Last updated: 21 May 2026
Scope: This privacy policy applies to the ERASMIO platform under the domains erasmio.de, www.erasmio.de, erasmio.com and www.erasmio.com. erasmio.de serves as the German language/country version, erasmio.com as the English/international version. Both domains use the same technical platform, the same server infrastructure and the same database.
1. Controller
The controller responsible for the processing of personal data is:
ERASMIO LIMITED
Chysoneras, 37
8574 Kissonerga, Paphos
Cyprus
Email: contact@erasmio.com
Privacy inquiries: contact@erasmio.com
Website: erasmio.com
Represented by: Pepe Schmidt.
No data protection officer has currently been appointed. Privacy-related inquiries may be directed to the email address above.
2. General Information on Data Processing
We process personal data to the extent necessary to provide the ERASMIO platform, manage user accounts, present course offerings, handle inquiries, non-binding registrations, bookings and payments, connect schools, providers, organizations and project participants, technically secure the platform, and comply with legal obligations.
Personal data means any information relating to an identified or identifiable natural person. This includes, in particular, name, email address, phone number, address and billing data, participant data, account data, roles, booking data, communication content, usage data, technical log data, IP addresses, location and organizational data, as well as content that users, providers or organizations upload to the platform.
3. Legal Bases for Processing
We process personal data on the basis of the following legal grounds in particular:
- Art. 6(1)(b) GDPR: processing for the performance of a contract or to take steps prior to entering into a contract, in particular for registration, user accounts, course inquiries, non-binding registrations, bookings, payment processing, provider profiles, and school and project functions.
- Art. 6(1)(c) GDPR: processing to comply with legal obligations, in particular tax, commercial, accounting and other statutory retention and documentation obligations.
- Art. 6(1)(f) GDPR: processing based on legitimate interests, in particular for IT security, abuse prevention, error analysis, platform administration, platform improvement, technical and aggregated analytics, presentation of providers and courses, enforcement of rights, and traceability of processes.
- Art. 6(1)(a) GDPR: processing based on consent, where we obtain such consent separately, for example for non-essential tracking, marketing or analytics functions that may be deployed in the future.
Where cookies or comparable technologies are used, access to information on the end device takes place, where required, on the basis of the applicable provisions, in particular Section 25(2) of the German TDDDG (Telecommunications Digital Services Data Protection Act) for technically necessary storage. For non-essential storage, we obtain consent where required.
4. Hosting, Server Operation and Technical Infrastructure
Our platform is operated on server infrastructure provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.
The application runs on a Hetzner cloud server located in Helsinki, Finland. The database is operated as a PostgreSQL 16 database within the same server infrastructure via Docker and is likewise located in Helsinki, Finland. Caddy is used as the reverse proxy on the Hetzner server.
Uploaded files and images are currently stored on Hetzner Online GmbH server infrastructure, in particular in a persistent Docker volume on the production server. The use of Hetzner Object Storage for media files is in preparation; where Object Storage is used, this takes place in the HEL1/Helsinki, Finland region.
When the platform is accessed, technically necessary data is processed, in particular:
- IP address
- Date and time of access
- Pages and files accessed
- Browser and device information
- Referrer information
- Technical request and error data
- Server, Docker, Caddy and system logs
This processing serves to provide, stabilize and secure the platform, analyze errors, and prevent misuse.
A data processing agreement pursuant to Art. 28 GDPR is in place with Hetzner.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable and functional provision of the platform.
5. Cloudflare: DNS, Proxy, CDN, Security and Technical Analytics
We use Cloudflare for managing our domains, DNS, proxy/CDN functions, technical delivery, security features and DDoS protection. Requests to erasmio.de, www.erasmio.de, erasmio.com and www.erasmio.com pass through Cloudflare and are then forwarded to our server infrastructure at Hetzner.
In doing so, the following data may be processed in particular:
- IP address
- Technical request data
- Header information
- Timestamps of access
- Domains and paths accessed
- Browser and device information
- HTTP status codes
- Cache and performance information
- Security events
- Information about automated or abusive traffic
Cloudflare provides us with aggregated technical evaluations. These may include, in particular, requests by period and domain, bandwidth, HTTP status codes, cache status, rough country or regional distributions, security events, blocked or challenged requests, and indications of automated or bot traffic.
