Legal

Privacy Policy

Last updated: December 2025

English working translation. The German version is the legally binding original.

1. Definitions

This privacy policy uses the terminology of the EU General Data Protection Regulation (GDPR). The key definitions:

  • Personal data: any information relating to an identified or identifiable natural person.
  • Data subject: any natural person whose personal data is processed.
  • Processing: any operation performed on personal data, whether automated or not.
  • Restriction of processing: marking stored personal data to limit its future processing.
  • Controller: the entity that determines the purposes and means of processing.
  • Processor: an entity that processes personal data on the controller's behalf.
  • Consent: a freely given, specific, informed and unambiguous indication of agreement.

2. Name and address of the controller

Study Core UG (haftungsbeschränkt) i. Gr.
Pastor-Boelitz-Straße 9
46483 Wesel, Germany
Management: Marcel Schmidtpeter and Vladlena Elis
Phone: 015679719524
E-mail: contact@study-it.education

3. Data security

This website uses TLS encryption to protect the transmission of confidential content. An encrypted connection is recognisable in the browser address bar (switch from "http://" to "https://" and a lock icon). Data transmitted via TLS cannot be read by third parties.

4. Collection of general data

Each time the website is accessed, general data is logged in server log files:

  • browser types and versions used
  • the operating system used by the accessing system
  • the referrer website
  • the sub-pages accessed
  • date and time of access
  • IP address
  • internet service provider of the accessing system

This data is used for correct content delivery, optimisation and IT-system security. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

5. Rights of the data subject

  • Right to confirmation of whether personal data is being processed
  • Right of access and to receive a copy of the data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability (structured, machine-readable format)
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the supervisory authority

6. Contact via the website

If you contact us by e-mail or via a contact form, the personal data you submit is stored automatically and processed to respond to your request. Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interest), Art. 6(1)(b) GDPR (pre-contractual measures).

7. Registration

When registering, the personal data entered is stored along with the IP address, date and time of registration in order to prevent misuse of the services. Legal basis: Art. 6(1)(a) or (b) GDPR.

8. Appointment booking

For managing and organising appointments we process name, e-mail address and phone number. Legal bases: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(f) GDPR (legitimate interest), Art. 6(1)(a) GDPR (consent).

Bookings run on Wix.com Ltd. A processing agreement is in place.

9. Online tutoring

Study Core arranges online tutoring between customers and independent tutors who are not employed by Study Core. Personal data of the contracting party and the student is processed. Legal bases: Art. 6(1)(a) GDPR (consent for voluntary participation) and Art. 6(1)(b) GDPR (contract-based packages).

Lessons run on a self-developed video conferencing solution. Video, audio and chat data and IP addresses are processed solely for delivering the lesson and are not passed to third parties.

The tutor is given the student's name, the subject and session details. Tutors are contractually bound to comply with data-protection law.

10. AI-supported services

Study Core uses AI technologies to deliver the tutoring service. By booking and accepting the terms, you consent to the use of these AI features.

10.1 Audio recording and transcription

Audio data (participants' voices), video data, automatic transcripts (via OpenAI Whisper) and timestamps/metadata are processed. The data is used for learning logs, summaries, review of material and quality assurance. Access: customer / legal guardian, tutor, authorised Study Core staff.

10.2 AI summaries and learning logs

The AI generates automatic summaries of lesson content as learning logs for efficient review.

10.3 Progress analysis and personalised recommendations

The AI analyses learning progress, lesson content, completed exercises and learning behaviour to provide personalised materials and practice recommendations.

10.4 AI task correction and feedback

Submitted tasks are corrected automatically and supplied with feedback, enabling fast responses on progress.

10.5 Image analysis

Uploaded images (homework, worksheets, handwritten notes) may be analysed by AI to answer questions, identify mistakes or provide explanations.

10.6 Translation features

AI-supported translation features make learning content available in different languages and support multilingual students.

10.7 Chatbot

An AI-supported chatbot answers questions about our services, supports navigation and explains learning content. Inputs and technical data are processed when used.

10.8 AI service providers

Primary provider: OpenAI, L.L.C. (3180 18th Street, San Francisco, CA 94110, USA). Whisper is used for speech recognition / transcription; GPT models for text analysis, summaries and chatbot functions. Possible future providers: Amazon Web Services or self-hosted models. A processing agreement is in place with OpenAI; data is not used to train OpenAI's models.

