Privacy Policy
Last Updated: March 12, 2026
1. Introduction & Controller Identity
This Privacy Policy explains how avoryx (“we”, “us”) collects, uses, shares, and protects personal data when you visit our website at avoryxlearning.com (the “Site”), or when you contact us to request information about online courses, webinars, and educational programs. We aim to keep this policy practical and readable. If you have questions, you can contact us using the details in Section 18.
Data Controller: Avoryx Learning GmbH, Balanstraße 73, Gebäude 15, 81541 Munich, Germany. Contact email: [email protected]. For most uses described in this policy, Avoryx Learning GmbH determines the purposes and means of processing and is therefore the data controller under the GDPR and UK GDPR.
We do not appoint a Data Protection Officer (DPO) as a matter of course. If our processing changes and a DPO becomes mandatory, we will update this policy and provide DPO contact details.
Effective Date: March 12, 2026.
2. Personal Data We Collect
We collect the minimum data needed to operate the Site, respond to requests, and (where you consent) measure performance and show relevant educational offers. The specific data we process depends on how you interact with the Site.
- Identity and contact data: name, email address, and phone number if you choose to provide it.
- Form content and messages: information you type into our forms, such as program interest (for example, English, Chinese, Arabic, AI, programming, digital skills) and any message describing goals, preferred dates, or context.
- Technical data: IP address, browser type and version, device type, operating system, language preference, and approximate location inferred from IP (typically at city level).
- Usage data: pages viewed, time spent, scrolling and click paths, referrer URLs, and other signals that help us understand how content is used.
- Cookies and identifiers: values stored in cookies or similar technologies, including a cookie consent record and, where consent is given, analytics and marketing identifiers.
- Conversion and event data: events such as form submissions, page views, and session interactions that help us measure performance and attribution.
We do not intentionally collect special-category data (such as health information, religious beliefs, political opinions), financial account details, or government identification numbers through the Site. Please do not include such information in messages. If you submit it anyway, we will process it only to the extent necessary to respond and to protect our systems, and we may delete it when appropriate.
3. Why We Process Personal Data & Legal Basis (GDPR Art. 6)
We process personal data only where we have a legal basis. The bases below apply primarily to users in the EEA and UK, but we apply the same principles more broadly.
Contact and admissions inquiries
Purpose: to respond to requests for schedules, registration steps, and program details; to recommend an appropriate course track; and to follow up on your inquiry. Legal basis: GDPR Art. 6(1)(b) (steps at your request prior to entering a contract) and/or Art. 6(1)(a) (consent, where required by local law or where you explicitly request contact and provide optional details).
Analytics (Site measurement and improvement)
Purpose: to understand how the Site is used (for example, which pages help learners find the right program), to diagnose content issues, and to improve navigation. Legal basis: GDPR Art. 6(1)(a) (consent). Analytics cookies and tags are activated only after you provide consent via our cookie controls.
Marketing and advertising measurement
Purpose: to measure ad performance, attribute conversions, and show relevant educational offers to people who expressed interest in programs. Legal basis: GDPR Art. 6(1)(a) (consent). Marketing cookies and tags are activated only after consent.
Security, fraud prevention, and service reliability
Purpose: to protect the Site from abuse, prevent spam submissions, detect malicious behavior, and maintain availability. Legal basis: GDPR Art. 6(1)(f) (legitimate interests). We balance our interests against users’ rights and use proportionate measures.
Legal obligations
Purpose: to comply with legal requirements (for example, responding to lawful requests and maintaining records where required). Legal basis: GDPR Art. 6(1)(c) (legal obligation).
Automated decision-making (GDPR Art. 22)
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects for individuals.
4. Cookies & Tracking
Cookies are small text files stored on your device. We also use similar technologies (such as pixel tags) that can transmit signals when you load pages. Our cookie categories match our Cookie Policy and the controls available in the Site footer (“Manage cookie preferences”).
Essential (always active)
These cookies are required for basic site functionality and security. They include: _site_session (session continuity) and cookie_consent (stores your cookie preference choice). They may also include anti-forgery tokens and request integrity mechanisms. Retention: session to 12 months, depending on the cookie.
Analytics (consent required)
When enabled, analytics helps us understand usage patterns such as which pages are visited, how long sessions last, and how users navigate. We use Google Analytics 4 (GA4) with IP anonymization where available. Example cookies include _ga (2 years) and _ga_XXXXXXXXXX (2 years). Analytics data retention is set to 14 months.
Marketing (consent required)
When enabled, marketing cookies and tags support conversion attribution, remarketing, and audience building (such as lookalike audiences). Example cookies include _gcl_au (Google Ads, 90 days), _fbp (Meta, 90 days), and _fbc (Meta click identifier, 90 days when a click ID is present).
Beyond cookies
Some measurement relies on pixel tags and server-side events. When implemented, these may send conversion events (for example, a completed form) and may include hashed identifiers (such as a hashed email address) to improve attribution. We use these technologies only when you have provided the relevant cookie consent. Device identifiers may also be inferred from IP address and User-Agent strings for fraud prevention and security.
5. Consent (EEA/UK)
Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Your choice is recorded in the cookie_consent browser cookie (12 months).