These Cloudflare evaluations serve technical traffic measurement, performance analysis, error detection, security monitoring and abuse prevention. Cloudflare data is displayed in our admin interface only in aggregated form. We do not display raw Cloudflare logs containing full IP addresses in the admin interface and do not create personal visitor profiles from Cloudflare data.
Cloudflare Real User Measurements (RUM), i.e. the Cloudflare Web Analytics JavaScript snippet, is currently disabled. We do not currently use Google Analytics, marketing pixels, retargeting, or any external advertising tracking scripts.
We also use Cloudflare for technical protective measures against attacks, abusive traffic, DDoS attacks and unwanted automated access. Cloudflare Turnstile, Cloudflare Workers, Cloudflare Pages and Cloudflare Zaraz are currently not used for the ERASMIO domains.
Cloudflare may also process personal data outside the EU/EEA. Where necessary, this takes place on the basis of appropriate safeguards, in particular contractual data protection terms, Standard Contractual Clauses and/or an adequacy decision such as the EU-U.S. Data Privacy Framework, where applicable.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, performant and reliable provision of the platform and in detecting and defending against technical disruptions, abuse and attacks.
6. Registration, Login and User Accounts
Users can create an account on the platform. Depending on use and role, we process in particular:
- First and last name
- Email address
- Password hash
- User role, e.g. customer, provider, organization, admin
- Email verification status
- Registration and verification timestamp
- Login, session and authentication data
- Technical security and access data
- Where applicable, provider or referrer assignments
Passwords are not stored in plain text but are hashed. Email verification tokens are used for a limited time and are invalidated or deleted after expiry or use. Verification tokens are generally valid for 48 hours.
This processing serves the establishment and management of user accounts, authentication, access control, security, communication and the role-based provision of platform functions.
Legal basis: Art. 6(1)(b) GDPR for account provision and Art. 6(1)(f) GDPR for security measures, abuse prevention and traceability.
7. Customer Profiles, Wish Lists and Platform Usage
For customers and other users, depending on use, we process in particular:
- Name and contact details
- Country
- Phone number
- Billing address
- Courses saved to the wish list
- Course views
- Search activity
- Course inquiries
- Non-binding registrations
- Bookings
- Reviews
- Assignments to schools, organizations or providers, where applicable
Wish lists and saved preferences are generally stored for as long as the user account exists or until the user removes the relevant content.
Legal basis: Art. 6(1)(b) GDPR, insofar as the processing is necessary for the use of platform functions, as well as Art. 6(1)(f) GDPR for platform improvement, abuse protection and internal evaluations.
8. Provider Profiles, Courses, Dates and Availability
For providers, depending on use, we process in particular:
- Company name
- Contact person
- Email address and phone number
- Organization ID
- VAT ID
- Stripe account ID
- Verification, onboarding and visibility status
- Website and contact data
- Location data
- On-site contact persons
- Course rooms
- Accommodation data
- Uploaded images, logos and gallery content
- Calendar feed tokens
- Data on courses, dates, prices and availability
This data serves the creation and management of provider profiles, the presentation of course offerings, communication with interested parties and customers, the handling of inquiries, non-binding registrations, bookings and payments, as well as the review and administration of providers.
Legal basis: Art. 6(1)(b) GDPR for performing the provider and platform relationship, Art. 6(1)(c) GDPR for legal obligations, and Art. 6(1)(f) GDPR for quality control, abuse prevention and platform administration.
9. Schools, Teachers, Organizations and Project Functions
For schools, teachers, organizations and project participants, depending on use, we process in particular:
- Name of the organization or school
- Contact person
- Email address and phone number
- Organization ID
- Country
- Location data and coordinates
- VAT ID and verification result
- Approval rules and school connections
- Linked teachers
- Partner school profiles
- Project, chat, agenda and budget data
- Where applicable, accommodation data such as host name or host contact
This processing serves the management of school and organization profiles, collaboration between schools, teachers, organizations and providers, the planning and implementation of Erasmus and educational projects, communication, booking and project organization, and billing.
Where schools or organizations transmit personal data of participants, teachers or other contact persons, they are responsible for ensuring they are authorized to transmit such data and that the data subjects concerned have been informed accordingly.
Legal basis: Art. 6(1)(b) GDPR, insofar as the processing is necessary for the use of the platform and the implementation of projects, Art. 6(1)(c) GDPR for legal obligations, and Art. 6(1)(f) GDPR for secure administration, project organization and abuse prevention.
