Privacy Policy

1. Introduction & Controller Identity

This Privacy Policy explains how Softelyx School (“we”, “us”, or “our”) collects, uses, and protects personal data when you visit our website, read course pages, register interest in online courses or webinars, or contact us through our forms. We operate with a simple principle: collect only what is needed to run the site, respond to requests, and improve learning offerings.

For the purposes of the EU General Data Protection Regulation (“GDPR”) and applicable German data protection law, the Data Controller is:

• Legal entity: Softelyx Education GmbH
• Address: Leopoldstraße 250, Schwabing-Freimann, 80807 Munich, Germany
• Email: [email protected]
• Telephone: +49 89 25552480

We do not appoint a Data Protection Officer as a default matter. If our processing activities change such that a DPO is legally required, we will update this Policy and publish the relevant contact details.

2. Personal Data We Collect

The categories of personal data we may collect depend on how you use the site (for example, browsing course descriptions versus submitting a form). We may collect the following:

• Identity and contact data: name, email address, phone number (if provided), and other contact details you enter.
• Form content: messages, course or webinar preferences, baseline level notes, scheduling constraints, and any information you choose to include in free-text fields.
• Technical data: IP address, browser type and version, device type, operating system, language settings, and approximate location derived from IP (city-level).
• Usage data: pages viewed, time spent on pages, referral source, navigation paths, and interactions such as button clicks that help us understand what content is useful.
• Cookies and identifiers: cookie IDs and similar identifiers stored in your browser, described in Section 4 and our Cookie Policy.
• Conversion events: events such as submitting a form or requesting enrollment details, used to measure website performance and marketing effectiveness when consent is provided.

We do not intentionally collect special-category data (for example, health information, political opinions, religious beliefs), financial account details, or government-issued identifiers to provide our education services. Please do not include such information in free-text fields. If you do provide it, we will handle it in line with this Policy and limit access to what is necessary to respond.

3. Why We Process Personal Data & Legal Basis (GDPR Art. 6)

We process personal data only where we have a lawful basis under GDPR. The most common purposes and legal bases are:

• Responding to contact and enrollment requests: to reply to messages, clarify course dates, and provide scheduling details. Legal basis: GDPR Art. 6(1)(b) (steps at your request prior to entering into a contract) and, where applicable, Art. 6(1)(a) (consent).
• Website analytics: to understand which pages are useful, reduce friction, and improve clarity. Legal basis: GDPR Art. 6(1)(a) (consent), where required by EEA/UK rules.
• Marketing and remarketing: to measure advertising performance and show more relevant ads to interested audiences. Legal basis: GDPR Art. 6(1)(a) (consent).
• Security and fraud prevention: to protect the website, prevent abuse, and ensure service continuity. Legal basis: GDPR Art. 6(1)(f) (legitimate interests in keeping the site secure and reliable).
• Legal obligations: to comply with applicable legal, regulatory, or accounting requirements. Legal basis: GDPR Art. 6(1)(c) (legal obligation).

Automated decision-making (GDPR Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you. If we introduce any such processing in the future, we will explain it clearly and provide required safeguards.

4. Cookies & Tracking

Our site uses cookies and similar technologies. Cookies are small text files stored on your device that help websites function, remember preferences, and measure performance. In addition to cookies, we may use pixel tags (small pieces of code that record page views or conversions) and server-side measurement tools. The categories below match our Cookie Policy.

4.1 Essential Cookies (always active)

Essential cookies are required for the website to function and to remember core choices. These do not require consent under many privacy laws.

• _site_session: supports basic session continuity. Retention: session.
• cookie_consent: stores your cookie preference choices. Retention: up to 12 months.
• Security/CSRF controls: may be used to protect forms and prevent malicious submissions. Retention: session to short-lived.

4.2 Analytics Cookies (consent-based)

With your consent, we use Google Analytics 4 (“GA4”) to understand usage and improve content. We configure analytics with privacy-focused settings such as IP anonymization where applicable.

• _ga (GA4 user identifier): retention typically 2 years.
• _ga_XXXXXXXXXX (GA4 session state): retention typically 2 years.

Our standard analytics data retention period is 14 months, after which data is deleted or anonymized in accordance with the analytics settings and vendor capabilities.

4.3 Marketing Cookies (consent-based)

With your consent, marketing cookies help measure advertising performance and support remarketing. For example, they help understand which ads lead to enrollment requests and allow ads to be shown to users who have visited certain pages.

• _gcl_au (Google Ads conversion linker): retention typically 90 days.
• _fbp (Meta Pixel browser identifier): retention typically 90 days.
• _fbc (Meta Pixel click identifier, when click ID is present): retention typically 90 days.

Beyond cookies, some advertising measurement may use server-side signals (for example, sending hashed identifiers such as an email hash when you submit a form). Where required, these signals are activated only with marketing consent and are used for conversion attribution and audience measurement.

