Terms and Conditions

1. General Information

These Terms and Conditions govern your use of the LerneDeutsch platform operated by Weinberger GbR (a GbR of Stefanie Weinberger and Shlomo Weinberger), hereinafter referred to as "we", "us", or "our".

By accessing or using our service, you agree to be bound by these Terms. If you disagree with any part of the terms, you may not access the service.

2. Definitions

  • Platform: The LerneDeutsch website and services.
  • User: Any individual who accesses or uses the Platform.
  • Subscription: Paid access to premium features of the Platform.
  • Content: Text, graphics, images, audio, video, and other materials displayed on the Platform.

3. User Accounts

When you create an account with us, you must provide information that is accurate, complete, and current at all times. Failure to do so constitutes a breach of the Terms, which may result in immediate termination of your account on our service.

You are responsible for safeguarding the password that you use to access the service and for any activities or actions under your password.

4. Subscriptions and One-Time Purchases

Our order process is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all our orders. Paddle provides all customer service inquiries and handles returns.

4.1 Subscription Services

By subscribing to our premium services, you agree to pay the subscription fees indicated for your selected plan. Subscription fees are charged at the beginning of your subscription and on each renewal date until canceled.

We clearly indicate the subscription amount, billing frequency, and whether you are entering into a recurring subscription before you complete your purchase. All prices are shown in euros (€) and include applicable taxes.

You may cancel your subscription at any time through your account settings or by contacting customer support. Cancellations will take effect at the end of the current billing period.

4.2 One-Time Purchases

For our self-paced video-on-demand courses, we offer one-time purchases that provide lifetime access to the course content. These purchases are not subscriptions and do not involve recurring charges.

The full price of the course is clearly displayed before purchase. After completing your purchase, you will receive immediate access to the course content, which will remain available to you indefinitely, subject to the terms outlined in section 4.3 below.

4.3 Access and Availability

While we strive to ensure continuous availability of our content, we reserve the right to make changes to our services, including but not limited to updating, removing, or discontinuing certain features, functionalities, or content. For one-time purchases, we commit to maintaining access to the core course content for a minimum of 5 years from the date of purchase.

If we need to discontinue access to any purchased course content due to legal, technical, or business reasons, we will provide at least 90 days' notice and may offer alternative content or compensation at our discretion.

4.4 Order Corrections

If you notice any errors in your order before completing the purchase, you can return to the previous steps in the checkout process to correct them. Once an order is submitted, you may contact our support team to address any issues.

5. Refund Policy

We offer a 30-day money-back guarantee for all subscription plans and one-time course purchases. If you are not satisfied with our service, you may request a refund within 30 days of your initial purchase by contacting our support team.

Please be aware that you have 30 days from the order completion date to cancel or apply for a refund.

For course purchases, refund eligibility may be affected if you have accessed a significant portion of the course content. This is evaluated on a case-by-case basis.

After the 30-day period, refunds are issued at our discretion and will generally only be provided in cases of technical issues that significantly impair the functionality of our service.

For subscription-related inquiries or refund requests, you may contact us at support@lernedeutsch.online or contact Paddle's customer support.

6. Product Description

LerneDeutsch offers German language learning services through our online platform, including:

6.1 Subscription Services

Our subscription plans provide access to premium features including:

  • Unlimited access to flashcards and learning materials
  • Advanced practice exercises and personalized learning paths
  • Progress tracking and analytics
  • Priority customer support

6.2 Video Courses

Our self-paced video-on-demand courses offer:

  • Lifetime access to comprehensive German language instruction
  • Structured learning paths from beginner to advanced levels
  • Downloadable supplementary materials and exercises
  • Progress tracking and completion certificates

We strive to provide accurate descriptions of all our services and features. If you believe any description is inaccurate or misleading, please contact us immediately.

7. Intellectual Property

The Platform and its original content, features, and functionality are and will remain the exclusive property of Weinberger GbR and its licensors. The Platform is protected by copyright, trademark, and other laws of both Germany and foreign countries.

Our trademarks and trade dress may not be used in connection with any product or service without the prior written consent of Weinberger GbR.

