Edumentis

Privacy Policy

Preamble

Thank you for choosing Edumentis, a platform operated by Edumentis Inc. ("us", "we", "our"). Our website and mobile applications (together referred to as the "Services") are built to support and enrich your learning journey. This Privacy Policy explains how we gather, use, and share information (also referred to as "data") about our users ("you", "your") in connection with the Service, as well as the choices available to you regarding your data. This statement covers all personal data processing carried out by us, whether in delivering our services, on our websites, within mobile applications, or through external online channels such as our social media pages (collectively referred to as "Online Services").

The language used in this document is gender-neutral.

Last Update: March 21, 2026

Table of contents

Authorised Representatives:
Sofia Andersen
Marcus Reid

Phone:  +48732127432
Email Address:  info@nordroute.com

Overview of processing operations

This section offers a high-level summary of the categories of data we handle, the reasons for which they are processed, and who is affected.

Categories of Processed Data

  • Inventory Data: Such as names and addresses, primarily for registered users.
  • Contact Data: Including email addresses and, where applicable, phone numbers.
  • Meta/Communication Data: Device information and IP addresses, anonymized wherever possible.
  • Usage Data: Information about how our services — such as websites or apps — are accessed and used, including content interactions and access times.
  • Payment Data: Details needed to process payments, including billing addresses and payment information, particularly for subscribers.
  • Contract Data: Information related to agreements between you and us, covering user terms, subscriptions, and service usage.
  • Public Profile Data: Your username (always visible), and — depending on your visibility preferences — profile picture, full name, short bio, selected exam(s), and chosen public indicators such as badges or rank.

Categories of Data Subjects

  • Prospective Customers: People who have expressed interest in our service.
  • Customers: Users who have subscribed to or purchased our services.
  • Users: Anyone who interacts with our services, including website visitors and app users.
  • Communication Partners: People who receive communications, emails, or other messages in relation to our service, regardless of whether they are users or customers.

Purposes of Processing

  • Provision of Our Online Services: Including website and app functionality, authentication, and user support.
  • User Communication: Handling contact requests, user feedback, and correspondence with users.
  • Content Delivery Network (CDN): Using CDNs to serve content efficiently, reduce loading times, and improve the user experience across our website and apps.
  • Analytics and Improvement: Employing tools such as PostHog and Amplitude for traffic analysis, usage insights, and ongoing service enhancement.
  • Security Measures: Preserving the integrity and security of our services.
  • Personalization: Building user profiles to tailor the experience, such as recommending relevant learning content.
  • Payment Processing: Handling subscriptions and transactions through Stripe.
  • Automatic Account Deletion: Removing dormant accounts to keep the service running efficiently and manage data responsibly.
  • Community Features and Public Profiles: Supporting leaderboards, study groups, public search, and other social functions. Usernames are always public; the visibility of other profile details depends on your settings and can be updated at any time in Settings.

This section describes the legal grounds under the General Data Protection Regulation (GDPR) on which we rely when processing personal data. Please be aware that, beyond the GDPR, applicable national data protection laws in your country or ours may also apply.

  • Consent (Article 6 (1) (a) GDPR): You have given your explicit agreement to the processing of your personal data for one or more defined purposes. This covers services that depend on your consent, such as receiving newsletters or targeted advertising.
  • Performance of a Contract and Pre-contractual Inquiries (Article 6 (1) (b) GDPR):: Processing is required to fulfill a contract to which you are party, or to take steps at your request before a contract is entered into. This includes delivering the services you use or registering your account.
  • Compliance with a Legal Obligation (Article 6 (1) (c) GDPR): Processing is necessary to comply with a legal obligation that applies to us as the data controller.
  • Protection of vital interests (Article 6 (1) (d) GDPR): Processing is necessary to meet a legal obligation we are subject to. This may include statutory requirements to retain data for tax compliance or other regulatory purposes.
  • Protection of Vital Interests (Article 6 (1) (d) GDPR): Processing is necessary to safeguard your vital interests or those of another individual. This may arise in emergency scenarios where handling personal data is essential to protect life or health.
  • Legitimate Interests (Article 6 (1) (f) GDPR): Processing is necessary to pursue legitimate interests of ours or a third party, provided those interests do not outweigh your rights and fundamental freedoms. This encompasses data management, service optimization, and user privacy improvements — for example, automatically removing inactive accounts. Accounts with no activity for over one year may be deleted automatically in order to maintain an efficient and secure service.

