Privacy Policy

1. Introduction & Controller Identity

This Privacy Policy explains how kalyra (“we”, “us”, or “our”) collects, uses, and protects your personal data when you visit kalyra.school (the “Website”), when you submit a request through our forms, or when you interact with our educational offerings, including online courses, webinars, and structured learning programs.

The data controller responsible for processing your personal data is Kalyra Learning GmbH, Taunusanlage 8, Innenstadt, 60329 Frankfurt am Main, Germany. You can contact us at [email protected] or by phone at +49 69 153 25871.

We operate primarily from Germany and follow the requirements of the EU General Data Protection Regulation (GDPR) and applicable German and EU privacy laws. If we materially expand our processing into activities that require a designated Data Protection Officer (DPO), we will update this policy with DPO contact details.

Effective Date: March 12, 2026.

2. Personal Data We Collect

We collect personal data that you choose to provide, as well as certain technical information that is generated when you use the Website. The categories below describe what we may collect, depending on how you interact with us.

• Identity and contact data: name, email address, phone number (if provided), and related contact details.
• Form content: information you enter into a form, such as your preferred course format, the topics you are interested in, scheduling preferences, prerequisites you have completed, and any message you include.
• Technical data: IP address, browser type and version, device type, operating system, language settings, and approximate location derived from IP address.
• Usage data: pages viewed, time spent on pages, referral source, click paths, and interactions with features such as FAQ accordions or navigation elements.
• Cookies and identifiers: browser cookies, local storage signals, and similar identifiers as described in Section 4 and in our Cookie Policy.
• Conversion events: events that indicate a form submission or an interest selection, used for measurement and attribution when you have consented to analytics or marketing cookies.

We do not intentionally collect special-category data (such as health information, biometric data, religion, or political opinions), financial account details, or government-issued identifiers through this Website. Please do not submit such information in free-text fields.

3. Why We Process Your Data & Legal Basis

We process personal data only when we have a valid legal basis under GDPR Article 6. The legal basis depends on the purpose and your interaction with the Website.

• Contact and enrollment requests: to respond to your request, confirm cohort availability, and provide pricing and schedule information. Legal basis: GDPR Art. 6(1)(b) (steps prior to entering a contract) and Art. 6(1)(a) (consent) where you explicitly consent to be contacted.
• Analytics: to understand how visitors use the Website and to improve usability and content. Legal basis: GDPR Art. 6(1)(a) (consent).
• Marketing and remarketing: to measure advertising effectiveness and build audiences for relevant campaigns. Legal basis: GDPR Art. 6(1)(a) (consent).
• Security and fraud prevention: to protect the Website, detect abuse, and maintain availability. Legal basis: GDPR Art. 6(1)(f) (legitimate interests).
• Legal obligations: where required to comply with applicable laws, legal process, or enforceable requests. Legal basis: GDPR Art. 6(1)(c).

Automated decision-making (GDPR Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.

4. Cookies & Tracking Technologies

We use cookies and related technologies to operate the Website, understand performance, and (with consent) measure and improve advertising. Cookies are small files stored on your device by your browser. Some cookies are first-party (set by our Website) and some are third-party (set by service partners).

Our cookie categories align with the choices available in the cookie preferences panel and with our Cookie Policy.

Essential (always active)

Essential cookies are required for the Website to function. They include identifiers such as _site_session for session continuity and cookie_consent to store your consent choices. Where applicable, we may also use security-related cookies such as CSRF tokens. Retention varies from session to up to 12 months, depending on the cookie.

Analytics (requires consent)

If you opt in to analytics cookies, we may use Google Analytics 4 (GA4) with IP anonymization to understand aggregated traffic and usage patterns. Example cookies include _ga (2 years) and _ga_XXXXXXXXXX (2 years). We use analytics insights to improve navigation clarity, content structure, and performance. Data retention for analytics reports is typically set to 14 months.

Marketing (requires consent)

If you opt in to marketing cookies, we may use tools such as Google Ads and Meta Pixel to measure ad performance, attribute conversions, and build audiences (including remarketing and lookalike audiences). Example cookies include _gcl_au (90 days), _fbp (90 days), and _fbc (90 days when a click identifier is present).

In addition to cookies, marketing measurement can involve pixel tags and server-side event delivery. If implemented, server-side measurement may use hashed identifiers (such as a hashed email address) to improve attribution accuracy. Hashing does not make personal data anonymous, but it reduces exposure in transit.

5. Consent (EEA/UK)

Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your choice is recorded in the cookie_consent browser cookie, typically for 12 months.

You can withdraw or adjust consent at any time via the “Manage cookie preferences” link in the footer, or by clearing cookies in your browser settings. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.

