PDPL playbook for Egyptian EdTech, K-12 platforms and online tutoring. Children's data, parental consent, school B2B contracts, proctoring and analytics.
The Executive Regulations treat anyone under 18 as a child requiring guardian consent. You need a verifiable consent flow, not a self-declared age check-box.
Yes, with explicit notice and consent (or guardian consent), a clear opt-out, and minimisation — don't keep a longer behavioural profile than the personalisation actually needs.
If a school enrols its students into your product under a contract, the school is the controller and you are the processor. If parents sign up directly, you are the controller. The contract type drives the answer.
Treat them as third-party processors handling minors' data. Use first-party identifiers only, sign a DPA, disable advertising features, and disclose the tool by name in your privacy notice.
Maybe — but only after a robust anonymisation review. Aggregated school-level statistics are usually fine; per-student 'anonymised' records often re-identify and stay regulated.