National Data Protection Regulations in Romania: Alongside the GDPR, data protection in Romania is governed by Law 190/2018, which implements the GDPR and sets out specific national rules for personal data processing. The EU e-Privacy Directive has also been incorporated into Romanian law through Law 506/2004, which addresses personal data handling in electronic communications. For matters relating to e-commerce privacy, Law 365/2002, which transposes the EU E-Commerce Directive, applies. Together with guidance from the National Supervisory Authority for Personal Data Processing (ANSPDCP), these laws form a comprehensive data protection framework in Romania, covering areas such as data protection impact assessments, certification bodies, complaint procedures, and breach reporting.

Security Precautions

Protecting the personal data of our users is a priority for us. We put in place appropriate technical and organizational safeguards in keeping with legal requirements, taking into account current technology, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to individuals' rights and freedoms. Our security measures are designed to uphold the confidentiality, integrity, and availability of data. These include:

  • Access Control: We limit physical and electronic access to data to authorized staff only, ensuring personal data cannot be accessed, disclosed, altered, or destroyed without proper authorization.
  • Data Management: We maintain policies governing data input, transfer, storage, and deletion to ensure data is handled securely at every stage of its lifecycle.
  • Data Separation: Data is processed in a way that keeps it segregated, preventing it from being used for unauthorized purposes.
  • Incident Response: We maintain established procedures to respond swiftly to potential data security threats and ensure the ongoing protection of personal data.
  • Privacy by Design and Default: We incorporate data protection principles into the development and selection of our hardware, software, and third-party providers, in line with the principles of privacy by design and by default.
  • SSL Encryption (HTTPS): We use SSL encryption to secure data transmitted through our Online Services. You can identify this by the "https://" prefix in your browser's address bar, which indicates that the connection between your device and our services is encrypted and protected.

Transmission and Disclosure of Personal Data

In the course of processing personal data, it may be necessary to transfer or disclose data to other locations, companies, or individuals. Recipients may include, for example, payment providers in the context of financial transactions, IT service providers, or suppliers of services and content embedded within our website. In such cases, we comply with all applicable legal requirements and conclude the necessary agreements or contracts with recipients to ensure your data is adequately protected.

Data Processing in Third Countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where such processing occurs through the use of third-party services or the transfer of data to other persons, bodies, or organizations, this will only take place in accordance with applicable legal requirements.

Absent explicit consent or a contractual or legal obligation to transfer, we process or have processed data in third countries only where an adequate level of data protection is recognized — including US processors certified under the "Privacy Shield" — or on the basis of specific safeguards such as contractual commitments through standard data protection clauses issued by the EU Commission, recognized certifications, or binding internal data protection rules (Articles 44 to 49 GDPR; see also the EU Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Use of Cookies

Cookies are small text files containing data from websites or domains you visit, stored by your browser on your device. A cookie is primarily used to retain information about a user during or after a visit to an online service. Stored information may include, for example, language preferences on a website, login status, a shopping cart, or the playback position of a video. The term "cookies" also encompasses other technologies that serve the same function (e.g. when user information is stored using pseudonymous online identifiers, also known as "user IDs").

We distinguish between the following types and functions of cookies:

  • Temporary/Session Cookies: These are removed once you close your browser. They maintain your session and keep track of your actions during a single visit.
  • Permanent Cookies: These persist on your device after your browser is closed, enabling us to recall your preferences and settings for future visits.
  • First-Party-Cookies: These are set directly by us to ensure the proper functioning and security of our service.
  • Third-Party-Cookies: Set by service providers and partners — such as analytics tools like PostHog and Amplitude — to offer additional features or to help us understand how our service is being used.
  • Necessary/Essential Cookies: Indispensable for operating our service, enabling core functions such as page navigation and access to secure sections.
  • Statistics, Marketing, and Personalization Cookies: Used to collect analytics data, support marketing activities, and deliver personalized content based on your interests and engagement with our service.

Information on Legal Basis: The legal basis on which we process your personal data via cookies depends on whether we request your consent. Where we do, and you agree, the legal basis for processing is your given consent. Otherwise, data processed through cookies is handled on the basis of our legitimate interests (e.g. in the operation and improvement of our online service), or where cookie use is required to fulfill our contractual obligations.

