Data Controller
The data controller responsible for processing your personal data is:
As data controller, Leviq determines the purposes and means of processing your personal data and is responsible for ensuring that processing complies with the GDPR and applicable national data protection legislation.
Personal Data We Collect
2.1 Data You Provide Directly
| Category | Data Elements | Collected When |
|---|---|---|
| Account Data | Full name, email address, password (hashed), role (learner/instructor) | Registration |
| Profile Data | Bio, skill level, learning goals, interests, specialty, years of experience, website, LinkedIn URL, teaching philosophy | Profile setup |
| Payment Data | Transaction ID, amount, currency, payment status (card details processed by Stripe — not stored by Leviq) | Course purchase |
| Course Content | Video files, lesson titles, course descriptions, learning objectives, target audience information | Instructor upload |
| Communications | Messages sent to support, dispute correspondence, feedback | User-initiated |
2.2 Data Generated by Your Use of the Platform
| Category | Data Elements |
|---|---|
| Activity Data | Course enrollments, lessons watched, quiz attempts, quiz answers and results, learning progress |
| Technical Data | IP address, browser type and version, operating system, device type, referral URL, time zone |
| Log Data | Access logs, error logs, session identifiers, timestamps of Platform interactions |
| Video Analytics | Video play events, completion rates (anonymised aggregates for instructors) |
2.3 Data from Third Parties
We may receive limited personal data from payment processors (Stripe) confirming transaction completion, and from authentication providers if you use social login.
Purposes of Processing & Legal Basis
The GDPR requires that every processing activity has a valid legal basis. The table below sets out the purposes for which we process your data and the corresponding legal basis under Article 6 GDPR.
| Purpose | Data Used | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Account creation & management | Account data, profile data | Art. 6(1)(b) — performance of contract |
| Course delivery & streaming | Account data, enrollment data, activity data | Art. 6(1)(b) — performance of contract |
| Payment processing & fraud prevention | Payment data, account data, IP address | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest (fraud prevention) |
| AI quality verification of course content | Course video files, transcripts | Art. 6(1)(b) — contract (instructor); Art. 6(1)(f) — legitimate interest (platform quality) |
| Knowledge Check quiz & personalised learning | Quiz answers, quiz results, activity data | Art. 6(1)(b) — contract; Art. 6(1)(a) — consent (where applicable) |
| Video watermarking | Email address, access timestamp | Art. 6(1)(f) — legitimate interest (content protection & piracy prevention) |
| Platform security & abuse prevention | Log data, technical data, activity data | Art. 6(1)(f) — legitimate interest (platform security) |
| Customer support | Account data, communications | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest |
| Legal compliance & record keeping | Transaction data, account data | Art. 6(1)(c) — legal obligation (VAT, accounting, consumer law) |
| Marketing communications | Email address, name, interests | Art. 6(1)(a) — consent (opt-in required; withdrawable at any time) |
| Platform analytics & improvement | Anonymised/pseudonymised usage data | Art. 6(1)(f) — legitimate interest |
3.1 Legitimate Interests Assessment
Where we rely on Art. 6(1)(f) GDPR (legitimate interests), we have carried out a balancing test and concluded that our legitimate interests are not overridden by your rights and freedoms, taking into account the limited intrusiveness of the processing, the reasonable expectations of users of an e-learning platform, and the safeguards we have put in place. You may request a copy of our legitimate interests assessment by contacting [email protected].
AI Processing & Automated Decision-Making
4.1 AI Systems Used
Leviq uses AI-powered processing in the following ways:
- Video Transcription: Uploaded course videos are transcribed using OpenAI's Whisper API. The transcript is stored and used for quality assessment and quiz generation.
- Quality Assessment: Video and transcript content is analysed by AI models (OpenAI GPT-4o-mini) to produce quality scores assessing teaching clarity, content depth, and alignment with course objectives.
- Quiz Generation: Video transcripts are processed by AI to generate comprehension questions for learners.
- Answer Evaluation: Learner quiz responses are evaluated by AI to assess comprehension and generate personalised explanations.
4.2 Article 22 GDPR — Automated Decision-Making
The AI quality assessment system produces scores that influence whether an instructor's course is published ("AI Verified" status). This constitutes automated processing that produces significant effects on Instructors. In accordance with Article 22 GDPR, Instructors have the right to:
- Request human review of any AI quality decision;
- Express their point of view regarding the automated decision;
- Contest the decision by contacting [email protected].
Learner Knowledge Check quiz evaluations do not produce legal or similarly significant effects — they are educational tools — and therefore do not engage Article 22 rights.
4.3 Third-Party AI Processor
OpenAI, Inc. (USA) processes certain data as a sub-processor under a Data Processing Agreement compliant with Chapter V GDPR (see Article 7 on International Transfers). OpenAI processes content solely to provide the API service; it does not train its models on data submitted via API by default, in accordance with its API data usage policies.
Cookies & Tracking Technologies
5.1 Types of Cookies Used
| Cookie Type | Purpose | Legal Basis | Duration |
|---|---|---|---|
| Strictly Necessary | Session management, CSRF protection, authentication | Art. 6(1)(b) — contract; exempt from consent under ePrivacy Directive Art. 5(3) | Session / up to 14 days |
| Functional | Language preferences, UI settings | Art. 6(1)(a) — consent | Up to 12 months |
| Analytics | Platform usage statistics, performance monitoring | Art. 6(1)(a) — consent | Up to 13 months |
| Marketing | Currently not used | N/A | N/A |
5.2 Cookie Consent
Non-essential cookies require your prior, informed, and freely given consent in accordance with Article 5(3) of the ePrivacy Directive (2002/58/EC) and GDPR. You may withdraw consent at any time through our cookie preference centre or by clearing your browser cookies.
