Privacy Policy

2. Personal Data We Collect

We aim to minimize the data we collect. The exact data processed depends on how you use the website (for example, browsing versus submitting a form). The categories below describe the types of data that may be collected.

2.1 Identity and contact information

• Name (for example, the full name you enter in our form)
• Email address
• Phone number (only if you choose to call us or provide it elsewhere)

2.2 Form submissions and communications

• Message content (such as preferred course format, time zone, and scheduling constraints)
• Selected topic or program interest (for example, languages, AI fundamentals, programming)
• Any information you send by email to [email protected]

2.3 Technical and device data

• IP address
• Browser type and version
• Device type, operating system, and language settings
• Date/time of requests and basic request metadata

2.4 Usage data

• Pages viewed and time spent on pages
• Referrer information (the site you came from, if provided by your browser)
• General click paths and interactions needed to measure content performance

2.5 Cookies and identifiers

We use cookies and similar technologies. Some are essential for basic site operation; others are optional and require your consent (analytics and marketing). Details and examples are provided in Section 4 and in our Cookie Policy.

2.6 Data we do not intentionally collect

We do not request special-category data (such as health data, biometric identifiers, religious or political beliefs), government identification numbers, or financial account credentials through our public website forms. Please avoid including sensitive information in free-text fields.

3. Why We Process Personal Data & Legal Basis

We process personal data only when we have a lawful basis under GDPR Article 6. Depending on the context, more than one lawful basis can apply. The primary purposes and legal bases are:

3.1 Responding to inquiries and providing course information

• Purpose: to send schedules, cohort availability, program outlines, and registration steps requested via our forms or email.
• Legal basis: GDPR Art. 6(1)(b) (steps at your request prior to entering into a contract) and, where applicable, Art. 6(1)(a) (consent).

3.2 Website analytics (optional)

• Purpose: to understand how the website is used and to improve pages and learning information.
• Legal basis: GDPR Art. 6(1)(a) (consent).

3.3 Marketing and remarketing (optional)

• Purpose: to measure advertising performance, attribute conversions, and show relevant messages to audiences that have interacted with our site.
• Legal basis: GDPR Art. 6(1)(a) (consent).

3.4 Security, abuse prevention, and fraud prevention

• Purpose: to protect the site, monitor suspicious traffic patterns, and prevent automated submissions.
• Legal basis: GDPR Art. 6(1)(f) (legitimate interests). Our legitimate interest is keeping the site secure and preventing misuse.

3.5 Legal obligations

• Purpose: to comply with applicable laws, respond to lawful requests, and maintain records where required.
• Legal basis: GDPR Art. 6(1)(c) (legal obligation).

3.6 Automated decision-making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects within the meaning of GDPR Article 22.

4. Cookies & Tracking

Cookies are small text files stored on your device. We also use similar technologies such as pixel tags, and some measurement can occur through server-side events (for example, to confirm that a form submission was received). You can control optional cookies through our cookie banner and preferences panel.

4.1 Essential cookies (always active)

Essential cookies are required for the site to function and for basic security. These do not require consent under EU ePrivacy rules when strictly necessary. Examples include:

• _site_session (session continuity and basic site operation)
• cookie_consent (stores your cookie choices)
• Security-related cookies such as CSRF tokens where applicable

Retention is typically session-based up to 12 months depending on the cookie, as described in our Cookie Policy.

4.2 Analytics cookies (consent-based)

With your consent, we may use Google Analytics 4 (GA4) to understand website usage. Where configured, IP anonymization is applied. Typical identifiers include:

• _ga (2 years)
• _ga_XXXXXXXXXX (GA4 session state, 2 years)

Analytics data retention is typically 14 months in GA4 settings (subject to configuration).

4.3 Marketing cookies (consent-based)

With your consent, marketing cookies can be used to measure ad performance and to support remarketing/audience building on advertising platforms. Typical examples include:

• _gcl_au (Google Ads conversion linker, 90 days)
• _fbp (Meta Pixel browser identifier, 90 days)
• _fbc (Meta Pixel click identifier, 90 days when a click ID is present)

4.4 Beyond cookies

In addition to cookies, tracking can involve pixel tags (for example, when a script loads after consent) and server-side measurement (for example, sending a conversion event from our server). Where server-side measurement is used, identifiers may be hashed and used solely for event matching and attribution, depending on the partner platform configuration.

5. Consent (EEA/UK)

Users in the EEA and the UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your choice is recorded in the cookie_consent cookie (typically for 12 months).

You can withdraw consent at any time by using “Manage cookie preferences” in the website footer or by clearing cookies in your browser settings. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

6. Sharing With Advertising & Service Partners

We share personal data only as needed to operate the site, respond to requests, and (if you consent) measure and improve marketing performance. We do not sell personal data.

6.1 Google LLC

If enabled by consent, Google services may process cookie identifiers, usage data, and conversion events to provide analytics and advertising measurement features. Google’s privacy information is available at https://policies.google.com/privacy.

