Privacy Policy

The data controller responsible for your personal data is:

We collect the following categories of personal data:

• Account data — name, email address, password (hashed), date of birth (for age-appropriate content).
• Profile data — profile picture, role (student / partner / admin), language and currency preferences.
• Transaction data — order history, purchased courses and kits, payment references (we do not store full card numbers).
• Usage data — course progress, quiz results, pages visited, session duration.
• Technical data — IP address, browser type, device type, time zone, cookies (see Cookie Policy).
• Support data — messages, support tickets, and correspondence you send us.
• Children's data — where a child under 16 uses our services, we require verifiable parental/guardian consent before collecting any personal data.

• Contract performance (Art. 6(1)(b)) — to create your account, deliver courses, process orders, and provide customer support.
• Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other legal requirements.
• Legitimate interests (Art. 6(1)(f)) — to prevent fraud, improve our services, and ensure platform security.
• Consent (Art. 6(1)(a)) — for marketing emails, non-essential cookies, and analytics. You may withdraw consent at any time.

• Providing and personalising our educational platform and shop.
• Processing payments and managing your subscription or purchases.
• Sending transactional emails (order confirmations, password resets).
• Sending newsletters and promotional offers — only with your explicit consent.
• Tracking course progress and issuing certificates of completion.
• Communicating with you regarding support requests.
• Complying with legal obligations (tax records, GDPR requests).
• Improving platform security and preventing fraudulent activity.

We do not sell your personal data. We share data only with:

• Payment processors (e.g. Stripe) — for secure payment processing. These processors are PCI-DSS compliant and operate under their own privacy policies.
• Avishkaar (AMS partner) — when you launch the Academy Management System, we transmit a pseudonymous user identity to Avishkaar under a data processing agreement.
• Hosting / infrastructure providers — our servers and database infrastructure. Data is stored within the EU or in countries with an adequacy decision.
• Legal authorities — when required by applicable law, court order, or to protect the rights and safety of our users.

All third-party processors are bound by data processing agreements (DPA) pursuant to Art. 28 GDPR.

• Account data — retained for the duration of your account plus 3 years after deletion, unless a longer period is required by law.
• Transaction / invoice data — retained for 10 years to satisfy German tax law (§ 147 AO).
• Support correspondence — retained for 3 years after ticket closure.
• Usage / analytics data — retained for 24 months, then anonymised.
• Marketing consent records — retained until you withdraw consent, plus 3 years for legal proof.

You have the following rights regarding your personal data (Arts. 15–22 GDPR):

• Right of access (Art. 15) — request a copy of all personal data we hold about you.
• Right to rectification (Art. 16) — correct inaccurate or incomplete data.
• Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data where there is no overriding legal obligation to retain it.
• Right to restriction of processing (Art. 18) — ask us to limit how we use your data.
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent (Art. 7(3)) — withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any right, email us at support@robitro.eu. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority. In Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), www.bfdi.bund.de.

We implement appropriate technical and organisational measures to protect your personal data, including TLS/SSL encryption in transit, hashed password storage (bcrypt), access controls, and regular security reviews. However, no system is 100% secure. If you suspect a security incident, contact us immediately at support@robitro.eu.

Our platform is designed for children and young learners. Where a user is under 16 years of age, we require verifiable consent from a parent or legal guardian before processing their personal data, in accordance with Art. 8 GDPR and § 13 TTDSG. We do not knowingly collect personal data from children under 13 without parental consent. If you believe a child's data has been submitted without consent, please contact us immediately.

Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other appropriate safeguards as required by Chapter V GDPR.

We use cookies and similar tracking technologies. For full details, please see our Cookie Policy.

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or a prominent notice on our website. The date at the top of this page indicates when it was last revised. Continued use of our services after changes constitutes acceptance of the revised policy.

For any privacy-related questions or to exercise your rights, contact our Data Protection contact:
support@robitro.eu — Robitro, [Address], Germany