Last updated: May 12, 2026

§1 About This Privacy Policy

1.1 When This Policy Applies (Our Responsibility)

This Privacy Policy describes how Lecturio GmbH (“Lecturio”, “we”, or “us”) collects, uses, and protects personal data when we act as the Data Controller.

This policy applies exclusively to situations where you enter into a direct relationship with us, including the following:

1.2 When This Policy Does Not Apply

To ensure your data rights are protected, it is critical to understand when this document does not govern your information:

In these cases, your institution is the Data Controller. They independently process your data—for example, by accessing your learning progress through their administrator account. Lecturio acts only as a service provider (Data Processor) following your institution’s instructions. Please refer to your institution’s own privacy policy for information on how your data is handled.

1.3 How to Read This Policy

To keep this document concise while covering multiple products and regions, please note the following: Unless otherwise stated, all provisions apply to all products (Lecturio, Healer, SIMTICS, and SimTutor). Where a rule applies to only one product, it will be clearly marked (e.g., “Lecturio only”).

1.4 General Legal Framework

We process personal data strictly in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Unless specifically stated otherwise in later sections, we rely on the following legal bases:

§2 Who We Are

2.1 Data Controller

The controller responsible for the processing of personal data in connection with all products and services described in this Privacy Policy is:

Lecturio GmbH 
Käthe-Kollwitz-Str. 1, 
04109 Leipzig, 
Germany
Email: support@lecturio.com

Lecturio GmbH is the sole data controller for all products and services covered by this Policy, including Lecturio, Healer, SIMTICS, and SimTutor Author.

2.2 Data Protection Officer (DPO)

To ensure the highest standards of data protection, we have appointed an external Data Protection Officer pursuant to Art. 37 GDPR:

Mr. Stephan Hartmann 

Email: data-privacy@lecturio.com

You may contact our DPO at any time with questions about data protection or to exercise your rights under this Policy. All privacy inquiries across all products are handled through data-privacy@lecturio.com.

§3 What Personal Data We Collect

We collect the following categories of personal data, depending on which product you use and how you interact with us:

| Category | Examples | Primary Source |
| --- | --- | --- |
| Account and identity data | Name, email address, password (hashed), title, age, gender, level of education | Provided by you at registration |
| Social login data | Username and email address from identity providers (e.g. Facebook or Google) (where you register using these services) | Received from Single-Sign-On/Identity Providers like Meta or Google. |
| Business contact data | Name, job title, company name, work email address, phone number, location (country) | Provided via contact forms or collected in the B2B context |
| Learning and progress data | Videos viewed, quiz answers, simulation steps completed, performance scores, learning metrics | Generated by your use of the platform |
| Clinical case interaction data | Records of the clinical cases you worked through, your decisions, answers, and the sequence of steps taken | Generated by your answering of clinical case studies |
| Clinical performance data | Scores, performance metrics, and evaluation results associated with your clinical case work | Generated by your answering of clinical case studies |
| Simulation progress and performance data | Records of your progress through simulation steps and modules; scores, branching decisions, and evaluation metrics | Generated by your use of the platform |
| Learning timeline data | Timestamps and frequency of platform use, including case start and completion times | Generated by your use of the platform |
| AI interaction data | Text inputs and prompts submitted to AI-powered features; AI-generated responses | Generated during AI feature use |
| User-generated content | Comments, tags, ratings, reviews, uploaded files, course materials | Provided by you during use |
| Authoring content data | Simulation content, branching structures, and media created using SimTutor Author tools | Generated by your use of the platform |
| Support and communication data | Content of support tickets, chat messages, email correspondence | Provided when you contact us |
| Marketing engagement data | Email open/click events, newsletter subscription status, advertising interaction data | Generated by marketing communications |
| Payment data | Transaction ID, billing name and address; payment card details handled exclusively by certified payment processors (not stored by us) | Provided at checkout, self-service portals and via app stores |
| Technical and log data | IP address, URL requested, browser type and version, operating system, date and time of request, referring URL | Automatically collected by our servers |
| Device and app data | Device type, advertising identifiers (IDFA, Android Advertising ID), app crash reports | Automatically collected via mobile applications |
| Location data (country) | Country of residence, collected when you submit an inquiry form on simtics.com or simtutor.com | Provided via inquiry form on simtics.com or simtutor.com |