6.2 Meta Platforms

If enabled by consent, Meta services may process page views, conversions, and audience membership signals to measure ads and build remarketing/custom/lookalike audiences. Meta’s privacy information is available at https://www.facebook.com/privacy/policy.

6.3 Cloudflare (CDN and security)

We may use Cloudflare to provide content delivery network (CDN) performance and security services. This can involve processing IP addresses and request metadata to detect threats and protect the site from abuse. Cloudflare’s privacy information is available at https://www.cloudflare.com/privacypolicy/.

We do not permit these providers to use site data for their own independent commercial purposes. Where required, we use appropriate contractual protections (such as data processing agreements).

7. International Transfers

Some service providers may process data outside the EEA/UK, including in the United States. Where international transfers occur, we rely on recognized transfer mechanisms, including the EU-U.S. Data Privacy Framework (DPF) and the UK Extension to the DPF where applicable, and Standard Contractual Clauses (SCCs) as a fallback where relevant.

Transfer mechanisms and provider certifications can change over time; we review these periodically and update this policy when necessary.

8. Data Retention

We keep personal data only for as long as needed for the purpose it was collected, and then delete or anonymize it unless we must keep it longer to meet legal obligations. Typical retention periods are:

• Contact submissions: up to 2 years from the last meaningful interaction.
• Analytics data: typically 14 months (depending on GA4 settings), plus cookie lifetimes described in the Cookie Policy.
• Marketing identifiers: per cookie lifetime (for example, 90 days for certain marketing cookies), unless renewed by subsequent interactions.
• Email correspondence: for the duration of the relationship plus up to 1 year, unless longer retention is needed for legal reasons.
• Server/security logs: typically up to 90 days, unless needed to investigate abuse or security incidents.
• Cookie consent record: up to 3 years for audit and compliance.
• Legal and tax: where applicable, retained according to statutory requirements (often 6–10 years for invoicing and accounting records).

9. Your Rights (GDPR & UK GDPR)

If GDPR or UK GDPR applies to you, you have rights regarding your personal data, including:

• Right of access (GDPR Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restrict processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent at any time (Art. 7(3))
• Right to lodge a complaint with a supervisory authority (Art. 77)

To exercise your rights, email us at [email protected]. We typically respond within 30 days. For complex requests, this period may be extended by up to 60 additional days, as permitted by law.

Supervisory authority resources: https://edpb.europa.eu/ (EU guidance), https://www.ibo.org.uk/ (UK information commissioner resources), https://www.bfdi.bund.de/ (Germany), https://www.cnil.fr/ (France), https://uodo.gov.pl/ (Poland), https://www.aepd.es/ (Spain).

10. Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we become aware that we received personal data from a child under 16 without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Some third-party providers may offer their own mechanisms for controlling tracking; please refer to their documentation for details.

12. Account Requests and Data Deletion

To request deletion of personal data we hold about you, email [email protected] with the subject line “Data Deletion Request”. We may request information to verify your identity before processing the request. Where deletion is not possible due to legal obligations, we will inform you and restrict processing to the extent required by law.

13. Business Transfers

If Elyvora Learning GmbH is involved in a merger, acquisition, asset sale, financing, insolvency, or reorganization, personal data may be transferred to a successor entity. If such a transfer materially changes how personal data is used, we will provide notice on our website.

14. California (CCPA / CPRA)

This section applies to California residents where the California Consumer Privacy Act (CCPA), as amended by the CPRA, is applicable. Over the past 12 months, we may have collected the following categories of personal information:

• Identifiers: name, email address, IP address, cookie identifiers.
• Internet or network activity: pages viewed, interactions, and general usage metrics.
• Inferences: interests or preferences inferred from site interactions for advertising audiences (only when marketing consent is enabled).

We do not sell personal information as defined by CCPA. We may share information for cross-context behavioral advertising when marketing cookies are enabled. California residents may opt out of sharing for targeted advertising through our cookie preferences panel.

Subject to legal limitations, California residents can request to know, delete, and correct personal information, and to opt out of sale/sharing. To submit a request, email [email protected] with the subject “California Privacy Request”. We may need to verify identity before fulfilling the request. Authorized agents must provide proof of authorization.

15. Virginia (VCDPA)

Where applicable under the Virginia Consumer Data Protection Act (VCDPA), Virginia residents may have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. We do not sell personal data and do not engage in profiling producing legal or similarly significant effects.

To submit a request, email [email protected] with the subject “Virginia Privacy Request”. To appeal a refusal, email with the subject “Appeal of Refusal — Privacy Request”. We respond to appeals within 60 days as required by law.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will announce them via a notice on the homepage at least 14 days before the changes take effect, when feasible. The “Last Updated” date at the top of this page reflects the current version.

18. Contact

For privacy questions or requests, contact:

• Elyvora Learning GmbH (Elyvora School)
• Friedrichstraße 68, 10117 Berlin, Germany
• Email: [email protected]
• Phone: +49 30 2000 6321