Privacy Policy
Summary
EduMarkets is a professional financial-education platform sold to institutional clients (banks, asset managers, training providers) and to independent trainers who run workshops on the platform. Users reach us either through their institution (employer or training provider) or by self-registering with a workshop code provided by their trainer.
- Our role: for almost all data we handle, we are a processor acting on the instructions of the institutional client or the trainer who created your workshop. They are the controller. We are an independent controller only for narrow activities such as billing contacts and our own security logging.
- What we process: account data, learning activity, exercise responses, AI-generated feedback, technical logs.
- Where data goes: hosted on DigitalOcean (EU primary, US fallback); email delivery via Postmark (US); AI feedback via Anthropic (US). All under EU Standard Contractual Clauses.
- Your rights: if you reached us via your institution, exercise GDPR/CCPA rights through them; we will assist. If you are a direct contact of ours (procurement, billing), exercise rights with us directly.
- Contact: support@edu-markets.com.
Contents
1. Who we are and our role
EduMarkets Technologies BV is a private limited company incorporated in the Netherlands. We provide a financial-education platform under the brand "EduMarkets" to institutional clients worldwide.
Under the EU General Data Protection Regulation (GDPR), the role you have when interacting with us depends on how you came to use the platform:
When we act as a processor
If you use EduMarkets because your employer, training provider or other institutional client has given you access, that institutional client is the controller of your personal data and we are the processor acting under their documented instructions, in accordance with Article 28 GDPR.
The same processor relationship applies if you self-registered with a workshop code provided by an independent trainer who uses our platform: the trainer (or the institution they work for) is the controller of your workshop data, and we are the processor.
In both cases, the processor role applies to your account information, your learning activity, your exercise responses, your AI-generated feedback and any associated technical logs. The legal basis for our processing is the controller's documented instruction, set out in a Data Processing Agreement (DPA) or equivalent platform terms we enter into with them.
When we act as a controller
We act as an independent controller for a narrow set of activities that are not carried out on an institutional client's instruction:
- Commercial communications with procurement, finance and administrative contacts at current and prospective institutional clients (for example, billing and account-management correspondence).
- Security event logging and audit-log retention used to detect, investigate and respond to abuse and security incidents on the platform.
- Operating the Anthropic API integration that delivers AI-generated educational feedback (the institutional client controls whether their users see the feature; we control how the integration with Anthropic is run as a service).
- Operation of our public marketing pages and responses to direct enquiries.
2. How you get an EduMarkets account
Users receive an account in one of three ways:
- Provisioned by your institution. Your employer or training provider creates an account for you, either through a manual request to us or through standards-based identity provisioning (SCIM 2.0, SAML 2.0 or LTI 1.3). The institution decides which data fields about you are sent to us. Your data is obtained from the institution; Article 14 GDPR applies, and the institutional client is responsible for informing you that your data is being shared with us.
- Created by EduMarkets at your institution's request. Where automated provisioning is not in use, our staff create accounts manually using the data the institution provides. Article 14 GDPR applies, as above.
- Workshop-code self-registration. A trainer who uses EduMarkets has invited you to a workshop and given you a workshop code. You self-register on our platform using that code, providing your name, email address, password and the workshop code. Because we collect this data directly from you, Article 13 GDPR applies and we provide this notice at the point of registration. After registration, the trainer who created the workshop (or the institution they work for) is the controller of your workshop data and we are the processor (Section 1).
Note on LMS integration: the platform supports score passback to your learning management system via LTI 1.3, automated user provisioning via SCIM 2.0, single sign-on via SAML 2.0 and learning activity statements via xAPI. None of these flows are active at present. When an institutional client activates one or more of these flows, the specific data movements will be described in that client's DPA, and this policy will be updated to describe them in general terms.
3. What personal data we process
3.1 Data we process as processor (on your institution's instruction)
| Category | Examples |
|---|---|
| Account data | Name, email address, hashed password, assigned role (participant, trainer, admin), institutional client identifier. |
| Learning activity | Modules visited, tabs opened, calculation events, timestamps, completion status. |
| Exercise responses | Quiz answers, free-text responses, calculated scores, AI-generated feedback associated with your answers. |
| Technical data | IP address (in server access logs, not stored in our application database), browser user-agent, session identifiers. |
3.2 Data we process as controller
| Category | Examples |
|---|---|
| Business-contact data | Name, business email, job title, telephone, employer (for procurement, billing and account-management contacts at institutional clients). |
| Security and audit records | Account-linked event records used to investigate abuse and security incidents (separate from learning activity). |
| Enquiry correspondence | Email and form correspondence received via our public pages and support inbox. |
We do not knowingly process special-category personal data under Article 9 GDPR (health, biometric, racial or ethnic origin, religious or political views, sexual orientation, trade-union membership). EduMarkets is a professional-development platform for adult users; we do not knowingly process data relating to children under 16.