We do not intentionally collect special categories of personal data (e.g. health data, religious beliefs, ethnic origin). Clinical simulation data on Healer relates to healthcare scenarios and reflects clinical reasoning, but is not equivalent to the user’s own health data. If, in exceptional circumstances, a user discloses personal health information via any input field or support message, it is treated with the same care as other personal data and is not used for any purpose beyond the immediate context. We do not knowingly collect personal data from children under 16 without parental consent (see §11).

§4 How We Use Your Data

We process your personal data only when we have a valid legal basis under Art. 6 of the GDPR. To make this policy easier to navigate, we have divided our data usage into two main categories:

General Interactions (All Users)

4.1 Security, Fraud Prevention, and IT Operations

Purpose: To maintain the technical operation and security of our systems, detect and prevent misuse or attacks, conduct statistical analysis, and assist law enforcement, for example in the case of cyber attacks.

Data used: When you access any of our websites or services, our servers automatically record certain technical information in server log files, including:

Legal basis: 

This data is processed to maintain the technical operation and security of our systems, to detect and prevent misuse or attacks, to conduct anonymous evaluations for statistical purposes (such as analyzing user behavior), to improve our services, and to provide law enforcement authorities with information necessary for prosecution in the case of cyber attacks. The legal basis is Art. 6(1)(f) GDPR (legitimate interests in operating secure and reliable services). Log data containing IP addresses is retained for a period of 5 years (see §7 for retention periods generally).

Bot Protection and CAPTCHA Services: To protect our registration forms, login areas, and infrastructure from automated abuse and spam, we may utilize specialized security providers. These services analyze the “Security Telemetry” mentioned above to determine if a user is human.

Depending on the service used, a strictly necessary security cookie (an “immunity token”) may be stored locally on your device. This ensures that once you have successfully passed a verification challenge, you are not repeatedly interrupted during your session.

A detailed list of the specific service providers used for these security purposes can be found in our Subprocessor List. All providers are bound by Data Processing Agreements (DPA) and, where applicable, Standard Contractual Clauses to ensure a high level of data protection.

4.2 Web & Mobile Analytics

Purpose: To understand how visitors interact with our websites and mobile applications, measure the success of our marketing campaigns, and optimize our digital services for all devices.

Data used: Technical and log data; engagement data; demographic data (e.g. country, browser language), conversion data (e.g., whether a purchase was completed), browser cookies and mobile attribution identifiers. 

Legal basis: Art. 6(1)(a) GDPR (Consent). We only deploy these tools if you opt-in via our cookie banner, app store settings or OS-level permission prompts.

How it works: We use third-party web analytics tools, mobile attribution platforms, and customer engagement software to understand page views, traffic sources, and marketing performance. Where these third-party tools transfer data outside the EEA, appropriate safeguards (such as EU Standard Contractual Clauses) are in place. You can manage or withdraw your consent at any time through the “Cookie Settings” link in our website footer or by adjusting the privacy settings on your mobile device.

4.3 Advertising, Remarketing & Affiliate Marketing

Purpose: To show you relevant advertising on other websites after you have visited ours, to measure the effectiveness of our advertising campaigns, and to properly attribute sales and registrations resulting from our affiliate partner networks.

Data used: Technical and log data; marketing engagement data; device advertising identifiers; conversion data (e.g., whether a purchase was completed).

Legal basis: Art. 6(1)(a) GDPR (Consent). On our websites, this consent is obtained through our cookie banner, where you must affirmatively select advertising or targeting cookies for this processing to occur. On mobile devices, this is managed through your operating system’s tracking permissions (e.g., App Tracking Transparency).

How it works:

Control: You can withdraw your consent or manage your advertising preferences at any time through our ‘Cookie Settings’ link in our Cookie Policy or by adjusting the tracking and privacy settings on your mobile device. For the specific providers we use, see our Sub-processors List. For the specific cookies we use and to manage your consent, see our Cookie Policy.

