  • Payment information: Payment amounts, currency, payment method details (via Stripe.js)
  • Metadata: Moodle user ID, course ID, subscription ID, invoice ID, customer ID, Stripe account ID, Moodle site URL
  • Billing details: Payment method information (processed securely by Stripe)

2. Purpose of Data Collection

We collect and use your data for the following purposes:

  • Authentication and account management: Providing secure login, user registration, and single sign-on (SSO) access across bened.works and civic.bened.works (Moodle)
  • User identification: Identifying users across our platform ecosystem using unique identifiers
  • Processing payments for course access
  • Managing recurring subscriptions
  • Calculating and distributing commissions between platform and course creators
  • Enrolling users in courses upon successful payment
  • Assigning users to course groups based on subscription tiers
  • Compliance and record-keeping for financial transactions
  • Troubleshooting payment issues via webhook event logs
  • Verifying Stripe Connect account status for course creators

3. Third-Party Services

Keycloak (Bened Identity Server)

Keycloak: We use Keycloak as our central identity provider (hosted at auth.bened.works) for authentication and single sign-on (SSO) across our platform ecosystem. Keycloak stores and manages your authentication credentials, user profile information, and enables seamless access to bened.works and civic.bened.works (Moodle) with a single login.

Data shared with Keycloak includes: email address, first name, last name, username/handle, encrypted password, and user roles. Keycloak operates on our infrastructure and is subject to the same security and privacy standards as our platform.

Keycloak uses industry-standard OAuth2/OpenID Connect protocols for secure authentication. For more information about Keycloak, visit keycloak.org.

Stripe, Inc.

Stripe, Inc.: We use Stripe for payment processing and subscription management. Data is shared with Stripe for payment processing purposes.

Stripe Connect enables course creators to receive payments directly through our platform.

For more information about how Stripe handles your data, please review Stripe's Privacy Policy.

4. Data Sharing

We share your data in the following circumstances:

  • With Keycloak (Bened Identity Server): Authentication credentials, user profile information (email, name, username), and session data for the purpose of providing secure authentication and single sign-on access across our platforms
  • With Stripe: Payment data, customer information, subscription details
  • With course creators: Payment amounts, commission splits, subscription status (for their courses only)
  • With platform administrators: All transaction data for accounting and compliance
  • Cross-platform SSO: When you use single sign-on, your authentication data (user ID, email, name, username) is shared between bened.works and civic.bened.works (Moodle) to enable seamless access without requiring separate logins

5. Data Retention

  • Authentication data: Retained in Keycloak while your account is active. You may request account deletion, subject to legal and compliance requirements
  • Transaction records: Retained for accounting and compliance (typically 7+ years)
  • Subscription records: Maintained while active and after cancellation for historical records
  • Webhook events: Stored for auditing and troubleshooting
  • Stripe account information: Retained while account is active

6. User Rights

You have the following rights regarding your data:

  • Account management: Users can update their profile information (name, email, username) through their account settings or by contacting support
  • Access: Users can view their subscription history via "My Subscriptions"
  • Cancellation: Users can cancel subscriptions at any time
  • Account deletion: Users can request deletion of their authentication account and associated data (subject to legal/compliance requirements)
  • Data deletion: Users can request deletion of their data (subject to legal/compliance requirements)
  • Payment method: Users can update payment methods through Stripe's interface

7. Security Measures

  • Authentication: All authentication is handled through Keycloak using industry-standard OAuth2/OpenID Connect protocols with encrypted password storage
  • Single Sign-On (SSO): Secure token-based authentication enables access across platforms without storing credentials locally
  • Payment data: Never stored locally; processed securely through Stripe
  • Authentication tokens: Stored securely and never displayed
  • SSL/TLS: All data transmission encrypted
  • PCI compliance: Handled by Stripe (platform does not store card details)

8. Payment Processing Details

  • Payment methods: Credit/debit cards (processed by Stripe)
  • Recurring payments: Automatic billing for subscriptions
  • Refunds: Processed according to course creator policies and Stripe's terms
  • Commission: Platform receives a percentage of each payment; remainder goes to course creator

9. International Data Transfers

Data may be transferred to Stripe's servers, which may be located outside your country of residence. Stripe complies with applicable data protection regulations, including GDPR and other relevant laws.

10. Cookies and Tracking

  • Stripe.js: Uses cookies for payment processing (see Stripe's privacy policy)
  • No additional tracking cookies are set by the plugin

11. Children's Privacy

BENED is committed to protecting children's privacy. Our approach to children's data varies by service and follows the Children's Online Privacy Protection Act (COPPA) and similar regulations worldwide.

