Privacy Policy

did deutsch-institut GmbH  |  Last updated: May 2026

This Privacy Policy explains what personal data we collect, for what purposes we process it, and what rights you have. We have organized this document by topic so you can quickly find the section most relevant to you.

• A – Who We Are
• B – Principles of Data Processing
• C – Website, Technology, and Infrastructure
• D – Marketing, CRM, and Communications
• E – Course Operations and Contract Processing
• F – Online Instruction and Video Conferencing
• G – Exams and Certificates
• H – Job Applications and HR
• I – Law Enforcement Requests
• J – International Data Transfers
• K – Retention Periods
• L – Your Rights
• M – Data Security and Updates

A – Who We Are

The entity responsible for the processing of personal data on this website and in connection with our language course offerings is:

did deutsch-institut GmbH
– Data Protection –
Gutleutstraße 32
60329 Frankfurt am Main, Germany
Phone: +49 69 2400 4560
Email: [email protected]
Web: www.did.de

If you have questions about the collection, processing, or use of your personal data, or if you wish to exercise your rights or withdraw a previously given consent, please contact us at the email address above.

B – Principles of Data Processing

We process personal data only where a clear legal basis exists. In our case, these are:

• Consent (Art. 6(1)(a) GDPR) – e.g., for analytics cookies or the newsletter
• Performance of a contract (Art. 6(1)(b) GDPR) – e.g., to process a course booking
• Legal obligation (Art. 6(1)(c) GDPR) – e.g., statutory retention requirements under tax and commercial law
• Legitimate interests (Art. 6(1)(f) GDPR) – e.g., IT security and fraud prevention

Particularly sensitive data – such as allergies or health-related information required to arrange suitable accommodation – is processed on the basis of Art. 9(2)(a) GDPR. This processing only takes place if you voluntarily provide such information.

Once a contract has been fully processed, your data will be blocked from further use and deleted upon expiration of the applicable statutory retention periods.

C – Website, Technology, and Infrastructure

Server Log Files

Every time our website is accessed, our hosting provider automatically collects technical connection data in so-called server log files: the name of the page or file accessed, date and time, data volume transferred, HTTP status code, browser type and version, operating system, referrer URL, IP address, and internet service provider.

This data is used solely for the secure and stable operation of the website, is not merged with other data sources, and is automatically deleted after 7 days. The legal basis is Art. 6(1)(f) GDPR.

Hosting: IONOS

Our website is hosted on servers operated by IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany. IONOS processes technical connection data as part of the hosting service under a data processing agreement pursuant to Art. 28 GDPR. The legal basis is Art. 6(1)(f) GDPR.

IONOS Privacy Policy: ionos.de/terms-gtc/terms-privacy

Cloudflare CDN

To ensure fast load times and protection against attacks (DDoS), we use the Content Delivery Network of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Cloudflare acts as a reverse proxy: all requests to our website first pass through Cloudflare servers, which process technical connection data including your IP address. A data processing agreement is in place; transfers of data to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The legal basis is Art. 6(1)(f) GDPR.

Cloudflare Privacy Policy: cloudflare.com/privacypolicy

TYPO3 – Content Management System

Our website runs on TYPO3, an open-source content management system installed on our own IONOS servers that does not send data to third parties. Access to the TYPO3 backend is restricted to authorized staff members.

Cookies and Consent Management

When you first visit our website, a cookie banner appears that allows you to decide which categories of cookies may be set:

• Strictly necessary cookies – always active, no consent required
• Analytics cookies – only with your consent (e.g., Google Analytics)
• Marketing and personalization cookies – only with your consent (e.g., Meta Pixel, HubSpot tracking)

You may withdraw your consent at any time via the cookie settings on our website. The legal basis is Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (German Telecommunications and Digital Services Data Protection Act) for cookies requiring consent, and Art. 6(1)(f) GDPR for strictly necessary cookies.

For more information about cookies, visit youronlinechoices.com.

