Privacy Policy
Last updated: December 22, 2024
1. Data Controller
The data controller responsible for your personal data is:
Name: Albert Banke
Location: Copenhagen, Denmark
Email: privacy@educated.dk
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account Information
- Email address - Required for account creation and authentication
- Institution email - Optional, for verifying educational affiliation
- Professional status - Optional, to understand your relationship to education
2.2 User-Generated Content
- Reviews - Including ratings, pros/cons, and written feedback
- Suggestions - Institution or education program suggestions
2.3 Technical Data
- IP address - For security and fraud prevention
- Browser type and version - For compatibility and debugging
- Device information - Operating system and device type
- Usage data - Pages visited, features used, timestamps
2.4 Cookies
We use essential cookies required for the platform to function:
- Session cookies - To keep you logged in
- CSRF tokens - For security against cross-site attacks
We do not use tracking cookies or third-party advertising cookies.
3. How We Use Your Data
We process your personal data for the following purposes:
- Service Provision: To create and manage your account, authenticate you, and provide our review platform services
- Communication: To send you magic link login emails and important service notifications
- Security: To protect against fraud, abuse, and unauthorized access
- Improvement: To analyze usage patterns and improve our platform
- Legal Compliance: To comply with applicable laws and regulations
4. Legal Basis for Processing
Under GDPR, we process your data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide our services when you create an account
- Consent (Art. 6(1)(a)): Where you have given explicit consent, such as accepting our Terms & Conditions
- Legitimate Interests (Art. 6(1)(f)): For platform security, fraud prevention, and service improvement, where these interests do not override your rights
- Legal Obligation (Art. 6(1)(c)): Where required by applicable law
5. Data Sharing
We may share your data with:
5.1 Service Providers
- Hosting: Fly.io (servers located in the EU)
- Email: Transactional email services for login and notifications
- Database: PostgreSQL hosted within the EU
5.2 Third Parties
As described in our Terms & Conditions, we may share aggregated, anonymized, or statistical data derived from reviews with educational institutions, researchers, and commercial partners. This data cannot be used to identify you personally.
5.3 Legal Requirements
We may disclose your data if required by law, court order, or governmental authority.
6. International Transfers
Your data is primarily processed and stored within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or adequacy decisions.
7. Data Retention
We retain your personal data as follows:
- Account data: For as long as your account is active, plus 30 days after deletion request
- Reviews and content: May be retained in anonymized form after account deletion as permitted by our Terms & Conditions
- Technical logs: Up to 90 days for security purposes
- Legal records: As required by applicable law (typically 5 years for business records in Denmark)
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right to Access (Art. 15): Request a copy of your personal data
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing (Art. 18): Request limitation of how we use your data
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON or CSV)
- Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing
- Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent
How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@educated.dk. We will respond to your request within 30 days as required by GDPR. We may ask you to verify your identity before processing your request.
9. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest
- Secure authentication (magic link, no passwords stored)
- Regular security assessments
- Access controls and audit logging
10. Children's Privacy
Our platform is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16, we will delete it promptly.
11. Right to Complain
If you believe we have not handled your data properly, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: www.datatilsynet.dk
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email or platform notification. The "Last updated" date at the top indicates when this policy was last revised.
13. Contact Us
For any questions about this Privacy Policy or how we handle your data:
Email: privacy@educated.dk
General inquiries: support@educated.dk