Privacy Policy


This Privacy Policy (the “Policy”) describes how ABCPLATFORM S.L., NIF: B23995418, (the “Company”, “we”, “us”, or “our”) collects, processes, stores, shares, and protects personal data of users (“you” or “your”) of our multilingual, cross-border educational platform for Students, Teachers, Organizations, and Affiliates, including course creation and purchase, bookings, events, internal wallet transactions, cashback, certificates, hosting, messaging, community features, analytics, and support. We comply with the laws of Spain, the General Data Protection Regulation (EU) 2016/679 (GDPR), the ePrivacy rules (Directive 2002/58/EC) as implemented, and other applicable laws. This Policy applies to all domains and subdomains operated by us and to all access methods, including web applications, mobile applications, application programming interfaces, integrations, and official support channels. By using the platform, you acknowledge and accept this Policy. If you do not agree, you must cease use of the platform.


ARTICLE I. DEFINITIONS AND INTERPRETATION


1.1 Definitions

a. “Personal Data” means information relating to an identified or identifiable natural person, including identifiers, location data, and factors specific to identity.


b. “Processing” means any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, restriction, and deletion.


c. “Special Categories of Data” has the meaning in Article 9 of the GDPR and includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, and data concerning sex life or sexual orientation.


d. “Controller” means the entity that determines the purposes and means of processing. For the platform, the Controller is ABCPLATFORM S.L., NIF: B23995418.


e. “Processor” means an entity that processes Personal Data on behalf of the Controller under an agreement compliant with Article 28 of the GDPR.


f. “Applicable Law” means the GDPR, the Spanish LOPDGDD, the ePrivacy rules, and other relevant European Union and international laws.


g. “User” means any Student, Teacher, Organization, Affiliate, or visitor who interacts with the platform.


h. “Internal Wallet” means the in-platform balance associated with a user account, used for earnings, cashback, top-ups, purchases, and withdrawals, in accordance with our Terms.


i. “Supervisory Authority” means a public authority with competence for data protection, such as the AEPD in Spain.


j. “Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.


1.2 Interpretation

a. Singular includes plural, and plural includes singular.


b. References to laws include amendments and replacements.


c. “Including” means including without limitation.


ARTICLE II. SCOPE AND APPLICATION


2.1 Scope of Processing

(i) This Policy applies to data collected through our websites, subdomains, and mobile applications;

(ii) our official support channels, including email, phone, social messaging, and ticketing;

(iii) application programming interfaces and software development kits used by approved partners and integrations;

(iv) offline or hybrid collection at events where data is later entered or synchronized into our systems.


2.2 Data Subjects and Roles

This Policy covers Students, Teachers, Organizations, Affiliates, and visitors. When an organization processes data about its employees or students within the platform, it may act as an independent controller for that activity and must ensure compliance with Applicable Law.


2.3 Exclusions

(i) This Policy does not govern processing by third-party websites or services accessed through links or integrations, where those parties act as independent controllers;

(ii) information you intentionally make public in forums, reviews, or public profile fields.


2.4 Relation to Other Documents

This Policy operates alongside our Terms, Cookie Policy, Subscription and Commission Terms, and Content and Intellectual Property Policy. In the event of conflict, the document providing greater user protection under Applicable Law prevails, unless otherwise required by law.


ARTICLE III. DATA WE COLLECT


We collect Personal Data directly from you, automatically through your use of the platform, and from third parties where lawful.

3.1 Identification Data: name, preferred name, photograph, date of birth for age checks, voluntary gender, nationality for certification or tax, and credentials for Teachers and Organizations.


3.2 Contact Data: email, phone, postal address (where necessary), and communication preferences.


3.3 Verification Data: government identification, proof of address, transcripts, licenses, registry extracts, authorization to use marks, checks with authorities or vendors, and outcomes with timestamps.


3.4 Payment and Wallet Data: payment tokens, masked card numbers, bank identifiers, payout and transaction identifiers, chargebacks, payout logs, wallet balances, and complete wallet history, including fees.


3.5 Activity and Technical Data: device and browser details, language, time zone, user agent, internet protocol address, approximate location, optional precise location, session logs, pages viewed, clickstream, searches, bookings, errors, diagnostics, and security signals, including failed logins, recovery events, suspicious patterns, and device risk.


3.6 Communications Data: messages, attachments, forums, tickets, surveys, related metadata, and audio or video where platform tools are used.