General Information on Withdrawal of Consent and Objection (Opt-Out): Regardless of whether processing is based on consent or a legal permission, you may at any time object to the processing of your data via cookie technologies or withdraw your consent (collectively referred to as "opt-out"). You can exercise your objection through your browser settings — for example, by disabling cookies (though this may affect the functionality of our Online Services). An objection to the use of cookies for online marketing, particularly tracking, can be raised for a wide range of services via the websites http://www.aboutads.info/choices/ and http://www.youronlinechoices.com. You can also find further opt-out information within the details of each service provider and cookie described in this policy.

Processing Cookie Data on the Basis of Consent: We place your privacy and control over your personal data at the forefront. Except for cookies that are strictly necessary for operating our Online Services, we request your consent before processing any cookie-related data. Your consent is freely given and may be withdrawn at any time, giving you full control over your personal data.

  • Processed Data Types: Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses).
  • Data Subjects: Users (e.g. website visitors, users of Online Services).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Commercial Services

We process data of our contractual and business partners — such as customers and prospective customers (collectively referred to as "contractual partners") — in the context of contractual and comparable legal relationships, as well as related activities and communications, including pre-contractual inquiries such as responding to requests.

We process this data to meet our contractual obligations, protect our rights, and carry out the administrative tasks associated with these relationships and day-to-day business operations. Data of contractual partners is only shared with third parties within the bounds of applicable law, to the extent required for the purposes outlined above, to fulfill legal obligations, or with the contractual partner's consent (e.g. in connection with telecommunications, logistics, and other ancillary services, as well as subcontractors, banks, tax and legal advisors, payment processors, or tax authorities). Contractual partners are informed about any further processing — such as for marketing purposes — within this privacy policy.

We communicate to contractual partners which data is required for the purposes described, either before or at the time of data collection — for example, by marking mandatory fields in online forms (e.g. using color coding or symbols such as asterisks), or by informing them directly.

We delete data once statutory warranty and comparable obligations have expired — generally after four years — unless the data is held in a customer account or must be retained for legal archiving purposes (e.g. typically ten years for tax-related records). Data disclosed to us by a contractual partner in the context of an assignment is deleted in accordance with the terms of that assignment, generally upon its completion.

Where we use third-party providers or platforms to deliver our services, the terms and conditions and privacy policies of those providers apply to the relationship between users and the respective platform.

Customer Account: Contractual partners may create a customer or user account. Where a customer account is required for registration, contractual partners will be informed of this requirement and the details needed to complete it. Customer accounts are not publicly accessible and cannot be indexed by search engines. During registration and ongoing use of the account, we may store IP addresses and access timestamps to verify the registration and prevent unauthorized use of the account.

When customers close their customer account, the associated data will be deleted, unless retention is required by law. Customers are responsible for backing up their data prior to account closure.

Mobile Application: We process data of our service users, including registered and trial users (collectively referred to as "users"), to provide our contractual services and — based on legitimate interests — to maintain security and continue developing our services. Mandatory data fields are clearly marked at the point of contract conclusion or order placement, and may include information required for service delivery, invoicing, and any necessary consultations. Where our apps are downloaded from third-party app platforms (e.g. Apple's App Store or Google Play), the terms and privacy notices of those platforms govern the relationship between users and the respective platform.

  • Processed Data Types: Inventory Data (e.g. names, addresses), Contact Data (e.g. e-mail, telephone numbers), Payment Data (e.g. bank details, invoices, payment history), Contract Data (e.g. contract object, duration, customer category), Usage Data (e.g. websites visited, interest in content, access times), Meta/Communication Data (e.g. device information, IP addresses).
  • Special Categories of Data: Health Data (Article 9 (1) GDPR), Data related to sexual preferences, sex life, and/or sexual orientation (Article 9 (1) GDPR), Religious or philosophical beliefs (Article 9 (1) GDPR), Data revealing racial or ethnic origin, Biometric data (Article 9 (1) GDPR), Genetic data (Article 9 (1) GDPR), Political opinions.
  • Data subjects: Prospective Customers, Customers.
  • Purposes of Processing: Contractual services and support, contact requests and communication, Office and organisational procedures, Managing and responding to inquiries, Security measures, Conversion Tracking, Interest-based and behavioral marketing, Profiling (Creating user profiles).
  • Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Provision of Online Services and Web Hosting

To deliver our Online Services reliably and securely, we rely on one or more web hosting providers whose servers — or servers they manage — make the Online Services accessible. For these purposes, we may make use of infrastructure and platform services, computing capacity, storage, and database services, as well as security and technical maintenance services.

