Privacy Policy

1. Scope

This Privacy Policy applies to:

• visitors to our website;
• users who create accounts;
• users invited to organization workspaces;
• organization owners, administrators, and members;
• people who contact us for support, sales, billing, or security matters.

For organization workspaces, the organization may be the controller of personal data and we may act as processor or service provider, depending on the context.

2. Personal data we collect

Account data

• name, email address, and account status;
• password hash or authentication credentials;
• login and logout activity;
• verification and reset-token status;
• profile information you provide;
• OAuth identifiers when you sign in with Google.

Organization and workspace data

• organization name, slug, and subdomain;
• membership, roles, and invitations;
• admin actions and workspace settings;
• billing relationship to an organization.

Learning activity data

• course enrollment and progress;
• quiz answers and scores;
• completion status and certificates;
• badges, points, ranks, and achievements;
• bookmarks and activity timestamps.

Billing data

• plan name, billing status, and subscription identifiers;
• billing email and tax/billing address when provided.

Payment card details are processed by our payment processor and are not stored as full card numbers on our servers.

Technical and usage data

• IP address, browser, and device information;
• pages viewed, request identifiers, and log data;
• cookie and session information;
• error reports and security events.

3. How we collect data

We collect personal data:

• directly from you when you create an account, use the Service, or contact us;
• from organization administrators who invite or manage users;
• automatically through cookies, logs, and security systems;
• from payment processors when subscription or invoice events occur;
• from authentication, email, hosting, and infrastructure providers used to operate the Service.

4. How we use personal data

We use personal data to:

• provide and operate the Service;
• create and manage accounts, authenticate users, and resolve organization access;
• manage roles and permissions;
• deliver learning, quiz, progress, certificate, and reporting features;
• process subscriptions, invoices, payments, refunds, and tax requirements;
• provide support, secure the Service, and prevent fraud and abuse;
• send service-related communications;
• comply with legal obligations and enforce our Terms of Service.

5. Legal bases for processing

Where the GDPR or similar law applies, our legal bases may include:

• Contract: to deliver the service you or your organization subscribed to.
• Legitimate interest: to secure the platform and prevent abuse.
• Compliance with legal obligations: where tax, accounting, or law enforcement request applies.
• Consent: for optional features that require it; you can withdraw consent at any time.

6. Cookies and similar technologies

We use cookies and similar technologies to maintain secure sessions, remember preferences, protect against CSRF and abuse, and support authentication. More information is available in our Cookie Policy.

7. Sharing personal data

We may share personal data with:

• hosting, infrastructure, database, and storage providers;
• email delivery and authentication providers;
• payment processors (Stripe);
• professional advisers;
• authorities, courts, or regulators where legally required;
• another party in connection with a merger, acquisition, or sale of assets.

We do not sell personal data.

8. Processors and sub-processors

• Stripe — payment processing and subscription management.
• Google — optional OAuth sign-in.
• SMTP email provider — transactional email delivery.
• Hosting / database provider — infrastructure for the application and PostgreSQL database.

A current sub-processor list is available on request.

9. International transfers

Personal data may be processed in countries other than where you live. Where required, we use appropriate safeguards such as standard contractual clauses or equivalent mechanisms.

10. Data retention

We keep personal data only as long as needed for the purposes described in this Privacy Policy, including providing the Service, complying with tax, accounting, legal, and security obligations, resolving disputes, and maintaining backups for a limited period.

On account deletion, personal identifiers are removed and learning records are anonymized or deleted in line with the owning organization's contract.

11. Security

Traffic is served over TLS. Passwords are hashed with bcrypt. Authentication uses HttpOnly, Secure, SameSite=Lax cookies. CSRF protection is enforced for state-changing browser requests. Access to production data is limited to personnel with a specific operational need.

No system is completely secure. Contact us promptly at security@aksusnet.eu if you believe your account or data has been compromised.

12. Your rights

Under GDPR / UK GDPR you may request access, rectification, erasure, restriction of processing, objection, and portability.

Self-service from your account. When signed in, the Privacy & data page lets you download a signed JSON export of the personal data we hold about you and submit an account-deletion request.

For other GDPR requests or questions, email privacy@aksusnet.eu. You also have the right to lodge a complaint with your local supervisory authority.

13. Organization-administered accounts

If your account was created or invited by an organization, your organization may be able to view your profile, learning progress, quiz results, and certificates; manage your role; and remove your access.

We are not responsible for how an organization uses learning records outside the Service.

14. Children

The Service is not intended for children under 16. Organizations must not invite children or process children's data through the Service unless they have all required permissions and legal bases.

15. Changes

We may update this policy. Material changes will be announced in the application and/or by email to account holders. The effective date is shown at the top of this page.

16. Contact

Questions about this policy? Email privacy@aksusnet.eu. See also our Terms of Service, Cookie Policy, and Data Use Policy.