Last updated: May 12, 2026
§1 About This Privacy Policy
1.1 When This Policy Applies (Our Responsibility)
This Privacy Policy describes how Lecturio GmbH (“Lecturio”, “we”, or “us”) collects, uses, and protects personal data when we act as the Data Controller.
This policy applies exclusively to situations where you enter into a direct relationship with us, including the following:
- Our Websites: All interactions on dev.lecturio-dev.com, www.lecturio.de, hub.lecturio.com, info.lecturio.de, healer.lecturio.com, simtics.com, simtutor.com, qcg.de, as well as any other Lecturio-operated websites, subdomains, and domains used for marketing, support or service delivery.
- Our Mobile Applications: Our native applications that are accessible with personal accounts available on the Apple App Store and Google Play Store.
- Our Learning Platforms: The specific learning environments for Lecturio.de, Lecturio.com, Healer, SIMTICS, and SimTutor Author, as well as any other Lecturio-operated learning platforms or subdomains that are accessible with personal accounts.
- Our Social Media Presences: When you visit our profiles on platforms such as Facebook, Instagram, LinkedIn, or YouTube, where we act as a joint data controller with the platform operator regarding the processing of statistical and interaction data.
- Visitors: Anyone browsing our public web presence or using our apps outside of an institutional contract.
- Personal Accounts: Individual learners (B2C) who register for a personal account or subscription on any of our learning platforms or mobile applications described above.
- Business Contacts: Staff, administrators, and representatives of our institutional partners or vendors (B2B contacts) who visit or use our websites, apps, or platforms to manage their organization’s relationship with us.
1.2 When This Policy Does Not Apply
To ensure your data rights are protected, it is critical to understand when this document does not govern your information:
- Institutional Users: This policy does not apply to students, employees or faculty members who access the institutional versions of Lecturio, Healer, SIMTICS, or SimTutor platforms through an institutional license provided by a university, employer, or other organization.
- Whitelabel & Portals: This includes access via dedicated institutional subdomains, whitelabel portals (e.g., institution.lecturio.com), or partner-managed mobile applications.
In these cases, your institution is the Data Controller. They independently process your data—for example, by accessing your learning progress through their administrator account. Lecturio acts only as a service provider (Data Processor) following your institution’s instructions. Please refer to your institution’s own privacy policy for information on how your data is handled.
1.3 How to Read This Policy
To keep this document concise while covering multiple products and regions, please note the following: Unless otherwise stated, all provisions apply to all products (Lecturio, Healer, SIMTICS, and SimTutor). Where a rule applies to only one product, it will be clearly marked (e.g., “Lecturio only”).
1.4 General Legal Framework
We process personal data strictly in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Unless specifically stated otherwise in later sections, we rely on the following legal bases:
- Consent (Art. 6(1)(a) GDPR): For newsletters, marketing, and non-essential cookies.
- Performance of Contract (Art. 6(1)(b) GDPR): For account management, processing payments, and delivering learning services to personal account holders.
- Legal Obligation (Art. 6(1)(c) GDPR): For compliance with statutory requirements, such as tax laws.
- Legitimate Interests (Art. 6(1)(f) GDPR): For maintaining IT security, fraud prevention, and managing professional business relationships.
§2 Who We Are
2.1 Data Controller
The controller responsible for the processing of personal data in connection with all products and services described in this Privacy Policy is:
Lecturio GmbH
Käthe-Kollwitz-Str. 1,
04109 Leipzig,
Germany
Email: support@lecturio.com
Lecturio GmbH is the sole data controller for all products and services covered by this Policy, including Lecturio, Healer, SIMTICS, and SimTutor Author.
2.2 Data Protection Officer (DPO)
To ensure the highest standards of data protection, we have appointed an external Data Protection Officer pursuant to Art. 37 GDPR:
Mr. Stephan Hartmann
Email: data-privacy@lecturio.com
You may contact our DPO at any time with questions about data protection or to exercise your rights under this Policy. All privacy inquiries across all products are handled through data-privacy@lecturio.com.
§3 What Personal Data We Collect
We collect the following categories of personal data, depending on which product you use and how you interact with us:
| Category | Examples | Primary Source |
|---|---|---|
| Account and identity data | Name, email address, password (hashed), title, age, gender, level of education | Provided by you at registration |
| Social login data | Username and email address received from identity providers such as Facebook or Google, where you register using these services | Received from Single Sign-On/identity providers (e.g. Meta or Google) |
| Business contact data | Name, job title, company name, work email address, phone number, location (country) | Provided via contact forms or collected in the B2B context |
| Learning and progress data | Videos viewed, quiz answers, simulation steps completed, performance scores, learning metrics | Generated by your use of the platform |
| Clinical case interaction data | Records of the clinical cases you worked through, your decisions, answers, and the sequence of steps taken | Generated by your answering of clinical case studies |
| Clinical performance data | Scores, performance metrics, and evaluation results associated with your clinical case work | Generated by your answering of clinical case studies |
| Simulation progress and performance data | Records of your progress through simulation steps and modules; scores, branching decisions, and evaluation metrics | Generated by your use of the platform |
| Learning timeline data | Timestamps and frequency of platform use, including case start and completion times | Generated by your use of the platform |
| AI interaction data | Text inputs and prompts submitted to AI-powered features; AI-generated responses | Generated during AI feature use |
| User-generated content | Comments, tags, ratings, reviews, uploaded files, course materials | Provided by you during use |
| Authoring content data | Simulation content, branching structures, and media created using SimTutor Author tools | Generated by your use of the platform |
| Support and communication data | Content of support tickets, chat messages, email correspondence | Provided when you contact us |
| Marketing engagement data | Email open/click events, newsletter subscription status, advertising interaction data | Generated by marketing communications |
| Payment data | Transaction ID, billing name and address; payment card details handled exclusively by certified payment processors (not stored by us) | Provided at checkout, self-service portals and via app stores |
| Technical and log data | IP address, URL requested, browser type and version, operating system, date and time of request, referring URL | Automatically collected by our servers |
| Device and app data | Device type, advertising identifiers (IDFA, Android Advertising ID), app crash reports | Automatically collected via mobile applications |
| Location data (country) | Country of residence, collected when you submit an inquiry form on simtics.com or simtutor.com | Provided via inquiry form on simtics.com or simtutor.com |
We do not intentionally collect special categories of personal data (e.g. health data, religious beliefs, ethnic origin). Clinical simulation data on Healer relates to healthcare scenarios and reflects clinical reasoning, but is not equivalent to the user’s own health data. If, in exceptional circumstances, a user discloses personal health information via any input field or support message, it is treated with the same care as other personal data and is not used for any purpose beyond the immediate context. We do not knowingly collect personal data from children under 16 without parental consent (see §11).
