Legal

Privacy Policy

Last updated: April 26, 2026 · Applies to all Acutis Institute services

Acutis Institute OÜ ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable Estonian data protection law.

Please read this policy carefully. By using our website or enrolling in our courses, you acknowledge that you have read and understood this policy.

Data Controller

Acutis Institute OÜ

Registry code: 17230268

Lõõtsa tn 5, Lasnamäe linnaosa, Tallinn, Harju maakond, 11415, Estonia, European Union

Email: legal@eaoai.eu

1. What Personal Data We Collect

We collect the following categories of personal data:

Data you provide directly

Name and email address , when you purchase a course or submit a contact form
Payment information , processed by Stripe (we do not receive or store your full card details)
Contact form submissions , name, email, phone number (if provided), and message content
Course submissions , capstone project work and peer review responses

Data collected automatically

Technical data , IP address, browser type and version, device type, operating system
Usage data , pages visited, lessons accessed, course progress, timestamps
Cookies , see Section 8 below

2. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

Purpose	Legal Basis
Processing your enrollment and providing course access	Contract performance (Art. 6(1)(b))
Processing payment via Stripe	Contract performance (Art. 6(1)(b))
Issuing your certificate of completion	Contract performance (Art. 6(1)(b))
Responding to support and contact form inquiries	Legitimate interests (Art. 6(1)(f))
Maintaining records for tax and accounting purposes	Legal obligation (Art. 6(1)(c))
Sending course-related announcements and updates	Legitimate interests (Art. 6(1)(f))
Sending marketing emails (if you opt in)	Consent (Art. 6(1)(a))
Improving our platform and services	Legitimate interests (Art. 6(1)(f))
Fraud prevention and platform security	Legitimate interests (Art. 6(1)(f))

3. How We Use Your Data

To create and manage your student account and verify your course access
To deliver the course content and track your progress
To issue your certificate of completion upon passing the assessment
To send transactional emails (enrollment confirmation, access credentials, certificate delivery)
To respond to your inquiries and support requests
To comply with our legal and accounting obligations under Estonian law
To detect and prevent fraud, unauthorized access, and abuse of our platform
To improve course content and the platform based on anonymized usage data

We will never sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Data Sharing and Third Parties

We share your personal data only with the following categories of third parties, and only to the extent necessary:

Third Party	Purpose	Location
Stripe, Inc.	Payment processing	USA (Standard Contractual Clauses apply)
Cloudflare, Inc.	Website hosting, CDN, and student database (KV)	USA/EU (SCCs apply)
Google LLC	Video hosting (YouTube, unlisted)	USA (SCCs apply)
Email service provider	Transactional emails	EU (where possible)

All third-party processors with whom we share data are contractually bound to process your data only as instructed, to maintain adequate security, and to comply with GDPR. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

We may also disclose your data if required to do so by law or in response to a valid legal request from public authorities.

5. Data Retention

Student account and course progress data , retained for 12 months after the end of your five-month access period, then deleted or anonymized
Payment records and invoices , retained for 7 years in compliance with Estonian Accounting Act requirements
Certificate records , retained indefinitely for verification purposes (name, email, certificate ID, completion date only)
Contact form submissions , retained for up to 12 months after your inquiry is resolved
Marketing consent records , retained until you withdraw consent, plus 3 years thereafter for compliance documentation

6. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right of Access

Request a copy of the personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure

Request deletion of your data where no legal basis for retention exists

Right to Restriction

Request that we restrict processing of your data in certain circumstances

Right to Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to processing based on legitimate interests or for direct marketing

Right to Withdraw Consent

Withdraw marketing consent at any time without affecting prior processing

Right to Lodge a Complaint

Complain to the Estonian Data Protection Inspectorate or your local supervisory authority

To exercise any of these rights, please email us at legal@eaoai.eu. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee, or with the supervisory authority in your country of residence within the EU.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These include:

Encryption of data in transit (TLS/HTTPS) and at rest where applicable
Access controls limiting who within our organization can access personal data
Use of reputable, GDPR-compliant third-party processors
No storage of payment card data on our own systems

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with GDPR requirements (within 72 hours of becoming aware).

8. Cookies

Our website uses cookies and similar technologies. We use:

Strictly necessary cookies , required for the website and course platform to function (login session, access token). These cannot be disabled.
Functional cookies , remember your preferences and course progress (stored in localStorage).
Analytics cookies , only if you consent, to understand how visitors use our site. We do not use Google Analytics without your explicit consent.

You can manage or disable non-essential cookies through your browser settings. Disabling cookies may affect your ability to access the course platform.

9. Children's Privacy

Our services are intended for individuals aged 18 and over. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without verifiable parental consent, we will delete that data promptly. If you believe we have inadvertently collected such data, please contact us at legal@eaoai.eu.

10. International Data Transfers

Acutis Institute OÜ is based in Estonia, within the European Economic Area. Where your data is processed by third-party service providers outside the EEA (including Stripe and Cloudflare, which operate in the United States), we ensure that appropriate safeguards are in place under GDPR Chapter V, specifically Standard Contractual Clauses (SCCs) issued by the European Commission.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. For material changes, we will notify enrolled students by email. Your continued use of our services after any change constitutes acceptance of the updated policy.

12. Contact and Complaints

For any questions, concerns, or to exercise your rights, contact our privacy team:

Acutis Institute OÜ , Privacy

Lõõtsa tn 5, Lasnamäe linnaosa, Tallinn, Harju maakond, 11415, Estonia

Email: legal@eaoai.eu

Estonian Data Protection Inspectorate: www.aki.ee

EU ODR Platform: ec.europa.eu/consumers/odr