7.1 Course Content Usage Rights

When you purchase a course, you are granted a non-exclusive, non-transferable, personal license to access and use the course content for your personal, non-commercial educational purposes. This license includes:

  • Viewing the video content on supported devices
  • Downloading and using supplementary materials for personal use
  • Completing exercises and assessments included with the course

7.2 Prohibited Uses

You may not:

  • Share your account credentials with others
  • Redistribute, sell, rent, lease, or sublicense course content
  • Record, reproduce, duplicate, copy, or otherwise exploit course content for any commercial purpose
  • Modify, adapt, or create derivative works based on course content
  • Remove any copyright or other proprietary notices from course materials

Any unauthorized use of our course content may violate copyright laws and could result in termination of your access to the Platform and potential legal action.

8. User Content

Our Platform may allow you to post, link, store, share and otherwise make available certain information, text, graphics, videos, or other material. You are responsible for the content that you post to the Platform, including its legality, reliability, and appropriateness.

By posting content to the Platform, you grant us the right to use, modify, publicly perform, publicly display, reproduce, and distribute such content on and through the Platform. You retain any and all of your rights to any content you submit, post or display on or through the Platform and you are responsible for protecting those rights.

9. Limitation of Liability

In no event shall Weinberger GbR, nor its directors, employees, partners, agents, suppliers, or affiliates, be liable for any indirect, incidental, special, consequential or punitive damages, including without limitation, loss of profits, data, use, goodwill, or other intangible losses, resulting from your access to or use of or inability to access or use the Platform.

10. Changes to Terms

We reserve the right, at our sole discretion, to modify or replace these Terms at any time. If a revision is material, we will try to provide at least 30 days' notice prior to any new terms taking effect. What constitutes a material change will be determined at our sole discretion.

By continuing to access or use our Platform after those revisions become effective, you agree to be bound by the revised terms.

11. Governing Law

These Terms shall be governed and construed in accordance with the laws of Germany, without regard to its conflict of law provisions.

Our failure to enforce any right or provision of these Terms will not be considered a waiver of those rights. If any provision of these Terms is held to be invalid or unenforceable by a court, the remaining provisions of these Terms will remain in effect.

12. Contact Information

If you have any questions about these Terms, please contact us at:

Weinberger GbR
Email: contact@lernedeutsch.online
Address: c/o Grosch Postflex #1052
Emsdettener Str. 10
48268 Greven

13. Complaint Handling

We are committed to addressing any complaints or concerns you may have about our services promptly and effectively.

If you have a complaint, please contact our support team at support@lernedeutsch.online. We aim to respond to all complaints within 2 business days and resolve them within 14 days.

If you are not satisfied with our response to your complaint, you may contact the relevant consumer protection authority in Germany: Verbraucherzentrale Bundesverband (Federation of German Consumer Organizations) at www.vzbv.de.

14. Security Measures

We take the security of your information seriously and implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Our website uses SSL (Secure Sockets Layer) encryption technology to protect your information during transmission. You can verify this by looking for the padlock icon in your browser's address bar and the "https" prefix in our URL.

We regularly review and update our security practices to ensure the ongoing confidentiality, integrity, availability, and resilience of our systems and services.


Privacy Policy

1. Introduction

Weinberger GbR ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our LerneDeutsch platform.

We adhere to the General Data Protection Regulation (GDPR) and applicable German data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Weinberger GbR
Email: support@lernedeutsch.online
Address: c/o Grosch Postflex #1052
Emsdettener Str. 10
48268 Greven
Tax ID: DE366866986

3. Information We Collect

3.1 Personal Data

We collect and process the following categories of personal data:

  • Identity Data: Name, username, email address, user ID
  • Contact Data: Email address, phone number (if provided)
  • Technical Data: IP address, browser type and version, device information, operating system, time zone setting, browser plug-in types and versions, screen resolution
  • Usage Data: Information about how you use our Platform, including pages visited, time spent, features used, click patterns, and navigation paths
  • Learning Data: Progress tracking, quiz results, flashcard performance, vocabulary entries, conversation transcripts, learning preferences, difficulty levels, and achievement data
  • Communication Data: Records of your communications with us, including support tickets, feedback, and survey responses
  • Payment Data: Billing address, payment method details (processed securely by Paddle.com as our merchant of record)
  • Marketing Data: Your preferences for receiving marketing communications and your communication preferences
  • Audio Data: Voice recordings from AI conversation features (STEFai), processed by ElevenLabs for language learning purposes
  • Translation Data: German words and phrases you request translations for, processed by DeepL API

3.2 Special Categories of Personal Data

We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data). However, voice recordings may inadvertently contain such information. If this occurs, we process such data only for the specific purpose of language learning and delete it according to our retention schedule.