Main Platform (bened.works, civic.bened.works)

Our main web platforms are intended for users 18 years of age or older. Account creation and payment processing require users to be of legal age in their jurisdiction. We do not knowingly collect personal information from children under 18 on these platforms.

Mobile Applications (Parent-Mediated Model)

Certain BENED mobile applications, such as Teach Me Daddy, are designed for parents to create educational content for their children. These apps follow a parent-mediated model:

  • Only parents/guardians create accounts: Children do not create accounts, log in, or provide any personal information
  • Children are passive viewers: Children may view content created by their parents but do not input data, create profiles, or interact with data collection features
  • No direct data collection from children: We do not knowingly collect personal information directly from children under 13 (or the applicable age in your jurisdiction)
  • Parent-controlled content: All content creation, sharing decisions, and account management is performed by the adult account holder

Future Applications

Future BENED applications that allow children to interact with educational features will continue to follow the parent-mediated model. Any interactive features for children will:

  • Require parental account oversight
  • Not collect personal information from children without verifiable parental consent
  • Provide parents with full visibility and control over their child's activity
  • Not include targeted advertising or behavioral tracking of children

Parental Rights

Parents and guardians have the right to:

  • Review any information associated with their family account
  • Request deletion of their account and all associated data
  • Control what content is created and shared
  • Revoke access to shared content at any time

If you believe we have inadvertently collected information from a child without appropriate parental consent, please contact us immediately and we will promptly delete such information.

13. Mobile Applications

This section describes data practices specific to BENED mobile applications.

Teach Me Daddy App

Teach Me Daddy is a family education app that enables parents to create personalized learning content (slides, audio/video recordings) for their young children. The app is designed for use by adults; children do not create accounts or input data.

Data Collection

Account Data (Adults Only):

  • Account authentication via Keycloak (same as main platform)
  • Email address, name, username
  • Family circle connections (other users you invite to share content)

User-Generated Content:

  • Educational slides and presentations created by parents
  • Audio/video recordings created by parents
  • Content metadata (titles, descriptions, creation dates)

Device and Usage Data:

  • Device type, operating system version, and app version
  • Push notification tokens (if notifications are enabled)
  • Basic app usage statistics for troubleshooting

Data Storage

Local-First Architecture: Your recordings and educational content are stored locally on your device. You maintain full control over your content.

Temporary Cloud Storage for Sharing: When you choose to share content with family circle members, content is temporarily uploaded to our servers with the following protections:

  • Encrypted: All shared content is encrypted during transfer and storage
  • Time-Limited: Shared content automatically expires and is deleted after 30 days
  • Download-Triggered Deletion: Content is removed sooner once the recipient downloads it
  • No Permanent Storage: We do not retain copies of your content after expiration

This approach ensures your family's content remains yours—we facilitate sharing without warehousing your data.

Children's Privacy in Teach Me Daddy

Teach Me Daddy is designed for parents to create content for their children. Children do not create accounts, log in, or input any personal data. The app includes a "child viewing mode" for watching content, but all account management, content creation, and data entry is performed by the parent account holder.

We do not knowingly collect personal information from children through this app. All data collection occurs through adult parent accounts only.

Family Circle Sharing

You may invite other users to your family circle to share educational content. When you do:

  • Invited users can view content you choose to share
  • You control what content is shared and can revoke access at any time
  • Connection requests require acceptance by both parties
  • Shared content uses our temporary encrypted storage (see above)

What We Don't Do

  • We do not sell your data or user-generated content
  • We do not use your content for advertising or marketing
  • We do not analyze or train AI models on your family's recordings
  • We do not retain content beyond the 30-day sharing window
  • We do not share your content with third parties
  • We do not track or profile children who view content

14. App-Specific Privacy Notices

Individual BENED applications may have additional privacy disclosures specific to their features. When applicable, these will be available at:

All BENED applications follow the same core privacy principles:

  • Minimal data collection—only what's necessary for functionality
  • Local-first storage where possible
  • No selling of user data
  • No targeted advertising
  • Parent-mediated model for family applications
  • Transparent data practices

App-specific privacy pages provide detailed information tailored to each application's features while adhering to this overarching policy.

15. Contact Information

For privacy inquiries, data access requests, data deletion requests, or to report security concerns, please contact us:

Contact Us

Policy Updates: We may update this Privacy Policy from time to time. The effective date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.