EduMarkets is a professional financial-education platform sold to institutional clients (banks, asset managers, training providers) and to independent trainers who run workshops on the platform. Users reach us either through their institution (employer or training provider) or by self-registering with a workshop code provided by their trainer.
EduMarkets Technologies BV is a private limited company incorporated in the Netherlands. We provide a financial-education platform under the brand "EduMarkets" to institutional clients in the European Economic Area and the United States.
Under the EU General Data Protection Regulation (GDPR), the role you have when interacting with us depends on how you came to use the platform:
If you use EduMarkets because your employer, training provider or other institutional client has given you access, that institutional client is the controller of your personal data and we are the processor acting under their documented instructions, in accordance with Article 28 GDPR.
The same processor relationship applies if you self-registered with a workshop code provided by an independent trainer who uses our platform: the trainer (or the institution they work for) is the controller of your workshop data, and we are the processor.
In both cases, the processor role applies to your account information, your learning activity, your exercise responses, your AI-generated feedback and any associated technical logs. The legal basis for our processing is the controller's documented instruction, set out in a Data Processing Agreement (DPA) or equivalent platform terms we enter into with them.
We act as an independent controller for a narrow set of activities that are not carried out on an institutional client's instruction:
Users receive an account in one of three ways:
Note on LMS integration: the platform supports score passback to your learning management system via LTI 1.3, automated user provisioning via SCIM 2.0, single sign-on via SAML 2.0 and learning activity statements via xAPI. None of these flows are active at present. When an institutional client activates one or more of these flows, the specific data movements will be described in that client's DPA, and this policy will be updated to describe them in general terms.
| Category | Examples |
|---|---|
| Account data | Name, email address, hashed password, assigned role (participant, trainer, admin), institutional client identifier. |
| Learning activity | Modules visited, tabs opened, calculation events, timestamps, completion status. |
| Exercise responses | Quiz answers, free-text responses, calculated scores, AI-generated feedback associated with your answers. |
| Technical data | IP address (in server access logs, not stored in our application database), browser user-agent, session identifiers. |
| Category | Examples |
|---|---|
| Business-contact data | Name, business email, job title, telephone, employer (for procurement, billing and account-management contacts at institutional clients). |
| Security and audit records | Account-linked event records used to investigate abuse and security incidents (separate from learning activity). |
| Enquiry correspondence | Email and form correspondence received via our public pages and support inbox. |
We do not knowingly process special-category personal data under Article 9 GDPR (health, biometric, racial or ethnic origin, religious or political views, sexual orientation, trade-union membership). EduMarkets is a professional-development platform for adult users; we do not knowingly process data relating to children under 16.
The legal basis for all our processor activities is the documented instruction of the controller (the institutional client or, for workshop-code users, the trainer who created your workshop), executed in our DPA or platform terms with them. The controller is responsible for establishing the legal basis on which they share your data with us (typically contract performance under your employment, training or workshop relationship with them, or their own legitimate interest in providing professional training).
The purposes for which we process on their instruction are:
| Purpose | Legal basis |
|---|---|
| Manage commercial relationships with institutional clients and respond to procurement enquiries. | Contract performance with the institutional client (GDPR Art. 6(1)(b)); our legitimate interest in pre-contractual communications (Art. 6(1)(f)). |
| Detect, investigate and respond to security incidents and platform abuse. | Our legitimate interest in maintaining the security and integrity of the platform (Art. 6(1)(f)); legal obligation in relation to incident reporting where applicable (Art. 6(1)(c)). |
| Operate the Anthropic API integration that delivers AI-generated feedback. | Our legitimate interest in operating the service (Art. 6(1)(f)). Each call is made on the institutional client's instruction; the integration itself is run as our service. |
| Respond to lawful requests from public authorities and exercise or defend legal claims. | Legal obligation (Art. 6(1)(c)) or our legitimate interest in defending claims (Art. 6(1)(f)). |
Where we rely on legitimate interest, you may object to the processing on grounds relating to your particular situation. See Section 11.
EduMarkets uses the Claude API provided by Anthropic, PBC ("Anthropic") to generate educational feedback on exercise responses.
When you submit an exercise that uses AI feedback, only the following is sent to the Claude API:
No directly identifying personal data is included in the request. Your name, email address, IP address, account identifier and institutional client identifier are not sent to Anthropic.
Under our commercial agreement with Anthropic:
You can read Anthropic's published privacy commitments at anthropic.com/privacy.
AI-generated feedback is provided to help you learn. It is not used to make decisions about you that produce legal effects or similarly significantly affect you within the meaning of Article 22 GDPR. In particular, AI is not used to determine:
Trainers and instructors employed by the institutional client remain responsible for any assessment or progression decisions, and human review is available at the institutional client's discretion.
From 2 August 2026, the EU AI Act requires deployers of AI systems to inform users when they are interacting with AI and to mark AI-generated content. Each piece of AI-generated feedback in EduMarkets is visibly labelled as AI-generated in the user interface and is identified as such in the underlying response data.
We use a small number of carefully selected sub-processors to operate the platform. The current list is published at /auth/processors.html and includes the provider, purpose, categories of data and processing location for each.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising. We do not engage in any advertising on the platform.
We give institutional clients at least 30 days' prior notice before engaging a new sub-processor or replacing an existing one. The notice is sent to the institutional client's designated contact and the public list at /auth/processors.html is updated.
Institutional clients have the right to object to a proposed new sub-processor on reasonable data-protection grounds within the notice period by writing to support@edu-markets.com. If we cannot resolve the objection, the institutional client may terminate the affected service in accordance with the DPA.
