Effective Date: June 14, 2026
Last Updated: June 14, 2026
Ivy Socrates (“we,” “our,” or “us”) is committed to protecting the privacy and security of our international users, parents, and students. This Privacy Policy outlines our strict data collection, localization, processing, and security practices for the website located at https://ivysocrates.com (the “Site”) and all associated digital academic resources, strategic consulting services, and premium educational software tiers (collectively, the “Services”).
1. DEFINITIONS & SCOPE OF CONTROLLERSHIP
To ensure absolute legal clarity regarding your data, this Policy distinguishes between different operational layers of our Services:
- Ivy Socrates as Data Controller: For all information collected via newsletter signups, diagnostic tool submissions, free tier evaluations, voluntary contact forms, and our self-hosted Customer Relationship Management (CRM) infrastructure, Ivy Socrates acts as the primary Data Controller under global data protection frameworks.
- Merchant of Record (MoR) as Independent Financial Controller: All commercial transactions and premium tier software purchases on the Site are processed exclusively via an external Merchant of Record (such as Paddle or Lemon Squeezy). The MoR acts as the legal principal retail seller of the licenses granted by Ivy Socrates. Consequently, the MoR operates as an Independent Data Controller for all financial, billing, fraud-detection, and local sales tax/VAT compliance data. Ivy Socrates does not collect, view, route, or store any credit card, debit card, or banking infrastructure details on its local servers.
2. DATA MINIMIZATION: WHAT WE COLLECT & WHAT WE EXPLICITLY EXCLUDE
We enforce a strict policy of data minimization. We only collect the minimal personal information necessary to deliver high-quality academic consulting and digital resources.
A. Data We Intentionally Collect
- Identity & Contact Data: First name, last name, and email address, provided voluntarily when subscribing to our newsletters or creating an account.
- Diagnostic & Academic Data: Grade level, academic goals, exam tracking inputs (e.g., AP Calculus diagnostic metrics), and voluntary textual descriptions submitted through our secure form fields.
- Technical & Routing Data: Anonymized IP addresses, approximate geographic location data derived via server-side routing, and basic device properties necessary for security monitoring and localized code execution.
B. Data We Explicitly Exclude and Never Collect
We do not request, process, or store any of the following categories of data:
- Biometric or genetic data.
- Criminal records or histories.
- Sensitive personal identifiers (e.g., Social Security Numbers, National IDs).
- Health, physical, or mental condition disclosures.
- Financial Account Credentials: As stated in Section 1, all financial transactions are processed entirely off-site by our MoR.
3. INFRASTRUCTURE & DATA LOCALIZATION CLARITY
Ivy Socrates operates out of Nairobi, Kenya, entirely as a digital exporter of services. We do not sell to, market to, or collect data from domestic consumers within Kenya.
A. Global Infrastructure Routing
Our technical infrastructure is optimized for international security and speed:
- Hosting Enviornment: The Site is built on a self-hosted WordPress architecture running entirely on secure, dedicated Hostinger enterprise servers.
- Data Center Locations: All data pipeline routes and databases are physically hosted in enterprise-grade data centers located in the United States and the European Union. Your personal information does not touch, pass through, or reside on servers located within Kenya or India.
- First-Party Isolation: Our email marketing and CRM infrastructure run locally via FluentCRM on our isolated Hostinger database. Your data is never synced to third-party multi-tenant SaaS marketing clouds.
B. Lawful Cross-Border Data Transfer Mechanisms
For European Union (EU) and United Kingdom (UK) residents, transfers of personal data out of the European Economic Area (EEA) to our enterprise server infrastructure are governed by Standard Contractual Clauses (SCCs) executed with our hosting providers, ensuring data protection thresholds match or exceed GDPR requirements. For compliance with the Kenyan Data Protection Act (KDPA), all cross-border movements of operational configurations are protected by hardware-level AES-256 encryption.
4. UNITED STATES STATE PRIVACY RIGHTS COMPLIANCE MATRIX
(Complying with CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA, and UCPA)
This section applies solely to residents of United States jurisdictions.
A. Consumer Rights Framework
If you reside in a US state with comprehensive privacy legislation, you possess specific legal rights regarding your personal data:
| Right | Description |
| Right to Know / Access | You have the right to request a disclosure of the specific pieces of personal information we have collected about you. |
| Right to Correction | You have the right to request that we correct inaccuracies in your personal information. |
| Right to Deletion | You have the right to request the total erasure of personal data collected via our CRM and form modules. |
| Right to Data Portability | You have the right to receive your data in a portable, technically feasible, and readily usable format. |
| Right to Non-Discrimination | We will never deny services, vary prices, or provide a different level of quality if you choose to exercise your privacy rights. |
B. Advertising Disclosures, Analytics, and Your Right to Opt-Out
We utilize Google Analytics 4 (GA4) to analyze site traffic and user behavior. Our optimization frameworks differ based on your geographic region:
- European Union & UK Traffic: Google Signals and cross-device tracking are entirely disabled.