10.9 Transfer to the USA

Use of OpenAI involves transferring data to US servers. OpenAI is certified under the EU-US Data Privacy Framework; additional EU Standard Contractual Clauses are in place. Note: the USA is a third country; US authorities could obtain access under US law.

10.10 Retention period

Audio, transcripts, summaries and other AI-generated data are stored for the duration of the contract and 24 months after contract termination. The contract ends when a package expires without renewal or when the account is deleted.

10.11 Legal basis

Art. 6(1)(b) GDPR (contract performance) for the AI-supported services; Art. 6(1)(f) GDPR (legitimate interest) for data used for quality assurance.

11. Hosting and technical service providers

Various technical service providers process personal data on our behalf. Processing agreements under Art. 28 GDPR are in place with each.

11.1 Wix (website hosting)

Wix.com Ltd., 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel. Website operation, appointment bookings, newsletter. Processing on servers in different countries (USA, Israel) under EU Standard Contractual Clauses. Fonts are loaded from Wix servers, not external third parties.

11.2 Vercel (meeting-app hosting)

Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Hosting the meeting app; serverless functions run in the EU region. Technical data (IP, browser type, device info, usage data) is processed. Legal bases: Art. 6(1)(b) and (f) GDPR.

11.3 Supabase (database)

Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992. Database in AWS region eu-central-1 (Frankfurt). Stored: account data, bookings, lesson and progress data, transcripts and summaries. Legal basis: Art. 6(1)(b) GDPR.

11.4 Clerk (authentication)

Clerk Inc., 660 4th Street #406, San Francisco, CA 94107, USA. Processed: e-mail address, encrypted password, name (if provided), IP address, login timestamps. Clerk is certified under the EU-US Data Privacy Framework; EU Standard Contractual Clauses in place. Legal basis: Art. 6(1)(b) GDPR.

11.5 GetStream.io (live streaming / chat)

Stream.io Inc., 2093 Philadelphia Pike #5765, Claymont, DE 19703, USA. Processing in the EU region (Dublin). Processed: video and audio data during live streaming, chat messages, user identifiers and technical connection data. Legal basis: Art. 6(1)(b) GDPR.

11.6 Sentry (error monitoring)

Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. Data stored in the EU (EU Data Residency). Captured: error messages, stack traces, browser/device info, URL, timestamp and anonymised user identifiers. Legal basis: Art. 6(1)(f) GDPR.

11.7 Server locations

EU/Germany: Supabase (Frankfurt), Vercel (EU), GetStream.io (Dublin), Sentry (EU). USA: Clerk, OpenAI. Israel/USA: Wix. For all third-country transfers, EU Standard Contractual Clauses and/or EU-US Data Privacy Framework certifications are in place.

12. Satisfaction survey

After an online tutoring session, an optional voluntary satisfaction survey may be offered via link. Provider: Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) via Google Forms. Responses and technical data (IP, browser type) are transmitted to Google and stored on Google servers (possibly in the USA). Legal bases: Art. 6(1)(a) and (f) GDPR.

13. Blog

Study Core allows comments on blog posts. Stored and published: comment text, timestamp, chosen username (pseudonym) and the IP address of the internet service provider.

The IP address is logged for security reasons in case of legal violations or unlawful content. It is not passed to third parties unless required by law or to defend legal claims. Legal bases: Art. 6(1)(a) and (f) GDPR.

14. Tutor applications

Interested tutors can apply via an application form. Collected: name, e-mail address and message. The data is used exclusively for processing the application and deleted after the process concludes: at the latest six months after rejection. Legal bases: Art. 6(1)(b) and (f) GDPR.

15. Newsletter

For newsletter subscription, personal data is collected via an input form. We use double opt-in: a confirmation e-mail is sent to the address entered. Unsubscription is possible at any time. Service: Wix.com Ltd. with a processing agreement. Legal basis: Art. 6(1)(a) GDPR.

16. Cookies and local storage

Cookies are text files stored on a computer via a browser. They enable user-friendly services and the optimisation of content and offers. The Wix platform sets technically necessary cookies by default to ensure functionality. Browser settings can be used to prevent or limit cookie use. Legal basis: Art. 6(1)(f) GDPR.