Fonts: Adobe Fonts

To maintain a consistent visual appearance, we use Adobe Fonts, a service of Adobe Systems Software Ireland Companies, 4–6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland (parent company: Adobe Inc., USA). When you visit our website, your browser loads the required fonts from Adobe servers, transmitting your IP address to Adobe to enable correct font delivery. Adobe states that IP addresses are not stored permanently. We load Adobe Fonts only after you have given your consent via the cookie banner. Data transfers to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The legal basis is Art. 6(1)(a) GDPR.

Adobe Privacy Policy: adobe.com/privacy/policies/adobe-fonts.html

Fonts: Font Awesome (in the Booking Form)

The booking form of our school management software FIDELO uses icons provided by Font Awesome, a service of Fonticons, Inc., 307 S. Main St., Suite 202, Bentonville, AR 72712, USA. When the form is loaded, your browser establishes a connection to Font Awesome CDN servers, transmitting your IP address and technical access data. To our current knowledge, Font Awesome does not permanently store personal data. This integration is technically required by FIDELO; we are working with FIDELO to explore whether local self-hosting is feasible. The legal basis is currently Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (consent).

Font Awesome Privacy Policy: fontawesome.com/privacy

Accessibility: AccessAble / AccessGo

To make our website accessible to all users, we use the accessibility tool AccessAble / AccessGo. It enables individual display adjustments such as font size, contrast, or screen reader mode. Anonymized session data and selected settings may be collected in this context. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in maintaining an accessible website in accordance with applicable accessibility legislation).

YouTube and External Media

Some pages of our website may embed videos from YouTube, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. YouTube is a platform of the Google group.

We embed YouTube videos using the enhanced privacy mode. According to YouTube, this means no cookies are stored on your device as long as you do not play the video. When you do play a video, data – including your IP address, device information, and interaction data – is transmitted to YouTube servers and may be stored there. If you are logged into a Google account at that time, YouTube may associate your interaction with your account.

Additional external media content (e.g., embedded maps or multimedia content from third-party providers) may also be present on our website. Such content is only loaded after you have given your consent via the cookie banner, to prevent automatic data transfers to third parties. The legal basis is Art. 6(1)(a) GDPR (consent). Data transfers to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

Google/YouTube Privacy Policy: policies.google.com/privacy

Google Services on the Website

Google Tag Manager: We use the Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Tag Manager is a tool that allows us to centrally manage website tags (e.g., for Google Analytics, Meta Pixel, or HubSpot tracking). To our knowledge, the Google Tag Manager does not set its own cookies and serves only to manage other tags – it controls when and whether other tags are loaded, depending on the consent you have given via our cookie banner. Tags on our site fire only after consent has been given (Consent Mode). The services integrated via the Tag Manager are each described separately in this Privacy Policy. The legal basis for using the Tag Manager is Art. 6(1)(f) GDPR (legitimate interest in efficient tag management).

Google Analytics 4: We use Google Analytics 4, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to analyze visitor behavior on our website. IP anonymization is enabled. Data processed: anonymized IP address, page views, time on site, click paths, device category. The legal basis is Art. 6(1)(a) GDPR (consent). Data transfers to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Opt-out: tools.google.com/dlpage/gaoptout or via your cookie settings.

Google Ads and Remarketing: We run Google Ads to promote our language courses. Remarketing cookies may be set in this context. The legal basis is Art. 6(1)(a) GDPR (consent). Manage your ad settings at: adssettings.google.com.

Google Maps: We use Google Maps to display our school locations. When the map feature is activated, your IP address is transmitted to Google. The legal basis is Art. 6(1)(a) GDPR (consent via the cookie banner).

Google Privacy Policy: policies.google.com/privacy

D – Marketing, CRM, and Communications

HubSpot – CRM, Marketing Automation, and Chatbot

We use HubSpot, provided by HubSpot Ireland Limited, One Dockland Central, Guild Street, Dublin 1, Ireland, as our central customer relationship management and marketing platform. We use it for: managing contact and partner data (agencies, B2B contacts), transactional and sales email communications, website forms, lead tracking and marketing automation, analysis of email open and click behavior, and the live chat and chatbot on our website.

Note: Our newsletter is not sent via HubSpot but via Direct Mail (see below).