4.4 Social Media Presences

Purpose: We maintain public profiles on social media platforms to communicate with our community and provide customer support. When you interact with us via these platforms (e.g., through comments or direct messages), we process your data to respond to your inquiries.

Joint Controllership: For certain activities (like “Page Insights”), Lecturio GmbH acts as a joint controller with the platform operator (Art. 26 GDPR). The operator is primarily responsible for the technical infrastructure and account-level tracking.

Customer Support Integration: If you contact us for support via social media, we may synchronize your message and profile data (e.g., your handle and the conversation history) with our internal customer support tools. This allows us to manage your request centrally, ensure a faster response time, and link the inquiry to your existing student account if applicable.

Legal Basis: 

While you can exercise your data subject rights (access, correction, erasure) against us, the platform operators have direct access to the technical infrastructure and your profile data. Therefore, we recommend contacting the platform provider directly for requests regarding your account settings or tracking preferences.

For a list of our social media presences please see our Sub-processors List.

4.5 Contact Forms, Business Inquiries & Bookings

Purpose: To respond to inquiries submitted via our contact forms, manage business relationships, and facilitate the scheduling and delivery of demos, webinars, or consultation calls.

Data used: Contact data (name, email address, company, job title, message content), appointment details (date/time of booked calls), and participation status for registered events.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual or contractual processing) and Art. 6(1)(f) GDPR (legitimate interest in effective business communication and lead management).

How it works: We use external platforms to host our contact forms and manage appointment scheduling. To maintain data quality, we may use third-party verification tools to check the accuracy of provided email addresses. Information submitted via these forms is synchronized with our CRM systems to ensure professional follow-up. For a list of specific scheduling and form providers, see our Sub-processors List.

Mandatory and optional fields (Art. 13(2)(e) GDPR): Providing your name and email address is required to respond to any request. Specific appointment details are required to successfully book a call or demo. Fields such as company name, job title, and phone number help us route your inquiry appropriately but are not required.

4.6 Marketing Communications and Newsletters

Purpose: To provide a tailored experience, we synchronize specific profile data and events with our communication platforms. This allows us to send you relevant educational content, learning progress updates (e.g., “reminders” or “achievements”), and promotional information such as webinars, events, and special offers via email and push notifications.

Data used:

Tracking Technologies: Pixels, Links, and SDKs

To optimize our service and understand user interests, our newsletters and platforms use tracking technologies:

Legal Basis & Opt-In Process: The legal basis for this processing is your Consent (Art. 6(1)(a) GDPR). We obtain this consent through the following methods:

Revocation and Unsubscribe: You can withdraw your consent and unsubscribe at any time with future effect. You may unsubscribe by:

Once you unsubscribe, we will stop the synchronization and tracking for these purposes and delete or anonymize the related data, unless further retention is legally required. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Mandatory and optional fields (Art. 13(2)(e) GDPR): Providing your email address is required to subscribe to our newsletter; without it we cannot send you communications. Subscribing to the newsletter is entirely voluntary — there are no consequences for declining to subscribe or for unsubscribing at any time.

4.7 A/B Testing

Purpose: To analyze how our platforms are used and to test different variations of features (A/B testing) to improve the user experience and educational effectiveness for both registered members and anonymous visitors.

Data used: 

Legal basis: 

How it works: We use a “warehouse-native” infrastructure for our testing. This means that the core data remains within our secure environment. We utilize cookies or similar local storage technologies to assign your browser to a specific test group. While an external tool helps us manage the experiment “rules,” the evaluation is performed using hashed, non-readable identifiers. No raw personal data (such as names or email addresses) is shared with the service provider for these purposes.

4.8 Promotions, Sweepstakes, and Contests 

Purpose: To administer promotional campaigns and contact participants about outcomes.

Data used: Name, email address, aggregate demographic data (not used to identify individuals) as well as other data if specified in separate terms and conditions of specific promotions.