When you fill out the booking form, we store your name, email address, phone number and billing address locally in your browser (Local Storage, key studyit:contactDraft:v1) so the fields are prefilled on your next booking. The data is never transmitted to our servers and does not leave your device. You can remove the entry at any time via the "Clear saved details" button on the booking form or through your browser settings. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a more convenient re-booking experience).

17. Web analytics and marketing

17.1 Umami (reach measurement)

Privacy-friendly web-analytics tool. No cookies are set and no IP addresses are stored; analysis is fully aggregated and anonymised. Captured: pages visited, time on page, screen size, browser, OS and country of origin (country level only). No linkage to other data takes place. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in needs-based website design). Provider: Umami Software, Inc. (when using Umami Cloud) or the controller itself (when self-hosted).

17.2 Google Analytics 4 (consent required)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics 4 is loaded only after explicit consent via our cookie banner (Google Consent Mode v2, default status "denied"). Captured: device and browser information, truncated IP address, pages visited, time on page, and interaction events during the booking and sign-up flow (e.g. selecting a package or a time slot). Transmission to Google in the USA is based on the EU-US Data Privacy Framework and supplementary standard contractual clauses. Retention: 14 months. Legal basis: Art. 6(1)(a) GDPR (consent), revocable any time via the "Cookie settings" button in the footer.

17.3 Google Ads & Enhanced Conversions (consent required)

Provider: Google Ireland Limited (see above). To measure the effectiveness of online ads we use Google Ads conversion tracking. If you reach our website via a Google ad and subsequently complete a booking, a conversion cookie is set and a conversion ping is transmitted to Google. This lets us know that an ad was clicked and a specific action was taken; we receive no information that personally identifies you.

Additionally we use the Enhanced Conversions for Web feature. The contact details you provide in the booking form (email, phone number, first and last name, billing address) are SHA-256 hashed in your browser and then transmitted together with the conversion to Google. Google uses these hash values exclusively to match against its own, equally hashed, account records in order to improve ad measurement. Plain-text data never leaves your browser. Transmission only takes place if you have previously consented to marketing cookies. Conversion-data retention at Google: up to 540 days. Legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR.

Server-side conversion transmission: in addition, on a successful booking the conversion ping may be sent server-side via the Google Measurement Protocol to make measurement more reliable. Deduplication is performed via the transaction ID; the same data categories as above are processed. This also only takes place where consent has been granted.

You can revoke your consent at any time via the "Cookie settings" button in the footer. For further information see Google's privacy notice at https://policies.google.com/privacy.

18. Payment providers

18.1 Stripe

Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA or Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. When Stripe is selected, payment data (card number, cardholder, expiry) is transmitted as required to process the payment. Legal basis: Art. 6(1)(b) GDPR.

18.2 PayPal

PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. When PayPal is selected, user data (name, address, e-mail, IP, phone number etc.) is automatically transmitted. Legal basis: Art. 6(1)(b) GDPR.

19. Social-media links

The website contains links to our profiles on Facebook, Instagram, YouTube, TikTok, Pinterest, LinkedIn, Threads and Xing. A connection to the respective platform is only established when you click the link; no data is transmitted to the operator before that. After the click, the platform's privacy policy applies.

20. WhatsApp

Contact option via WhatsApp (WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). Processed: message content, name, phone number and optional profile picture. Communication is end-to-end encrypted. WhatsApp processes metadata (timestamps, phone numbers). Legal basis: Art. 6(1)(a) GDPR.

21. Routine deletion and blocking

The controller processes and stores personal data only as long as necessary for the storage purpose or as required by law. Once the purpose lapses or the retention period expires, the data is routinely blocked or deleted in accordance with statutory rules.

22. Automated decision-making

No automated decision-making or profiling within the meaning of Art. 22 GDPR with legal or similarly significant effect takes place. The AI-supported analyses described in section 10 serve only to support the learning process; the final assessment of progress is made by the tutor.

23. Changes to this policy

This privacy policy is updated occasionally: for example, due to changes in the law or to our services (e.g. new services or AI features). The version current at the time of your visit applies.