Information entered in the HubSpot chatbot (name, email address, message content) is stored in our CRM and used to process your inquiry. HubSpot sets tracking cookies; data may be processed on US servers. A data processing agreement pursuant to Art. 28 GDPR is in place. Data transfers to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The legal basis is Art. 6(1)(b) GDPR for handling inquiries and pre-contractual measures, and Art. 6(1)(a) GDPR for tracking cookies.

HubSpot Privacy Policy: legal.hubspot.com/privacy-policy

MyAsk AI – AI-Powered Chatbot

We additionally operate an AI-powered chatbot on our website provided by AskAI Ltd (trading as My AskAI), London, United Kingdom. The chatbot is configured to provide automated answers to general questions about our courses and locations.

If you voluntarily enter personal information into the chatbot (for example your name, email address, or course preferences), this information may be processed in order to respond to your inquiry. Providing personal data is entirely optional. Please do not submit highly sensitive information such as passport data, banking details, or health information through the chatbot.

According to information published by the provider, content (vectors and reference data) is hosted on Qdrant servers operated on Google Cloud Platform (GCP) in The Dalles, Oregon, USA (region us-west1). Data is encrypted both in transit and at rest (AES-256). According to the provider's own statements, user inputs are not used for the training of AI models and are processed solely for responding to user queries.

AskAI Ltd is based in the United Kingdom, for which an adequacy decision of the European Commission exists. Where data is processed on servers in the United States, transfers are based on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

The legal basis for operating the chatbot is Art. 6(1)(f) GDPR (legitimate interest in providing automated information services on our website). Where users voluntarily provide personal data in connection with pre-contractual inquiries, Art. 6(1)(b) GDPR may additionally apply.

My AskAI Privacy Policy: myaskai.com/privacy

Email Newsletter – Direct Mail (e3 Software)

For sending our newsletter, we use Direct Mail, an email marketing application by e3 Software, LLC, USA. The double opt-in process is mandatory: after signing up, you will receive a confirmation email and will only be added to the mailing list after actively confirming your subscription. No newsletter will be sent without this confirmation.

When we use the e3 delivery service, your email address and the content of the campaign are transmitted to e3 Software's servers in the USA for the duration of the sending process. Once the campaign has been sent, e3 Software deletes this data from its servers. For tracking purposes (opens, clicks), anonymized tracking data is collected and stored on e3's servers. e3 Software explicitly does not share, sell, rent, or otherwise disclose customer email lists to third parties. A data processing agreement pursuant to Art. 28 GDPR is in place. Data transfers to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework (e3 Software is DPF-certified).

You may unsubscribe at any time by clicking the unsubscribe link in any newsletter email or by contacting us at [email protected]. The legal basis is Art. 6(1)(a) GDPR (consent). The lawfulness of processing carried out prior to withdrawal remains unaffected.

Direct Mail Privacy Policy: directmailmac.com/privacy

Social Networks

We maintain profiles on several social networks. When you visit our profiles, the respective platform processes data in its own capacity as a data controller. If you do not want providers to associate data collected through our web presence with your profile on their platform, please log out of the relevant service before visiting our pages.

Facebook and Instagram (Meta): Operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. As a page operator, we are jointly responsible with Meta for page statistics (Page Insights) pursuant to Art. 26 GDPR; the legal basis for this is Art. 6(1)(f) GDPR. Where we run targeted ads on Meta platforms (Custom Audiences, remarketing via Meta Pixel), this is done exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR, which you grant via our cookie banner. Data transfers to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Meta Privacy Policy

TikTok: Operated by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin D02 T380, Ireland (parent company: ByteDance Ltd., Cayman Islands). Data may be transferred to the US and Singapore; the basis for such transfers is the EU Standard Contractual Clauses. The legal basis for our use of the platform is Art. 6(1)(f) GDPR. TikTok Privacy Policy

X (formerly Twitter): Operated by X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. Data transfers to the US are based on the EU Standard Contractual Clauses. The legal basis for our use of the platform is Art. 6(1)(f) GDPR. X Privacy Policy

WhatsApp Business

We also offer WhatsApp Business as an additional communication channel, a service of Meta Platforms Ireland Limited, Dublin 2, Ireland. When you contact us via WhatsApp, Meta processes your phone number as well as message content and metadata. Please do not send highly sensitive information such as passport data, banking details, or medical information via WhatsApp. For such matters, please use our website contact forms or reach us by phone. The legal basis is Art. 6(1)(b) GDPR (pre-contractual communication) and Art. 6(1)(a) GDPR (consent through initiating contact).

