Privacy policy
foyl Learn (learn.foyl.io, operated by foyl — "we") is a free cybersecurity learning platform. This policy explains what we collect when you create an account, why, and what rights you have. Short version: we collect the minimum needed to run accounts and progress tracking, we sell nothing, and we run no third-party trackers.
What we collect
| Data | Source | Why (lawful basis) |
|---|---|---|
| Email address | You, or your GitHub account | Account identity, sign-in links (contract) |
| Display name & avatar | Your GitHub profile (GitHub sign-in only) | Showing you your account (contract) |
| GitHub account ID | GitHub (GitHub sign-in only) | Linking your login (contract) |
| Account type (student / instructor) | Your choice at sign-up | Tailoring the platform (contract) |
| Learning progress (labs, tools, scenarios, certs — status, scores, checkpoints) | Your activity on the platform | Progress tracking — the point of the account (contract) |
| Class membership (if you join an instructor's class with an invite code) | Your choice | Letting your instructor see your progress (contract) |
| Sign-in events and session timestamps | Your activity | Security, abuse prevention (legitimate interest) |
We never collect passwords, because there are none: sign-in is by GitHub or single-use email links only.
What we deliberately do not store: IP addresses (raw or hashed) and browser user-agents are never written to sessions, tokens, or audit logs. Hashed IPs exist only inside transient rate-limit counters that are purged within 24 hours. Site analytics are aggregate daily counters per page with no link to any account.
Instructor visibility: if you join a class, that class's instructor can see your name/email, your progress, checkpoints, and certificates — that's the feature. Leave the class (or ask the instructor to remove you) to stop sharing; your progress itself stays yours.
Processors
- Cloudflare — hosting, database, and email delivery infrastructure.
- GitHub — only if you choose "Continue with GitHub"; GitHub's own privacy policy governs what GitHub does.
- Google Fonts — typefaces are loaded from Google's CDN; Google may see your IP in that request.
No analytics providers, no advertising networks, no data brokers.
Retention
- Account and progress data: kept while your account exists.
- Sessions: expire after 30 days of inactivity and are then deleted.
- Sign-in links: expire after 15 minutes; consumed or expired tokens are purged.
- Security audit events: kept up to 12 months, then purged.
Your rights
Under GDPR/UK GDPR you can access, export, correct, and erase your data. The two core rights, export and erasure, are self-service on the privacy & data page: "Export my data" downloads everything as JSON (profile, progress, checkpoints, classes, activity); "Delete my account" permanently erases progress, checkpoints, class memberships, and sessions, and anonymizes your profile and activity log. For anything else, contact support@foyl.io.
Cookies
Covered in the cookie policy. All cookies are strictly necessary; there are no advertising or analytics cookies.
Changes
Material changes to this policy will be flagged on the sign-in page and the consent banner will re-prompt.