Legal basis: Art. 6(1)(b) GDPR (Performance of Contract). By entering the promotion, you enter into a participation agreement with us. Processing your data is necessary to administer the campaign, verify eligibility, and notify winners according to the specific terms of the promotion. Separate terms and conditions apply to each individual promotion, which will describe the applicable data processing in detail.

4.9 Surveys

Purpose: To gather feedback on our products, conduct market research, and understand the learning needs of our visitors and users to improve our platforms.

Data used: 

Legal basis: The legal basis is your Consent (Art. 6(1)(a) GDPR). Participation in our surveys is entirely voluntary.

How it works: We use third-party survey tools to conduct these studies; within these tools, you may be asked to affirmatively provide your consent before submitting your responses. If you provide explicit consent within a survey to be contacted (e.g., for follow-up questions, user research, or further information regarding your feedback), your survey data and contact information may be transferred to our CRM systems to facilitate this outreach.

You can withdraw your consent at any time by contacting us, which will result in the deletion of your specific response data unless it has already been anonymized for statistical analysis.

4.10 Conducting Webinars, Demos & Video Calls

Purpose: To conduct live educational webinars, product demonstrations, and virtual meetings or consultations.

Data used: 

Legal basis: Art. 6(1)(b) GDPR (Performance of Contract) for registered participants, and Art. 6(1)(f) GDPR (Legitimate Interest) for providing a stable and interactive communication environment.

How it works: We use professional video conferencing and webinar platforms to host these sessions. These providers act as processors on our behalf. While we do not record sessions by default, any session being recorded will be clearly indicated to all participants at the start. Technical logs are processed to ensure the stability of the connection and to analyze the success of the event (e.g., attendance rates).

Data Retention: Meeting metadata and chat logs are generally retained for up to 12 months for quality assurance, unless the content is part of a permanent record associated with your account or a legal dispute.

4.11 Workflow Automation and System Integration

Purpose: To maintain data consistency across our internal infrastructure and to automate administrative or compliance-related tasks. This ensures that information submitted via one interface is correctly updated across all relevant internal databases and business tools.

Data used: Identity and contact data, account status, and specific event triggers.

Legal basis: Art. 6(1)(f) GDPR (Legitimate Interest). Our legitimate interest lies in ensuring the technical integrity and efficiency of our business processes through the automated synchronization of data between our authorized internal systems.

How it works: We use cloud-based automation middleware to act as a secure “bridge” between our various software platforms. These tools allow us to create automated workflows where data provided in one system is automatically transmitted to another. For example, when you submit a contact or inquiry form, the data is first captured by our primary communication tool and then automatically synchronized with our internal relationship management or support systems to ensure your request is handled promptly.

Retention: These integration platforms are configured to act as “pass-through” services. While they process data to execute a workflow, logs are only retained for 7 days to allow for technical troubleshooting, after which the data is automatically removed from the middleware environment.

4.12 Job Applications & Recruiting

Purpose: To host vacancies, manage the recruitment process, evaluate candidate suitability for open positions, and communicate with applicants regarding their status.

Data used: 

Legal basis: 

How it works: We use specialized HR management platforms to host our job board and process applications. Only authorized members of our HR team and the relevant department managers have access to your application.

Data Retention: All candidate profiles will be automatically anonymized 180 days after their rejection. This process permanently removes all personal identifiers and documents (CVs, contact details), while retaining non-identifiable data for internal recruitment analytics and reporting. We will only store your data for a longer period (up to 2 years) if you provide explicit consent to join our Talent Pool.

Platform & Learning Services (Registered Users and Customers only)

4.13 Account Creation & Management

Purpose: To create and manage your user account, verify your identity, and provide access to your learning materials or simulations across all devices.

Data used:

1. Mandatory Account Data (Required for Registration) To access our services and perform our contract with you, we must collect specific data depending on the platform you are using:

2. Optional Profile Data (Provided Voluntarily) You may choose to provide additional information during onboarding or in your account settings to personalize your experience. This is entirely optional:

Legal Basis: Art. 6(1)(b) GDPR (Performance of Contract). International transfers to social login providers (USA) are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses.