§4 How We Use Your Data
We process your personal data only when we have a valid legal basis under Art. 6 of the GDPR. To make this policy easier to navigate, we have divided our data usage into two main categories:
- §4.1–§4.12 — General Interactions (All Users): These sections and purposes apply to all visitors and app users, regardless of whether you have a registered account. If you browse our websites or use our apps without registering, only these sections apply to you.
- §4.13–§4.21 — Platform & Learning Services (Registered Users and Customers only): These sections and purposes apply exclusively to registered users and customers.
General Interactions (All Users)
4.1 Security, Fraud Prevention, and IT Operations
Purpose: To maintain the technical operation and security of our systems, detect and prevent misuse or attacks, conduct statistical analysis, and assist law enforcement, for example in the case of cyber attacks.
Data used: When you access any of our websites or services, our servers automatically record certain technical information in server log files, including:
- Your IP address
- The URL requested
- The browser type and version
- The operating system
- The date and time of the request
- The referring URL (where applicable)
- Security Telemetry: To distinguish humans from automated bots, we collect technical signals such as device characteristics, browser environment variables, and interaction patterns.
Legal basis:
This data is processed to maintain the technical operation and security of our systems, to detect and prevent misuse or attacks, to conduct anonymous evaluations for statistical purposes (such as analyzing user behavior), to improve our services, and to provide law enforcement authorities with information necessary for prosecution in the case of cyber attacks. The legal basis is Art. 6(1)(f) GDPR (legitimate interests in operating secure and reliable services). Log data containing IP addresses is retained for a period of 5 years (see §7 for retention periods generally).
Bot Protection and CAPTCHA Services: To protect our registration forms, login areas, and infrastructure from automated abuse and spam, we may utilize specialized security providers. These services analyze the “Security Telemetry” mentioned above to determine if a user is human.
Depending on the service used, a strictly necessary security cookie (an “immunity token”) may be stored locally on your device. This ensures that once you have successfully passed a verification challenge, you are not repeatedly interrupted during your session.
A detailed list of the specific service providers used for these security purposes can be found in our Sub-processors List. All providers are bound by Data Processing Agreements (DPA) and, where applicable, Standard Contractual Clauses to ensure a high level of data protection.
4.2 Web & Mobile Analytics
Purpose: To understand how visitors interact with our websites and mobile applications, measure the success of our marketing campaigns, and optimize our digital services for all devices.
Data used: Technical and log data; engagement data; demographic data (e.g. country, browser language), conversion data (e.g., whether a purchase was completed), browser cookies and mobile attribution identifiers.
Legal basis: Art. 6(1)(a) GDPR (Consent). We only deploy these tools if you opt-in via our cookie banner, app store settings or OS-level permission prompts.
How it works: We use third-party web analytics tools, mobile attribution platforms, and customer engagement software to understand page views, traffic sources, and marketing performance. Where these third-party tools transfer data outside the EEA, appropriate safeguards (such as EU Standard Contractual Clauses) are in place. You can manage or withdraw your consent at any time through the “Cookie Settings” link in our website footer or by adjusting the privacy settings on your mobile device.
4.3 Advertising, Remarketing & Affiliate Marketing
Purpose: To show you relevant advertising on other websites after you have visited ours, to measure the effectiveness of our advertising campaigns, and to properly attribute sales and registrations resulting from our affiliate partner networks.
Data used: Technical and log data; marketing engagement data; device advertising identifiers; conversion data (e.g., whether a purchase was completed).
Legal basis: Art. 6(1)(a) GDPR (Consent). On our websites, this consent is obtained through our cookie banner, where you must affirmatively select advertising or targeting cookies for this processing to occur. On mobile devices, this is managed through your operating system’s tracking permissions (e.g., App Tracking Transparency).
How it works:
- Advertising & Remarketing: We use advertising and remarketing platforms to serve interest-based ads on other websites and within mobile applications, as well as to measure the performance of our advertising campaigns. These tools utilize cookies, mobile-specific advertising identifiers, and SDKs to track your interactions across our digital services.
- Affiliate Marketing: We work with affiliate partners and networks. If you arrive at our platform via an affiliate link and complete a purchase, we share a pseudonymized transaction ID with the affiliate network solely to attribute the commission to the correct partner.
