Privacy Policy
Last updated: January 2026
1. Privacy at a Glance
General Information
The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the section 'Notice on the Responsible Party' in this privacy policy.
How do we collect your data?
Your data is collected in part by you providing it to us. This may be data that you enter in a contact form, for example.
Other data is collected automatically or with your consent when you visit the website by our IT systems. This is primarily technical data (e.g., internet browser, operating system, or time of page access).
What do we use your data for?
Some of the data is collected to ensure error-free provision of the website. Other data may be used to analyze your user behavior.
What rights do you have regarding your data?
You have the right to receive information about the origin, recipient, and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances, as well as the right to data portability and to object to processing (Art. 20, 21 GDPR).
2. General Information and Mandatory Disclosures
Data Protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
When you use this website, various personal data is collected. Personal data is data that can be used to personally identify you.
We would like to point out that data transmission over the Internet (e.g., when communicating by email) may have security gaps. Complete protection of data from access by third parties is not possible.
Notice on the Responsible Party
The responsible party for data processing on this website is:
AIAct-Akademie.de
Bremer Straße 163
27751 Delmenhorst
Germany
E-Mail: info@aiact-akademie.de
Data Protection Officer
We are not legally obligated to appoint a data protection officer. If you have any questions about data protection, you can contact us directly at the address above.
SSL/TLS Encryption
For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the address bar of your browser changing from 'http://' to 'https://' and by the lock symbol in your browser bar. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Revocation of Your Consent to Data Processing
Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to Complain to the Competent Supervisory Authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority. A list of EU data protection authorities and their contact details can be found at the following link: https://edpb.europa.eu.
Legal Bases for Processing
Where we process personal data, we do so based on Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract/pre-contract), Art. 6(1)(c) GDPR (legal obligation) or Art. 6(1)(f) GDPR (legitimate interests, e.g., security and stability of the website).
Automated Decision-Making
We do not make automated individual decisions including profiling within the meaning of Art. 22 GDPR. Please note that third-party analytics providers (e.g., Microsoft in the context of Microsoft Clarity) may process data for profiling and advertising purposes in accordance with their own privacy policies.
3. Data Collection on This Website
Hosting
This website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. When you visit our website, Hetzner automatically collects technical data (e.g., IP address, browser type, time of access) in server log files. The legal basis is Art. 6(1)(f) GDPR. Processing takes place in Germany/EU. More information at: https://www.hetzner.com/legal/privacy-policy
Cookies
Our websites use so-called 'cookies'. Cookies are small data packets and do not cause any damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted after your visit ends. Permanent cookies remain stored on your device until you delete them yourself or they are automatically deleted by your web browser. We use technically necessary cookies to enable login sessions (NextAuth), language preferences, and security features. Additionally, we use analytics cookies (e.g., for Microsoft Clarity and Google Analytics) only with your consent.
Server Log Files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are: browser type and version, operating system used, referrer URL, hostname of the accessing computer, time of server request, and IP address. This data is not merged with other data sources. Processing is for technical provision, error analysis, security and prevention of abuse (e.g., rate limiting based on IP, user agent or session ID). Legal basis is Art. 6(1)(f) GDPR.
Contact and Support Requests
If you send us inquiries via the contact form, support chat, feedback or booking form, your information from the form including the contact data you provided will be processed for the purpose of handling the inquiry and in case of follow-up questions. We use Resend as a processor for email delivery. Legal basis is Art. 6(1)(b) GDPR (contract/pre-contract) or Art. 6(1)(f) GDPR (general inquiries).
Registration, Login and User Account
To use the platform we process registration and account data (e.g., email address, name, optionally company details) as well as login and session data. Passwords are stored only in hashed form.
For system emails (e.g., verification, password reset, invitations) we use Resend as a processor.
Login via Google (Google OAuth)
We offer you the option to log in to our platform using your Google account. When you use this function, the following data is transmitted to us from Google:
- Email address, name (first and last name), profile picture
This data is used to create and manage your user account. The legal basis for processing is Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(a) GDPR (consent).
Data processing is based on your consent, which you give when using Google Login. You can revoke this consent at any time by unlinking your Google account in your profile settings.
For more information about data protection at Google, please visit: https://policies.google.com/privacy.
Courses, Progress and Certificates
We process data on course purchases, learning progress, quiz results, compliance checks, XP points and issued certificates (certificate number, issue date).