4. Purposes and legal bases
4.1 When we act as processor
The legal basis for all our processor activities is the documented instruction of the controller (the institutional client or, for workshop-code users, the trainer who created your workshop), executed in our DPA or platform terms with them. The controller is responsible for establishing the legal basis on which they share your data with us (typically contract performance under your employment, training or workshop relationship with them, or their own legitimate interest in providing professional training).
The purposes for which we process on their instruction are:
- Authenticate users and authorise access to learning content.
- Deliver learning modules, exercises and trainer dashboards.
- Generate AI-powered educational feedback on exercise responses (see Section 5).
- Provide aggregated reporting to the institutional client about its own users.
- Send transactional emails (such as password resets and login links).
4.2 When we act as controller
| Purpose | Legal basis |
|---|---|
| Manage commercial relationships with institutional clients and respond to procurement enquiries. | Contract performance with the institutional client (GDPR Art. 6(1)(b)); our legitimate interest in pre-contractual communications (Art. 6(1)(f)). |
| Detect, investigate and respond to security incidents and platform abuse. | Our legitimate interest in maintaining the security and integrity of the platform (Art. 6(1)(f)); legal obligation in relation to incident reporting where applicable (Art. 6(1)(c)). |
| Operate the Anthropic API integration that delivers AI-generated feedback. | Our legitimate interest in operating the service (Art. 6(1)(f)). Each call is made on the institutional client's instruction; the integration itself is run as our service. |
| Respond to lawful requests from public authorities and exercise or defend legal claims. | Legal obligation (Art. 6(1)(c)) or our legitimate interest in defending claims (Art. 6(1)(f)). |
Where we rely on legitimate interest, you may object to the processing on grounds relating to your particular situation. See Section 11.
5. AI-generated educational feedback
EduMarkets uses the Claude API provided by Anthropic, PBC ("Anthropic") to generate educational feedback on exercise responses.
5.1 What is sent to Anthropic
When you submit an exercise that uses AI feedback, only the following is sent to the Claude API:
- The text of your response.
- The exercise context (the question, the model solution, the marking criteria).
No directly identifying personal data is included in the request. Your name, email address, IP address, account identifier and institutional client identifier are not sent to Anthropic.
5.2 How Anthropic handles the data
Under our commercial agreement with Anthropic:
- Anthropic does not use Claude API inputs or outputs to train its models.
- Anthropic retains API inputs and outputs for up to 30 days, after which they are deleted (this is the data-retention setting that applies to our organisation; the default for new Anthropic accounts is 7 days).
- Anthropic is based in the United States; data is transferred under EU Standard Contractual Clauses (see Section 7).
You can read Anthropic's published privacy commitments at anthropic.com/privacy.
5.3 No automated decisions with legal or similarly significant effect
AI-generated feedback is provided to help you learn. It is not used to make decisions about you that produce legal effects or similarly significantly affect you within the meaning of Article 22 GDPR. In particular, AI is not used to determine:
- Whether you pass or fail an assessment.
- Whether you receive a certificate, qualification or progression to the next module.
- Your eligibility for any benefit, role or status with your employer or training provider.
Trainers and instructors employed by the institutional client remain responsible for any assessment or progression decisions, and human review is available at the institutional client's discretion.
5.4 AI transparency (EU AI Act, Article 50)
From 2 August 2026, the EU AI Act requires deployers of AI systems to inform users when they are interacting with AI and to mark AI-generated content. Each piece of AI-generated feedback in EduMarkets is visibly labelled as AI-generated in the user interface and is identified as such in the underlying response data.
6. Sub-processors and recipients
We use a small number of carefully selected sub-processors to operate the platform. The current list is published at /auth/processors.html and includes the provider, purpose, categories of data and processing location for each.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising. We do not engage in any advertising on the platform.
Sub-processor changes
We give institutional clients at least 30 days' prior notice before engaging a new sub-processor or replacing an existing one. The notice is sent to the institutional client's designated contact and the public list at /auth/processors.html is updated.
Institutional clients have the right to object to a proposed new sub-processor on reasonable data-protection grounds within the notice period by writing to support@edu-markets.com. If we cannot resolve the objection, the institutional client may terminate the affected service in accordance with the DPA.
Other recipients
We may also disclose personal data to:
- Your institutional client (this is the normal operation of the platform — they are the controller of your data).
- Professional advisors (lawyers, auditors, accountants) under duties of confidentiality, where strictly necessary.
- Public authorities, where required by a lawful and binding request.
- Acquirers or successors in the event of a corporate restructuring, on terms protective of your rights.