3.7 Special Categories of Data: we do not seek such data. If you voluntarily provide such data for specific features, we process it only with explicit consent or another Article 9 condition, with minimization, restricted access, and no unrelated use.


3.8 Cookies and Automatic Collection: cookies, web beacons, pixel tags, software development kits, and analytics tools generate technical data. See Article XI.


ARTICLE IV. LEGAL BASES FOR PROCESSING


Each processing purpose has a lawful basis.

4.1 Contractual Necessity: account creation and management, purchases, bookings, events, certificates, wallet operations, customer support, and essential service communications.


4.2 Legal Obligation: accounting and tax record-keeping, anti-money laundering and counter-terrorist financing (where applicable), lawful requests, records of consent and opt-outs, accountability, and safety reporting (where applicable).


4.3 Legitimate Interests: platform security, fraud prevention, service improvement, analytics, protection of rights, policy enforcement, moderation, and limited direct marketing to existing customers where permitted, subject to a documented balancing test and opt-out.


4.4 Consent: marketing to non-customers, certain content, use of non-essential cookies, verification with third parties (where appropriate), and Special Categories of Data where no other Article 9 condition applies.


4.5 Special Categories of Data: explicit consent (Article 9 paragraph 2(a)), legal claims (Article 9 paragraph 2(f)), and, in limited employment or social protection contexts, Article 9 paragraph 2(b) for Organizations acting as controllers, with minimization, restricted access, and strict retention.


ARTICLE V. PURPOSES OF PROCESSING


5.1 Service and Account: creation, authentication, preferences, and access to features; lawful basis: contract; data categories: identification, contact, and technical; retention for the life of the account and as required by law.


5.2 Credential Verification: identity and qualification verification, impersonation prevention; lawful basis: legitimate interests and, in some cases, legal obligation; with recorded outcomes, timestamps, and reviewers retained for the life of the account plus statutory audit periods.


5.3 Transactions, Wallet, and Payouts: payment processing, commissions, reconciliation, chargebacks, withdrawals, and accounting entries; lawful bases: contract and legal obligation; retention per tax and accounting rules, typically up to ten years.


5.4 Certification and Verification Page: issuance of certificates with limited fields (names, course titles, completion dates, certificate numbers) and third-party verification; lawful bases: contract and legitimate interests; with verification available for the life of the platform and optional redaction of non-essential fields where lawful.


5.5 Security, Fraud, and Abuse: detection of fraudulent accounts, unauthorized access, scraping, payment fraud, and policy breaches; lawful bases: legitimate interests and, where applicable, legal obligation; using risk scoring, rate limiting, anomaly detection, device fingerprinting (where permitted), and behavioral analytics, without solely automated decisions that produce legal effects without human review.


5.6 Support and Disputes: responses to inquiries, refunds, and dispute resolution; lawful bases: contract and legitimate interests; with retention according to limitation periods.


5.7 Analytics and Product: understanding navigation, measuring adoption, and improving performance; lawful basis: legitimate interests, with consent for non-essential cookies and use of aggregation or pseudonymization with strict access controls.


5.8 Marketing and Personalization: optional newsletters, updates, promotions, and recommendations; lawful basis: consent or legitimate interests; with simple opt-out.


ARTICLE VI. USER CONSENT


6.1 Consent must be freely given, specific, informed, and unambiguous. We do not use pre-checked boxes or bundle consent with service terms.


6.2 We provide separate consents for marketing, non-essential cookies, third-party verification (where relevant), and Special Categories of Data.


6.3 You may withdraw consent at any time through settings or by contacting legal@abcplatform.com, without affecting prior lawful processing.


6.4 We maintain consent logs, recording who consented, when, how, and what information was provided.


6.5 Where national law requires parental consent for minors, we obtain verifiable consent from a parent or guardian.


ARTICLE VII. DATA SHARING


7.1 We do not sell or rent Personal Data.


7.2 Categories of recipients include payment providers, verification vendors, hosting and cloud providers, communications platforms, analytics and product tools, professional advisers, and public authorities where legally required.


7.3 All processors are bound by Article 28-compliant agreements covering confidentiality, security, sub-processing, assistance with data subject requests, and deletion or return upon termination.


7.4 We provide a current sub-processor list on request and give material change notices with an opportunity to object where appropriate.