Consequences of Non-Provision: Providing mandatory account data is required to use the respective platform. Optional profile data is not required; if you choose not to provide it, you can still use the platform, but personalization may be limited.

4.14 Delivering the Platform and Learning Services

Purpose: To deliver our learning and simulation platforms, including a tailored learning experience, tracking of your learning progress, and the delivery of the specific product features you have contracted for.

Data used: Account and identity data, learning and progress data, user-generated content, AI interaction data, technical and log data.

Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you.

Personalization and profiling (Art. 4(4) GDPR): We use automated processing of your learning and progress data — including content viewed, quiz results, performance scores, and time spent on topics — to personalize your content recommendations and adapt the learning path presented to you. This constitutes profiling within the meaning of Art. 4(4) GDPR. The logic applied is based on content similarity, curriculum sequencing, and your demonstrated performance on assessments. Personalization does not restrict your access to any content; it influences only which content is surfaced to you first. It does not produce decisions with legal or similarly significant effect, and Art. 22 rights do not apply to this processing. You may contact data-privacy@lecturio.com if you wish to understand more about how personalization works or to object to this processing.

User-generated content: Content you submit (e.g. comments, tags, ratings, reviews) is associated with your account during the period of your membership. Upon account deletion, such content is retained in anonymized form unless you specifically request its deletion.

Mobile Device Permissions & Consent: To provide the full range of features within our mobile applications, the app may request access to certain functions of your device. These permissions are requested at the time the feature is first used (Just-In-Time Consent):

You can manage or revoke these permissions at any time through your device’s system settings. Denying certain permissions may limit your ability to use specific interactive features, but will not prevent access to the core learning platform.

4.15 Lecturio Tutoring Programme 

Purpose: To operate the Lecturio Tutoring Programme, which connects learners with qualified tutors for personalised academic support and exam preparation.

Data used: 

Legal basis: Art. 6(1)(b) GDPR — performance of the contract for the Tutoring Programme.

Data shared with coaches: To ensure effective support, your assigned tutor receives access to your name, email address, and relevant learning progress. Tutors are subject to strict confidentiality obligations and are permitted to process this data solely for the purpose of your academic coaching.

Video Conferencing & Infrastructure: To conduct personalized sessions, we utilize professional third-party video conferencing and communication platforms. These tools enable real-time interaction between the learner and the tutor.

Intake forms: We use a survey tool for initial intake communication with potential coaching participants. Data submitted via this tool is processed on the basis of Art. 6(1)(b) GDPR.

4.16 AI-Powered Features

Purpose: To process your text inputs and prompts in order to generate AI responses and deliver AI-powered features across our platforms (including but not limited to chatbots on Lecturio, AI conversations on SimTutor, and AI feedback features on Healer).

Data used: AI interaction data (your inputs and the AI’s responses); pseudonymised user identifiers.

Legal basis: Art. 6(1)(b) GDPR — performance of the contract.

Your inputs are processed by AI model providers acting on our behalf. Each provider is contractually prohibited from using your data to train its general-purpose models. 

We also use an AI monitoring platform to analyze feature performance and improve service quality. This platform logs your interaction content and associated user identifiers.

These logs are stored during the period of your membership for troubleshooting and quality assurance purposes, unless further retention is legally required. Access to these logs is strictly limited to authorized internal staff who are subject to confidentiality obligations.

Profiling and automated analysis (Art. 4(4) GDPR): When you interact with AI-powered features, your text inputs and responses are automatically analysed to generate a reply or evaluation. This constitutes profiling within the meaning of Art. 4(4) GDPR; your inputs are processed to evaluate aspects of your knowledge, clinical reasoning, or simulation performance. For individual users (not accessing via an institutional contract), AI outputs are informational and do not produce decisions with legal or similarly significant effect; they are intended to support your learning, not to determine outcomes. For users whose accounts are linked to an educational institution or employer, please refer to your institution’s privacy policy.

For the specific providers we use, see our Sub-processors List.

4.17 In-App Telemetry, Crash Reporting & Product Improvement

Purpose: To ensure the stability and security of our learning platforms, identify technical bugs or software errors in real-time, and improve the overall user experience by identifying usability roadblocks.