5.3 Do Not Track
We respect browser-level "Do Not Track" signals where technically feasible.
Data Sharing & Disclosure
6.1 We Do Not Sell Your Data
Leviq does not sell, rent, or trade your personal data to third parties for commercial purposes.
6.2 Service Providers (Data Processors)
We share data with carefully selected third-party processors who provide services on our behalf, bound by Data Processing Agreements under Article 28 GDPR:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Transaction data, email | USA (SCCs) |
| OpenAI, Inc. | AI transcription & evaluation | Video audio, transcripts, quiz answers | USA (SCCs) |
| Cloud Hosting Provider | Infrastructure & database hosting | All platform data | EU/EEA preferred |
6.3 Legal Disclosure
We may disclose personal data where required by law, court order, or regulatory authority, including to comply with EU member state law, prevent fraud, or protect the rights and safety of users.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to the same privacy protections. You will be notified with at least 30 days' advance notice before your data becomes subject to a different privacy policy.
6.5 Aggregated & Anonymised Data
We may share aggregated, anonymised statistics about Platform usage with third parties (e.g., investors, business partners). Such data cannot reasonably be used to identify you.
International Data Transfers
Some of our processors are located outside the European Economic Area (EEA), including in the United States. Such transfers are safeguarded by one or more of the following mechanisms pursuant to Chapter V GDPR:
- Standard Contractual Clauses (SCCs) — EU Commission implementing decisions 2021/914/EU for controller-to-processor transfers;
- Adequacy Decision — where the European Commission has determined the recipient country provides adequate protection;
- Supplementary Technical Measures — encryption, pseudonymisation, and access controls where SCCs alone may be insufficient.
You may obtain a copy of applicable transfer safeguards by contacting [email protected].
Data Retention Periods
| Data Category | Retention Period | Reason |
|---|---|---|
| Account & profile data | Duration of account + 3 years after closure | Dispute resolution; legal claims limitation period |
| Course enrollment records | 7 years after course completion | VAT compliance; consumer rights claims |
| Payment records | 10 years | EU accounting and tax law obligations |
| Video content (instructor) | Until removed by instructor + 90 days (backup) | Contractual obligations; backup recovery |
| AI transcripts | Linked to course lifetime | Quiz generation; quality assessment |
| Quiz attempts & results | Duration of account | Learning progress tracking |
| Security & access logs | 12 months | Security investigation; fraud detection |
| Marketing consent records | 3 years after withdrawal of consent | Demonstrating compliance with consent obligations |
| Support communications | 3 years after resolution | Dispute resolution; quality assurance |
Data is securely deleted or irreversibly anonymised at the end of the applicable retention period, unless a longer period is required by applicable law.
Your Data Subject Rights
Under the GDPR (Articles 15–22), you have the following rights regarding your personal data:
Right of Access (Art. 15)
Obtain a copy of all personal data we hold about you and information about how it is processed.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data concerning you.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten") where it is no longer necessary, consent is withdrawn, or processing is unlawful.
Right to Restriction (Art. 18)
Request that we restrict processing of your data while accuracy is contested or an objection is pending.
Right to Portability (Art. 20)
Receive your data in a structured, machine-readable format and transmit it to another controller, where processing is based on consent or contract.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing purposes at any time.
Automated Decision Rights (Art. 22)
Not be subject to solely automated decisions with significant effects without human review, as set out in Article 4 of this Policy.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
9.1 How to Exercise Your Rights
Submit a written request to [email protected], including sufficient identification. We will respond within one month of receipt (extendable by two further months for complex requests, with prior notification). Rights requests are processed free of charge unless manifestly unfounded or excessive.
9.2 Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. You may contact the supervisory authority in your EU member state of habitual residence, place of work, or the location of the alleged infringement. A list of EU supervisory authorities is available at https://edpb.europa.eu.
Children's Privacy
The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent, in accordance with Article 8 GDPR.
If you are a parent or guardian and believe your child has provided personal data to us without appropriate consent, please contact [email protected] immediately. We will take prompt steps to delete such data.
Where the Platform is used by individuals aged 16–18, we rely on verifiable parental/guardian consent and apply additional safeguards including restricted data collection and enhanced privacy defaults.
Data Security
Leviq implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR. These measures include:
- Encryption of data in transit using TLS 1.2 or higher;
- Encryption of sensitive data at rest (passwords are hashed using strong algorithms; payment data is not stored);
- Access controls based on the principle of least privilege;
- Regular security assessments and penetration testing;
- Video content protected by user-specific watermarking and access-controlled streaming;
- Staff training on data protection and information security;
- Incident response procedures compliant with Art. 33–34 GDPR notification requirements (72-hour supervisory authority notification; user notification without undue delay where required).
Notwithstanding these measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet. You are encouraged to report any suspected security vulnerabilities to [email protected].
Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our processing activities, legal obligations, or regulatory guidance. Material changes will be communicated by email to your registered address at least 30 days before they take effect, with a prominent notice on the Platform.
The "Last Updated" date at the top of this page reflects the date of the most recent revision. We encourage you to periodically review this Policy. Continued use of the Platform after the effective date of changes constitutes acceptance of the revised Policy, to the extent permitted by applicable law.
Contact & Data Protection Officer
For any queries, rights requests, or concerns regarding this Privacy Policy or our data processing activities:
Privacy Enquiries
[email protected]
Response within 5 business days
Data Protection Officer
[email protected]
For GDPR rights & complaints
Security Concerns
[email protected]
Data breaches & vulnerabilities
Supervisory Authority
edpb.europa.eu
EU data protection board
Also see: Terms of Service