- International Transfers: Where providers are based outside the EEA, particularly in the USA, data protection is ensured through the EU-US Data Privacy Framework or EU Standard Contractual Clauses.
Control: You can withdraw your consent or manage your advertising preferences at any time through the ‘Cookie Settings’ link in our Cookie Policy or by adjusting the tracking and privacy settings on your mobile device. For the specific providers we use, see our Sub-processors List. For the specific cookies we use, and to manage your consent, see our Cookie Policy.
4.4 Social Media Presences
Purpose: We maintain public profiles on social media platforms to communicate with our community and provide customer support. When you interact with us via these platforms (e.g., through comments or direct messages), we process your data to respond to your inquiries.
Joint Controllership: For certain activities (like “Page Insights”), Lecturio GmbH acts as a joint controller with the platform operator (Art. 26 GDPR). The operator is primarily responsible for the technical infrastructure and account-level tracking.
Customer Support Integration: If you contact us for support via social media, we may synchronize your message and profile data (e.g., your handle and the conversation history) with our internal customer support tools. This allows us to manage your request centrally, ensure a faster response time, and link the inquiry to your existing student account if applicable.
Legal Basis:
- Art. 6(1)(f) GDPR (Legitimate Interest): Effective information, modern interaction, and streamlined support management.
- Art. 6(1)(b) GDPR (Performance of Contract): If your inquiry is related to a contract or subscription issue.
While you can exercise your data subject rights (access, correction, erasure) against us, the platform operators have direct access to the technical infrastructure and your profile data. Therefore, we recommend contacting the platform provider directly for requests regarding your account settings or tracking preferences.
For a list of our social media presences, please see our Sub-processors List.
4.5 Contact Forms, Business Inquiries & Bookings
Purpose: To respond to inquiries submitted via our contact forms, manage business relationships, and facilitate the scheduling and delivery of demos, webinars, or consultation calls.
Data used: Contact data (name, email address, company, job title, message content), appointment details (date/time of booked calls), and participation status for registered events.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual or contractual processing) and Art. 6(1)(f) GDPR (legitimate interest in effective business communication and lead management).
How it works: We use external platforms to host our contact forms and manage appointment scheduling. To maintain data quality, we may use third-party verification tools to check the accuracy of provided email addresses. Information submitted via these forms is synchronized with our CRM systems to ensure professional follow-up. For a list of specific scheduling and form providers, see our Sub-processors List.
Mandatory and optional fields (Art. 13(2)(e) GDPR): Providing your name and email address is required to respond to any request. Specific appointment details are required to successfully book a call or demo. Fields such as company name, job title, and phone number help us route your inquiry appropriately but are not required.
4.6 Marketing Communications and Newsletters
Purpose: To provide a tailored experience, we synchronize specific profile data and events with our communication platforms. This allows us to send you relevant educational content, learning progress updates (e.g., “reminders” or “achievements”), and promotional information such as webinars, events, and special offers via email and push notifications.
Data used:
- For all users: Identity data (name and email address), technical metadata (browser/device data, country, language), and, where relevant, push tokens (unique identifiers generated by your device or browser) to enable the delivery of notifications.
- For registered users and customers only: We additionally synchronize usage and learning data (learning progress, completed courses, and platform events) and account status (subscription type, price, billing period, and status) to provide a more tailored educational experience.
Tracking Technologies: Pixels, Links, and SDKs
To optimize our service and understand user interests, our newsletters and platforms use tracking technologies:
- Tracking Pixels: Small graphics embedded in emails that log your email address, the newsletter issue, and the date/time of opening.
- Tracking Links: Individualized links that log which specific content you clicked and when.
- SDKs & Push Analytics: Software Development Kits and web-based tracking integrated into our platforms that monitor your interactions and provide real-time engagement data, including whether a push notification was delivered, opened, or dismissed.
Legal Basis & Opt-In Process: The legal basis for this processing is your Consent (Art. 6(1)(a) GDPR). We obtain this consent through the following methods:
- Double Opt-In (Email): If you subscribe via a contact form or create an account on one of our products using your email address, you will receive a confirmation email. Your subscription and the associated data synchronization are only activated once you click the confirmation link in that email.
- Direct Opt-In (Social Login): If you create an account via a social login provider (e.g., Google or Facebook), we ask for your explicit consent during or immediately following the registration process.
- Push Notification Consent: For both mobile applications and web-based platforms, we ask for your explicit permission via your device’s or browser’s system-level permission dialog before sending any notifications.
Revocation and Unsubscribe: You can withdraw your consent and unsubscribe at any time with future effect. You may unsubscribe by:
- For email newsletters:
- Clicking the “Unsubscribe” link at the bottom of any newsletter.
- Adjusting your preferences in your Account Settings.
- Sending an email to support@lecturio.com.
- For push notifications: Managing notification permissions in your device’s system settings or your browser settings.
Once you unsubscribe, we will stop the synchronization and tracking for these purposes and delete or anonymize the related data, unless further retention is legally required. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Mandatory and optional fields (Art. 13(2)(e) GDPR): Providing your email address is required to subscribe to our newsletter; without it we cannot send you communications. Subscribing to the newsletter is entirely voluntary — there are no consequences for declining to subscribe or for unsubscribing at any time.
4.7 A/B Testing
Purpose: To analyze how our platforms are used and to test different variations of features (A/B testing) to improve the user experience and educational effectiveness for both registered members and anonymous visitors.