Data used: Technical log data; device and app data; pseudonymised user identifiers; in-app interaction data. 

Legal basis: Art. 6(1)(f) GDPR (Legitimate Interest). Our legitimate interest lies in providing a secure, stable, and high-performing educational platform and understanding how to improve its usability for our learners.

How it works: We use a combination of internal and cloud-based monitoring services to analyze platform health.

4.18 Payment Processing

Purpose: To process payments for subscriptions and purchases, manage recurring billing, and comply with statutory tax and accounting requirements.

Data used:

Legal basis: 

How it works: 

Lecturio acts as the Data Controller for the management of your subscription and tax compliance. Regarding the secure processing of your actual payment credentials (e.g., full credit card numbers or CVV), the respective payment gateways and app stores act as independent Data Controllers. We do not store complete credit or debit card numbers on our servers; all transactions are handled via encrypted connections to PCI DSS-certified providers.

Mandatory and optional fields (Art. 13(2)(e) GDPR): Providing payment data (billing name, address, and card or payment account details) is required to complete a purchase. Without it we cannot process your subscription or transaction. Payment data is not required to access any free content or free features of our platforms.

Mobile In-App Purchases & Subscriptions: For in-app purchases, the store operator handles the payment; we receive only the data necessary to verify your purchase and activate your subscription.

Debt Collection: If payments remain outstanding despite reminders, we may transfer the necessary data (identity, contact details, and debt information) to specialized debt collection agencies or legal service providers. These partners act as independent Data Controllers or Processors depending on the specific legal arrangement. 

For all processors and applicable transfer mechanisms, see the Sub-processors List.

4.19 Customer Support

Purpose: To respond to your inquiries, resolve technical issues, provide product guidance via email, live chat, or phone, and maintain the quality of our customer service.

Data used: 

Legal basis: Art. 6(1)(b) GDPR (Performance of Contract) and Art. 6(1)(f) GDPR (Legitimate interest in ensuring efficient support and quality control).

How it works: We use integrated customer support and live-chat platforms to manage our communications. To ensure a seamless support experience, we synchronize relevant account data (such as your email address and user ID) with these platforms, allowing our staff to identify your account and previous interactions immediately. To provide faster and more accurate assistance, we use AI-assisted tools that process the content of your inquiries to categorize issues, suggest relevant help articles, or generate response drafts for our staff. These AI tools operate within our secure support environment; your data is not used by the AI providers to train their general-purpose models.

Data Retention: Support interactions are generally associated with your account and are retained for the duration of your membership to provide continuity of service. They are deleted or anonymized when your account is closed, unless legal retention requirements (e.g., for commercial correspondence) apply.

Support contacts: 

– Lecturio.com: support@lecturio.com 

– Lecturio.de: support@lecturio.de

– Healer: healer@lecturio.com 

– SimTutor / SIMTICS: support@lecturio.com

For all customer support providers, see our Sub-processors List.

4.20 Legal Compliance and Enforcement

Purpose: To comply with statutory legal obligations (e.g., tax and commercial laws), respond to lawful requests from public authorities or law enforcement, and to establish, exercise, or defend our legal claims.

Data used: Any categories of personal data processed by us, but strictly limited to what is necessary for the specific legal requirement or dispute. This typically includes identity, billing, and contract data.

Legal basis: Art. 6(1)(c) GDPR (Compliance with a legal obligation) and Art. 6(1)(f) GDPR (Legitimate interest in the assertion and defense of legal claims).

Statutory Retention Periods:

4.21 Business Transfers and Restructuring

Purpose: In the event of a sale, merger, acquisition, or restructuring of any part of our business, personal data may be shared with potential acquirers or successors.

Data used: Relevant categories of personal data, strictly limited to what is necessary for the evaluation or execution of the transaction.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests in facilitating a lawful business transaction. Any potential acquirer is informed that it must use personal data only for the purposes disclosed in this Privacy Policy.

§5 Who We Share Your Data With

We share personal data only to the extent necessary for the purposes described in §4. The principal categories of recipients are:

Internal Staff: Authorized employees of Lecturio GmbH (and its subsidiaries where necessary for service delivery) who require access to perform their duties. All are subject to strict confidentiality obligations.