Data processed as part of the provision of hosting services may encompass all information relating to users of our Online Services that is generated during use and communication. This typically includes the IP address — necessary to deliver Online Service content to browsers — as well as all input submitted within our Online Services or from linked websites.

E-Mail Sending and Hosting: The web hosting services we use also cover the sending, receiving, and storage of emails. For these purposes, the addresses of senders and recipients, as well as other information relating to the email transmission (e.g. the providers involved) and the content of emails, are processed. This data may additionally be processed for spam detection. Please note that emails on the internet are generally not transmitted in encrypted form. While emails are typically encrypted in transit, they are not encrypted on the servers from which they are sent and received — unless end-to-end encryption is used. We are therefore unable to accept liability for the transmission path of emails between the sender and our server.

Collection of Access Data and Log Files: We, or our web hosting provider, collect data each time the server is accessed (so-called server log files). Server log files may contain the address and name of web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user's operating system, the referrer URL (the page previously visited), and, as a general rule, IP addresses and the requesting provider.

Server log files may be used for security purposes, for instance to prevent server overload (particularly in the case of abusive attacks such as DDoS attacks) and to ensure the stability and optimal load distribution across servers.

Content-Delivery-Network: We make use of a "Content Delivery Network" (CDN). A CDN is a service that enables content from our Online Services — in particular large media files such as images or scripts — to be delivered more quickly and reliably through a network of regionally distributed servers connected via the internet.

  • Processed Data Types: Content data (e.g. text input, photographs, videos), Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses).
  • Data Subjects: Users (e.g. website visitors, users of Online Services).
  • Purposes of Processing: Provision of our Online Services and usability, Content Delivery Network (CDN).
  • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

Services and service providers being used:

Registration and Login

Users may create a user account. During registration, the required information is communicated to users and processed for the purpose of maintaining the account in fulfillment of our contractual obligations. The data processed includes in particular login credentials (name, password, and email address). Information provided at registration is used for the operation of the user account and its intended purposes.

Users may receive email notifications regarding matters relevant to their account, such as technical updates. Upon account termination, user data will be deleted in relation to that account, subject to any statutory retention obligations. Users bear responsibility for backing up their data before terminating their account. We are entitled to permanently delete all user data stored during the contract period.

In connection with registration, login, and use of the user account, we store the IP address and timestamp of each relevant user action. This storage is based on our legitimate interests and on protecting users against misuse or unauthorized access. This data will not be passed to third parties unless necessary to enforce our rights or required by law.

  • Processed Data Types: Inventory data (e.g. names, addresses), Contact data (e.g. e-mail, telephone numbers), Meta/communication data (e.g. device information, IP addresses).
  • Data Subjects: Users (e.g. website visitors, users of Online Services).
  • Purposes of Processing: Contractual services and support, Security measures, Managing and responding to inquiries.
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Single Sign-On Authentication

"Single Sign-On" or "Single Sign-On Authentication or Logon" refers to a method that allows users to access our Online Services using an existing account held with a Single Sign-On provider (e.g. a social network). To use Single Sign-On, users must be registered with the relevant provider and either enter their credentials in the designated form, or already be logged in with the provider and confirm the login via the corresponding button.

Authentication occurs directly with the respective Single Sign-On provider. During this process, we receive a user ID confirming that the user is logged in with that provider under the given ID, along with a non-reusable identifier (a so-called "user handle"). Whether any additional data is shared depends on the Single Sign-On procedure used, the data release settings selected during authentication, and the privacy or account settings the user has configured with the provider. Depending on the provider and the user's choices, different data may be shared — typically an email address and username. Passwords entered through the Single Sign-On provider are neither visible to us nor stored by us.

Users should be aware that data stored with us may be automatically synchronized with their account at the Single Sign-On provider, though this is not always possible or guaranteed. If, for example, a user's email address changes, they must update it manually in their account with us.

We may use Single Sign-On authentication where it has been agreed with users in a pre-contractual or contractual context, in the context of consent-based processing, or otherwise on the basis of our legitimate interests and those of users in an efficient and secure authentication system.

If users no longer wish to use their account link with the Single Sign-On provider for login purposes, they must remove this connection within their account at the Single Sign-On provider. To have their data deleted from our systems, users must cancel their registration with us.