10. Course Inquiries, Expressions of Interest and Non-Binding Registrations
For course inquiries, expressions of interest and non-binding registrations, we process in particular:
- Name and email address of the requesting account
- Course and date information
- Provider and school assignment
- Participant names
- Status of the inquiry or registration
- History and status data
- Internal decision and communication data
- Where applicable, data on inquiry-handling fees or billing data
For non-binding school registrations, synthetic email addresses may be generated so that we do not need to process the real, individual email addresses of participants.
This processing serves the handling of inquiries, non-binding pre-registration, communication between customers, schools and providers, and internal tracking.
Legal basis: Art. 6(1)(b) GDPR for pre-contractual measures and Art. 6(1)(f) GDPR for tracking, platform organization and abuse prevention.
11. Bookings, Checkout, Invoices and Payment-Related Data
For bookings and during checkout, we process in particular:
- Participant name
- Participant email address
- Billing name
- Billing email address
- Company
- Billing address
- Country
- VAT ID
- Course, date and booking data
- Payment status
- Invoice links
- Booking snapshots
- Stripe IDs
- Platform software fees
- Inquiry-handling fees
- Saved billing address data, where stored in the profile
This processing serves the execution of the booking, contract performance, payment processing, invoicing, communication, and compliance with statutory documentation and retention obligations.
Payment data is partly processed and stored by Stripe. ERASMIO additionally stores its own booking-, billing-, platform- and documentation-related data, insofar as this is necessary for contract performance, platform operation, traceability and statutory retention obligations.
Legal basis: Art. 6(1)(b) GDPR for booking processing, Art. 6(1)(c) GDPR for statutory retention, tax and accounting obligations, and Art. 6(1)(f) GDPR for fraud prevention, evidentiary purposes and secure platform processing.
12. Payment Processing with Stripe
We use Stripe for payment processing, payment status, invoicing information, Stripe Connect, payouts to providers and related financial processes.
The following data may be transmitted to Stripe in particular:
- Customer's name and email address
- Billing address
- Participant data
- Course, date and booking metadata
- VAT ID context
- Payment amount
- Payment status
- Stripe customer ID
- Stripe account ID for providers
- Payout information
- Bank name and last digits of bank account for provider payouts
- Technically necessary payment and transaction data
The actual entry of payment data takes place, depending on the integration, directly via Stripe. We do not store complete credit card information on our own systems.
Depending on the processing involved, Stripe may act as a processor, an independent controller, or jointly with other parties in its own data-protection capacity. Providers may likewise have their own responsibilities in connection with their payment processing and their contractual relationship with customers.
Stripe may also process personal data outside the EU/EEA. Where necessary, this takes place on the basis of appropriate safeguards, in particular contractual data protection terms, Standard Contractual Clauses and/or an adequacy decision such as the EU-U.S. Data Privacy Framework, where applicable.
Legal basis: Art. 6(1)(b) GDPR for payment processing, Art. 6(1)(c) GDPR for legal obligations, and Art. 6(1)(f) GDPR for fraud prevention and secure payment processes.
13. VAT ID Verification via EU VIES
To verify VAT identification numbers, we use the EU VIES service. The VAT ID entered is transmitted to the VIES service for this purpose.
We store in particular:
- VAT ID
- Verification status
- Source
- Time of verification
- Response or notification from the service
This processing serves tax verification, invoicing and the correct handling of B2B transactions.
Legal basis: Art. 6(1)(c) GDPR, insofar as the verification is required to fulfil tax obligations, and Art. 6(1)(f) GDPR to prevent incorrect billing and abuse.
14. Transactional Emails with Resend
We use Resend to send transactional emails. These include, in particular:
- Verification emails
- Booking confirmations
- Invoicing and payment information
- Notifications regarding inquiries, registrations and bookings
- Review notifications
- System and security information
Depending on the email, the following may be processed in particular:
- Recipient address
- Name
- Account and booking data
- Participant data
- Provider and course information
- Invoicing information
- Verification and action links
- Template information
- Delivery status
- Error and delivery information
We log email sending activity to ensure delivery, error analysis, security and traceability.
Resend may also process personal data outside the EU/EEA. Where necessary, this takes place on the basis of appropriate safeguards, in particular a Data Processing Addendum, Standard Contractual Clauses and/or an adequacy decision such as the EU-U.S. Data Privacy Framework, where applicable.