3.3 Collection Methods

We collect personal data through:

  • Direct Interactions: When you create an account, subscribe to services, use our learning features, contact customer support, participate in surveys, or communicate with us
  • Automated Technologies: Cookies, server logs, analytics tools, and similar tracking technologies as detailed in our Cookie Policy
  • Third-Party Sources: Payment processors (Paddle.com), authentication services (Supabase), analytics providers (Google Analytics, PostHog), translation services (DeepL), AI conversation services (ElevenLabs), and hosting providers (Vercel)
  • Public Sources: Publicly available information that you have made available on social media platforms when you interact with our content

3.4 Data We Do Not Collect

We do not collect:

  • Credit card or payment details directly (these are processed securely by Paddle.com)
  • Passwords in plain text (all passwords are encrypted)
  • Data from children under 16 without parental consent
  • Unnecessary personal data beyond what is required for our services

4. How We Use Your Data

We process your personal data for the following purposes, with the corresponding lawful basis under GDPR:

4.1 Service Provision (Legal Basis: Contract Performance)

  • Creating and managing your user account
  • Providing access to learning materials, flashcards, and courses
  • Processing AI conversation features through STEFai and ElevenLabs
  • Providing word translations through DeepL API
  • Tracking your learning progress and performance
  • Enabling vocabulary management and flashcard creation
  • Delivering personalized learning experiences
  • Providing customer support and technical assistance

4.2 Payment Processing (Legal Basis: Contract Performance)

  • Processing subscription payments through Paddle.com
  • Managing billing and invoicing
  • Handling refunds and payment disputes
  • Maintaining payment records for accounting purposes

4.3 Communication (Legal Basis: Contract Performance & Legitimate Interest)

  • Sending service-related notifications and updates
  • Responding to your inquiries and support requests
  • Providing important account and security information
  • Sending transactional emails related to your account or purchases

4.4 Marketing (Legal Basis: Consent)

  • Sending promotional emails about new features and courses (only with your explicit consent)
  • Providing information about special offers and discounts
  • Sharing educational content and learning tips

Important: We will only send you marketing communications if you have explicitly opted in. You can withdraw your consent at any time by clicking the unsubscribe link in any marketing email or contacting us directly.

4.5 Analytics and Improvement (Legal Basis: Legitimate Interest)

  • Analyzing usage patterns to improve our Platform
  • Conducting research to enhance learning effectiveness
  • Monitoring system performance and security
  • Developing new features and services
  • Understanding user preferences and behavior

4.6 Legal and Security (Legal Basis: Legal Obligation & Legitimate Interest)

  • Complying with legal obligations and regulatory requirements
  • Preventing fraud and ensuring platform security
  • Protecting our rights and the rights of other users
  • Maintaining records for tax and accounting purposes
  • Responding to legal requests and court orders

4.7 Data Processing Principles

All data processing activities adhere to the GDPR principles:

  • Lawfulness, Fairness, and Transparency: We process data lawfully and inform you about our processing activities
  • Purpose Limitation: We only use data for the specific purposes outlined above
  • Data Minimization: We only collect and process data that is necessary for our services
  • Accuracy: We take steps to ensure your data is accurate and up-to-date
  • Storage Limitation: We only retain data for as long as necessary
  • Integrity and Confidentiality: We implement appropriate security measures
  • Accountability: We can demonstrate compliance with these principles

5. Data Sharing and International Transfers

5.1 Third-Party Service Providers

We share your personal data with the following categories of third-party service providers who process data on our behalf:

Payment Processing

  • Paddle.com (UK/US): Payment processing, subscription management, tax compliance, and billing as our merchant of record

Infrastructure and Hosting

  • Supabase (US): Database hosting, user authentication, and backend services
  • Vercel (US): Website hosting and content delivery

AI and Language Services

  • ElevenLabs (US): AI conversation processing, voice synthesis, and conversation transcripts for STEFai features
  • DeepL (Germany): Translation services for German words and phrases