WhatsApp Privacy Policy

E – Course Operations and Contract Processing

FIDELO – School Management Software

We use FIDELO, a software by Fidelo Software GmbH, Gottfried-Hagen-Straße 60, 51105 Cologne, Germany, to manage course bookings and participant data. The following categories of data are processed in connection with contract performance:

• Master data: First and last name, date of birth, nationality, postal address, email address, phone number
• Emergency contact: Name and phone number of a trusted contact person
• Course data: Course type, language level, location, duration
• Payment data: Invoice amounts, payment receipt (no full banking details)
• Accommodation data: Address, preferences, and where applicable, allergies and health-related information – this information is required to arrange suitable accommodation and cannot be guaranteed without it. Processing of this special category of data pursuant to Art. 9(2)(a) GDPR only takes place if you voluntarily provide such information
• Visa data: Where required for the issuance of a booking confirmation, school enrollment letter, or invitation letter for submission to a visa authority

FIDELO also supports the payment options PayPal (PayPal Europe S.à r.l. et Cie, S.C.A., Luxembourg) and Stripe (Stripe Payments Europe, Ltd., Dublin, Ireland). Icons in the booking form are loaded via Font Awesome (see Section C). A data processing agreement is in place with FIDELO. The legal basis is Art. 6(1)(b) GDPR.

FIDELO Privacy Policy: fidelo.com/de/data_protection_declaration.html

Payment Service Providers

Depending on your chosen payment method, we share the data required to process the payment (name, billing address, amount, reference number) with one of the following providers. These providers process your payment data in their own capacity as data controllers; did deutsch-institut does not store full banking details. The legal basis is Art. 6(1)(b) GDPR.

• Flywire (Flywire Corporation, Boston, MA, USA): flywire.com/privacy
• TransferMate (TransferMate Global Payments, Waterford, Ireland): transfermate.com/privacy-policy
• PayPal (PayPal Europe S.à r.l. et Cie, S.C.A., Luxembourg, via FIDELO): paypal.com – Privacy
• Stripe (Stripe Payments Europe, Ltd., Dublin, Ireland, via FIDELO): stripe.com/privacy

Data Sharing with Partners and Service Providers

For the purpose of fulfilling our contractual obligations, we share personal data – strictly limited to what is necessary – with the following recipients:

• Fidelo Software GmbH (school management software, data processing agreement in place)
• Payment service providers (depending on chosen payment method, see above)
• Accommodation providers (hotels, host families, student residences) – data: first and last name, gender, date of birth, where applicable allergies and preferences, contact details
• Examination centers (telc) for booked exams
• Booking agencies and partners, where the booking was made through them

Your data is also shared within did deutsch-institut GmbH and with affiliated companies of the did deutsch-institut group, to the extent required for contract fulfillment.

Accounting and Payroll: DATEV

For accounting, payroll processing, and tax administration, we use DATEV products provided by DATEV eG, Paumgartnerstraße 6–14, 90429 Nuremberg, Germany. Data processed includes customer master data, invoice details, and internally, payroll-relevant employee data. The legal basis is Art. 6(1)(c) GDPR (statutory bookkeeping obligation under §§ 238 et seq. of the German Commercial Code (HGB) and §§ 140 et seq. of the German Fiscal Code (AO)). Retention period: 10 years.

F – Online Instruction and Video Conferencing

We use video conferencing systems to deliver online German courses and digital instruction. In doing so, personal data of course participants is processed. Please note: video and audio data are personal data. Please only share information in the chat or via camera that is necessary for the lesson.