Data used:
- Identifiers: Pseudonymized (hashed) identifiers, such as a hashed session ID or a unique experiment ID stored in a cookie.
- Technical metadata: Browser type and interaction events (e.g., whether a button was clicked).
- Assignment data: Information on which version (e.g., “Version A” or “Version B”) was shown to you.
Legal basis:
- Art. 6(1)(a) GDPR (Consent): We rely on your consent for the placement of non-essential cookies or similar identifiers used to maintain a consistent experiment experience (ensuring you don’t see different versions of the same page). You can manage this via our Cookie Settings.
- Art. 6(1)(f) GDPR (Legitimate Interest): For essential technical optimization and measuring the basic performance of our website.
How it works: We use a “warehouse-native” infrastructure for our testing. This means that the core data remains within our secure environment. We utilize cookies or similar local storage technologies to assign your browser to a specific test group. While an external tool helps us manage the experiment “rules,” the evaluation is performed using hashed identifiers that cannot be read back to a person directly. No raw personal data (such as names or email addresses) is shared with the service provider for these purposes.
4.8 Promotions, Sweepstakes, and Contests
Purpose: To administer promotional campaigns and contact participants about outcomes.
Data used: Name, email address, aggregate demographic data (not used to identify individuals) as well as other data if specified in separate terms and conditions of specific promotions.
Legal basis: Art. 6(1)(b) GDPR (Performance of Contract). By entering the promotion, you enter into a participation agreement with us. Processing your data is necessary to administer the campaign, verify eligibility, and notify winners according to the specific terms of the promotion. Separate terms and conditions apply to each individual promotion, which will describe the applicable data processing in detail.
4.9 Surveys
Purpose: To gather feedback on our products, conduct market research, and understand the learning needs of our visitors and users to improve our platforms.
Data used:
- Your survey responses and feedback content.
- Contact data (name and email), only if you voluntarily provide it within the survey.
- Technical metadata (IP address, browser type, device type, and timestamp).
- Account Linking: For registered users, we may auto-populate certain fields (such as your email address or a unique user identifier) to connect your feedback directly to your account.
Legal basis: The legal basis is your Consent (Art. 6(1)(a) GDPR). Participation in our surveys is entirely voluntary.
How it works: We use third-party survey tools to conduct these studies; within these tools, you may be asked to affirmatively provide your consent before submitting your responses. If you provide explicit consent within a survey to be contacted (e.g., for follow-up questions, user research, or further information regarding your feedback), your survey data and contact information may be transferred to our CRM systems to facilitate this outreach.
You can withdraw your consent at any time by contacting us, which will result in the deletion of your specific response data unless it has already been anonymized for statistical analysis.
4.10 Conducting Webinars, Demos & Video Calls
Purpose: To conduct live educational webinars, product demonstrations, and virtual meetings or consultations.
Data used:
- Participant Data: Name, email address, and IP address.
- Audio/Visual Data: Video streams and audio recordings (only where explicitly notified or consented to).
- Interaction Data: Chat messages, Q&A inputs, and poll responses provided during the session.
- Technical Metadata: Connection quality logs, device type, and duration of participation.
Legal basis: Art. 6(1)(b) GDPR (Performance of Contract) for registered participants, and Art. 6(1)(f) GDPR (Legitimate Interest) for providing a stable and interactive communication environment.
How it works: We use professional video conferencing and webinar platforms to host these sessions. These providers act as processors on our behalf. While we do not record sessions by default, any session being recorded will be clearly indicated to all participants at the start. Technical logs are processed to ensure the stability of the connection and to analyze the success of the event (e.g., attendance rates).
Data Retention: Meeting metadata and chat logs are generally retained for up to 12 months for quality assurance, unless the content is part of a permanent record associated with your account or a legal dispute.
4.11 Workflow Automation and System Integration
Purpose: To maintain data consistency across our internal infrastructure and to automate administrative or compliance-related tasks. This ensures that information submitted via one interface is correctly updated across all relevant internal databases and business tools.
Data used: Identity and contact data, account status, and specific event triggers.
Legal basis: Art. 6(1)(f) GDPR (Legitimate Interest). Our legitimate interest lies in ensuring the technical integrity and efficiency of our business processes through the automated synchronization of data between our authorized internal systems.
How it works: We use cloud-based automation middleware to act as a secure “bridge” between our various software platforms. These tools allow us to create automated workflows where data provided in one system is automatically transmitted to another. For example, when you submit a contact or inquiry form, the data is first captured by our primary communication tool and then automatically synchronized with our internal relationship management or support systems to ensure your request is handled promptly.
Retention: These integration platforms are configured to act as “pass-through” services. While they process data to execute a workflow, logs are only retained for 7 days to allow for technical troubleshooting, after which the data is automatically removed from the middleware environment.
4.12 Job Applications & Recruiting
Purpose: To host vacancies, manage the recruitment process, evaluate candidate suitability for open positions, and communicate with applicants regarding their status.
Data used:
- Identity & Contact Data: Name, email, phone number, address.
- Professional Profile: CV/Resume, cover letter, work samples, and education history.
- Public Profiles: Information from professional networks (e.g., LinkedIn) if provided or linked.
- Assessment Data: Interview notes, test results, and internal evaluations.
Legal basis:
- Art. 6(1)(b) GDPR & § 26 BDSG: Processing is necessary to decide on the establishment of an employment relationship.
- Art. 6(1)(a) GDPR (Consent): If you wish to remain in our “Talent Pool” for future vacancies after a specific rejection.