Analytics and Performance

  • Google Analytics (US): Website analytics, user behavior analysis, and performance monitoring
  • Google Tag Manager (US): Tag management and tracking code deployment
  • PostHog (EU): Product analytics, user behavior tracking, feature usage analysis, and performance monitoring

5.2 Legal and Regulatory Sharing

We may share your personal data when required by law or to protect our rights:

  • With law enforcement agencies, courts, or regulatory authorities when legally required
  • To protect our rights, property, or safety, or that of our users or the public
  • In connection with legal proceedings or investigations
  • To comply with tax obligations and financial regulations

5.3 International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for all international transfers:

Adequacy Decisions

  • United Kingdom: Covered by EU adequacy decision

Standard Contractual Clauses (SCCs)

  • United States: All US-based providers (Paddle, Supabase, Vercel, ElevenLabs, Google) are bound by Standard Contractual Clauses approved by the European Commission

EU-Based Providers

  • European Union: PostHog (EU instance) - no additional safeguards required as data remains within the EEA

Additional Safeguards

  • Data Processing Agreements (DPAs) with all processors
  • Regular security assessments and audits
  • Encryption of data in transit and at rest
  • Access controls and monitoring

5.4 Data Processor Obligations

All third-party service providers are contractually bound to:

  • Process data only for the specific purposes we instruct
  • Implement appropriate technical and organizational security measures
  • Not use your data for their own purposes
  • Delete or return data upon termination of services
  • Assist with data subject rights requests
  • Notify us of any data breaches

5.5 What We Don't Do

We do not:

  • Sell, rent, or trade your personal information to third parties for marketing purposes
  • Share your data with advertisers or marketing companies
  • Use your data for automated decision-making that significantly affects you
  • Transfer data without appropriate safeguards

6. Data Retention and Deletion

6.1 Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Our retention periods are:

Account Data

  • Active Accounts: Retained for the duration of your account
  • Closed Accounts: Deleted within 30 days of account closure, except where longer retention is required by law
  • Inactive Accounts: Accounts inactive for 3 years will be automatically deleted after 30 days' notice

Learning Data

  • Progress and Performance: Retained for the duration of your account plus 1 year for service improvement
  • Conversation Transcripts (STEFai): Retained for 2 years for quality improvement, then automatically deleted
  • Vocabulary Entries: Retained for the duration of your account
  • Flashcard Data: Retained for the duration of your account

Communication Data

  • Support Tickets: Retained for 3 years for quality assurance and legal compliance
  • Marketing Communications: Retained until you unsubscribe or withdraw consent
  • Transactional Emails: Retained for 7 years for accounting and legal purposes

Financial Data

  • Payment Records: Retained for 10 years as required by German tax law
  • Subscription Data: Retained for 7 years for accounting purposes
  • Refund Records: Retained for 7 years for financial compliance

Technical Data

  • Server Logs: Retained for 90 days for security and performance monitoring
  • Analytics Data: Anonymized and retained for 26 months (Google Analytics default); PostHog data retained for 12 months
  • Security Logs: Retained for 1 year for security incident investigation

6.2 Automated Deletion

We have implemented automated systems to ensure data is deleted according to our retention schedule:

  • Regular automated deletion of expired data
  • Secure deletion methods that make data unrecoverable
  • Monitoring and logging of deletion activities
  • Regular audits to ensure compliance with retention policies

6.3 Legal Retention Requirements

Some data must be retained longer due to legal obligations:

  • German Tax Law: Financial records for 10 years
  • German Commercial Code: Business correspondence for 6 years
  • GDPR: Data breach records for 3 years
  • Consumer Protection: Complaint records for 3 years

6.4 Data Security During Retention

We implement comprehensive security measures throughout the data lifecycle:

  • Encryption: All personal data is encrypted in transit and at rest
  • Access Controls: Role-based access with regular review and audit
  • Monitoring: Continuous monitoring for unauthorized access attempts
  • Backup Security: Encrypted backups with secure deletion schedules
  • Regular Assessments: Annual security audits and penetration testing
  • Staff Training: Regular data protection training for all employees

7. Your Data Protection Rights

Under GDPR and German data protection laws, you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights and will respond to your requests within one month.