6. Sharing With Advertising & Service Partners

We share personal data only as needed to operate the Website, respond to requests, and (with consent) measure analytics and advertising performance. We do not sell personal data.

• Google LLC (GA4, Google Ads, Google Tag Manager, remarketing): cookie identifiers, usage data, conversion events, and audience list signals when consented. Privacy policy.
• Meta Platforms (Pixel, Custom Audiences, Lookalike Audiences, Conversion API): page view events, conversions, audience membership, and hashed identifiers where implemented and consented. Privacy policy.
• Cloudflare (CDN and security): IP-based threat detection and performance routing. Privacy policy.

We do not permit these providers to use Website data for their own independent commercial purposes. Their use is limited to providing services to us and subject to contractual controls.

7. International Transfers

Some service providers may process data outside the EEA/UK, including in the United States. When transfers occur, we rely on appropriate safeguards, which may include the EU–US Data Privacy Framework (since July 2023), the UK Extension to the DPF, and/or the Swiss–US DPF where applicable. Where needed, we also use Standard Contractual Clauses (EU 2021/914) and the UK International Data Transfer Agreement (IDTA) as fallback mechanisms.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer retention period is required by law.

• Contact and enrollment submissions: typically up to 2 years from the last interaction.
• Analytics data: typically 14 months in reporting configuration, plus cookie lifetime as described.
• Marketing cookies: per cookie lifetime (often 90 days), unless you change consent sooner.
• Email correspondence: for the duration of the relationship, plus up to 1 year for operational continuity.
• Server logs: typically 90 days for security and troubleshooting.
• Cookie consent record: up to 3 years for audit and compliance evidence.
• Legal and tax records: where applicable, retained as required by law (often 6–10 years for invoices and accounting records).

9. Your Rights (GDPR & UK GDPR)

If GDPR or UK GDPR applies to your data, you may have the following rights, subject to legal limits and exemptions:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent at any time (Art. 7(3))
• Right to lodge a complaint with a supervisory authority (Art. 77)

To exercise a right, email [email protected]. We aim to respond within 30 days, and may extend by up to 60 additional days for complex requests, as permitted by law.

Supervisory authority references: EU guidance at edpb.europa.eu, UK at ico.org.uk, Germany at bfdi.bund.de, France at cnil.fr, Poland at uodo.gov.pl, Spain at aepd.es.

10. Children

This Website is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have received personal data from a child under 16 without verifiable parental consent, we will delete that data promptly.

11. Do Not Track

This Website does not respond to Do Not Track (DNT) browser signals. Third-party providers may have their own handling of DNT and similar signals.

12. Data Deletion Requests

You can request deletion of your personal data by emailing [email protected] with the subject line “Data Deletion Request”. We may ask for information to verify your identity before fulfilling the request. We aim to complete verified deletion requests within 30 days, unless we must retain certain information to comply with legal obligations.

13. Business Transfers

In the event of a merger, acquisition, asset sale, financing, reorganization, insolvency, or similar transaction, personal data may be transferred to a successor or affiliate as part of that transaction. If such a transfer materially changes how your data is used, we will provide notice on the Website.

14. California Privacy Notice (CCPA/CPRA)

This section is provided for transparency for visitors from California. In the past 12 months, we may have collected the following categories of personal information: identifiers (such as name, email, IP address, and cookie identifiers), internet or other electronic network activity (such as page views and interactions), and inferences (such as preferences derived from browsing behavior) where marketing cookies are enabled.

We do not sell personal information as defined by CCPA. We may share personal information for cross-context behavioral advertising when you opt in to marketing cookies. California residents may opt out by disabling marketing cookies in our cookie preferences panel.

California rights may include: the right to know, delete, correct, opt out of sale/sharing, and non-discrimination. To submit a request, email [email protected] with the subject “California Privacy Request”. We will verify your request as required by law. Authorized agents may submit requests with written proof of authorization.

15. Virginia Privacy Notice (VCDPA)

For visitors from Virginia, rights may include access, correction, deletion, data portability, and the ability to opt out of targeted advertising. We do not sell personal data and we do not engage in profiling that produces legal or similarly significant effects.

To submit a request, email [email protected] with the subject “Virginia Privacy Request”. If we deny a request, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days where required.

16. Nevada Notice

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

17. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes to our practices, legal requirements, or service providers. If a change is material, we will provide a notice on the homepage at least 14 days before the changes take effect, where feasible. The “Last Updated” date at the top of this page indicates when this policy was last revised.

18. Contact

If you have questions about this Privacy Policy or how we handle personal data, contact:

Kalyra Learning GmbH
Taunusanlage 8, Innenstadt, 60329 Frankfurt am Main, Germany
Email: [email protected]
Phone: +49 69 153 25871