How it works: We use specialized HR management platforms to host our job board and process applications. Only authorized members of our HR team and the relevant department managers have access to your application.
Data Retention: All candidate profiles will be automatically anonymized 180 days after their rejection. This process permanently removes all personal identifiers and documents (CVs, contact details), while retaining non-identifiable data for internal recruitment analytics and reporting. We will only store your data for a longer period (up to 2 years) if you provide explicit consent to join our Talent Pool.
Platform & Learning Services (Registered Users and Customers only)
4.13 Account Creation & Management
Purpose: To create and manage your user account, verify your identity, and provide access to your learning materials or simulations across all devices.
Data used:
1. Mandatory Account Data (Required for Registration): To access our services and perform our contract with you, we must collect specific data depending on the platform you are using:
- General (All Platforms): Name, email address, and hashed password.
- Social Login (Lecturio): If you use Xing, Google, Apple, or Facebook to create an account, we receive an identifier as well as your name and email address from the provider.
- SIMTICS: In addition to your name and email, registration for our simulation services requires your phone number, company/organization name, and billing address to verify your professional status and regional tax compliance.
- Institutional Verification: If you register using an institutional or school email address, that address is used to verify eligibility for specific pricing or access levels.
2. Optional Profile Data (Provided Voluntarily): You may choose to provide additional information during onboarding or in your account settings to personalize your experience. This is entirely optional:
- Study & Career Profile (Lecturio): Education level, exams you are preparing for, medical school/institution, and aspired degree.
- Extended Profile (Lecturio): You may optionally add your date of birth (for age-gated content or birthday greetings), a profile photo, or your gender.
Legal Basis: Art. 6(1)(b) GDPR (Performance of Contract). International transfers to social login providers (USA) are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses.
Consequences of Non-Provision: Providing mandatory account data is required to use the respective platform. Optional profile data is not required; if you choose not to provide it, you can still use the platform, but personalization may be limited.
4.14 Delivering the Platform and Learning Services
Purpose: To deliver our learning and simulation platforms, including a tailored learning experience, tracking of your learning progress, and the delivery of the specific product features you have contracted for.
Data used: Account and identity data, learning and progress data, user-generated content, AI interaction data, technical and log data.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.
Personalization and profiling (Art. 4(4) GDPR): We use automated processing of your learning and progress data — including content viewed, quiz results, performance scores, and time spent on topics — to personalize your content recommendations and adapt the learning path presented to you. This constitutes profiling within the meaning of Art. 4(4) GDPR. The logic applied is based on content similarity, curriculum sequencing, and your demonstrated performance on assessments. Personalization does not restrict your access to any content; it influences only which content is surfaced to you first. It does not produce decisions with legal or similarly significant effect, and Art. 22 rights do not apply to this processing. You may contact data-privacy@lecturio.com if you wish to understand more about how personalization works or to object to this processing.
User-generated content: Content you submit (e.g. comments, tags, ratings, reviews) is associated with your account during the period of your membership. Upon account deletion, such content is retained in anonymized form unless you specifically request its deletion.
Mobile Device Permissions & Consent: To provide the full range of features within our mobile applications, the app may request access to certain functions of your device. These permissions are requested at the time the feature is first used (Just-In-Time Consent):
- Camera/Library: Used to allow you to upload a profile picture or submit media (e.g. in order to use the Lecturio Bookmatcher)
- Microphone: Used for audio input in various AI features.
- Notifications: Used to send learning reminders and progress updates.
- Storage/Files: Used to download course materials (e.g. videos) for offline viewing.
You can manage or revoke these permissions at any time through your device’s system settings. Denying certain permissions may limit your ability to use specific interactive features, but will not prevent access to the core learning platform.
4.15 Lecturio Tutoring Programme
Purpose: To operate the Lecturio Tutoring Programme, which connects learners with qualified tutors for personalised academic support and exam preparation.
Data used:
- Identity Data: Name, email address.
- Performance Data: Learning progress, course completion status.
- Communication Data: Video/audio signals during sessions, chat logs (if used), and meeting metadata (IP address, device information, session duration).
Legal basis: Art. 6(1)(b) GDPR — performance of the contract for the Tutoring Programme.
Data shared with coaches: To ensure effective support, your assigned tutor receives access to your name, email address, and relevant learning progress. Tutors are subject to strict confidentiality obligations and are permitted to process this data solely for the purpose of your academic coaching.
Video Conferencing & Infrastructure: To conduct personalized sessions, we utilize professional third-party video conferencing and communication platforms. These tools enable real-time interaction between the learner and the tutor.
Intake forms: We use a survey tool for initial intake communication with potential coaching participants. Data submitted via this tool is processed on the basis of Art. 6(1)(b) GDPR.
4.16 AI-Powered Features
Purpose: To process your text inputs and prompts in order to generate AI responses and deliver AI-powered features across our platforms (including but not limited to chatbots on Lecturio, AI conversations on SimTutor, and AI feedback features on Healer).
Data used: AI interaction data (your inputs and the AI’s responses); pseudonymised user identifiers.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract.
Your inputs are processed by AI model providers acting on our behalf. Each provider is contractually prohibited from using your data to train its general-purpose models.
We also use an AI monitoring platform to analyze feature performance and improve service quality. This platform logs your interaction content and associated user identifiers.
These logs are stored during the period of your membership for troubleshooting and quality assurance purposes, unless further retention is legally required. Access to these logs is strictly limited to authorized internal staff who are subject to confidentiality obligations.