7.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and access to such data. This includes:

  • The purposes of processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom data has been disclosed
  • The envisaged period for which data will be stored
  • Information about your other rights under GDPR

7.2 Right to Rectification (Article 16 GDPR)

You have the right to obtain rectification of inaccurate personal data and to have incomplete personal data completed, including by means of providing a supplementary statement.

7.3 Right to Erasure - "Right to be Forgotten" (Article 17 GDPR)

You have the right to obtain erasure of personal data concerning you without undue delay where one of the following grounds applies:

  • The personal data is no longer necessary for the original purposes
  • You withdraw consent and there is no other legal ground for processing
  • You object to processing and there are no overriding legitimate grounds
  • The personal data has been unlawfully processed
  • Erasure is required for compliance with a legal obligation

Note: This right may be limited where processing is necessary for exercising freedom of expression, compliance with legal obligations, or establishment of legal claims.

7.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to obtain restriction of processing where:

  • You contest the accuracy of personal data (restriction during verification)
  • Processing is unlawful and you oppose erasure
  • We no longer need the data but you require it for legal claims
  • You have objected to processing pending verification of legitimate grounds

7.5 Right to Data Portability (Article 20 GDPR)

Where processing is based on consent or contract and carried out by automated means, you have the right to:

  • Receive your personal data in a structured, commonly used, machine-readable format
  • Transmit that data to another controller without hindrance
  • Have your data transmitted directly to another controller where technically feasible

This includes your learning progress, vocabulary entries, flashcard data, and conversation transcripts.

7.6 Right to Object (Article 21 GDPR)

You have the right to object to processing of your personal data where:

  • Processing based on legitimate interests: You may object at any time, and we will cease processing unless we demonstrate compelling legitimate grounds
  • Direct marketing: You have an absolute right to object to processing for direct marketing purposes
  • Scientific research: You may object unless processing is necessary for public interest tasks

7.7 Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

7.8 Right Not to be Subject to Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects you. We do not engage in automated decision-making that significantly affects you.

7.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: support@lernedeutsch.online
  • Subject Line: "GDPR Data Subject Request - [Type of Request]"
  • Required Information: Please include your full name, email address, and specific details about your request

7.10 Response Timeline and Verification

We will respond to your request within one month of receipt. In complex cases, this may be extended by two additional months with notification. We may request additional information to verify your identity before processing your request.

7.11 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. In Germany, you may contact:

  • Federal Commissioner for Data Protection and Freedom of Information (BfDI)
  • Website: www.bfdi.bund.de
  • Or your local state data protection authority

8. Cookies and Tracking Technologies

8.1 What Are Cookies

Cookies are small text files that are placed on your computer or mobile device when you visit our website. They are widely used to make websites work more efficiently and to provide information to website owners about how visitors use their sites.

8.2 Types of Cookies We Use

8.2.1 Strictly Necessary Cookies

These cookies are essential for the website to function properly and cannot be switched off. They include:

  • Authentication Cookies: Keep you logged in during your session
  • Security Cookies: Help protect against fraud and maintain security
  • Load Balancing Cookies: Ensure website performance and availability

Legal Basis: Legitimate interest (essential for website functionality)

8.2.2 Performance and Analytics Cookies

These cookies help us understand how visitors interact with our website:

  • Google Analytics: Tracks website usage, page views, user behavior, and performance metrics
  • Google Tag Manager: Manages tracking codes and marketing tags
  • PostHog: Product analytics, user behavior tracking, feature usage analysis, and session recordings
  • Session Recording: Helps us understand user experience and identify issues

Legal Basis: Consent (required before activation)

Retention: Google Analytics data is retained for 26 months; PostHog data is retained for 12 months

8.2.3 Functional Cookies

These cookies enable enhanced functionality and personalization:

  • Language Preferences: Remember your language settings
  • Theme Preferences: Remember your dark/light mode choice
  • Learning Progress: Store your current lesson or quiz progress
  • Supabase Session: Maintain your authentication state

Legal Basis: Legitimate interest (enhancing user experience)

8.2.4 Third-Party Service Cookies

Cookies set by our third-party service providers:

  • Paddle.com: Payment processing and subscription management cookies during checkout
  • ElevenLabs: AI conversation service cookies for STEFai functionality
  • Vercel: Hosting and performance optimization cookies

Legal Basis: Contract performance (necessary for service delivery)

8.3 Cookie Consent Management

We implement a cookie consent management system that:

  • Blocks non-essential cookies until consent is given
  • Allows granular consent choices by cookie category
  • Provides easy withdrawal of consent
  • Remembers your preferences across sessions
  • Complies with GDPR and ePrivacy Directive requirements

8.4 Managing Your Cookie Preferences

You can control cookies through several methods:

8.4.1 Our Cookie Settings

You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in our website footer or by contacting us directly.