  • Processed Data Types: Inventory data (e.g. names, addresses), Contact data (e.g. e-mail, telephone numbers), Usage data (e.g. websites visited, interest in content, access times), Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
  • Data Subjects: Users (e.g. website visitors, users of Online Services).
  • Purposes of Processing: Provision of contractual services and customer support, Security measures, Authentication processes.
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Community Features and Public Profiles

Usernames are always publicly visible to enable identification on leaderboards and within community features. Depending on your visibility settings, additional profile details (such as profile picture, full name, short bio, selected exam(s), and public indicators like badges or rank) may be displayed to other users. You can adjust your visibility preferences at any time in your profile settings.

  • Processed Data Types: Public Profile Data (e.g., username, profile picture, chosen exam(s), short description), Usage data (e.g., participation in leaderboards/groups), Meta/communication data (e.g., device information, IP addresses) where necessary for delivery and abuse prevention.
  • Data Subjects: Users who enable public visibility.
  • Purposes of Processing: Enabling community features, discovery, fair rankings and social interactions related to learning.
  • Legal Basis: Consent (Article 6 (1) (a) GDPR) for public visibility; Legitimate Interests (Article 6 (1) (f) GDPR) for ensuring service integrity and preventing abuse.

Services and service providers being used:

Special Notes on Applications (Apps)

We process user data from our application to the extent needed to provide the app and its features, monitor its security, and continue developing it. We may also contact users in accordance with statutory requirements where communication is necessary for administrative or operational purposes. For further details on the processing of user data, please refer to the relevant sections of this privacy policy.

Legal Basis: Processing data required to provide the app's features serves to fulfill contractual obligations. This also applies where app functionality requires user permissions (e.g. access to device features). Where data processing is not required for core functionality but serves to secure the app or support our business interests (e.g. data collection for optimization or security purposes), it is carried out on the basis of our legitimate interests. Where users are explicitly asked to consent to processing, the data covered by that consent is processed on its basis.

Commercial Use: We process data of our application users, including registered and trial users (collectively referred to as "users"), to deliver our contractual services and — on the basis of legitimate interests — to maintain the security of our application and develop it further. Required data fields are clearly indicated when concluding a contract, placing an order, or entering into a comparable agreement, and may include information needed for service delivery, invoicing, and consultations.

Storage of the Universally Unique Identifier (UUID): The application stores a Universally Unique Identifier (UUID) for the purpose of analyzing application usage and functionality, as well as saving user settings. This identifier is generated upon installation, persists across app restarts and updates, and is deleted when the user removes the application from their device.

  • Processed Data Types: Inventory data (e.g. names, addresses), Meta/communication data (e.g. device information, IP addresses).
  • Data Subjects: Users (e.g. website visitors, users of Online Services).
  • Purposes of Processing: Contractual services and support.
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Payment Procedure

In the context of contractual and other legal relationships, due to legal requirements, or otherwise on the basis of our legitimate interests, we offer data subjects convenient and secure payment options, working with banks and credit institutions as well as other service providers (collectively referred to as "payment service providers"). Data processed by payment service providers includes personal information such as name and address, financial data such as account or credit card numbers, passwords, TANs and checksums, as well as contract, total, and recipient-related details. This information is necessary to carry out transactions. However, such data is processed and stored solely by the payment service providers — we do not receive account or credit card details, only confirmation or rejection of the payment. Under certain circumstances, payment service providers may forward data to credit agencies for identity and creditworthiness verification. Please consult the terms and data protection information of the relevant payment service providers, which govern all payment transactions and are accessible on their respective websites or transaction applications. We direct you to these resources for further information and for exercising your rights, including the right to revoke consent, request access, and assert other data subject rights.

  • Processed Data Types: Inventory data (e.g. names, addresses); Payment Data (e.g. bank details, invoices, payment history); Contract data (e.g. contract object, duration, customer category); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time information, identification numbers, consent status).
  • Data Subjects: Customers; Prospective customers.
  • Purposes of Processing: Provision of contractual services and customer support.
  • Legal Basis: Performance of a contract and prior requests (Article 6(1)(1)(b) GDPR; Article 31(1) and 2(b) Swiss Data Protection Act).

Further information on processing methods, procedures and services used:

  • Stripe: Payment-Service-Provider (technical integration of online-payment-methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal Basis: Performance of a contract and prior requests (Article 6(1)(1)(b) GDPR; Article 31(1) and 2(b) Swiss Data Protection Act); Website: https://stripe.com/en; Privacy Policy: https://stripe.com/en/privacy.

Purchase of Applications via App Stores

Our apps are purchased through dedicated online platforms operated by third parties (so-called "app stores"). In this context, the privacy notices of the respective app store apply in addition to our own, particularly with regard to web analytics methods used on those platforms, interest-based marketing, and any applicable fees.