5. Consent (EEA/UK)

Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your choice is recorded in the cookie_consent cookie for up to 12 months.

You can withdraw consent at any time by using “Manage cookie preferences” in the footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing that occurred before your withdrawal.

6. Sharing With Advertising & Service Partners

We share limited data with service providers that help us operate the website and measure performance. We do not sell personal data. Depending on your cookie consent settings and your interactions, data may be shared with:

• Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage data, and conversion events when consent is given.
• Meta Platforms, Inc. (Meta Pixel, Custom/Lookalike Audiences, Conversion API where enabled): page views, conversion events, audience membership signals, and hashed identifiers when consent is given.
• Cloudflare (CDN and security): IP-based threat detection and performance/security telemetry needed to keep the site reliable.

We require service providers to process data only on our instructions for the purposes described above, and to implement appropriate technical and organizational safeguards. We do not permit these providers to use site data for their own independent commercial purposes.

7. International Transfers

Some partners (for example, Google and Meta) may process data outside the EEA/UK, including in the United States. Where applicable, transfers may rely on the EU–US Data Privacy Framework (DPF) and its extensions, with Standard Contractual Clauses (EU 2021/914) or UK IDTA as fallback mechanisms. We also apply practical safeguards such as limiting data shared, using pseudonymization where possible, and restricting access.

8. Retention

We keep personal data only as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law. Typical retention periods are:

• Contact and enrollment submissions: up to 2 years from the last interaction, unless ongoing communication requires longer.
• Analytics data: typically 14 months (as configured in our analytics tools).
• Marketing cookie data: per cookie lifetime (commonly 90 days) and vendor settings.
• Email correspondence: for the duration of the relationship plus 1 year, unless needed to handle disputes.
• Server logs and security records: typically up to 90 days, unless needed to investigate abuse.
• Cookie consent records: up to 3 years for audit purposes (where appropriate), typically stored in a way that identifies only the consent state.
• Legal and accounting records: retained as required by applicable law (often 6–10 years for invoices and related documents).

9. Your Rights (GDPR & UK GDPR)

If GDPR or UK GDPR applies to you, you have the following rights, subject to legal limits:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent (Art. 7(3))
• Right to lodge a complaint with a supervisory authority (Art. 77)

To exercise these rights, contact us at [email protected]. We typically respond within 30 days. For complex requests, the response period may be extended by up to 60 additional days as permitted by law, and we will tell you if an extension is needed.

If you want to identify your appropriate authority, you can consult:

• EU: European Data Protection Board (EDPB) website for guidance
• UK: Information Commissioner’s Office (ICO)
• Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the relevant state authority
• France: CNIL
• Poland: UODO
• Spain: AEPD

10. Children

This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.

11. Do Not Track

This website does not respond to “Do Not Track” (DNT) browser signals. Some third-party providers may have their own DNT handling, which is governed by their policies and technical implementations.

12. Account & Data Deletion Requests

To request deletion of personal data, email [email protected] with the subject line “Data Deletion Request”. We may ask for information to verify your identity before acting on the request. We aim to complete verified deletion requests within 30 days, except where limited retention is required by law (for example, accounting records).

13. Business Transfers

If Softelyx Education GmbH is involved in a merger, acquisition, asset sale, financing, insolvency, or similar event, personal data may be transferred to a successor entity. If such a transfer materially changes how personal data is used, we will provide notice on the website.

14. California (CCPA/CPRA)

This section applies to California residents to the extent the California Consumer Privacy Act (as amended by the CPRA) applies. In the past 12 months, we may have collected the following categories of personal information:

• Identifiers: name, email, IP address, cookie IDs.
• Internet or network activity: browsing interactions, page views, and conversion events.
• Inferences: preferences or interests inferred from browsing behavior for advertising relevance.

We do not sell personal information as defined by CCPA. We may share information for cross-context behavioral advertising when marketing cookies are enabled. California residents may opt out via our cookie preferences panel (“Manage cookie preferences” in the footer).

Subject to legal limits, California residents may request: the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. Submit requests by emailing [email protected] with the subject “California Privacy Request”. We may need to verify your identity. Authorized agents must provide written proof of authorization.

15. Virginia (VCDPA)

If the Virginia Consumer Data Protection Act (VCDPA) applies, Virginia residents have rights to access, correct, delete, obtain a copy (portability), and opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject “Virginia Privacy Request”. If we deny a request, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days.

16. Nevada

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, or legal requirements. If changes are material, we will provide a notice on the homepage at least 14 days before the changes take effect where feasible. The “Last Updated” date at the top of this page shows when this Policy was last revised.

18. Contact

If you have questions about privacy, cookie settings, or how we handle personal data, contact:

• Softelyx Education GmbH
• Address: Leopoldstraße 250, Schwabing-Freimann, 80807 Munich, Germany
• Email: [email protected]
• Telephone: +49 89 25552480