For certificate verification we process the certificate number and last name; the check is performed via the verification page.
Company and License Management
For team purchases and company administration we process company data (company name, billing email, VAT ID), memberships and roles, seat assignments and invitations (email address, status, token hash, expiry). Invitations can be sent individually or via CSV upload; email delivery is handled via Resend.
Comments and Likes
If you post comments or like articles, we store the comment/like, timestamp and association with your user account. Comments are publicly displayed after approval (with your name and, if applicable, profile image).
4. Analytics Tools and Advertising
Google Tag Manager
We use Google Tag Manager to manage website tags. The Tag Manager itself does not create user profiles but may technically transmit the IP address to Google. Services embedded via Tag Manager process data according to the respective information in this privacy policy.
Google Analytics
This website uses features of the web analytics service Google Analytics (possibly via Google Tag Manager). The provider is Google Ireland Limited ('Google'), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics enables the website operator to analyze the behavior of website visitors. The website operator receives various usage data.
Microsoft Clarity
This website uses Microsoft Clarity, a web analytics service provided by Microsoft Corporation ('Microsoft').
Microsoft Clarity records user behavior on this website (e.g., mouse movements, clicks, scroll behavior). These recordings help us improve the usability of our website.
The collected data is processed on Microsoft servers. Microsoft processes this data as an independent controller and may use it in accordance with the Microsoft Privacy Statement for its own purposes (e.g., service improvement, Microsoft Advertising).
For more information about data protection at Microsoft, please visit: https://privacy.microsoft.com/en-us/privacystatement.
Sentry (Error and Performance Monitoring)
We use Sentry to analyze errors and monitor stability. Technical data (e.g., IP address, browser, device information, timestamp, error messages) may be processed; if you are logged in, a pseudonymous user identifier may be included.
Objection to Data Collection
Google Analytics and Microsoft Clarity are only loaded if you have consented to the 'Marketing' category in the cookie banner (legal basis: Art. 6(1)(a) GDPR). Without your consent, no data collection by these services takes place. You can revoke your consent at any time via the cookie settings.
5. Newsletter
Newsletter Data
If you would like to receive the newsletter offered on the website, we require an email address from you as well as information that allows us to verify that you are the owner of the specified email address and agree to receive the newsletter. Data processing is based on your consent (Art. 6(1)(a) GDPR). You can revoke your consent at any time.
MailerLite
For sending and managing the newsletter we use MailerLite as a processor. This involves processing your email address, optionally name, IP address and the time of subscription.
Geolocation for Newsletter Sign-up
To classify the subscription geographically, we may derive coarse location data (country/city/region) from your IP address via the service ipwho.is. Your IP address is transmitted to this service.
6. Payment Processing
Stripe
We use Stripe for payments and the customer portal. This involves processing name, email address, payment and billing data; payment processing is handled directly by Stripe. We receive a Stripe customer ID and information about payments, invoices and subscriptions.
Legal basis is Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) GDPR (statutory retention obligations).
7. Data Transfers to Third Countries
General Information
Some of our service providers are located outside the European Union or the European Economic Area (EEA). Where there is no level of data protection comparable to the EU, we ensure appropriate safeguards to protect your personal data.
USA – EU-US Data Privacy Framework (DPF)
For transfers of personal data to the USA we primarily use providers certified under the EU-US Data Privacy Framework (DPF). The European Commission adopted an adequacy decision for the DPF on 10 July 2023.
According to our information, the following providers are DPF-certified:
- Google LLC (Google OAuth, possibly Google Analytics/Tag Manager)
- Microsoft Corporation (Microsoft Clarity)
Standard Contractual Clauses (SCCs)
Where providers are not DPF-certified or are located in other third countries, we conclude the EU Commission's Standard Contractual Clauses (SCCs). This may include providers such as Stripe, Resend, Sentry or ipwho.is.
United Kingdom (UK)
For the UK, there is an EU adequacy decision (valid until 27 Dec 2031). Transfers to the UK are therefore permitted without additional safeguards.
Switzerland
Switzerland is also covered by an EU adequacy decision. Transfers to Switzerland are therefore permitted without additional safeguards.
8. Storage Duration
We store personal data only as long as necessary for the respective purposes or as required by statutory retention obligations.
Contract and invoicing data is generally retained for 6 or 10 years under commercial and tax law. You can delete or deactivate your account in the settings; data is deleted or anonymized unless legal obligations require retention.