Data processors: Third-party service providers engaged under Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR. A current list of all processors and sub-processors is available in our Sub-processors List.

Payment processors: Financial institutions and PCI DSS-certified providers who handle secure transaction processing.

AI model providers: Providers of large language models used for our AI-powered features. These providers are contractually prohibited from using your data to train their general-purpose models.

Analytics and marketing providers: Tools used for web analytics, advertising measurement, and marketing communications, as described in §4.2 and §4.3.

Tutors: In the context of Lecturio Tutoring, assigned tutors receive access to the data necessary to conduct your sessions.

Supervisory authorities and law enforcement: Public bodies, courts, or law enforcement where required by applicable law, court order, or other legal process (see §4.20).

Potential acquirers: In connection with a proposed business transfer (see §4.21).

We do not sell personal data to third parties.

For details of specific providers, countries of operation, and transfer mechanisms, see the Sub-processors List.

§6 International Data Transfers

Lecturio GmbH is established in Germany and processes personal data primarily within the European Economic Area (EEA). However, some of our processors and sub-processors are based in, or process data in, countries outside the EEA — primarily the United States.

Transfers of personal data outside the EEA are only made where appropriate safeguards are in place pursuant to Chapter V of the GDPR:

Mechanism | Description
Adequacy decision | The European Commission has determined that the destination country ensures an equivalent level of protection (e.g. New Zealand, Japan, Canada, Israel, UK). No additional safeguards required.
Standard Contractual Clauses (SCCs) | European Commission-approved contract clauses that bind the transferring and receiving parties to GDPR-equivalent protections. Updated SCCs apply from 2021; further updated in Q2 2025.
Binding Corporate Rules (BCRs) | Approved intra-group transfer rules for multinational organisations.
EU-US Data Privacy Framework (DPF) | Adequacy decision for certified US companies (adopted July 2023). Applicable where the US recipient is DPF-certified.

We continuously monitor the legal landscape and update our transfer arrangements to reflect changes in law or guidance from supervisory authorities.

For a full list of all third-country recipients and the transfer mechanism applicable to each, see our Sub-processors List.

§7 Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, or for as long as required by applicable law. The following retention periods apply:

Data Category | Retention Period | Basis / Trigger
Account and identity data | Duration of membership, then deleted or anonymized | Account deletion request
Learning and progress data | Duration of membership, then deleted or anonymized | Account deletion request
User-generated content | Duration of membership; retained in anonymized form unless specific deletion requested | Account deletion or specific request
AI interaction data | Duration of membership, then deleted or anonymized | Account deletion request or specific request
Technical / log data (IP addresses) | 5 years | Rolling deletion; statutory limitation period (German civil law)
Workflow Automation Logs | 7 days | Automation
Support communications | Duration of membership / until ticket resolved; then deleted or anonymized | Membership termination or ticket closure
Payment records and invoices | 10 years | Statutory accounting and tax requirements (§ 147 AO, § 257 HGB)
Contractual documents | 8 years | Statutory accounting and tax requirements
Legal correspondence and dispute data | 6 years | Statutory limitation period
Claim-related data | 10 years | Statutory limitation period
Newsletter subscription and engagement data | Until unsubscribe / consent withdrawal | Consent withdrawal
Business Inquiry Data (No contract formed) | 1 year after last contact | Purpose termination (inactivity) OR deletion request
Business Inquiry Data (Contract formed) | Duration of contract + 8 years | Statutory limitation period
Candidate Data | 180 days | Automation

7.1 Account Deletion

You may request the deletion of your account and associated personal data at any time through the following methods:

Effect of Deletion: Upon processing your request, personal data is either permanently deleted or anonymized so that it can no longer be associated with you. Please note that certain data may be retained if we are subject to statutory retention obligations (e.g., for tax or accounting purposes) as described in the sections above.

§8 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our website. Upon your first visit, a Cookie Consent Banner allows you to manage your preferences.