Zoom

For online courses where participants log in via video conference, we use Zoom, a service of Zoom Video Communications, Inc., 55 Almaden Blvd., 6th Floor, San José, CA 95113, USA.

The following personal data is processed when using Zoom:

• Name and email address (for registered users)
• IP address and device information (operating system, hardware)
• Video and audio data (camera and microphone, if activated)
• Meeting metadata (topic, time, duration, participant list)
• Chat messages within the meeting
• Recordings, where the meeting is recorded with prior consent

Zoom acts as a data processor; a data processing agreement (Global Data Processing Addendum) pursuant to Art. 28 GDPR is in place. Zoom is an active participant in the EU-US Data Privacy Framework; transfers of data to the US are permissible on this basis. EU Standard Contractual Clauses have additionally been agreed. Retention periods for meeting metadata are governed by the settings configured in our Zoom account.

Recordings are only made with the prior explicit consent of all participants. The legal basis is Art. 6(1)(b) GDPR (performance of a contract – delivery of the booked online course); for voluntarily activated features (e.g., camera, chat) Art. 6(1)(a) GDPR; for recordings Art. 6(1)(a) GDPR (consent).

Zoom Privacy Policy: zoom.us/privacy

Microsoft Teams (for Online Instruction with Participants)

For certain course formats and communication with course participants, we also use Microsoft Teams, a service of Microsoft Ireland Operations Limited, One Microsoft Place, Leopardstown, Dublin 18, Ireland.

The following data is processed when Microsoft Teams is used for online instruction:

• Name and email address
• IP address and device information
• Video and audio data (camera and microphone, if activated)
• Meeting metadata and chat messages
• Recordings, where the meeting is recorded with prior consent

A data processing agreement pursuant to Art. 28 GDPR is in place; data transfers to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The legal basis is Art. 6(1)(b) GDPR (performance of a contract – delivery of the booked course).

Microsoft 365 – Internal Use

For internal collaboration and communication among our staff (not for external course participants), we use additional Microsoft 365 services: email (Outlook), document management (Word, Excel, SharePoint), and cloud storage (OneDrive). A data processing agreement is in place. Data transfers to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The legal basis is Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

Microsoft Privacy Statement: privacy.microsoft.com

Microsoft Forms – Host Family Data, Course Evaluations, and Placement Tests

For certain data collection purposes, we use Microsoft Forms, an online form service provided by Microsoft Ireland Operations Limited, One Microsoft Place, Leopardstown, Dublin 18, Ireland. Data entered via Microsoft Forms is stored and processed on Microsoft servers. A data processing agreement pursuant to Art. 28 GDPR is in place. Data transfers to the US are based on the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

We use Microsoft Forms for the following purposes:

• Host family data: To create host family profiles, we collect personal information from host families via Microsoft Forms (e.g., contact details, living situation, preferences, and where applicable, information about pets or household rules). This data is required to match suitable accommodation for course participants. Where special categories of personal data are included (e.g., health-related information), processing only takes place on a voluntary basis. The legal basis is Art. 6(1)(b) GDPR (performance of a contract); for any special categories of data, Art. 9(2)(a) GDPR (voluntary disclosure).
• Course evaluations: Upon completion of a course, we invite participants to submit a voluntary evaluation of their course experience via Microsoft Forms. Name and/or email address and the evaluation content are collected. Participation is voluntary and has no bearing on the course or contractual relationship. The legal basis is Art. 6(1)(a) GDPR (consent).
• Placement tests: To determine the appropriate language level, we occasionally administer placement tests via Microsoft Forms. Name, contact details, and test results are collected. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures or performance of a contract).

Data collected is used solely for the stated purpose and is not merged with other data sources unless expressly indicated. Retention periods: host family data for as long as the host family relationship exists; evaluations for up to 3 years; placement test results until contract conclusion or up to 6 months in the event of non-booking.