Legal basis: Art. 6(1)(b) GDPR for contract- or account-related emails, Art. 6(1)(c) GDPR for legally relevant communications, and Art. 6(1)(f) GDPR for error analysis, deliverability and security.
15. Email Communication with Google Workspace
We use Google Workspace for our email communications under contact@erasmio.com.
When you contact us by email, we process in particular:
- Your email address
- Your name
- The content of your message
- Attachments
- Timestamps of communication
- Technical email metadata
This processing serves the handling of your inquiry, communication with you, documentation of business processes, and compliance with contractual or statutory obligations.
Google may also process personal data outside the EU/EEA. Where necessary, this takes place on the basis of appropriate safeguards, in particular contractual data protection terms, Standard Contractual Clauses and/or an adequacy decision such as the EU-U.S. Data Privacy Framework, where applicable.
Legal basis: Art. 6(1)(b) GDPR, insofar as the communication relates to a contract or pre-contractual measures, Art. 6(1)(c) GDPR, insofar as legal obligations are concerned, and otherwise Art. 6(1)(f) GDPR. Our legitimate interest lies in efficient and traceable communication.
16. Maps, Location Search and Geocoding with Mapbox
We use Mapbox for maps, location search, address suggestions, geocoding and reverse geocoding.
The following may be processed in particular:
- Addresses or search queries entered
- Location and coordinate data
- Technical request data
- IP address
- Browser and device information
- Timestamps of requests
This processing serves the display of locations, address search, the assignment of courses, schools and providers to places, and improving usability.
Mapbox may also process personal data outside the EU/EEA. Where necessary, this takes place on the basis of appropriate safeguards, in particular contractual data protection terms, Standard Contractual Clauses and/or an adequacy decision such as the EU-U.S. Data Privacy Framework, where applicable.
Legal basis: Art. 6(1)(b) GDPR, insofar as map and location functions are required for desired platform functions, and Art. 6(1)(f) GDPR. Our legitimate interest lies in user-friendly location search and the correct display of course, provider and school locations.
17. AI-Supported Search, Embeddings and Improvement Suggestions with OpenAI
We use the OpenAI API server-side for AI-supported functions, in particular for:
- Semantic search
- Embeddings
- Improved discoverability of courses
- Processing of course data and course descriptions
- AI-supported improvement suggestions for course content
In doing so, course data, course descriptions, search terms, course titles, metadata and comparable content may be transmitted to OpenAI. Personal data is not deliberately transmitted to OpenAI. However, processing of personal data may technically still be possible if such content is contained in course descriptions, search queries or other transmitted content.
OpenAI is not used for a fully fledged user chat or user assistant. No decision is made solely through automated processing that has a legal effect or comparable significant impact.
OpenAI API keys are used exclusively server-side and are not embedded in users' browsers. According to OpenAI, data transmitted via the API is not used by default for training or improving OpenAI's models unless express permission is given for this.
OpenAI may also process personal data outside the EU/EEA. Where necessary, this takes place on the basis of appropriate safeguards, in particular a Data Processing Addendum, Standard Contractual Clauses and/or an adequacy decision such as the EU-U.S. Data Privacy Framework, where applicable.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in improving the search function, better discoverability of matching course offerings, and supporting providers in improving course content. Insofar as the search is directly necessary for the use of desired platform functions, Art. 6(1)(b) GDPR may additionally apply.
18. Internal Platform and Admin Analytics
We process aggregated platform and usage data in order to understand and improve the usage, stability, security and economic development of our platform.
In doing so, we evaluate internal platform events, for example:
- Page and course views
- Search activity
- Provider profile views
- Favorites added
- Course inquiries
- Booking starts
- Completed bookings
- Registrations
- Aggregated revenue, course, provider, school and booking metrics
This evaluation is conducted as an internal admin tool and is accessible only to authorized administrators. The data is generally displayed in aggregated form. We do not create personal visitor profiles for anonymous users and do not display complete user journeys of individual visitors in the admin interface.
For our own analytics module, we do not use Google Analytics, marketing pixels, external tracking scripts, persistent visitor IDs via cookie or local storage, or fingerprinting logic. Full IP addresses are not permanently stored as an analysis attribute.
Data that may be processed includes, in particular, timestamp, domain, path or page type, language or country version, role of logged-in users, optional object IDs such as course or provider ID, referrer domain, rough country information, and rough device type, insofar as this is technically available and can be done in a data-protection-compliant manner.