You can withdraw consent at any time using “Manage cookie preferences” in the footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
6. Sharing With Advertising & Service Partners
We share personal data with service providers when needed to run the Site and respond to requests. We do not sell personal data. Where partners process data for measurement or advertising, they act as service providers/processors and are restricted by contractual terms and technical controls.
- Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing where enabled): cookie identifiers, usage data, conversion events, and audience signals, depending on consent settings.
- Meta Platforms (Meta Pixel, Custom/Lookalike Audiences, Conversion API where enabled): page views, conversion events, audience membership signals, and hashed identifiers where configured, depending on consent.
- Cloudflare (CDN and security services): IP addresses and request metadata to provide content delivery, DDoS protection, and threat detection.
We do not permit these providers to use site data for their own independent commercial purposes.
7. International Transfers
Some providers process data outside the EEA/UK, including in the United States. When personal data is transferred internationally, we rely on lawful transfer mechanisms, including the EU–US Data Privacy Framework (DPF) where applicable, the UK Extension to the DPF, the Swiss–US DPF (where relevant), and Standard Contractual Clauses (EU 2021/914) as a fallback. For UK transfers, the UK International Data Transfer Agreement (IDTA) may be used as a fallback.
We also assess transfer risks and apply supplementary safeguards where appropriate (for example, access controls, data minimization, and encryption in transit).
8. Retention
We keep personal data only as long as needed for the purposes described in this policy, unless a longer period is required by law.
- Contact submissions: up to 2 years from the last interaction, to provide continuity for follow-ups and program recommendations.
- Analytics data: 14 months (typical configuration), subject to the settings of the relevant analytics tool.
- Marketing cookies: retained according to cookie lifetimes (for example, 90 days for common ad identifiers), unless you withdraw consent earlier.
- Email correspondence: duration of the relationship plus 1 year, unless further retention is needed to handle disputes or legal obligations.
- Server logs and security records: typically 90 days, unless a longer period is required to investigate abuse or incidents.
- Cookie consent record: up to 3 years for audit and compliance.
- Legal and tax records: retained as required by applicable law (often 6–10 years for invoice-related records).
9. Your Rights (GDPR & UK GDPR)
If you are in the EEA or UK, you may have the following rights, subject to legal limitations: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7(3)), and the right to lodge a complaint with a supervisory authority (Art. 77).
To exercise a right, email [email protected]. We typically respond within 30 days. For complex requests, we may extend by up to 60 additional days, as permitted by law, and we will explain the reason for any delay.
Supervisory authorities: EEA guidance is available via the European Data Protection Board (EDPB). UK users can contact the Information Commissioner’s Office (ICO). Depending on where you live, you may also contact your local authority (for example, Germany’s federal and state data protection authorities).
10. Children
This Site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If you believe a child under 16 has provided personal data without verifiable parental consent, please contact us and we will delete the data promptly.
11. Do Not Track
This website does not respond to Do Not Track (DNT) browser signals. Third-party providers may have their own handling of DNT or similar signals.
12. Data Deletion Requests
You may request deletion of personal data by emailing [email protected] with the subject line “Data Deletion Request”. We may ask for reasonable information to verify your identity before completing the request. If we must retain certain data to comply with legal obligations or to establish, exercise, or defend legal claims, we will keep only what is necessary and will restrict use where possible.
We aim to complete validated deletion requests within 30 days.
13. Business Transfers
If Avoryx Learning GmbH is involved in a merger, acquisition, asset sale, financing, reorganization, insolvency, or similar transaction, personal data may be transferred to a successor entity or counterparties as part of that transaction. If the transfer materially changes how data is used, we will provide notice on the Site.
14. California (CCPA / CPRA)
This section applies to California residents where the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is applicable. In the last 12 months, we may have collected the following categories of personal information:
- Identifiers: name, email, IP address, online identifiers and cookie IDs.
- Internet or network activity: browsing interactions with our Site, such as pages viewed and session events.
- Inferences: preferences or interests inferred from usage, used to show relevant offers where marketing consent is provided.
We do not sell personal information as defined by the CCPA. We do share information for cross-context behavioral advertising when marketing cookies are enabled; California residents may opt out via our cookie preferences panel (accessible from the footer).
California residents may have the rights to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination. To submit a request, email [email protected] with the subject “California Privacy Request”. We will verify your identity before responding. Authorized agents may submit requests with written proof of authorization.
15. Virginia (VCDPA)
Under the Virginia Consumer Data Protection Act (VCDPA), Virginia residents may have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects.
To submit a request, email [email protected] with the subject “Virginia Privacy Request”. If we deny a request, you may appeal by emailing us with the subject “Appeal of Refusal — Privacy Request”. We respond to appeals within 60 days. If an appeal is denied, you may contact the Virginia Attorney General.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Privacy Policy
We may update this policy from time to time to reflect changes in our practices, technologies, or legal requirements. If changes are material, we will announce them via a visible notice on the Site at least 14 days before they take effect. The “Last Updated” date at the top of this page indicates when the latest version became effective.
18. Contact
If you have questions about this Privacy Policy or want to exercise your rights, contact:
- Legal entity: Avoryx Learning GmbH
- Address: Balanstraße 73, Gebäude 15, 81541 Munich, Germany
- Email: [email protected]
- Phone: +49 89 2154 7392
If you contact us by post, include enough detail for us to locate your record (for example, the email address used on the form) and describe your request clearly.