7.5 Where we act as joint controllers with a partner, we allocate responsibilities under Article 26 and provide a summary of the arrangement.


ARTICLE VIII. INTERNATIONAL TRANSFERS


8.1 Where the destination has an adequacy decision, we rely on that decision.


8.2 Otherwise, we rely on the Standard Contractual Clauses adopted in twenty twenty-one or any successor clauses, with transfer impact assessments and supplementary measures where needed.


8.3 Supplementary measures may include strong encryption with European Union-controlled keys, transport security, minimization, strict access controls, transparency reporting, and challenges to unlawful access requests.


8.4 Where neither adequacy nor clauses are available, we may rely on derogation under Article 49, applied restrictively (for example, explicit consent or necessity for legal claims).


8.5 Onward transfers by recipients must occur only under equivalent safeguards and with approved sub-processors.


ARTICLE IX. DATA STORAGE AND SECURITY


9.1 Technical measures include encryption in transit using TLS version 1.3, encryption at rest using AES-256, pseudonymization and hashing, secure key management with rotation, segregation of duties, network security with firewalls, least privilege, denial-of-service protections, continuous monitoring, secure development practices, code review, dependency scanning, static and dynamic analysis, change control, logging and tamper-evident audit trails, time synchronization, encrypted redundant backups with tested restoration, and periodic independent penetration testing with prioritized remediation.


9.2 Organizational measures include role-based access with least privilege, periodic access reviews, immediate revocation on role change or termination, confidentiality and security training with refreshers, disciplinary measures for violations, vendor risk management, privacy governance with a Data Protection Officer (where required) or a designated privacy lead, audits, and privacy by design and by default.


9.3 Physical security at data centers and offices includes access controls, visitor logs, cameras, environmental monitoring, and secure media disposal.


9.4 Data Breach Response includes detection and triage, prompt severity assessment, containment and credential rotation, scoping of affected data and consequences, notification to the competent authority within seventy-two hours where risk exists, phased information where necessary, timely user notice where high risk exists, documentation in a breach register, and post-incident review with corrective actions and program updates.


ARTICLE X. USER RIGHTS AND PROCEDURES


We respond without undue delay and within one month, which may be extended by up to two further months where necessary, with notice and reasons.

10.1 Right of Access: confirmation whether we process your data and a copy with purposes, categories, recipients, retention, and rights, delivered in a commonly used electronic form.


10.2 Right to Rectification: correction of inaccurate or incomplete data with supporting documents where appropriate.


10.3 Right to Erasure: deletion where data is no longer needed, consent is withdrawn and no other lawful basis applies, you object and there are no overriding grounds, or processing is unlawful, subject to retention required by law or for legal claims.


10.4 Right to Restriction: limitation of processing during accuracy verification, where processing is unlawful and you oppose deletion, where we no longer need data but you require it for legal claims, or while an objection is assessed.


10.5 Right to Data Portability: receipt of data you provided in a structured, commonly used, machine-readable format, and transmission to another controller where processing is based on consent or a contract and carried out by automated means.


10.6 Right to Object: objection at any time to processing based on legitimate interests, including profiling, unless we demonstrate compelling legitimate grounds or processing is for legal claims. An absolute right applies to direct marketing.


10.7 Rights related to Automated Decision-Making: we do not make decisions based solely on automated processing that produce legal or similarly significant effects without human involvement. You may contest a decision and obtain human review.


10.8 Right to Withdraw Consent: withdrawal at any time, without affecting prior lawful processing.


10.9 Identity Verification: we may request additional information to verify identity before fulfilling a request.


10.10 Refusal of Requests: we may refuse manifestly unfounded or excessive requests and may charge a reasonable fee where lawful.


10.11 How to Exercise: submit requests via account settings or contact the Data Protection Officer at legal@abcplatform.com, and specify the right you are exercising with sufficient detail to locate your data.


ARTICLE XI. COOKIES AND TRACKING


We use cookies and similar technologies for essential functions, analytics, personalization, and advertising where permitted. You can manage preferences through the cookie settings link and your browser controls.

11.1 Consent Management: on first visit, we display a banner with “Accept all,” “Reject all,” and “Manage preferences.” We log your choices with date, time, selections, and an anonymous identifier. You may change your choices at any time.