8.4.2 Browser Settings

Most web browsers allow you to control cookies through their settings:

  • Chrome: Settings > Privacy and Security > Cookies and other site data
  • Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Manage Website Data
  • Edge: Settings > Cookies and site permissions

8.4.3 Third-Party Opt-Outs

8.5 Impact of Disabling Cookies

Disabling certain cookies may impact your experience:

  • Strictly Necessary: Website may not function properly
  • Functional: Loss of personalization and preferences
  • Analytics: No impact on functionality, but we cannot improve our services based on usage data

8.6 Cookie Retention Periods

  • Session Cookies: Deleted when you close your browser
  • Authentication Cookies: 30 days or until logout
  • Preference Cookies: 1 year
  • Analytics Cookies: 26 months (Google Analytics default); 12 months (PostHog)
  • Consent Cookies: 12 months (renewed annually)

8.7 Updates to Cookie Usage

We may update our cookie usage from time to time. When we make significant changes, we will:

  • Update this policy with the new information
  • Request new consent where required by law
  • Notify you of changes through our website or email

9. Data Breach Notification

9.1 Our Commitment to Data Security

We implement comprehensive technical and organizational measures to prevent data breaches. However, in the unlikely event of a personal data breach, we are committed to transparent and prompt notification in accordance with GDPR requirements.

9.2 Breach Response Procedures

In case of a personal data breach, we will:

  • Immediate Assessment: Evaluate the nature, scope, and potential impact within 24 hours
  • Containment: Take immediate steps to contain the breach and prevent further data loss
  • Investigation: Conduct a thorough investigation to determine the cause and extent
  • Documentation: Maintain detailed records of the breach and our response

9.3 Notification to Supervisory Authority

We will notify the competent supervisory authority (BfDI in Germany) within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms. The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9.4 Notification to Data Subjects

If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. The notification will include:

  • Clear and plain language description of the breach
  • Contact details of our Data Protection Officer
  • Likely consequences of the breach
  • Measures we have taken to address the breach
  • Recommendations for protecting yourself

9.5 Breach Prevention Measures

We maintain robust security measures to prevent breaches:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Regular Audits: Quarterly security assessments and penetration testing
  • Staff Training: Regular data protection and security awareness training
  • Incident Response Plan: Tested and updated annually
  • Vendor Management: All third-party processors undergo security assessments

10. Data Protection Impact Assessments (DPIA)

10.1 When We Conduct DPIAs

We conduct Data Protection Impact Assessments for processing activities that are likely to result in high risk to your rights and freedoms, including:

  • Implementation of new AI features (such as STEFai conversation analysis)
  • Large-scale processing of learning behavior data
  • Introduction of new tracking technologies
  • Significant changes to data sharing arrangements

10.2 DPIA Process

Our DPIA process includes:

  • Risk Assessment: Systematic evaluation of potential privacy risks
  • Necessity and Proportionality: Assessment of whether processing is necessary and proportionate
  • Mitigation Measures: Identification and implementation of risk reduction measures
  • Stakeholder Consultation: Engagement with relevant stakeholders where appropriate
  • Supervisory Authority Consultation: Consultation with BfDI when residual risks remain high

10.3 Completed DPIAs

We have completed DPIAs for the following high-risk processing activities:

  • STEFai Conversation Processing: AI-powered conversation analysis and transcript storage
  • Learning Analytics: Comprehensive tracking of learning progress and behavior
  • Cross-Border Data Transfers: Transfer of data to US-based service providers

11. Accountability and Governance

11.1 Data Protection by Design and by Default

We implement data protection principles into all our systems and processes:

  • Privacy by Design: Data protection considerations are integrated from the earliest design stages
  • Data Minimization: We collect only the minimum data necessary for each purpose
  • Purpose Limitation: Data is used only for the specific purposes for which it was collected
  • Storage Limitation: Automated deletion systems ensure data is not kept longer than necessary
  • Default Privacy Settings: The most privacy-friendly settings are applied by default