- United States & Global Traffic: Google Signals and advanced settings for ads personalization are active. Google Analytics collects information about your traffic via Google advertising cookies and anonymous identifiers, enabling cross-device audience insights and remarketing optimization.
Under specific US state privacy frameworks (including California and Texas), the activation of these cross-device tracking mechanisms for tailored marketing is legally classified as “Sharing” or processing personal data for targeted or cross-context behavioral advertising.
- No Monetary Sale: Ivy Socrates does not sell your personal information to third parties for monetary compensation.
- Right to Opt-Out of Targeted Advertising: You have the absolute right to direct us not to process or share your data for cross-context behavioral marketing. To exercise your opt-out rights, you can utilize standard browser-level Global Privacy Control (GPC) signals, adjust your localized device ad settings, or contact our privacy desk directly at hezron@ivysocrates.com with the subject line “Do Not Share My Personal Info for Targeted Advertising”. We will process your request free of charge within standard statutory timelines.
To exercise any of your US state rights, please submit a verifiable request to our security endpoint: hezron@ivysocrates.com.
5. GDPR & EUROPEAN ePRIVACY COMPLIANCE MODULE
For citizens and residents of the European Union, European Economic Area, and the United Kingdom, we strictly process data under the legal bases outlined in Article 6 of the General Data Protection Regulation (GDPR).
A. Geolocation Privacy Shield & Consent Architecture
We utilize an automated Geolocation Privacy Shield via custom server scripts running on our Content Delivery Network (Cloudflare):
- EEA / UK Traffic: Visitors detected within the EU/UK are immediately presented with a symmetrical, granular cookie banner. All tracking scripts, including anonymized GA4 tracking, are entirely blocked from executing until you provide explicit, affirmative opt-in consent.
- Symmetrical Control: Rejecting cookies is as simple as accepting them via a single-click “Reject All” interaction.
- Non-EEA Traffic: Visitors outside the EEA/UK bypass the opt-in banner and are tracked under standard, anonymized analytics opt-out frameworks.
B. Your Rights Under the GDPR
You have the right to access, rectify, or erase your personal data, the right to restrict processing, the right to data portability, and the right to object to processing. Where processing is based on your explicit consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To enforce these rights, please contact our data controller at hezron@ivysocrates.com. You also retain the right to lodge a formal complaint with your local European Supervisory Authority.
6. DATA RETENTION, CYBERSECURITY FRAMEWORKS, & LIABILITY PROTECTION
A. Retention Metrics
Data collected via our secure Fluent Forms and managed inside our self-hosted FluentCRM pipeline is kept only for as long as necessary to fulfill academic consultation obligations or maintain active newsletter delivery. If an account or communication sequence remains entirely inactive for a continuous period of twelve (12) months, your identity profile is automatically pruned and permanently deleted from our active databases.
B. Cybersecurity Infrastructure
Because we run a self-hosted environment, we deploy rigorous defense-in-depth protocols to isolate and protect your data:
- Encryption: All data in transit is forced over Hypertext Transfer Protocol Secure (HTTPS) using TLS 1.3 encryption.
- Server Firewalls: Our Hostinger application layer is guarded by enterprise-grade Web Application Firewalls (WAF) coupled with active security monitoring (via Wordfence Security configurations) to instantly block brute-force attacks and unauthorized database injections.
- Database Isolation: Our CRM database operates on isolated relational tables with randomized prefixes and strict access tokens, ensuring it is unreachable by standard web directory sweeps.
C. Total Liability Limitation for Third-Party Links & Financial Handshakes
Our Site contains links to external platforms and utilizes an embedded handshake with our chosen Merchant of Record for billing. Ivy Socrates exercises zero administrative or architectural control over the security frameworks of these third-party entities. Once you transition to an external checkout interface managed by the MoR, you are bound by their independent privacy policies, and Ivy Socrates disclaims all legal liability for data processing activities occurring within those payment environments.
7. CONTACT AND COMPLIANCE ENFORCEMENT
For all inquiries, verification requests, or exercises of statutory privacy rights across any global jurisdiction, please direct your communication to our dedicated technical privacy desk:
Email: hezron@ivysocrates.com
Corporate Platform: Ivy Socrates
Operational Nexus: Nairobi, Kenya (Digital Service Export Branch)