11.2 Classification:

I. Strictly necessary — purpose: security, session continuity, authentication, load balancing, and fraud prevention; examples: session identifiers, authentication tokens, bot detection, and content delivery network steering; retention: session or up to twelve months; consent not required under ePrivacy.

II. Functional — purpose: remembering choices and personalization; examples: language, time zone, and saved view settings; retention: six to twelve months; consent required.

III. Analytical — purpose: measurement of traffic and usage; examples: analytics identifiers such as GA, A/B testing, and heatmap identifiers; retention: up to twenty-four months with internet protocol address truncation; consent required in the European Economic Area.

IV. Advertising and Retargeting — purpose: personalized ads and attribution; examples: advertising pixels, conversion identifiers, and cross-device mapping where permitted; retention: up to thirteen months or shorter per local rules; consent required in the European Economic Area. A live list is available in the cookie settings panel.


11.3 Mobile software development kits are disclosed in-app, and we honor the same consent settings where feasible.


11.4 “Do Not Track” and “Global Privacy Control” are honored where required. In the European Economic Area, consent is still obtained through the banner for non-essential categories.


11.5 Effects of Disabling: strictly necessary cookies may impair core functions. Disabling other categories may reduce personalization, measurement, or relevance.


ARTICLE XII. AUTOMATED DECISION MAKING AND PROFILING


12.1 Use cases include fraud risk scoring based on login patterns, device signals, and transactions, and recommendation systems for courses or teachers.


12.2 Human oversight is applied before any measure that may significantly affect you, for example, restrictions on withdrawals.


12.3 Your choices include opting out of personalized recommendations in privacy settings and contesting automated assessments by contacting legal@abcplatform.com.


ARTICLE XIII. CHILDREN’S DATA


13.1 Age limits: the service is intended for users who have reached the national digital age of consent; otherwise, verifiable parental or guardian consent is required.


13.2 Parental controls may include dashboards and additional verification of the consenting adult.


13.3 Unintentional collection: if we learn that we collected data from a child without the required consent, we will delete the data or obtain consent.


ARTICLE XIV. RETENTION


14.1 Principle: we retain Personal Data only as long as necessary for the purposes collected and to meet legal, accounting, or reporting requirements, and to assert or defend legal claims.


14.2 Illustrative schedule: profile data for the life of the account and deleted or anonymized within ninety days of closure unless a longer period is required by law; wallet and transactional records for periods required by tax and accounting laws, typically up to ten years; verification records for the life of the account plus up to five years; support communications for up to five years; certificates and verification entries may remain verifiable for the life of the platform, with minimized public data and optional lawful redaction.


14.3 Backups: upon deletion, we remove active records, place identifiers on a suppression list, and allow encrypted backups to expire on schedule without active processing, except for disaster recovery.


ARTICLE XV. MARKETING COMMUNICATIONS


15.1 Consent and preferences: we send marketing communications only with prior opt-in where required. Existing customers may receive communications about similar services under legitimate interests where permitted, with an opt-out at any time.


15.2 Methods and content include email, in-app messages, or push notifications (if you opt in), covering features, promotions, events, and surveys, subject to reasonable frequency caps.


15.3 Opt out through message links, account settings, or legal@abcplatform.com. Service messages necessary for your use of the platform will continue.


ARTICLE XVI. THIRD PARTY LINKS AND INTEGRATIONS


16.1 Links may point to third-party sites whose privacy practices we do not control. Review their privacy policies before providing data.


16.2 Integrations disclose requested permissions and the data exchanged. You may disconnect at any time through settings.


ARTICLE XVII. COMPLAINTS, DISPUTES, AND REDRESS


17.1 Contact us first at legal@abcplatform.com with sufficient detail to allow investigation.


17.2 You have the right to lodge a complaint with the AEPD or your local supervisory authority.


17.3 We seek amicable resolution, without prejudice to any rights you may have under Applicable Law to bring claims before competent courts.


ARTICLE XVIII. AMENDMENTS AND VERSIONING


18.1 We may amend this Policy to reflect changes in law, technology, or our services. The updated Policy will be posted with an effective date.


18.2 For material changes that significantly affect your rights, we will provide prominent notice, which may include email or in-product banners, and will seek fresh consent where required.


18.3 We maintain prior versions and will provide them upon request.


ARTICLE XIX. CONTACT INFORMATION


For questions, requests, or complaints regarding this Policy or our data practices, contact:


Email: legal@abcplatform.com