7. International transfers
Some of our sub-processors are located in, or operate from, the United States. The current transfers are:
| Recipient | Country | Transfer mechanism |
|---|---|---|
| DigitalOcean LLC | European Union (AMS3 primary) / United States (failover, support) | EU Standard Contractual Clauses (Module 2) |
| Postmark (ActiveCampaign LLC) | United States | EU Standard Contractual Clauses (Module 2) |
| Anthropic, PBC | United States | EU Standard Contractual Clauses (Module 2) |
We currently rely on the European Commission's 2021 Standard Contractual Clauses as the transfer mechanism for all transfers to third countries. We do not currently rely on the EU-US Data Privacy Framework.
Supplementary technical and organisational measures (encryption in transit and at rest, access controls, audit logs) are described in our DPA with each institutional client, which is available on request to support@edu-markets.com. A copy of the relevant Standard Contractual Clauses is available on the same request.
8. Retention
The retention periods below apply to the data we hold:
| Category | Period |
|---|---|
| Account data (as processor) | Retained for as long as your account is active. Deleted or returned on the institutional client's instruction in accordance with the DPA, typically on contract termination. |
| Learning activity logs | 90 days (or longer if the institutional client instructs us to retain for compliance purposes). |
| Security and audit logs (as controller) | 365 days, then deleted. |
| Password-reset tokens | Deleted 7 days after use or expiry. |
| Refresh tokens | Deleted 30 days after expiry or revocation. |
| AI feedback inputs/outputs at Anthropic | Up to 30 days at Anthropic, then deleted by Anthropic. |
| Business-contact data (procurement, billing) | For the duration of the commercial relationship, and for up to 7 years thereafter to meet Dutch civil and tax law retention obligations. |
| Backups | Encrypted backups are retained for up to 35 days on a rolling basis. Deletions in production data propagate to backups within this window. |
9. Security
We apply the following technical and organisational measures to protect personal data:
- Passwords are stored as bcrypt hashes; tokens are stored as SHA-256 hashes.
- All production traffic is encrypted in transit via TLS 1.2 or higher.
- Data is encrypted at rest at the storage layer of our hosting provider.
- Access tokens expire after 15 minutes; refresh tokens after 7 days, with server-side revocation supported.
- Access to production systems is restricted to authorised personnel and logged.
- We maintain an incident-response process and will notify the institutional client of personal data breaches affecting their users without undue delay, in line with Article 33 GDPR.
10. Cookies
EduMarkets uses a single first-party cookie, em_refresh_token, with the attributes HttpOnly, Secure and SameSite=Lax. Its sole purpose is to maintain your authenticated session. It is strictly necessary for the platform to function and is therefore not subject to a consent requirement under Article 5(3) of the ePrivacy Directive.
We do not use third-party tracking cookies, analytics cookies, advertising cookies, social-media plugins or any similar technologies. Because we use no non-essential cookies, no cookie consent banner is presented.
11. Your rights
11.1 If you reached EduMarkets through your institution or a trainer
Where we process your data as a processor on behalf of your institutional client or trainer (this is the case for almost all users), your data-protection rights are exercised against the controller, namely:
- If your institution gave you access, contact your institution's data-protection contact.
- If you self-registered via a workshop code, contact the trainer who created the workshop (or the institution they work for).
The rights available to you under GDPR include: access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right not to be subject to a decision based solely on automated processing that produces legal effects (we do not carry out such processing — see Section 5).
If you contact us directly with a request, we will acknowledge it, route it to the relevant controller and assist them in responding, in accordance with Article 28(3)(e) GDPR. We will not generally act on the request unilaterally.
11.2 If you are a contact of ours directly (procurement, billing, enquiry)
Where we are the controller of your data (Section 1), you may exercise your rights directly with us by writing to support@edu-markets.com. We will respond within one month of receipt, extendable by two further months for complex requests in accordance with Article 12(3) GDPR.
11.3 Right to lodge a complaint
You have the right to lodge a complaint with a data-protection supervisory authority. For data we process as controller, the lead authority is the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). You may also lodge a complaint with the supervisory authority in your EU/EEA country of residence or place of work. If you are in the United Kingdom, you may complain to the UK Information Commissioner's Office (ICO, ico.org.uk); if you are in Switzerland, to the Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch). For data we process as processor, complaints about the controller's processing should generally be directed to the institutional client's lead supervisory authority.
12. How to contact us
For any privacy-related question or request:
- Email: support@edu-markets.com
- Postal address: EduMarkets Technologies BV, Goirleseweg 70, 5026 PC Tilburg, The Netherlands
We have not appointed a Data Protection Officer. Our processing activities do not fall within the categories that require a mandatory DPO under Article 37 GDPR. Privacy enquiries are handled by the address above.
As an EU-established entity, we do not require an EU representative under Article 27 GDPR.