  • Processed Data Types: Inventory data (e.g. names, addresses), Payment Data (e.g. bank details, invoices, payment history), Contact data (e.g. e-mail, telephone numbers), Contract data (e.g. contract object, duration, customer category), Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Customers.
  • Purposes of Processing: Contractual services and support.
  • Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Services and service providers being used:

Contacting us

When you reach out to us (e.g. via a contact form, email, phone, or social media), the data of the person making the inquiry is processed to the extent required to respond to the request and carry out any resulting actions.

Responses to inquiries arising within a contractual or pre-contractual relationship are handled in order to fulfill our contractual obligations or address (pre)contractual requests, and otherwise on the basis of our legitimate interest in responding to queries.

  • Processed Data Types: Inventory data (e.g. names, addresses), Contact data (e.g. e-mail, telephone numbers), Content data (e.g. text input, photographs, videos), Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses).
  • Data Subjects: Communication partner (Recipients of e-mails, letters, etc.).
  • Purposes of Processing: Contact requests and communication.
  • Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Web analysis, Monitoring and Optimization

Web analysis is used to evaluate visitor traffic on our website and may include behavioral data, interests, or demographic information such as age or gender in pseudonymous form. Through web analysis we can determine, for example, at what times our Online Services or specific features are most frequently used or requested, and identify areas that need improvement.

Beyond web analysis, we may also use various tracking technologies — including pixels and cookies from third-party providers such as social media platforms and advertising networks — to better understand user behavior, measure the effectiveness of our marketing activities, and deliver more relevant content and advertisements.

In addition to web analysis, we may run test procedures to compare and optimize different versions of our Online Services or their individual components.

Unless stated otherwise below, user profiles — i.e. data aggregated across a usage session — may be created for these purposes, and information may be stored in and read from a browser or end device. The information collected includes, in particular, pages visited and elements interacted with, as well as technical details such as the browser used, device type, and usage timestamps. Where users have consented to the collection of location data — by us or by the providers of services we use — location data may also be processed.

Unless stated otherwise below, usage profiles — that is, data compiled for a session or individual user — may be created for these purposes and stored in a browser or end device (e.g. via "cookies"), or similar technologies may be used to the same end. The data collected includes, in particular, pages visited and elements used, as well as technical details like browser type, device, and access times. Where users have consented to the collection of location or profile data — to us or the providers of services we use — such data may also be processed, depending on the provider.

IP addresses are also stored in this context. However, we apply IP masking (i.e. pseudonymization through partial truncation of the IP address) where possible to protect users. In general, web analysis, A/B testing, and optimization processes do not involve storing identifiable user data (such as email addresses or names) but rather pseudonyms. This means that neither we nor the software providers involved know the actual identities of users — only the information stored in their profiles for the respective processes.

Note: Exceptions include services like Sentry, used for monitoring system stability and detecting code errors. For such services, data such as email addresses, user IDs, and pseudonymized IP addresses may be stored to facilitate error resolution.

Information on Legal Basis: Where we ask users for consent to use third-party providers, that consent forms the legal basis for processing. Processing may also form part of our (pre)contractual services where use of a third party was agreed in that context. Otherwise, user data is processed on the basis of our legitimate interests (i.e. our interest in operating efficient, cost-effective services that serve users well). We also refer you to the cookie section of this privacy policy in this regard.

  • Processed Data types: Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses), Contact data (e.g., email addresses), Identifiers (e.g., user IDs).
  • Data subjects: Users (e.g. website visitors, users of Online Services).
  • Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors), Conversion Tracking, Server monitoring and error detection, Provision of our Online Services and usability.
  • Security measures: IP Masking (Pseudonymization of the IP address).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Services and service providers being used:

  • Google Analytics: Web analytics and audience measurement service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/en/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Opt-Out: Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for the Display of Advertisements: https://adssettings.google.com/authenticated.
  • PostHog: Web analytics and reach measurement — collects information about user interactions, features used, and session duration. Service provider: PostHog Inc., hosted on PostHog's own servers in the EU (not under our direct control). Consent handling: By default, tracking is in memory only and no cookies are set until you provide consent via our cookie banner; if you decline, tracking is disabled. Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR) and Consent (Article 6 (1) (a) GDPR) where required. Website: https://posthog.com; Privacy Policy: https://posthog.com/privacy.
  • Amplitude: Web analytics, experimentation, and session replay — collects information about user interactions, feature usage, session duration, and visual recordings of user sessions for product improvement. Service provider: Amplitude Inc., 201 Third Street, Suite 200, San Francisco, CA 94103, USA; data stored in the EU (AWS Frankfurt). Consent handling: By default, tracking uses in-memory storage only and no persistent cookies are set until you provide consent via our cookie banner; if you decline, tracking is disabled. Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR) and Consent (Article 6 (1) (a) GDPR) where required. Website: https://amplitude.com; Privacy Policy: https://amplitude.com/privacy.
  • Sentry: Monitoring of system stability and identification of code errors; device details and error timestamps are collected pseudonymously and subsequently deleted; Service provider: Functional Software Inc., Sentry, 132 Hawthorne Street, San Francisco, California 94107, USA; Website: https://sentry.io; Privacy Policy: https://sentry.io/privacy.
  • AppsFlyer: Mobile app attribution and analytics — measures which advertising campaigns lead to app installs and in-app events. On iOS, the app requests your permission via the App Tracking Transparency prompt before accessing the advertising identifier (IDFA). On Android, the Google Advertising ID (GAID) is used for campaign measurement. See the Advertising Identifiers section below for details. Service provider: AppsFlyer Ltd., 14 Maskit Street, Herzliya, Israel; Website: https://www.appsflyer.com; Privacy Policy: https://www.appsflyer.com/privacy-policy/.
  • Other Tracking Technologies: We may employ additional tracking technologies, such as pixels from social media platforms and advertising networks (e.g. Reddit), to strengthen our marketing efforts and deliver more relevant content. These technologies are subject to user consent and can be managed through our cookie consent dialog.

Advertising Identifiers and App Attribution

To evaluate the performance of our advertising campaigns and understand how users find Edumentis, we use advertising identifiers provided by your device's operating system. This data is shared with our attribution partner, AppsFlyer, exclusively for the purpose of campaign measurement and optimization.

iOS (IDFA)

On iOS, we ask for your permission through Apple's App Tracking Transparency (ATT) framework before accessing your device's advertising identifier (IDFA). You may grant or deny this permission when prompted. If you deny it, no advertising identifier is collected. You can change this choice at any time in your device's Settings under Privacy & Security > Tracking.

Android (GAID)

On Android, the Google Advertising ID (GAID) is used for campaign measurement. You can reset or opt out of personalized advertising at any time in your device's Settings under Google > Ads.

  • Processed Data Types: Device advertising identifiers (IDFA on iOS, GAID on Android), app install and in-app event data.
  • Data Subjects: Users of our mobile applications.
  • Purposes of Processing: Measuring advertising campaign effectiveness, attributing app installs to campaigns, optimizing ad spend.
  • Legal Basis: Consent (Article 6 (1) (a) GDPR) for iOS via ATT prompt; Legitimate Interests (Article 6 (1) (f) GDPR) for Android campaign measurement.
  • Third-Party Recipient: AppsFlyer Ltd., 14 Maskit Street, Herzliya, Israel (Privacy Policy).

Erasure of data

Data we process will be erased in accordance with statutory provisions once the processing purpose no longer applies or other legal grounds for processing cease to exist. This includes the automatic deletion of personal data from user accounts that have been inactive for one year or more. Inactivity is defined as the absence of user-initiated actions, such as logging in or engaging with our services. Users will be notified ahead of any planned deletion due to inactivity, giving them the opportunity to re-engage with our services and prevent deletion.

Where data cannot be deleted because it is still required for other lawful purposes, its processing is restricted to those purposes. This means the data is locked and not used for anything else. This applies, for instance, to data that must be retained for commercial or tax purposes, or to data needed for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person.

Further details on the erasure of personal data can be found in the individual sections of this privacy policy. In addition, we offer users the ability to independently delete their accounts and associated data. Step-by-step instructions are available on our dedicated account deletion guide.

Changes and Updates to the Privacy Policy

We encourage you to review this privacy policy regularly to stay informed about how we handle your data. We will update it as changes to our data processing practices require, and will notify you whenever those changes require your action (e.g. consent) or individual notice.

Where this privacy policy contains addresses or contact information for companies and organizations, please be aware that such details may change over time. We ask that you verify them before making contact.