Raw data from internal usage and analytics events is generally stored for a maximum of 90 days. Aggregated, non-personal analysis and statistical data may be retained for up to 24 months.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable, economical and user-friendly further development of the platform, the detection of technical anomalies, and operational platform management.
19. Course Views and Internal Usage Events
For logged-in users, course views and certain internal usage events may be stored, for example to display provider statistics, internal analytics and to improve the platform.
The following may be processed in particular:
- Course ID
- User ID
- User role
- Time of the view
- Page type or event type
Course views and comparable internal usage events are generally evaluated in aggregated form. No personal visitor profiles are created and no complete user journeys of individual visitors are displayed in the admin interface.
Raw data is generally stored for a maximum of 90 days; aggregated statistical data may be retained for up to 24 months.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in improving and operationally managing the platform and in providing meaningful provider and admin statistics.
20. Ratings and Reviews
Users may rate courses. In doing so, we process in particular:
- User ID
- Course ID
- Rating
- Comment
- Time
- Indication of whether the review should be displayed anonymously to the public
If a review is marked as anonymous, it may be displayed on the platform without a visible name. Internally, the review may technically still be linked to the user account, in particular for abuse prevention, traceability and enforcement of our platform rules.
Reviews and review content may generally be stored permanently, insofar as they are necessary for platform presentation, historical display of reviews, traceability or abuse prevention. Upon deletion of user accounts, reviews may be continued in anonymized form.
Legal basis: Art. 6(1)(b) GDPR for the review function and Art. 6(1)(f) GDPR for quality assurance, abuse prevention and evidentiary purposes.
21. Uploads, Images, Logos and Public Content
Providers, schools, organizations or authorized users may upload images, logos, gallery content and other content. Depending on the function, such content may be publicly visible. If uploaded content contains personal data, such as identifiable persons, names or contact details, the platform also processes that data.
Providers and other users who upload content are responsible for uploading only content for which they hold the necessary rights, consents or other legal grounds.
Uploaded images, files and other content are generally stored for as long as they are required for active course, provider, school or platform presentation. Deleted content is deleted or anonymized, unless legal, contractual, booking-related, evidentiary or security-related reasons prevent this. Certain content may be archived longer if it is connected to historical bookings, evidence, or legal claims.
Legal basis: Art. 6(1)(b) GDPR for providing the profile, course and platform presentation, and Art. 6(1)(f) GDPR for presentation, traceability, quality assurance and abuse prevention.
22. Cookies, Local Storage and Session Storage
We use cookies and comparable storage technologies to technically provide the platform, log users in, implement security functions and improve usability.
22.1 Technically Necessary Cookies
We use technically necessary cookies, in particular for login, authentication, sessions, security, and role-based platform functions.
- Legal basis for access to the end device: Section 25(2) TDDDG, insofar as the storage or access is technically necessary.
- Legal basis for the subsequent processing of personal data: Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR.
22.2 provider_referrer Cookie
The provider_referrer cookie serves the technical attribution of a provider entry point within the platform, for example when a user visits a public provider page and subsequently registers. A provider slug may be stored briefly and, upon registration, assigned to the user account in order to enable a closed provider funnel or a matching course display within the platform.
The cookie is not used for external marketing, affiliate, advertising or campaign tracking. No data is shared with advertising networks and no marketing audiences are created. The cookie is stored for a maximum of 30 days.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in technical provider attribution and the consistent provision of desired platform functions.
22.3 Dashboard, Filter and UI Storage
We use functional cookies as well as local storage and session storage for:
- Dashboard preferences
- Filter settings
- Date range filters
- Theme and UI states
- Sidebar states
- Tabs viewed
- Form drafts
Dashboard, filter, theme, sidebar and UI preferences are generally stored for a maximum of 12 months or until manually deleted by the user. Form drafts in session storage are generally stored until the end of the browser session.
This storage serves exclusively the technical provision and user-friendly operation of the platform. We do not currently use marketing/tracking cookies, external advertising pixels, retargeting tools, cross-site identifiers, or fingerprinting logic.
Legal basis: Art. 6(1)(f) GDPR, insofar as the storage serves usability and user-friendliness. Insofar as the storage is technically necessary, Section 25(2) TDDDG additionally applies.