Profiling and automated analysis (Art. 4(4) GDPR): When you interact with AI-powered features, your text inputs and responses are automatically analysed to generate a reply or evaluation. This constitutes profiling within the meaning of Art. 4(4) GDPR; your inputs are processed to evaluate aspects of your knowledge, clinical reasoning, or simulation performance. For individual users (not accessing via an institutional contract), AI outputs are informational and do not produce decisions with legal or similarly significant effect; they are intended to support your learning, not to determine outcomes. For users whose accounts are linked to an educational institution or employer, please refer to your institution’s privacy policy.
For the specific providers we use, see our Sub-processors List.
4.17 In-App Telemetry, Crash Reporting & Product Improvement
Purpose: To ensure the stability and security of our learning platforms, identify technical bugs or software errors in real-time, and improve the overall user experience by identifying usability roadblocks.
Data used: Technical log data; device and app data; pseudonymised user identifiers; in-app interaction data.
Legal basis: Art. 6(1)(f) GDPR (Legitimate Interest). Our legitimate interest lies in providing a secure, stable, and high-performing educational platform and understanding how to improve its usability for our learners.
How it works: We use a combination of internal and cloud-based monitoring services to analyze platform health.
- Self-Hosted Analytics: We process core usage and interaction data on our own secure infrastructure. This ensures that detailed behavioral data remains within our direct control and is not shared with third-party analytics providers.
- Crash & Error Monitoring: We use specialized cloud-based monitoring to detect and fix software bugs in real-time. When a “crash” occurs, a report containing technical information about the app’s state is sent to our monitoring infrastructure so we can resolve the issue.
- Session Recording: To identify complex usability issues or technical “roadblocks” that prevent a smooth learning experience, we may record specific user sessions. These recordings are used exclusively for internal analysis. We implement safeguards to ensure that sensitive information (such as passwords or payment details) is masked and not captured during the recording.
4.18 Payment Processing
Purpose: To process payments for subscriptions and purchases, manage recurring billing, and comply with statutory tax and accounting requirements.
Data used:
- Identity & Billing: Name, email address, address, and (if applicable) VAT ID.
- Payment Metadata: Payment method type and identifiers (e.g., Credit Card, PayPal), the last four digits of the payment card, expiration date, as well as transaction, subscription and product IDs.
- Tax & Verification: IP address (for tax residency verification to comply with EU VAT OSS and international tax laws), country of origin, and currency.
- Subscription Data: Plan type, renewal dates, and coupon usage.
- Debt & Claims Data: In the event of a payment default, we process information regarding the outstanding balance, payment history, and correspondence related to the claim, including name, contact data and billing address.
Legal basis:
- Art. 6(1)(b) GDPR (Performance of a contract) for standard billing and subscription management.
- Art. 6(1)(f) GDPR (Legitimate Interest) for the enforcement of legal claims and the recovery of outstanding debts.
How it works:
Lecturio acts as the Data Controller for the management of your subscription and tax compliance. Regarding the secure processing of your actual payment credentials (e.g., full credit card numbers or CVV), the respective payment gateways and app stores act as independent Data Controllers. We do not store complete credit or debit card numbers on our servers; all transactions are handled via encrypted connections to PCI DSS-certified providers.
Mandatory and optional fields (Art. 13(2)(e) GDPR): Providing payment data (billing name, address, and card or payment account details) is required to complete a purchase. Without it we cannot process your subscription or transaction. Payment data is not required to access any free content or free features of our platforms.
Mobile In-App Purchases & Subscriptions: For in-app purchases, the store operator handles the payment; we receive only the data necessary to verify your purchase and activate your subscription.
Debt Collection: If payments remain outstanding despite reminders, we may transfer the necessary data (identity, contact details, and debt information) to specialized debt collection agencies or legal service providers. These partners act as independent Data Controllers or Processors depending on the specific legal arrangement.
For all processors and applicable transfer mechanisms, see the Sub-processors List.
4.19 Customer Support
Purpose: To respond to your inquiries, resolve technical issues, provide product guidance via email, live chat, or phone, and maintain the quality of our customer service.
Data used:
- Identity & Account Data: Name, email address, postal address and unique account identifier.
- Communication Content: The text of your messages, chat transcripts, and (in the case of phone support) voicemails, call summaries or recordings.
- Technical Context: Browser type, operating system, and the specific page you were viewing when you initiated support (to assist in troubleshooting).
Legal basis: Art. 6(1)(b) GDPR (Performance of Contract) and Art. 6(1)(f) GDPR (Legitimate interest in ensuring efficient support and quality control).
How it works: We use integrated customer support and live-chat platforms to manage our communications. To ensure a seamless support experience, we synchronize relevant account data (such as your email address and user ID) with these platforms, allowing our staff to identify your account and previous interactions immediately. To provide faster and more accurate assistance, we use AI-assisted tools that process the content of your inquiries to categorize issues, suggest relevant help articles, or generate response drafts for our staff. These AI tools operate within our secure support environment; your data is not used by the AI providers to train their general-purpose models.
Data Retention: Support interactions are generally associated with your account and are retained for the duration of your membership to provide continuity of service. They are deleted or anonymized when your account is closed, unless legal retention requirements (e.g., for commercial correspondence) apply.
Support contacts:
- Lecturio.com: support@lecturio.com
- Lecturio.de: support@lecturio.de
- Healer: healer@lecturio.com
- SimTutor / SIMTICS: support@lecturio.com
For all customer support providers, see our Sub-processors List.