G – Exams and Certificates

telc Examination Center

As an authorized examination center of telc gGmbH, Basler Straße 7, 61352 Bad Homburg vor der Höhe, Germany, we transmit the required candidate data (name, date of birth, contact details, exam result) to telc when booking and administering language exams. telc processes this data in its own capacity as a data controller and stores it permanently in central examination archives for record-keeping and certificate management purposes. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (legal obligation as an examination center).

telc Privacy Policy: telc.net/datenschutz.html

VirtualBadge – Digital Certificates

Successfully passed telc exams are issued and delivered as digital certificates (Open Badges) via VirtualBadge. The provider is futurenext GmbH (Virtualbadge.io), registered in the Mannheim Commercial Register (HRB 736146), Germany.

For certificate delivery, we share the minimum data strictly required: name, email address, exam designation, exam date, and exam result. VirtualBadge acts as a data processor; a data processing agreement pursuant to Art. 28 GDPR is in place. VirtualBadge is headquartered in Germany; according to the provider, operations are conducted primarily within the EU. Any sub-processors engaged (e.g., for email delivery of certificates) are, according to the provider, integrated in a data protection-compliant manner. Where data is transferred to third countries in this context, such transfers are based on the EU Standard Contractual Clauses.

The digital certificate may be shared by you and published on platforms such as LinkedIn; this occurs at your own initiative. The retention period for certificate data is governed by telc's archiving obligations and the validity period of the badge. The legal basis is Art. 6(1)(b) GDPR (performance of a contract – delivery of the exam certificate).

VirtualBadge Privacy Policy: virtualbadge.io/privacy-policy

H – Job Applications and HR

Job Applications via the Website

You may apply for open positions through our website. The application documents you submit (name, contact details, résumé, cover letter, references) are temporarily stored on our servers and used solely to process your application. After the application process is complete, your data will be deleted within 6 months, unless you have explicitly consented to longer retention (e.g., inclusion in a talent pool). The legal basis is Art. 6(1)(b) GDPR in conjunction with § 26 of the German Federal Data Protection Act (BDSG).

Internal Communications: Microsoft 365 and DATEV

For internal management of employee data – including payroll-relevant information and social security data – we use DATEV eG, Paumgartnerstraße 6–14, 90429 Nuremberg, Germany, and Microsoft 365 (see Section F). The legal basis is Art. 6(1)(b) GDPR (performance of the employment relationship) and Art. 6(1)(c) GDPR (statutory bookkeeping obligation). Retention period: 10 years.

I – Law Enforcement Requests

In connection with the administration of telc language exams, we occasionally receive inquiries from law enforcement authorities (e.g., police, public prosecutors) asking whether a particular individual has taken an exam at our center – typically in the context of investigations into fraudulent language certificates.

We disclose data to authorities only where a court order or prosecutorial request based on a legal provision exists, or where a statutory obligation to provide information applies. Informal requests without a corresponding order are not answered by did deutsch-institut. The legal basis is Art. 6(1)(c) GDPR.

J – International Data Transfers

Some of the services we use process data outside the EU or the European Economic Area (EEA), in particular in the United States. For each such transfer, we ensure that appropriate safeguards are in place. The following overview shows which services transfer data internationally and on what basis:

• Google Tag Manager: USA – EU Standard Contractual Clauses + EU-US Data Privacy Framework (to our knowledge, does not set its own cookies)
• Google (Analytics, Ads, Maps): USA – EU Standard Contractual Clauses + EU-US Data Privacy Framework
• Adobe Fonts: USA – EU Standard Contractual Clauses + EU-US Data Privacy Framework
• Font Awesome (via FIDELO): USA – EU Standard Contractual Clauses (via FIDELO DPA)
• Direct Mail / e3 Software (newsletter): USA – EU Standard Contractual Clauses + EU-US Data Privacy Framework, DPA in place
• HubSpot: USA – EU Standard Contractual Clauses + EU-US Data Privacy Framework
• Zoom: USA – EU Standard Contractual Clauses + EU-US Data Privacy Framework
• Microsoft 365 / Teams: USA – EU Standard Contractual Clauses + EU-US Data Privacy Framework
• Meta (Facebook, Instagram, WhatsApp): USA – EU Standard Contractual Clauses + EU-US Data Privacy Framework
• TikTok: USA / Singapore – EU Standard Contractual Clauses
• X (formerly Twitter): USA – EU Standard Contractual Clauses
• Cloudflare: USA – EU Standard Contractual Clauses + EU-US Data Privacy Framework
• Flywire: USA – EU Standard Contractual Clauses
• MyAsk AI: United Kingdom / USA (GCP Oregon, us-west1) – UK: EU Commission adequacy decision; USA: EU Standard Contractual Clauses, DPA in place