23. Admin Area, Security and Logging
For administration, security, error analysis and traceability, we process internal technical data. This may include:
- API activity logs
- Webhook logs
- Email delivery status
- Error and status information
- Templates affected
- Timestamps
- Technical request data
- Admin audit logs
- Aggregated platform data
- Booking origin and destination locations for admin analytics
Sensitive fields such as passwords, tokens, secrets, API keys, webhooks or complete payment data are, where possible, not stored or are masked. Admin analytics is conducted in aggregated form wherever possible.
The following retention periods generally apply to log data:
- Server, Docker, Caddy and error logs: a maximum of 14 days.
- Technical API, webhook and activity logs: a maximum of 14 days, plus additional limits based on technical volume constraints.
- Administrative audit and traceability logs: a maximum of 180 days.
- Logs related to security incidents, abuse, fraud prevention or attack detection: longer on a case-by-case basis, insofar as necessary for investigation, legal enforcement or system security; a guideline maximum retention of 12 months applies.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in IT security, error correction, platform administration, fraud and abuse prevention, and the stable provision of the platform.
24. Backups, Snapshots and Restoration
For restoration and operational security, we use automated server-side backups within the Hetzner cloud infrastructure. Backups are enabled for the production server and are automatically deleted following the technically scheduled rotation.
Manual snapshots may be created before major technical changes, before migrations, or for error analysis. Such snapshots are retained only for as long as necessary for restoration, error analysis or system security.
Separate dedicated PostgreSQL database backups, e.g. via pg_dump, are currently planned but, as of the current state, not implemented in production. This privacy policy will be amended to reflect relevant changes to the backup strategy, where necessary.
Backups may contain the same personal data as the production platform. Deletion of individual data from backups may technically be delayed; however, the data is removed once the backup rotation has elapsed or once no-longer-needed snapshots have been deleted.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in operational security, recoverability, resilience and protection against data loss.
25. Calendar Feeds and Feed Tokens
Providers may use calendar feeds or comparable functions. In doing so, feed tokens, course, date and availability data may be processed.
Feed tokens must be treated as confidential. In the event of suspected misuse, tokens may be deactivated or renewed.
Legal basis: Art. 6(1)(b) GDPR for providing the function and Art. 6(1)(f) GDPR for security and abuse prevention.
26. Recipients of Personal Data
Depending on use, personal data may be disclosed to the following recipients or categories of recipients:
- Providers, insofar as necessary for handling inquiries, registrations or bookings
- Schools, teachers or organizations, insofar as necessary for school, project or booking functions
- Customers or participants, insofar as necessary for booking and project handling
- Payment service providers, in particular Stripe
- Email service providers, in particular Resend
- Email/mailbox providers, in particular Google Workspace
- Map and location service providers, in particular Mapbox
- AI/search service providers, in particular OpenAI
- DNS, CDN, proxy and security service providers, in particular Cloudflare
- EU VIES service for VAT ID verification
- Hosting and infrastructure service providers, in particular Hetzner
- IT, support and maintenance service providers
- Tax advisors, legal advisors, authorities or courts, insofar as legally required or necessary for the enforcement of legal claims
Disclosure takes place only insofar as necessary for the stated purposes, a legal basis exists, or consent has been given.
27. International Data Transfers
Some service providers we use may process personal data outside the European Union or the European Economic Area, in particular in the United States.
This concerns in particular:
- Cloudflare
- Google Workspace
- Stripe
- Resend
- OpenAI
- Mapbox
Insofar as personal data is transferred to third countries, this takes place only on the basis of appropriate safeguards, in particular:
- An adequacy decision of the European Commission
- The EU-U.S. Data Privacy Framework, where applicable
- Standard Contractual Clauses of the European Commission
- Supplementary technical and organizational measures
- Or other legally permissible transfer mechanisms
28. Retention Period and Deletion
We store personal data only for as long as necessary for the respective purposes or as required by statutory retention periods.
In particular, the following principles apply:
- User accounts are stored for as long as the account exists.
- Self-service account deletion is planned. Until then, users may submit deletion requests via contact@erasmio.com.
- After deletion of a user account, personal profile data is deleted or anonymized, unless legal, tax, booking-related, evidentiary or contractual obligations prevent this.
- Automatic deletion due to inactivity does not currently take place.
- Booking, platform billing, invoice, payment, VAT and reverse-charge data is generally stored for 10 years, insofar as necessary for legal, tax, accounting or evidentiary purposes.
