Privacy Policy
Last updated: February 2026
Who We Are
AI Act Fundamentals is an EU AI Act training platform provided by [Company Name] Oy (business ID: [y-tunnus]), a company registered in Finland with its registered office at [Street Address], [Postal Code] [City], Finland.
We provide online training services to help organizations comply with the EU AI Act's AI literacy requirements (Article 4). This privacy policy explains how we collect, use, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR).
Roles under GDPR: [Company Name] Oy acts as a data controller for the operation of the platform, user account management, certificate issuance, and service improvement. Where your organisation subscribes to the service and its employees use the platform, your organisation is the data controller for its employees' training data and [Company Name] Oy acts as a data processor on the organisation's behalf, as described in our Terms of Service. For data protection inquiries, contact us at privacy@aiactfundamentals.eu.
What Data We Collect
We collect the following personal data:
- Name and email address (provided during registration or invitation)
- Company name and organization details (for company admin accounts)
- Training progress and completion status
- Quiz answers and scores
- Certificate generation and access records
- Technical data such as IP address, browser type, and access times (for security and service improvement)
If your employer invited you: When a company administrator adds you to the platform, we receive your name and email address from your organisation. Your employer is the source of this data and should have informed you that your details would be shared with us for training purposes. All the information in this privacy policy applies equally to data received from your employer as to data you provide directly.
Data Recipients and Processors
We share your personal data with the following categories of recipients, all of whom process data on our behalf under Data Processing Agreements (DPAs) that comply with GDPR:
- Cloud hosting provider: Our platform and data are hosted within the EU
- Email delivery service: Service-related emails (invitations, notifications) are sent via a third-party email provider
- Analytics tools: We use analytics services to understand how the platform is used and to improve the service
- Payment processor: Subscription payments are processed by a third-party payment provider (Stripe; see Data Security below for transfers outside the EEA)
We do not sell your personal data to third parties. We may also disclose data to legal or regulatory authorities when required by law.
Why We Collect Your Data
We use your personal data for the following purposes:
- To provide the training service and track your progress
- To generate and verify completion certificates
- To allow company administrators to monitor team training completion
- To send service-related communications (e.g., invitation links, completion notifications)
- To improve our service and user experience
- To comply with legal obligations
Legal Basis for Processing
We process your personal data on the following legal grounds under GDPR. Each processing purpose is linked to its specific legal basis:
| Purpose | Legal basis |
|---|---|
| Providing the training service, managing your account, and tracking progress | Contract performance (Art. 6(1)(b)) |
| Generating and verifying completion certificates | Contract performance (Art. 6(1)(b)) |
| Allowing company administrators to monitor team completion | Contract performance (Art. 6(1)(b)) |
| Sending service-related communications (invitations, notifications) | Contract performance (Art. 6(1)(b)) |
| Improving the service and user experience through usage analytics | Legitimate interest (Art. 6(1)(f)) |
| Preventing fraud and ensuring platform security | Legitimate interest (Art. 6(1)(f)) |
| Retaining billing data and complying with accounting obligations | Legal obligation (Art. 6(1)(c)) |
| Sending marketing communications (if applicable) | Consent (Art. 6(1)(a)) |
How Long We Keep Your Data
We retain your personal data for the duration of your organisation's subscription. After the subscription ends:
- Account, training, and certificate data (name, email, progress, quiz results, certificate records): Deleted when the organisation's subscription ends
- Technical logs (IP address, browser data): Deleted within 6 months
- Billing data: Retained as required by Finnish accounting law (Kirjanpitolaki)
After the applicable retention period, data is securely deleted or irreversibly anonymised.
Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
- Right of access: Request a copy of your personal data
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to restrict processing: Request limitation of processing in certain circumstances
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority (see below)
How to exercise your rights: Send your request to privacy@aiactfundamentals.eu. We will verify your identity and respond without undue delay and in any event within one month of receiving your request. Where a request is complex or you have made several requests, we may extend this period by a further two months; we will notify you of the extension and the reasons for it within the original one-month period. Requests are free of charge. Where a request is manifestly unfounded or excessive, in particular because of its repetitive character, we may charge a reasonable fee or refuse to act on it. Where your organisation is the data controller for your training data (see Who We Are), we may forward your request to your organisation and assist it in responding.
Supervisory authority: You have the right to lodge a complaint with the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Lintulahdenkuja 4, 00530 Helsinki, Finland. Website: tietosuoja.fi.
Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. This includes encryption in transit and at rest, access controls, and regular security assessments.
Our platform and training data are hosted within the EU, and therefore within the European Economic Area (EEA). Some of our service providers, including our payment processor Stripe, may process data outside the EEA as part of their global operations. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as an adequacy decision by the European Commission or the EU Standard Contractual Clauses.
Cookies and Tracking Technologies
Our platform uses cookies and similar technologies to ensure the service functions correctly and to improve your experience:
- Essential cookies: Required for the platform to function (e.g., session authentication, language preferences). These do not require consent.
- Analytics cookies: Used to understand how the platform is used and to identify areas for improvement. These are only set with your consent.
You can manage your cookie preferences through our cookie consent banner when you first visit the platform, and at any time through your browser settings. Disabling essential cookies may prevent the service from functioning correctly.
We use server-side logging to record IP addresses and access times for security purposes. These logs are retained for 6 months and are not used for tracking or profiling.
Contact Us
If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us at privacy@aiactfundamentals.eu. You also have the right to lodge a complaint with your local data protection authority.