Rights of Data Subjects

As a data subject, you are entitled to a range of rights under the GDPR, deriving in particular from Articles 15 to 18 and 21:

  • Right to Object: You have the right, on grounds related to your particular situation, to object at any time to the processing of your personal data carried out under Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where your personal data is processed for direct marketing purposes, you have the right to object at any time to that processing, including profiling to the extent it relates to such direct marketing.
  • Right of Withdrawal for Consents: You have the right to withdraw any consent you have given, at any time.
  • Right of Access: You have the right to request confirmation of whether your data is being processed and, if so, to obtain information about that data, along with a copy and additional details as required by law.
  • Right to Rectification: You have the right to request, in accordance with the law, that incomplete data concerning you be completed, or that inaccurate data be corrected.
  • Right to Erasure and Right to Restriction of Processing: You have the right to request the immediate deletion of your data, or to request that its processing be restricted, including in connection with our automatic account deletion policy for inactive accounts, in accordance with statutory provisions.
  • Right to Data Portability: You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format as required by law, or to request that it be transferred directly to another controller.
  • Complaint to the Supervisory Authority: You also have the right, under conditions set out by law, to lodge a complaint with a supervisory authority — in particular in the Member State of your habitual residence, place of work, or where the alleged infringement occurred — if you believe the processing of your personal data violates the GDPR.

Supervisory authority competent for us:

Terminology and Definitions

This section explains the key terms used throughout this privacy policy. Many are drawn from legislation and defined primarily in Article 4 GDPR. The statutory definitions are binding; the explanations below are intended to aid understanding. Terms are listed in alphabetical order.

  • Controller: "Controller" refers to the natural or legal person, public authority, agency, or other body that, alone or together with others, determines the purposes and means of personal data processing.
  • Conversion Tracking: "Conversion Tracking" is a method used to measure the effectiveness of marketing activities. Typically, a cookie is placed on a user's device on the website where the marketing activity takes place, and then read again on the target website (e.g. allowing us to track whether ads placed on other sites resulted in a desired action).
  • Cross-Device Tracking: Cross-Device Tracking is a form of tracking in which user behavior and interest data are recorded across multiple devices and compiled into profiles using an online identifier assigned to the user. This allows user information to be analyzed for marketing purposes regardless of the browser or device used (e.g. smartphone or desktop). In most cases, the online identifier used for Cross-Device Tracking is not linked to identifiable data such as names, postal addresses, or email addresses.
  • IP Masking: IP masking is a technique whereby the last octet — i.e. the final digits of an IP address — is removed, so that the IP address alone can no longer be used to uniquely identify an individual. IP masking is a pseudonymization measure used particularly in the context of online marketing.
  • Interest-based and behavioral marketing: Interest-based and/or behavioral marketing describes the practice of predicting a user's likely interest in advertisements or other content based on information about their prior behavior (e.g. pages visited and time spent, purchasing history, or interactions with other users), compiled into a so-called profile. Cookies are typically used for this purpose.
  • Personal Data: "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly — in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
  • Processing: The term "processing" encompasses a wide range of operations performed on data — from collection and evaluation to storage, transmission, and erasure.
  • Profiling: "Profiling" refers to any automated processing of personal data that uses such data to analyze, evaluate, or predict certain personal aspects of a natural person. Depending on the type of profiling, this may include information on age, gender, location and movement, online interaction patterns, purchasing behavior, and social relationships (e.g. interests in certain content or products, click behavior, or physical location). Cookies and web beacons are commonly used for profiling.
  • Remarketing: "Remarketing" or "retargeting" refers to the practice of tracking which products or content a user has shown interest in on a website, and then displaying related advertisements to that user on other platforms or websites.
  • Server monitoring and error detection: Through server monitoring and error detection, we ensure the availability and integrity of our online service, using the resulting data to technically optimize our Online Services. For this purpose, we process performance, utilization, and comparable technical metrics that reflect the stability and any anomalies of our online offering. In the event of errors or irregularities, individual user requests are logged to help identify and resolve the root cause.
  • Targeting: "Tracking" refers to the ability to trace user behavior across multiple websites. Behavior and interest data from visited sites is typically stored in cookies or on the servers of tracking technology providers (so-called profiling), and can then be used to serve users with advertisements presumed to match their interests.
  • Web Analytics: Web Analytics is used to evaluate traffic to online services and may be used to determine visitor behavior or interests in specific content such as website pages. Using web analytics, website operators can identify, for example, when visitors arrive and what content they engage with — enabling them to optimize their offering to better meet visitor needs. Pseudonymous cookies and web beacons are commonly used in web analytics to recognize returning visitors and produce more accurate usage analyses.