K – Retention Periods

We retain personal data only for as long as necessary for the applicable processing purpose or as required by statutory retention obligations. Please note: after expiration of the retention period, it is no longer possible to re-issue course certificates or participation certificates for programs completed more than 10 years ago.

• Server log files: 7 days
• Contact inquiries (without contract conclusion): 3 years
• Job application documents: 6 months after rejection
• Contract data (course bookings, invoices): 10 years (§§ 238 et seq. HGB)
• Accounting and payroll data (DATEV): 10 years
• Newsletter subscriptions: until consent is withdrawn
• Newsletter delivery data at e3 Software (Direct Mail): deleted after sending is complete; tracking data (opens, clicks): until unsubscription
• CRM contacts (HubSpot): up to 3 years after last contact
• Chatbot interactions: up to 3 years or until consent is withdrawn
• Cookie consent records (for documentation purposes): 3 years
• Zoom meeting metadata: in accordance with the deletion periods configured in our Zoom account (currently 30 days active, then 30 days in the trash)
• Zoom recordings: until consent is withdrawn, no later than when the need ceases
• Microsoft Forms – host family data: for as long as the host family relationship exists
• Microsoft Forms – course evaluations: up to 3 years
• Microsoft Forms – placement test results: until contract conclusion, or up to 6 months in the event of non-booking
• Exam data (telc archive): in accordance with the telc privacy policy

L – Your Rights

Under the GDPR, you have the following rights with respect to us. To exercise your rights, please contact us at [email protected].

Right of Access (Art. 15 GDPR)

You may request information about what data we have stored about you, where it comes from, for what purpose we process it, and to whom we disclose it.

Right to Rectification (Art. 16 GDPR)

You may request the correction of inaccurate data or the completion of incomplete data.

Right to Erasure (Art. 17 GDPR)

You may request the deletion of your data, unless statutory retention obligations or other legal grounds preclude this.

Right to Restriction of Processing (Art. 18 GDPR)

You may request that we retain but not actively process your data – for example, while the accuracy of your data is being verified.

Right to Data Portability (Art. 20 GDPR)

You may request your data in a commonly used, machine-readable format, or request that it be transferred directly to another provider, where processing is based on consent or a contract and is carried out by automated means.

Right to Object (Art. 21 GDPR)

You may object to the processing of your data where it is based on a legitimate interest. In the case of direct marketing, this right is unconditional.

Withdrawal of Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected.

Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

If you believe that the processing of your data is not lawful, you may lodge a complaint with the supervisory authority responsible for us:

The Hessian Commissioner for Data Protection and Freedom of Information
(Der Hessische Beauftragte für Datenschutz und Informationsfreiheit)
P.O. Box 3163
65021 Wiesbaden, Germany
Phone: +49 611 1408-0
www.datenschutz.hessen.de

M – Data Security and Updates

Data Security

We protect our website and other systems against loss, destruction, unauthorized access, alteration, or disclosure of your data through technical and organizational measures. Data transmission on our website is encrypted via SSL/TLS, indicated by "https://" in your browser's address bar.

We have entered into data processing agreements pursuant to Art. 28 GDPR with all external service providers that process personal data on our behalf. Our employees and contracted partners are bound by confidentiality obligations with respect to personal data.

Links to Other Websites

Our website may contain links to pages operated by other providers, to which this Privacy Policy does not apply. did deutsch-institut is not responsible for the data protection practices or content of those other websites.

Updates to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in law, technical developments, or changes to our services. The current version is always available on our website at www.did.de/datenschutz. We recommend checking this page periodically to stay informed about the latest version.