Privacy Policy
This privacy policy explains how SkillWald processes your personal data. It is written to be easy to understand.
1. Data Controller
The controller responsible for data processing on this platform within the meaning of the General Data Protection Regulation (GDPR) is:
[Operator name]
[Legal form]
[Street and number]
[Postal code, city, country]
Email: [email address]
2. Data We Collect
- Registration data: name, email address, password (stored only as a bcrypt hash, never in plain text).
- Usage data: learning progress, exercise answers, input in AI exercises and simulations, seminar registrations, sessions with the AI coach.
- When signing in with Google: name, email address and profile ID that Google transmits to us as part of the OAuth login.
- Technical data: IP address (for abuse and attack detection only, not stored permanently), browser type via HTTP headers.
3. Purposes of Processing
We process your data to provide and manage your user account, save your learning progress, provide the interactive AI exercises and the AI coach, register you for seminars, and ensure the security and operation of the platform.
4. Legal Bases (Art. 6 GDPR)
- Performance of a contract (Art. 6(1)(b) GDPR) — providing your account and the learning features.
- Consent (Art. 6(1)(a) GDPR) — in particular for the use of the AI features, where your input is transmitted to service providers outside the EU. You may withdraw your consent at any time with effect for the future.
- Legitimate interest (Art. 6(1)(f) GDPR) — security of the platform and detection of abuse.
5. Sharing with Third Parties / Processors
We do not sell your data. To provide certain features we use carefully selected service providers that process your data on our behalf (processing on behalf of the controller under Art. 28 GDPR):
- Anthropic PBC (USA) — operates the Claude AI that evaluates our AI-powered exercises and simulations. When you work on such an exercise, the text you enter (your prompts and answers) is transmitted to Anthropic in the USA for processing. The legal basis is your consent (Art. 6(1)(a)) and the performance of a contract (lit. b); the transfer to the USA is safeguarded by the EU Commission's standard contractual clauses (Art. 46 GDPR). Please do not enter any special categories of personal data into these exercises.
- ElevenLabs Inc. (USA) — provides the voice technology for the AI voice coach. When you use the voice coach, audio data (your voice input) and the associated text are transmitted to ElevenLabs for processing. The legal basis is your consent (Art. 6(1)(a)); the transfer to the USA is safeguarded by standard contractual clauses.
- Google Ireland Ltd. / Google LLC — only if you use sign-in with your Google account (OAuth). In that case we exchange the data required for login with Google (name, email address, profile ID). The legal basis is your consent (Art. 6(1)(a)) or the performance of a contract (lit. b).
Beyond this, we only share data where we are legally required to do so.
6. Transfers to Third Countries (Art. 44 ff. GDPR)
Some of the service providers listed above process data in the USA. A level of data protection equivalent to EU law is not guaranteed there in every case. The transfer therefore takes place on the basis of the EU Commission's standard contractual clauses (Art. 46(2)(c) GDPR) and, where the provider is certified accordingly, on the basis of an adequacy decision (EU-US Data Privacy Framework). In addition, we base the transfer of your AI input on your explicit consent (Art. 49(1)(a) GDPR).
7. Retention Period
We store your data for as long as your account exists. After you delete your account, your personal data is deleted or anonymized, unless statutory retention obligations require otherwise. Input transmitted to the AI service providers is processed there in accordance with their respective retention periods.
8. Cookies
We use only technically necessary cookies:
- session_id — session cookie for authentication (up to 30 days)
- csrf_token — protection against Cross-Site Request Forgery
- oauth_state — temporary during Google login (approx. 10 minutes)
No tracking, analytics, or advertising cookies are used. No consent is required for technically necessary cookies (§ 25(2) TDDDG).
9. Your Rights (Art. 15–21 GDPR)
- Access (Art. 15) — what data we store about you.
- Rectification (Art. 16) — correction of inaccurate data.
- Erasure (Art. 17) — you can delete your account and all data at any time in your profile settings.
- Restriction (Art. 18) — restriction of processing.
- Data portability (Art. 20) — you can export your data as a JSON file at any time in your profile settings.
- Objection (Art. 21) — object to the processing.
You also have the right to lodge a complaint with a data protection supervisory authority.
10. Data Security
Passwords are hashed with bcrypt (cost factor 12). All connections are TLS-encrypted. SQL injection is prevented through parameterized database queries.
11. Contact for Data Protection Requests
For questions about data protection you can reach us at: [data protection email address]