4.20 Legal Compliance and Enforcement
Purpose: To comply with statutory legal obligations (e.g., tax and commercial laws), respond to lawful requests from public authorities or law enforcement, and to establish, exercise, or defend our legal claims.
Data used: Any categories of personal data processed by us, but strictly limited to what is necessary for the specific legal requirement or dispute. This typically includes identity, billing, and contract data.
Legal basis: Art. 6(1)(c) GDPR (Compliance with a legal obligation) and Art. 6(1)(f) GDPR (Legitimate interest in the assertion and defense of legal claims).
Statutory Retention Periods:
- We retain accounting records, invoices, and contractual documents containing payment information to comply with tax and commercial retention requirements (e.g., § 257 HGB, § 147 AO) for 10 years.
- We retain other business correspondence and related documentation that does not fall under the 10-year rule for a maximum period of 6 years.
- Data specifically relevant to ongoing or threatened legal proceedings is retained until the final resolution of the matter or until the expiration of the relevant statutes of limitations.
4.21 Business Transfers and Restructuring
Purpose: In the event of a sale, merger, acquisition, or restructuring of any part of our business, personal data may be shared with potential acquirers or successors.
Data used: Relevant categories of personal data, strictly limited to what is necessary for the evaluation or execution of the transaction.
Legal basis: Art. 6(1)(f) GDPR — legitimate interests in facilitating a lawful business transaction. Any potential acquirer is informed that it must use personal data only for the purposes disclosed in this Privacy Policy.
§5 Who We Share Your Data With
We share personal data only to the extent necessary for the purposes described in §4. The principal categories of recipients are:
- Internal Staff: Authorized employees of Lecturio GmbH (and its subsidiaries where necessary for service delivery) who require access to perform their duties. All are subject to strict confidentiality obligations.
- Data processors: Third-party service providers engaged under Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR. A current list of all processors and sub-processors is available in our Sub-processors List.
- Payment processors: Financial institutions and PCI DSS-certified providers who handle secure transaction processing.
- AI model providers: Providers of large language models used for our AI-powered features. These providers are contractually prohibited from using your data to train their general-purpose models.
- Analytics and marketing providers: Tools used for web analytics, advertising measurement, and marketing communications, as described in §4.2 and §4.3.
- Tutors: In the context of Lecturio Tutoring, assigned tutors receive access to the data necessary to conduct your sessions.
- Supervisory authorities and law enforcement: Public bodies, courts, or law enforcement where required by applicable law, court order, or other legal process (see §4.20).
- Potential acquirers: In connection with a proposed business transfer (see §4.21).
We do not sell personal data to third parties.
For details of specific providers, countries of operation, and transfer mechanisms, see the Sub-processors List.
§6 International Data Transfers
Lecturio GmbH is established in Germany and processes personal data primarily within the European Economic Area (EEA). However, some of our processors and sub-processors are based in, or process data in, countries outside the EEA — primarily the United States.
Transfers of personal data outside the EEA are only made where appropriate safeguards are in place pursuant to Chapter V of the GDPR:
| Mechanism | Description |
|---|---|
| Adequacy decision | The European Commission has determined that the destination country ensures an equivalent level of protection (e.g. New Zealand, Japan, Canada, Israel, UK). No additional safeguards required. |
| Standard Contractual Clauses (SCCs) | European Commission-approved contract clauses that bind the transferring and receiving parties to GDPR-equivalent protections. Updated SCCs apply from 2021; further updated in Q2 2025. |
| Binding Corporate Rules (BCRs) | Approved intra-group transfer rules for multinational organisations. |
| EU-US Data Privacy Framework (DPF) | Adequacy decision for certified US companies (adopted July 2023). Applicable where the US recipient is DPF-certified. |
We continuously monitor the legal landscape and update our transfer arrangements to reflect changes in law or guidance from supervisory authorities.
For a full list of all third-country recipients and the transfer mechanism applicable to each, see our Sub-processors List.
§7 Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, or for as long as required by applicable law. The following retention periods apply:
| Data Category | Retention Period | Basis / Trigger |
|---|---|---|
| Account and identity data | Duration of membership, then deleted or anonymized | Account deletion request |
| Learning and progress data | Duration of membership, then deleted or anonymized | Account deletion request |
| User-generated content | Duration of membership; retained in anonymized form unless specific deletion requested | Account deletion or specific request |
| AI interaction data | Duration of membership, then deleted or anonymized | Account deletion request or specific request |
| Technical / log data (IP addresses) | 5 years | Rolling deletion; statutory limitation period (German civil law) |
| Workflow Automation Logs | 7 days | Automation |
| Support communications | Duration of membership / until ticket resolved; then deleted or anonymized | Membership termination or ticket closure |
| Payment records and invoices | 10 years | Statutory accounting and tax requirements (§ 147 AO, § 257 HGB) |
| Contractual documents | 8 years | Statutory accounting and tax requirements |
| Legal correspondence and dispute data | 6 years | Statutory limitation period |
| Claim-related data | 10 years | Statutory limitation period |
| Newsletter subscription and engagement data | Until unsubscribe / consent withdrawal | Consent withdrawal |
| Business Inquiry Data (No contract formed) | 1 year after last contact | Purpose termination (inactivity) OR deletion request |
| Business Inquiry Data (Contract formed) | Duration of contract + 8 years | Statutory limitation period |
| Candidate Data | 180 days | Automation |
7.1 Account Deletion
You may request the deletion of your account and associated personal data at any time through the following methods:
- In-App Account Deletion (Self-Service): Users of our mobile applications can initiate account deletion directly within the app settings. This provides an automated way to queue your account for removal.
