Privacy Policy

Effective date: [Effective Date]
Hau Giang Community College — HGCC Digital Education System
Privacy & Data Protection

1. Introduction

This Privacy Policy explains how Hau Giang Community College ("we", "us", "HGCC") collects, uses, discloses, stores and deletes personal and sensitive data when you use our digital education platform hosted at haugiangcu.com. The platform supports video-based coursework, attendance tracking and student interaction through YouTube integration.

2. Data We Collect

We collect the minimum information necessary to provide the service:

  • Google account info: OpenID user ID, name, email and profile picture (via OAuth).
  • YouTube-related data: video IDs, channel IDs, video metadata (title, description), comment content and statistics (view count, like count) when you interact with assigned videos.
  • Attendance & assignment metadata: timestamps, session IDs, course and assignment identifiers.
  • Technical logs: IP address, browser and device information for security and diagnostics.

3. Why We Use This Data

We process data to provide and improve our educational services:

  • Authenticate users and manage access to the platform.
  • Attach and manage video-based assignments and verify student participation.
  • Allow students to post comments on assigned YouTube videos as part of coursework and to record those submissions for grading.
  • Provide lecturers with analytics and class engagement metrics.
  • Detect and prevent abuse, and maintain platform security.
We do not sell personal data. Data is used strictly for educational purposes within HGCC.

4. YouTube OAuth Scopes — Why We Request Each Scope

Our platform integrates with YouTube APIs to enable teacher uploads, student interactions, and safe content management. We request the following OAuth scopes only for the explicit academic purposes described below:

Requested Scopes (submitted for verification)

  • https://www.googleapis.com/auth/youtube.readonly — Read video metadata, playlists, statistics and comments so students and instructors can view course materials and activity status.
  • https://www.googleapis.com/auth/youtube — Manage comments and perform non-upload write actions required for student engagement and assignment interactions.
  • https://www.googleapis.com/auth/youtube.upload — Allow authorized lecturers to upload video lectures and assignment materials directly from the platform to a connected YouTube account.
  • https://www.googleapis.com/auth/youtubepartner — Retrieve advanced content and ownership metadata that supports safe content management and reporting for instructors (used only when a lecturer's account requires partner-level reporting).

Important: These scopes are used exclusively for educational operations (instructor uploads, student assignment comments, and reporting). We do not use these permissions for advertising, selling or sharing data outside of the institution.

5. Sensitive Data Protection Mechanisms

We maintain strict technical and organizational safeguards to protect sensitive data (including OAuth tokens and YouTube content):

  • Transport encryption: All traffic to and from our site is protected using HTTPS/TLS.
  • Token storage: OAuth access and refresh tokens are stored server-side and encrypted at rest using industry-standard encryption (AES-256). Tokens are never stored in local storage or exposed to client-side JavaScript.
  • Least privilege: The application requests only the scopes necessary for the declared educational features; elevated scopes are limited to lecturer workflows only.
  • Access controls: Database access to personal data is restricted to authorized server processes and designated administrative accounts. Principle of least privilege is enforced.
  • Automatic token lifecycle: Access tokens are refreshed using server-side refresh tokens; refresh tokens are rotated and can be revoked. Tokens are deleted immediately when a user disconnects their account or requests deletion.
  • Logging & monitoring: Logs containing personal identifiers are minimized and retained for a limited period; security logs are monitored for suspicious activity.
  • Data encryption: Data at rest is encrypted where supported by hosting infrastructure. Backups containing personal data are encrypted.

6. How We Use & Store YouTube Comments

When a student posts a comment on an assigned video through our platform:

  1. The comment is sent to the YouTube API using the student's authorized account (with explicit consent), and
  2. A copy of the comment and metadata (timestamp, user id, video id) is stored locally in our database as a record of submission for grading and auditing.

Stored comments are retained according to the retention schedule below and can be deleted upon user request.

7. Data Retention & Deletion

We retain data only as long as necessary for the educational purpose or to meet legal obligations:

  • Account and profile info: kept while the account is active plus 30 days after deletion request.
  • Attendance and assignment logs: retained up to 2 years by default (configurable per academic policy).
  • Comments and submission records: retained for up to 2 years or until a deletion request is processed.
  • OAuth tokens: stored only while the user maintains a connected account; tokens are deleted on disconnect.

8. How to Revoke Access or Request Deletion

Users have full control:

  1. Revoke via Google: Go to Google Account > Security > Third-party apps with account access and remove access for "HGCC Digital Education System".
  2. Disconnect in our app: Visit https://haugiangcu.com/account and choose "Disconnect YouTube" or "Delete account". Disconnect triggers immediate token deletion.
  3. Data deletion request: Email privacy@haugiangcu.com with your request; we will confirm receipt and complete deletion within 30 days (or sooner where possible).

9. Data Sharing & Third-Party Services

We do not sell personal data. We may share limited data with:

  • Authorized service providers who assist with hosting, backups, analytics, or email (under contract and confidentiality obligations).
  • Law enforcement or where required by legal process.
  • Third parties in connection with a business transfer — with prior notice to affected users where practicable.

10. International Transfers

Data may be processed or stored in servers located in countries outside your residence. We take safeguards (encryption, contractual protections) to maintain an adequate level of protection.

11. Children's Data

Our platform is intended for higher education use. We do not knowingly collect personal information from children under 13. If you believe that we have collected such information, please contact privacy@haugiangcu.com and we will promptly delete it.

12. Changes to This Policy

We may update this policy from time to time. We will post the updated policy at https://haugiangcu.com/privacy-policy.html and update the effective date at the top.

13. Contact & Demonstration Materials

If Google verification requires additional evidence (demo video, logs, or scope justification), we will provide a recorded demo showing:

  • Google sign-in flow requesting the specific YouTube scopes listed above.
  • Lecturer uploading a video (using youtube.upload scope).
  • Student viewing a video, posting a comment (using youtube and youtube.readonly).
  • Demonstration of token handling (connect, revoke via Google, disconnect in app).
Contact for privacy requests: haugiangcu@hgec.edu.vn
HGCC Address: 19/8 Street, Area 17, Vi Tan Ward, Can Tho City
Back to Home
Last updated: 05/12/2025
Controller: Hau Giang Community College — Email: haugiangcu@hgec.edu.vn