Privacy Policy (GDPR)
Last updated: 12/20/2025
1. Data Controller
The controller within the meaning of Art. 4(7) GDPR is:
[Company Name GmbH]
[Street and Number]
[Postal Code] [City], [Country]
Email: [privacy@example.com]
Phone: [+43 123 456 789]
Please replace the placeholders with your actual company and contact details.
2. Scope of this Privacy Policy
This Privacy Policy explains how we process personal data when you use our website and services, including our quiz, flashcard, essay and mind-map features (the "Service").
3. Categories of Personal Data Processed
We may process the following categories of personal data:
- Account data: name, email address, password hash, role, subscription data.
- Usage data: quiz attempts, generated content, timestamps, feature usage.
- Communication data: messages you send to us (e.g. support requests).
- Payment data: billing identifiers, subscription status, limited payment metadata (processed via third-party payment providers).
- Technical data: IP address, browser type, device information, server log files, cookies and similar identifiers.
4. Purposes of Processing and Legal Bases (Art. 6 GDPR)
We process your personal data on the following legal bases and for the following purposes:
- Performance of a contract (Art. 6(1)(b) GDPR): to provide and operate the Service, create and manage user accounts, generate and store study content, and provide customer support.
- Compliance with legal obligations (Art. 6(1)(c) GDPR): to comply with tax, accounting and retention obligations, as well as requests from competent authorities.
- Legitimate interests (Art. 6(1)(f) GDPR): to ensure IT security, prevent abuse, improve and optimise our Service, and to compile aggregated usage statistics (in a privacy-preserving way).
- Consent (Art. 6(1)(a) GDPR): for non-essential cookies/analytics and optional email communication, where required. You can withdraw consent at any time with effect for the future.
5. Cookies & Tracking Technologies
Our Service uses cookies and similar technologies. Cookies are small text files stored on your device by your browser.
- Essential cookies: required for core functionality (e.g. authentication, security, remembering cookie choices). These are processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR) and your contract (Art. 6(1)(b) GDPR).
- Analytics / performance cookies (optional): used to understand how the Service is used and to improve it. These cookies are only set with your consent (Art. 6(1)(a) GDPR).
You can control cookies through your browser settings and (where implemented) our cookie banner. If you disable cookies, some features of the Service may not work properly.
6. Server Log Files
When you access our Service, we automatically collect and store information in server log files that your browser automatically transmits to us. This may include:
- IP address (shortened or pseudonymised where possible)
- Date and time of the request
- Requested URL and HTTP status code
- Browser type and version, operating system
- Referrer URL
This data is processed to ensure the stability and security of the Service and is based on our legitimate interests (Art. 6(1)(f) GDPR). Log files are usually retained for a short period of time and then deleted or anonymised, unless longer retention is required for security or evidence purposes.
7. Recipients and Third-Party Services
We may share personal data with carefully selected processors and service providers, for example:
- Hosting and infrastructure providers (e.g. cloud platforms, database hosting)
- Payment processors (for subscription billing)
- Email and communication providers
- Analytics and monitoring tools (where enabled)
These providers process data on our behalf based on data processing agreements in accordance with Art. 28 GDPR. Where data is transferred outside the EU/EEA, we implement appropriate safeguards such as Standard Contractual Clauses (Art. 46 GDPR), where required.
Please adapt this section to list your actual providers (e.g. hosting, analytics, payment).
8. Data Retention
We only store personal data for as long as necessary to fulfil the purposes described above or as required by law. In particular:
- Account and profile data are stored for the duration of the contractual relationship and thereafter as long as legal retention obligations apply.
- Usage and analytics data are stored for a limited period and are then anonymised or deleted.
- Billing and accounting records are stored in accordance with statutory retention periods (usually 7–10 years, depending on jurisdiction).
9. Your Rights Under the GDPR
As a data subject within the meaning of the GDPR, you have the following rights (subject to the statutory requirements):
- Right of access (Art. 15 GDPR): to obtain confirmation as to whether we process personal data and to receive a copy of such data.
- Right to rectification (Art. 16 GDPR): to request the correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): to request the deletion of personal data, in particular if it is no longer necessary or processed unlawfully.
- Right to restriction of processing (Art. 18 GDPR): to request that processing be limited in certain cases.
- Right to data portability (Art. 20 GDPR): to receive personal data in a structured, commonly used and machine-readable format and to have it transmitted to another controller.
- Right to object (Art. 21 GDPR): to object to processing based on legitimate interests, on grounds relating to your particular situation, and to object to direct marketing at any time.
- Right to withdraw consent (Art. 7(3) GDPR): where processing is based on your consent, you may withdraw it at any time with effect for the future.
To exercise your rights, please contact us using the details provided in section 1. We may need to verify your identity before responding to your request.
10. Right to Lodge a Complaint
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement (Art. 77 GDPR).
Insert the contact details of your competent supervisory authority here (e.g. Austrian Data Protection Authority, German State Data Protection Authority).
11. Children's Privacy
Our Service is not directed to children under 13 years of age (or a higher age where required by local law), and we do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will delete such data without undue delay.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will inform you of significant changes, for example via the website or by email, and adjust the "Last updated" date at the top of this page.
13. Disclaimer
This Privacy Policy template is provided for informational purposes and must be adapted to your actual processing activities and reviewed by qualified legal counsel to ensure full compliance with applicable law.