- Course inquiries, expressions of interest, inquiry data and non-binding registrations are generally stored for a maximum of 36 months, unless longer legal, contractual or evidentiary reasons apply.
- Ratings and reviews may generally be stored permanently, insofar as necessary for platform presentation, historical display of reviews, traceability or abuse prevention. Upon account deletion, reviews may be continued in anonymized form.
- Uploads, images, logos and files are stored for as long as required for active course, provider, school or platform presentation. Deleted content is deleted or anonymized, unless legal, contractual, booking-related, evidentiary or security-related reasons prevent this.
- Raw data from internal analytics, usage and course-view events is generally stored for a maximum of 90 days.
- Aggregated analytics and statistical data may be retained for up to 24 months.
- Cloudflare analytics data is processed according to Cloudflare's availability and plan; within ERASMIO it is only retrieved and displayed in aggregated form.
- Server, Docker, Caddy and error logs are generally stored for a maximum of 14 days.
- Technical API, webhook and activity logs are generally stored for a maximum of 14 days, plus additional limits based on technical volume constraints.
- Administrative audit logs are stored for a maximum of 180 days.
- Security-incident logs may be stored longer on a case-by-case basis, insofar as necessary for investigation, legal enforcement or system security; a guideline maximum of 12 months applies.
- Backups are deleted after the technically scheduled rotation. Manual snapshots are retained only for as long as necessary for restoration, error analysis or system security.
- Email verification tokens are time-limited, generally 48 hours, and are invalidated or deleted after expiry or use.
- Project, chat, agenda and budget data is generally stored for the duration of the project and thereafter for as long as necessary for project handling, documentation, evidentiary purposes or legal obligations. Insofar as it is relevant to bookings, billing or tax matters, it may be retained for up to 10 years in accordance with the periods stated above.
Once data is no longer required and no statutory retention grounds apply, it is deleted or anonymized.
29. Obligation to Provide Personal Data
The provision of certain personal data is necessary to create a user account, inquire about courses, make non-binding registrations, complete bookings, process payments, manage provider or school profiles, or comply with legal obligations.
Without the required data, certain platform functions cannot be used, or can only be used to a limited extent.
30. Automated Decision-Making and Profiling
We do not use any decision-making based solely on automated processing within the meaning of Art. 22 GDPR that produces legal effects concerning data subjects or similarly significantly affects them.
We do not conduct automated assessment of individuals, personal visitor profiling, fingerprinting logic, or automated funding, creditworthiness, rejection or pricing decisions.
AI-supported search, embeddings, rankings and improvement suggestions serve discoverability, quality assurance and support in using the platform, but do not make legally binding decisions about users.
31. Data Security
We implement technical and organizational security measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration or destruction.
These measures include, in particular:
- Role-based access concepts
- Access restrictions to admin areas
- Password hashing
- Session and authentication protection
- Encrypted data transmission via HTTPS/TLS
- Logging of security-relevant events
- Backup and recovery measures
- Regular security and system updates
- Technical and organizational access restrictions
- Gradual introduction of two-factor authentication for important admin and service accounts
Security measures are continuously reviewed and adapted in accordance with the state of the art, the risk involved, and technical developments.
32. Rights of Data Subjects
Data subjects have the following rights under the GDPR:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to certain processing
- Right to withdraw any consent given, with effect for the future
- Right to lodge a complaint with a data protection supervisory authority
To exercise your rights, you may contact us at contact@erasmio.com.
33. Right to Object to Processing Based on Legitimate Interests
Insofar as we process personal data on the basis of Art. 6(1)(f) GDPR, data subjects may object to such processing at any time for reasons arising from their particular situation.
We will then no longer process the data concerned, unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or the processing serves the assertion, exercise or defense of legal claims.
34. Withdrawal of Consent
Insofar as processing is based on consent, data subjects may withdraw such consent at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected.
35. Right to Lodge a Complaint with a Supervisory Authority
Data subjects have the right to lodge a complaint with a data protection supervisory authority.
The supervisory authority responsible for ERASMIO LIMITED is:
Office of the Commissioner for Personal Data Protection
Cyprus
Data subjects may also contact any other competent data protection supervisory authority.
36. Changes to this Privacy Policy
We may amend this privacy policy if the platform, the services we use, our data processing activities, technical functions, or legal requirements change. The version currently in force is available on our platform.