Our Policy on Consent:

Cookie categories we use:

Category | Requires Consent | Description & Examples
Strictly Necessary | No | Essential for site security, load balancing, and remembering your privacy preferences.
Functional | Yes | Enables enhanced functionality and personalization, such as videos or live chat. (e.g., logged-in status, preference storage)
Performance / Analytics | Yes | Helps us understand how visitors interact with the site. (e.g., Google Analytics, Hotjar, Microsoft Clarity)
Targeting / Advertising | Yes | Used to deliver adverts more relevant to you and your interests. (e.g., TikTok Pixel, Meta Pixel, Google Ads, LinkedIn)

For a full list of all cookies (name, purpose, duration, provider) and the option to adjust your consent settings, see our Cookie Policy.

You can also manage cookies by: 

Please note that disabling certain cookies may affect the functionality of our services.

§9 Your Rights

As a data subject under the GDPR, you have the rights listed below. To exercise any of them, contact us at data-privacy@lecturio.com. We will respond within one month (extendable by two further months for complex or numerous requests, with prior notice).

We may need to verify your identity before processing your request. For manifestly unfounded or excessive requests, we reserve the right to charge a reasonable fee or refuse to act, in accordance with Art. 12(5) GDPR.

9.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether we process personal data concerning you and, if so, to receive a copy of that data along with information about how it is processed.

9.2 Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate personal data and completion of incomplete personal data concerning you.

9.3 Right to Erasure (Art. 17 GDPR)

You have the right to request deletion of personal data concerning you where: (a) it is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis; (c) you object and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) deletion is required by law.

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while you contest its accuracy or while an objection is being assessed.

9.5 Right to Data Portability (Art. 20 GDPR)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

9.6 Right to Object (Art. 21 GDPR)

You have the right to object at any time to processing based on Art. 6(1)(f) (legitimate interests). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes.

9.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

9.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Lecturio GmbH is:

Der Sächsische Datenschutzbeauftragte (Saxon Data Protection Commissioner)
Devrientstraße 5
01067 Dresden
Germany
Website: https://www.saechsdsb.de

You may also lodge a complaint with the supervisory authority of your EU member state of residence or place of work.

9.9 Unauthorized Account Registration

If an account has been registered on any of our platforms without your authorisation (e.g. using your email address without your knowledge), please notify us immediately at support@lecturio.com. We will delete the account without delay.

§10 Security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encryption of data in transit and at rest, access controls, staff training, and regular security assessments.

In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours where required under Art. 33 GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay under Art. 34 GDPR.

§11 Children

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent.

If you believe a child under 16 has provided us with personal data without appropriate consent, please contact us at data-privacy@lecturio.com and we will take steps to delete that data promptly.

§12 Third-Party Websites and External Links

Our websites and services may contain hyperlinks to external websites operated by third parties. These links are provided for convenience or to guide you to additional relevant information. This Privacy Policy does not cover external websites, as we do not control how they operate or how they handle personal data.

We do not intentionally transfer personal data to external websites through hyperlinks. However, when you visit an external website, it may independently collect certain technical data about you (such as your IP address via server log files). We recommend reviewing the privacy policy of any external website you visit.

§13 Changes to This Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our services, new features or technologies, changes in applicable law, or for other operational reasons.

When we make material changes, we will notify you through one or more of the following means: 

The date at the top of this document indicates when it was last updated. We encourage you to review this Policy periodically. Your continued use of our services after an update constitutes acknowledgement of the revised Policy.

Previous versions of this Privacy Policy are available on request by contacting data-privacy@lecturio.com.

§14 Contact Us and Governing Law

For any questions about this Privacy Policy or to exercise your rights, contact:

Data Protection Officer
Lecturio GmbH
Käthe-Kollwitz-Str. 1, 04109 Leipzig, Germany
Email: data-privacy@lecturio.com

This Privacy Policy is governed by and construed in accordance with the laws of the Federal Republic of Germany, in particular the GDPR as applicable in Germany and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

This document forms part of a document set. 

Related documents: 

Cookie Policy — full cookie inventory and consent management 
Sub-processors List — all third-party processors and transfer mechanisms