Privacy Policy

Last updated: December 12, 2025

GDPR Compliance

This privacy policy complies with the EU General Data Protection Regulation (GDPR) and German data protection laws. We are committed to protecting your privacy and ensuring transparent data processing practices.

1. Data Controller and Contact

Responsible Entity

SunsetPicnic UG (haftungsbeschränkt)

NextAcademy.io Platform

c/o Pawel Sawicki

Plantage 17

13597 Berlin, Germany

Email: support@nextacademy.io

Phone: +49 176 73034496

Data Protection Contact: privacy@nextacademy.io

2. Data Collection and Processing

2.1 Personal Data We Collect

We collect and process the following categories of personal data:

Account Data:

  • Email address, username
  • First name, last name
  • Profile picture
  • Account creation and last sign-in dates
  • Account preferences

Profile Information (Optional):

  • Professional title
  • Date of birth
  • Address, postal code, city, country
  • Phone and mobile numbers
  • Professional bio and expertise areas
  • Gender

Enrollment and Workshop Data:

  • Workshop registration information
  • Enrollment method (direct, code, or administrative)
  • Payment status and history
  • Workshop attendance records
  • Participant checklist completion status

Learning Progress Data:

  • Lecture and task completion status
  • Exercise submissions and solutions
  • Workshop participation and engagement metrics
  • Chat messages and discussion forum posts

Payment Data:

  • Billing information
  • Payment method details (processed securely via third-party processors)
  • Invoice history and transaction records

Technical Data:

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Session data and cookies
  • Platform usage logs

Communication Data:

  • Support requests and correspondence
  • Feedback and survey responses
  • Chat messages within workshop sessions
  • Email interactions

2.2 Workshop Content and Recordings

Workshop sessions may be recorded for participant review and quality assurance. Recordings may include:

  • Trainer presentations and screen shares
  • Participant video and audio (when cameras/microphones are enabled)
  • Chat messages and collaborative activities

Participants are notified when recording is active and can disable their camera/microphone. Recordings are accessible only to enrolled participants and authorized trainers.

2.3 Data We Do Not Collect

We do not:

  • Collect sensitive personal data (e.g., health, religion, political opinions) unless voluntarily provided
  • Track browsing behavior across other websites
  • Sell personal data to third parties
  • Use personal data for unrelated marketing without consent

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR:

Contract Performance (Art. 6(1)(b) GDPR):

  • Creating and managing your account
  • Processing workshop enrollments and payments
  • Delivering workshop content and materials
  • Facilitating trainer-participant interactions
  • Issuing certificates of completion

Legitimate Interest (Art. 6(1)(f) GDPR):

  • Platform security and fraud prevention
  • Service improvement and feature development
  • Analytics and usage patterns (anonymized when possible)
  • Technical troubleshooting and support
  • Internal business operations

Consent (Art. 6(1)(a) GDPR):

  • Marketing communications and newsletters
  • Optional profile enhancements
  • Participation in surveys and feedback programs
  • Recording of workshop sessions with video/audio

Legal Obligation (Art. 6(1)(c) GDPR):

  • Tax and accounting requirements
  • Compliance with German commercial law
  • Response to legal requests and court orders

4. Data Sharing and Third Parties

4.1 Service Providers

We work with trusted third-party providers who assist in delivering our services:

  • Clerk: Authentication and user management services
  • Payment Processors: Secure payment processing (Stripe, PayPal)
  • Cloud Infrastructure: Database hosting (PostgreSQL), application hosting (Vercel)
  • Communication Services: Email delivery (Resend), video conferencing (Zoom, Microsoft Teams)

4.2 Data Protection Measures

All third-party processors are:

  • Bound by data processing agreements (DPAs)
  • Required to maintain GDPR compliance standards
  • Subject to regular security and privacy assessments
  • Contractually obligated to protect personal data
  • Restricted from using data for their own purposes

4.3 Data Sharing with Trainers and Organizations

Workshop Trainers have access to:

  • Participant names and email addresses for their workshops
  • Learning progress and task completion status
  • Workshop chat and discussion content
  • Enrollment and attendance information

Corporate Clients (for private workshops) receive:

  • Participant enrollment and attendance records
  • Aggregate learning progress metrics
  • Completion certificates
  • Individual learner data only with participant consent or as contracted

4.4 No Sale of Personal Data

We do not sell, rent, or trade personal data to third parties for marketing purposes.

5. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
  • Right to Erasure (Art. 17) - "Right to be Forgotten": Request deletion of your personal data
  • Right to Restrict Processing (Art. 18): Limit how we process your data
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interest
  • Right to Withdraw Consent: Withdraw consent for consent-based processing at any time
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): We do not use automated decision-making or profiling with legal or significant effects

5.1 How to Exercise Your Rights

To exercise these rights, contact us at:

Email: privacy@nextacademy.io
Subject: "GDPR Data Subject Request"

We will respond within 30 days of receiving your request.

6. Data Retention and Deletion

6.1 Retention Periods

  • Account Data: Retained while your account is active, plus 3 years for legal obligations (tax, contracts)
  • Workshop Enrollment and Learning Data: Duration of enrollment + 90 days minimum
  • Progress Tracking: Retained while account is active
  • Certificates: Retained indefinitely for verification purposes
  • Recordings and Session Data: 90 days after workshop end date
  • Chat Logs: Duration of workshop + 1 year
  • Payment and Billing Data: 10 years for German tax and accounting law
  • Technical Logs: 12 months (anonymized after 6 months)
  • Communication Data: Support correspondence (3 years), Marketing (until consent withdrawn)

6.2 Secure Deletion

When data is deleted, we ensure:

  • Secure removal from active databases
  • Purging from backups within 6 months
  • Irreversible deletion using secure methods
  • Third-party processors also delete data
  • Verification that deletion is complete

6.3 Exceptions to Deletion

We may retain data longer when:

  • Required by law (tax, legal, regulatory)
  • Necessary for active legal claims or disputes
  • Needed to prevent fraud or abuse
  • Anonymized for research or analytics (no longer personal data)

7. Security Measures

We implement comprehensive security measures to protect your personal data:

Technical Measures:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest (AES-256)
  • Secure database access controls
  • Regular security patches and updates
  • Automated threat detection
  • DDoS protection and firewalls

Organizational Measures:

  • Access controls based on the principle of least privilege
  • Multi-factor authentication for administrative access
  • Regular security awareness training for staff
  • Background checks for employees with data access
  • Confidentiality agreements for all personnel

Operational Security:

  • Regular security assessments and penetration testing
  • Incident response plan and procedures
  • Data breach notification procedures
  • Secure development practices (code review, testing)
  • Regular backups with encryption

8. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Encryption during transfer
  • Restricted access controls

9. Cookies and Tracking Technologies

9.1 Essential Cookies

We use essential cookies necessary for platform functionality:

  • Authentication and session management
  • Security and fraud prevention
  • Load balancing and performance
  • User preferences and settings

These cookies do not require consent as they are strictly necessary for the service.

9.2 Analytics and Optional Cookies

We may use analytics cookies to improve our service:

  • Usage patterns and feature adoption
  • Performance monitoring
  • Error tracking
  • A/B testing of features

You can control optional cookies through your browser settings or our cookie consent banner.

9.3 Third-Party Cookies

Third-party services (e.g., video conferencing, payment processors) may set their own cookies. These are governed by the respective third party's privacy policy.

10. Children's Privacy

Our service is intended for professional education and training. We do not knowingly collect personal data from children under 16 years of age without parental consent.

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours
  • You will be notified without undue delay if the breach poses a high risk
  • Notification will include the nature of the breach, likely consequences, and mitigation measures
  • We will document all breaches and our response

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect:

  • Changes in our data practices
  • New features or services
  • Legal or regulatory requirements
  • Feedback from users and regulators

Material changes will be notified via email or platform notice at least 30 days in advance. Continued use after notification constitutes acceptance of the updated policy.

Last Updated: January 2025

13. Contact & Data Protection Officer

13.1 Data Controller

SunsetPicnic UG (haftungsbeschränkt)

Commercial Register (Handelsregister): HRB 183320 B, Amtsgericht Charlottenburg

Email: privacy@nextacademy.io

Website: nextacademy.io

For all privacy-related inquiries, data subject requests, or to exercise your GDPR rights, please contact us at privacy@nextacademy.io.

13.2 Complaints and Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data appropriately.

German Supervisory Authority:

Berliner Beauftragte für Datenschutz und Informationsfreiheit (BfDI)

Friedrichstraße 219

10969 Berlin, Germany

Website: www.datenschutz-berlin.de

We encourage you to contact us first to resolve any concerns before filing a complaint with the supervisory authority.