11.2 Records of Processing Activities

We maintain comprehensive records of all processing activities, including:

  • Purposes of processing and legal basis
  • Categories of data subjects and personal data
  • Recipients of personal data, including third-party processors
  • International transfers and safeguards
  • Retention periods and deletion schedules
  • Security measures implemented

11.3 Staff Training and Awareness

All staff members receive comprehensive data protection training:

  • Initial Training: GDPR fundamentals and role-specific responsibilities
  • Regular Updates: Quarterly training sessions on new developments
  • Incident Response: Training on breach detection and response procedures
  • Certification: Annual data protection competency assessments

11.4 Third-Party Processor Management

We ensure all third-party processors meet GDPR requirements:

  • Due Diligence: Comprehensive security and privacy assessments
  • Data Processing Agreements: Binding contracts with all processors
  • Regular Audits: Annual compliance reviews and security assessments
  • Incident Notification: Contractual requirements for breach notification

11.5 Continuous Improvement

We continuously improve our data protection practices through:

  • Regular Reviews: Annual privacy policy and procedure reviews
  • Technology Updates: Implementation of new privacy-enhancing technologies
  • Regulatory Monitoring: Tracking of new regulations and guidance
  • User Feedback: Incorporation of user privacy concerns and suggestions

12. Children's Privacy

12.1 Age Restrictions

Our Platform is not intended for children under 16 years of age in accordance with GDPR Article 8. We do not knowingly collect personal data from children under 16 without appropriate parental consent.

12.2 Parental Consent

If we need to process personal data of a child under 16, we will:

  • Obtain verifiable parental consent before processing
  • Provide clear information to parents about the processing
  • Allow parents to access, rectify, or delete their child's data
  • Enable parents to withdraw consent at any time

12.3 Detection and Response

If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will:

  • Immediately cease processing the data
  • Delete the data from our systems within 30 days
  • Notify the supervisory authority if required
  • Implement additional safeguards to prevent future occurrences

12.4 Educational Content

While our platform is designed for adult learners, we recognize that some content may be suitable for older children with parental supervision. In such cases:

  • Parents must create and manage the account
  • Enhanced privacy protections apply
  • Limited data collection and processing
  • No marketing communications to children

13. Data Protection Officer

13.1 Appointment and Role

While not legally required for our organization size, we have appointed an internal Data Protection Officer (DPO) to ensure the highest standards of data protection compliance and to serve as your primary contact for privacy matters.

13.2 DPO Responsibilities

Our Data Protection Officer is responsible for:

  • Monitoring compliance with GDPR and German data protection laws
  • Conducting privacy impact assessments and risk evaluations
  • Providing data protection training to staff
  • Serving as the contact point for supervisory authorities
  • Handling data subject requests and privacy inquiries
  • Advising on data protection matters and new processing activities

13.3 Contact the DPO

You can contact our Data Protection Officer directly for any privacy-related matters:

  • Email: support@lernedeutsch.online
  • Subject Line: Please include "DPO - [Your Request Type]"
  • Response Time: We will respond within 5 business days

13.4 Independence and Expertise

Our DPO operates independently and reports directly to senior management. They possess:

  • Professional qualifications in data protection law
  • Practical experience in data protection compliance
  • Knowledge of our business operations and IT systems
  • Regular training on evolving privacy regulations

14. Changes to This Privacy Policy

14.1 Policy Updates

We may update our Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We are committed to transparency in how we communicate these changes.

14.2 Notification of Changes

When we make changes to this Privacy Policy, we will:

  • Material Changes: Notify you by email and/or prominent notice on our website at least 30 days before the changes take effect
  • Minor Changes: Update the "Last updated" date and post the revised policy on our website
  • Legal Requirement Changes: Implement immediately with notification as soon as reasonably possible

14.3 Consent for Material Changes

For material changes that affect how we process your personal data:

  • We will seek your explicit consent where required by law
  • You will have the option to object to the changes
  • If you object, we will either maintain the previous terms for your data or, if not possible, provide you with options including account deletion

14.4 Version Control

We maintain a record of all previous versions of this Privacy Policy. You can request access to previous versions by contacting our Data Protection Officer.