We serve institutional clients worldwide, including in the EEA, the United Kingdom, Switzerland and the United States. We are not required to appoint a UK or Swiss representative for our processing: for platform data we act as a processor for clients established in those countries, and our own limited controller activities do not meet the thresholds of Article 27 UK GDPR or Article 14 Swiss FADP. We keep this assessment under review.
13. Changes to this policy
The "Last updated" date at the top of this page reflects the most recent revision. We may update this policy from time to time to reflect changes in our processing or in applicable law.
For material changes — for example, the addition of a new processing purpose, a new sub-processor, or a change to the legal basis for an existing activity — we will give institutional clients at least 30 days' prior notice by email to their designated contact and via an in-platform banner visible to users.
For non-material changes (clarifications, typographical corrections, contact-detail updates), we update this page and revise the "Last updated" date without separate notice.
14. Definitions
- Controller — the entity that determines the purposes and means of processing personal data. For your platform use, this is normally your institutional client or, if you self-registered with a workshop code, the trainer who created your workshop.
- Processor — the entity that processes personal data on behalf of the controller. For your platform use, this is normally EduMarkets.
- Institutional client — the bank, asset manager, training provider or other organisation that has contracted with EduMarkets and given you access to the platform.
- Trainer — an individual who uses EduMarkets to deliver training, typically by creating a workshop and inviting participants via a workshop code. A trainer may act in their own right as a controller, or as part of an institutional client.
- GDPR — Regulation (EU) 2016/679, the EU General Data Protection Regulation.
- UK GDPR — the version of the GDPR retained in UK law under the European Union (Withdrawal) Act 2018, as amended.
- CCPA / CPRA — the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
- Sub-processor — a third party engaged by EduMarkets to process personal data on behalf of an institutional client.
- Standard Contractual Clauses (SCCs) — the data-transfer clauses adopted by the European Commission under Decision 2021/914.
15. Jurisdiction-specific notices
15.1 California (CCPA / CPRA)
This section applies if you are a California resident.
For data we process on behalf of an institutional client, EduMarkets acts as a service provider under California Civil Code section 1798.140(ag). We process personal information solely for the business purposes specified in our written agreement with the institutional client, and we do not retain, use or disclose personal information outside of that agreement.
Categories of personal information we process (using the CCPA categories):
- Identifiers (name, email address, account identifier).
- Customer-records information (employer, role).
- Internet or network activity (usage logs, learning activity).
- Professional or employment-related information (training records).
We do not process sensitive personal information as defined in section 1798.140(ae) beyond what is incidentally included in account credentials (for example, an email address). We do not use sensitive personal information for any purpose that would trigger a right to limit its use.
We do not sell or share personal information. We do not engage in cross-context behavioural advertising. We have not knowingly sold or shared personal information in the preceding 12 months.
Your California rights (the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing, the right to limit the use of sensitive personal information, the right to non-discrimination) are generally exercised through your institutional client, who is the "business" under the CCPA. If you submit a request directly to us, we will route it to them and assist in responding. For direct contacts of EduMarkets (procurement, billing), please email support@edu-markets.com.
15.2 Other US state privacy laws
For residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and other US states with comprehensive privacy laws of similar shape:
- EduMarkets generally acts as a processor on behalf of the institutional client (the "controller" or "business" under those laws).
- We do not engage in targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- State-specific rights (access, deletion, correction, portability, opt-out) are exercised primarily through your institutional client. Requests submitted directly to us will be acknowledged and routed.
- For direct contacts of EduMarkets, email support@edu-markets.com.
15.3 Brazil (LGPD)
If you are a Brazilian data subject and reach the platform through an institutional client that operates in Brazil, the institutional client is the "controlador" under the LGPD and EduMarkets is the "operador". Rights under Article 18 LGPD are exercised through the institutional client; we will assist them in responding.
15.4 United Kingdom (UK GDPR)
If you use the platform through an institutional client established in the United Kingdom, that client is the controller under the UK GDPR and EduMarkets processes your personal data as its processor under a Data Processing Agreement. Transfers to our sub-processors in the United States are covered by the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum. Your UK GDPR rights (access, rectification, erasure, restriction, portability, objection) are exercised through your institutional client; we will assist them in responding. You may complain to the ICO (ico.org.uk).
15.5 Switzerland (FADP)
If you use the platform through an institutional client established in Switzerland, that client is the controller under the Swiss Federal Act on Data Protection (FADP) and EduMarkets acts as processor. Transfers abroad are covered by the EU Standard Contractual Clauses with the adaptations recognised by the FDPIC. Your rights under the FADP are exercised through your institutional client; we will assist. You may contact the FDPIC (edoeb.admin.ch).
If anything in this policy is unclear, please email support@edu-markets.com and we will explain it.