- Email Request: You may also contact us via email. We will process your request within 30 calendar days, or within the timeframes required by applicable law:
  - Lecturio users: support@lecturio.com
  - Healer users: healer@lecturio.com
  - SimTutor / SIMTICS users: support@lecturio.com
Effect of Deletion: Upon processing your request, personal data is either permanently deleted or anonymized so that it can no longer be associated with you. Please note that certain data may be retained if we are subject to statutory retention obligations (e.g., for tax or accounting purposes) as described in the sections above.
§8 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our website. Upon your first visit, a Cookie Consent Banner allows you to manage your preferences.
Our Policy on Consent:
- Strictly Necessary cookies are active by default as they are essential for the website to function.
- Performance, Functional, and Targeting cookies are blocked by default and will only be activated if you provide explicit consent.
- You can withdraw or change your consent at any time by clicking the “Cookie Settings” link in our Cookie Policy.
Cookie categories we use:
| Category | Requires Consent | Description & Examples |
|---|---|---|
| Strictly Necessary | No | Essential for site security, load balancing, and remembering your privacy preferences. |
| Functional | Yes | Enables enhanced functionality and personalization, such as videos or live chat (e.g., logged-in status, preference storage). |
| Performance / Analytics | Yes | Helps us understand how visitors interact with the site (e.g., Google Analytics, Hotjar, Microsoft Clarity). |
| Targeting / Advertising | Yes | Used to deliver adverts more relevant to you and your interests (e.g., TikTok Pixel, Meta Pixel, Google Ads, LinkedIn). |
For a full list of all cookies (name, purpose, duration, provider) and the option to adjust your consent settings, see our Cookie Policy.
You can also manage cookies by:
- Configuring your browser to refuse or delete cookies;
- Using opt-out tools provided by individual third-party providers (links provided in the Cookie Policy).
Please note that disabling certain cookies may affect the functionality of our services.
§9 Your Rights
As a data subject under the GDPR, you have the rights listed below. To exercise any of them, contact us at data-privacy@lecturio.com. We will respond within one month (extendable by two further months for complex or numerous requests, with prior notice).
We may need to verify your identity before processing your request. For manifestly unfounded or excessive requests, we reserve the right to charge a reasonable fee or refuse to act, in accordance with Art. 12(5) GDPR.
9.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether we process personal data concerning you and, if so, to receive a copy of that data along with information about how it is processed.
9.2 Right to Rectification (Art. 16 GDPR)
You have the right to request correction of inaccurate personal data and completion of incomplete personal data concerning you.
9.3 Right to Erasure (Art. 17 GDPR)
You have the right to request deletion of personal data concerning you where: (a) it is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis; (c) you object and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) deletion is required by law.
9.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while you contest its accuracy or while an objection is being assessed.
9.5 Right to Data Portability (Art. 20 GDPR)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
9.6 Right to Object (Art. 21 GDPR)
You have the right to object at any time to processing based on Art. 6(1)(f) (legitimate interests). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes.
9.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
9.8 Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Lecturio GmbH is:
Der Sächsische Datenschutzbeauftragte (Saxon Data Protection Commissioner)
Devrientstraße 5
01067 Dresden
Germany
Website: https://www.saechsdsb.de
You may also lodge a complaint with the supervisory authority of your EU member state of residence or place of work.
9.9 Unauthorized Account Registration
If an account has been registered on any of our platforms without your authorisation (e.g. using your email address without your knowledge), please notify us immediately at support@lecturio.com. We will delete the account without delay.
§10 Security
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encryption of data in transit and at rest, access controls, staff training, and regular security assessments.
In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours where required under Art. 33 GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay under Art. 34 GDPR.
§11 Children
Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent.
If you believe a child under 16 has provided us with personal data without appropriate consent, please contact us at data-privacy@lecturio.com and we will take steps to delete that data promptly.
§12 Third-Party Websites and External Links
Our websites and services may contain hyperlinks to external websites operated by third parties. These links are provided for convenience or to guide you to additional relevant information. This Privacy Policy does not cover external websites, as we do not control how they operate or how they handle personal data.
We do not intentionally transfer personal data to external websites through hyperlinks. However, when you visit an external website, it may independently collect certain technical data about you (such as your IP address via server log files). We recommend reviewing the privacy policy of any external website you visit.
§13 Changes to This Policy
We reserve the right to update this Privacy Policy at any time to reflect changes in our services, new features or technologies, changes in applicable law, or for other operational reasons.
When we make material changes, we will notify you through one or more of the following means:
- A notice on our website;
- An email notification;
- An in-app notification.
The date at the top of this document indicates when it was last updated. We encourage you to review this Policy periodically. Your continued use of our services after an update constitutes acknowledgement of the revised Policy.
Previous versions of this Privacy Policy are available on request by contacting data-privacy@lecturio.com.
§14 Contact Us and Governing Law
For any questions about this Privacy Policy or to exercise your rights, contact:
Data Protection Officer
Lecturio GmbH
Käthe-Kollwitz-Str. 1, 04109 Leipzig, Germany
Email: data-privacy@lecturio.com
This Privacy Policy is governed by and construed in accordance with the laws of the Federal Republic of Germany, in particular the GDPR as applicable in Germany and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
This document forms part of a document set.
Related documents:
- Cookie Policy: full cookie inventory and consent management
- Sub-processors List: all third-party processors and transfer mechanisms