We may also disclose personal data to:
Some of our sub-processors are located in, or operate from, the United States. The current transfers are:
| Recipient | Country | Transfer mechanism |
|---|---|---|
| DigitalOcean LLC | European Union (AMS3 primary) / United States (failover, support) | EU Standard Contractual Clauses (Module 2) |
| Postmark (ActiveCampaign LLC) | United States | EU Standard Contractual Clauses (Module 2) |
| Anthropic, PBC | United States | EU Standard Contractual Clauses (Module 2) |
We currently rely on the European Commission's 2021 Standard Contractual Clauses as the transfer mechanism for all transfers to third countries. We do not currently rely on the EU-US Data Privacy Framework.
Supplementary technical and organisational measures (encryption in transit and at rest, access controls, audit logs) are described in our DPA with each institutional client, which is available on request to support@edu-markets.com. A copy of the relevant Standard Contractual Clauses is available on the same request.
The retention periods below apply to the data we hold:
| Category | Period |
|---|---|
| Account data (as processor) | Retained for as long as your account is active. Deleted or returned on the institutional client's instruction in accordance with the DPA, typically on contract termination. |
| Learning activity logs | 90 days (or longer if the institutional client instructs us to retain for compliance purposes). |
| Security and audit logs (as controller) | 365 days, then deleted. |
| Password-reset tokens | Deleted 7 days after use or expiry. |
| Refresh tokens | Deleted 30 days after expiry or revocation. |
| AI feedback inputs/outputs at Anthropic | Up to 30 days at Anthropic, then deleted by Anthropic. |
| Business-contact data (procurement, billing) | For the duration of the commercial relationship, and for up to 7 years thereafter to meet Dutch civil and tax law retention obligations. |
| Backups | Encrypted backups are retained for up to 35 days on a rolling basis. Deletions in production data propagate to backups within this window. |
We apply the following technical and organisational measures to protect personal data:
EduMarkets uses a single first-party cookie, em_refresh_token, with the attributes HttpOnly, Secure and SameSite=Lax. Its sole purpose is to maintain your authenticated session. It is strictly necessary for the platform to function and is therefore not subject to a consent requirement under Article 5(3) of the ePrivacy Directive.
We do not use third-party tracking cookies, analytics cookies, advertising cookies, social-media plugins or any similar technologies. Because we use no non-essential cookies, no cookie consent banner is presented.
Where we process your data as a processor on behalf of your institutional client or trainer (this is the case for almost all users), your data-protection rights are exercised against the controller, namely:
The rights available to you under GDPR include: access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right not to be subject to a decision based solely on automated processing that produces legal effects (we do not carry out such processing — see Section 5).
If you contact us directly with a request, we will acknowledge it, route it to the relevant controller and assist them in responding, in accordance with Article 28(3)(e) GDPR. We will not generally act on the request unilaterally.
Where we are the controller of your data (Section 1), you may exercise your rights directly with us by writing to support@edu-markets.com. We will respond within one month of receipt, extendable by two further months for complex requests in accordance with Article 12(3) GDPR.
You have the right to lodge a complaint with a data-protection supervisory authority. For data we process as controller, the lead authority is the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). You may also lodge a complaint with the supervisory authority in your EU/EEA country of residence or place of work. For data we process as processor, complaints about the controller's processing should generally be directed to the institutional client's lead supervisory authority.
For any privacy-related question or request:
We have not appointed a Data Protection Officer. Our processing activities do not fall within the categories that require a mandatory DPO under Article 37 GDPR. Privacy enquiries are handled by the address above.
As an EU-established entity, we do not require an EU representative under Article 27 GDPR.
We do not currently offer services to UK or Swiss institutional clients and have not appointed a UK or Swiss representative. We will revisit this position when we extend service to those jurisdictions.
The "Last updated" date at the top of this page reflects the most recent revision. We may update this policy from time to time to reflect changes in our processing or in applicable law.
For material changes — for example, the addition of a new processing purpose, a new sub-processor, or a change to the legal basis for an existing activity — we will give institutional clients at least 30 days' prior notice by email to their designated contact and via an in-platform banner visible to users.
For non-material changes (clarifications, typographical corrections, contact-detail updates), we update this page and revise the "Last updated" date without separate notice.
This section applies if you are a California resident.
For data we process on behalf of an institutional client, EduMarkets acts as a service provider under California Civil Code section 1798.140(ag). We process personal information solely for the business purposes specified in our written agreement with the institutional client, and we do not retain, use or disclose personal information outside of that agreement.
Categories of personal information we process (using the CCPA categories):
We do not process sensitive personal information as defined in section 1798.140(ae) beyond what is incidentally included in account credentials (for example, an email address). We do not use sensitive personal information for any purpose that would trigger a right to limit its use.
We do not sell or share personal information. We do not engage in cross-context behavioural advertising. We have not knowingly sold or shared personal information in the preceding 12 months.
Your California rights (the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing, the right to limit the use of sensitive personal information, the right to non-discrimination) are generally exercised through your institutional client, who is the "business" under the CCPA. If you submit a request directly to us, we will route it to them and assist in responding. For direct contacts of EduMarkets (procurement, billing), please email support@edu-markets.com.
For residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other US states with comprehensive privacy laws of similar shape:
If you are a Brazilian data subject and reach the platform through an institutional client that operates in Brazil, the institutional client is the "controlador" under the LGPD and EduMarkets is the "operador". Rights under Article 18 LGPD are exercised through the institutional client; we will assist them in responding.
If anything in this policy is unclear, please email support@edu-markets.com and we will explain it.