15. Contact Information

15.1 Data Controller Contact

For general inquiries about this Privacy Policy or our data practices, please contact us at:

Weinberger GbR
Email: support@lernedeutsch.com
Address: c/o Grosch Postflex #1052
Emsdettener Str. 10
48268 Greven, Germany
Tax ID: DE366866986

15.2 Data Protection Officer

For privacy-specific inquiries and data subject requests:

  • Email: support@lernedeutsch.online
  • Subject Line: "DPO - [Your Request Type]"

15.3 Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR:

Federal Level (Germany)

Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Phone: +49 228 997799-0
Email: poststelle@bfdi.bund.de
Website: www.bfdi.bund.de

State Level (North Rhine-Westphalia)

State Commissioner for Data Protection and Freedom of Information NRW
Kavalleriestr. 2-4
40213 Düsseldorf, Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Website: www.ldi.nrw.de

15.4 Response Times

  • General Inquiries: 2-3 business days
  • Data Subject Requests: Within 1 month (may be extended to 3 months for complex requests)
  • Privacy Concerns: Within 5 business days
  • Data Breach Reports: Immediate acknowledgment, full response within 72 hours

Last updated: July 16, 2025


Cookie Policy

1. What Are Cookies

Cookies are small text files that are placed on your computer or mobile device when you visit our website. They are widely used to make websites work more efficiently and to provide information to website owners.

Cookies allow us to recognize your device and store some information about your preferences or past actions on our website.

2. How We Use Cookies

We use cookies for several purposes:

  • Essential Cookies: These are necessary for the website to function properly. They enable core functionality such as security, network management, and accessibility.
  • Performance Cookies: These help us understand how visitors interact with our website by collecting and reporting information anonymously.
  • Functional Cookies: These enable the website to provide enhanced functionality and personalization, such as remembering your login status and preferences.
  • Analytics Cookies: We use Google Analytics to analyze website usage and improve our services. These cookies help us understand which pages are most popular and how visitors move around the site.

3. Types of Cookies We Use

3.1 First-Party Cookies

These are cookies set directly by our website:

  • Session Cookies: Temporary cookies that expire when you close your browser
  • Authentication Cookies: Keep you logged in during your session
  • Preference Cookies: Remember your settings and preferences
  • Security Cookies: Help protect against fraud and maintain security

3.2 Third-Party Cookies

These are cookies set by external services we use:

  • Google Analytics: Helps us analyze website traffic and user behavior
  • Google Tag Manager: Manages tracking codes and marketing tags
  • PostHog: Product analytics platform for user behavior tracking and feature usage analysis
  • Paddle.com: Our payment processor may set cookies during the checkout process
  • Supabase: Our authentication and database provider may set cookies for user sessions

4. Cookie Consent and Management

When you first visit our website, we will ask for your consent to use non-essential cookies. You can choose to accept or decline these cookies.

You can manage your cookie preferences at any time by:

  • Using your browser settings to block or delete cookies
  • Opting out of Google Analytics by visiting the Google Analytics Opt-out Browser Add-on page
  • Opting out of PostHog analytics by contacting us at support@lernedeutsch.online
  • Contacting us directly at support@lernedeutsch.online

Please note that blocking certain cookies may impact the functionality of our website and your user experience.

5. Browser Settings

Most web browsers allow you to control cookies through their settings. You can set your browser to:

  • Block all cookies
  • Block third-party cookies only
  • Delete cookies when you close your browser
  • Notify you when a website tries to set a cookie

For specific instructions on how to manage cookies in your browser, please refer to your browser's help documentation.

6. Cookie Retention

Different cookies have different retention periods:

  • Session Cookies: Deleted when you close your browser
  • Persistent Cookies: Remain on your device for a set period (typically 30 days to 2 years)
  • Analytics Cookies: Google Analytics cookies typically expire after 2 years

We regularly review and clean up unnecessary cookies to minimize data collection.

7. Updates to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons.

When we make changes, we will update the "Last updated" date at the bottom of this page. We encourage you to review this Cookie Policy periodically.

8. Contact Us

If you have any questions about our use of cookies or this Cookie Policy, please contact us at:

Weinberger GbR
Email: support@lernedeutsch.online
Address: c/o Grosch Postflex #1052
Emsdettener Str. 10
48268 Greven

Last updated: July 16, 2025