Privacy Policy
Last updated: 26 March 2026
Data controller: Van Loon FT&C BV ("EduMarkets", "we", "us")
1. What we collect
- Account data: name, email address, hashed password, role (participant/trainer/admin).
- Usage data: module views, tab visits, calculation events, timestamps.
- Exercise data: quiz answers, scores, AI-generated feedback.
- Technical data: IP address (in server logs, not stored in the database), browser user-agent.
2. Why we collect it (legal basis)
- Contract performance: to provide the platform, authenticate users, and deliver educational content.
- Legitimate interest: to monitor usage for product improvement and to detect abuse.
- Legal obligation: to respond to lawful data requests.
3. How we use your data
- Authenticate and authorise access to modules.
- Track progress and provide trainer dashboards.
- Generate AI-powered educational feedback (see 3a below).
- Send password-reset and workshop-invite emails.
3a. AI-powered features
EduMarkets uses Anthropic's Claude API to generate educational feedback on exercise answers.
When you submit an exercise, only your answer text and the exercise context are sent to Anthropic.
No personal identifiers (name, email, IP address) are included in the request.
Anthropic does not use this data for model training. See Anthropic's privacy policy.
4. Data sharing & sub-processors
We do not sell your data. We share data only with:
- Anthropic — exercise answers for AI feedback (no PII sent).
- DigitalOcean — hosting infrastructure.
- Postmark — transactional email delivery.
- Your trainer — if you joined via a workshop code, your trainer can see your name, email, activity, and quiz progress.
For full details see our Sub-Processor List.
5. Data retention
- Account data: retained while your account is active.
- Activity logs: automatically deleted after 90 days.
- Security audit logs: automatically deleted after 365 days.
- Password reset tokens: deleted 7 days after use or expiry.
- Refresh tokens: deleted 30 days after expiry or revocation.
6. Your rights (GDPR)
- Access & portability: download your data at any time via Account Settings or GET /api/auth/my-data.
- Rectification: update your name or email via Account Settings.
- Erasure: delete your account via Account Settings, or email support@edu-markets.com.
- Restriction & objection: contact us to restrict processing or object to specific uses.
7. Security
Passwords are hashed with bcrypt. Tokens are stored as SHA-256 hashes. All production traffic is encrypted via TLS. Access tokens expire after 15 minutes; refresh tokens after 7 days with server-side revocation.
8. Cookies
We use a single HttpOnly, Secure, SameSite=Lax cookie (em_refresh_token) for session management. No third-party tracking cookies are used.
9. Contact
For privacy inquiries: support@edu-markets.com