Privacy Policy

This Privacy Policy explains how EduCoach collects, uses, shares, and protects your personal data when you use the platform. It is prepared in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Greek law 4624/2019.

We respect your privacy and are committed to transparency: this document explains what data we collect, why, with whom we share it, how long we keep it, and what rights you have.

The Controller of your personal data is [COMPANY NAME], with registered office at [ADDRESS], VAT No. [VAT], Tax Office [DOY] (hereinafter "Provider" or "we").

Contact for personal data matters: hello@educoach.gr

The Provider is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. For any data protection matter, you can contact us directly.

Data you provide

• Account details: Name, email address, password (encrypted by the authentication provider — see the "Data Recipients" section) or, alternatively, Google ID if you use Sign in with Google.
• Age confirmation: Confirmation that you are over 15 years old.
• User profile: Information on education, skills, interests, preferences, and goals — as provided in questionnaires and conversations.
• Chatbot conversation content.
• Payment data (if you purchase premium): EduCoach does not store card details; they are handled solely by the payments provider Stripe. We only retain a customer identifier (Stripe customer ID) and subscription data.

Data collected automatically

• Technical data: IP address, browser type, operating system, device information.
• Usage data: Pages you visit, actions within the platform, Chatbot interactions, session duration.
• Logs and errors: Technical error data (via Sentry) for detecting and fixing issues.
• Cookies: See the separate Cookie Policy.

Special categories of data

We do not knowingly collect special categories of data under Article 9 GDPR (health, ethnic origin, religion, political beliefs, etc.). If you notice such data in posts or submissions to the platform, we ask you to remove them.

We process your data for the following purposes and on the corresponding legal bases under GDPR:

You may withdraw your consent at any time where processing is based on it, without affecting the lawfulness of prior processing.

We do not sell your personal data. We share it with strictly selected processors bound by data processing agreements (DPAs) under Article 28 GDPR:

• To competent authorities, when required by law or court order.
• To legal advisors / accountants, for compliance with legal or tax obligations.
• In case of corporate change (merger, acquisition) — with notice to you and preservation of GDPR safeguards.

Certain AI providers (Google Gemini, Cohere) and infrastructure providers (Clerk, Stripe, Vercel, Sentry) maintain facilities or personnel in the United States or other countries outside the EEA. For these transfers we apply appropriate safeguards:

• Standard Contractual Clauses (SCCs) of the European Commission.
• Adequacy decisions where available (e.g. Canada, EU-US Data Privacy Framework).
• Supplementary technical and organizational measures (encryption in transit and, in some cases, at rest).

You can request a copy of the SCCs by contacting us.

We retain your data only as long as necessary:

Notice before deletion for inactivity: You will receive a warning email 30 days before account deletion due to inactivity, so you can reactivate your account.

The Service uses automated processing and profiling to generate personalized study and career recommendations.

Important clarification: This processing does not produce legal effects for you nor significantly affect you within the meaning of Article 22 GDPR. The recommendations are strictly supportive and informational: they are an exploration tool, not decisions taken about you. The final decision always rests with you.

How it works (in plain terms):

• Your questionnaire answers and Chatbot interactions build a profile of interests and skills.
• A recommendation system matches your profile against available study programs and careers.
• The Chatbot (powered by Gemini) answers questions and explains the recommendations.
• A reranking module (Cohere) improves the order of the most relevant results.

Your right: You can request human review of any recommendation and express your view by contacting us.

Further details are included in the AI Use Notice.

Under GDPR, you have the following rights:

• Access (Art. 15): A copy of the data we hold about you.
• Rectification (Art. 16): Correction of inaccurate or incomplete data.
• Erasure / right to be forgotten (Art. 17): Deletion of your data under GDPR conditions.
• Restriction of processing (Art. 18): Restriction of processing in specific cases.
• Portability (Art. 20): Receipt of your data in a structured, commonly used format, and transfer to another controller.
• Objection (Art. 21): Objection to processing based on legitimate interest or for direct marketing purposes.
• Withdrawal of consent (Art. 7): Where processing is based on consent, at any time, without affecting the lawfulness of prior processing.
• Not to be subject to solely automated decisions (Art. 22): As explained in the "Automated Decision-Making" section, the Service does not take such decisions, but you can always request human review.

How to exercise your rights: By sending an email. We will reply within 30 days (extendable by 60 days in exceptionally complex cases, with notice to you).

Right to lodge a complaint: You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), Kifisias 1-3, 115 23 Athens, www.dpa.gr.

We take appropriate technical and organizational measures to protect your data, including:

• Data encryption in transit (TLS/HTTPS).
• Encrypted password storage by the authentication provider (Clerk, SOC 2 compliant).
• Selection of trusted service providers with data processing agreements.
• Minimization principle and periodic access reviews.
• Option to enable two-factor authentication (2FA) via Clerk.

In the event of a data breach that may pose a high risk to your rights, we will notify you without undue delay in accordance with Articles 33-34 GDPR.

The Service is intended for users aged 15 and over, in accordance with Article 21 of Greek law 4624/2019.

• Users 15-17: May provide consent for Service use on their own. We strongly recommend informing and obtaining the guardian's agreement before use.
• Users under 15: Use is not permitted. If we become aware that we have collected data from a minor under 15 without guardian consent, we will promptly delete it.

Parents/guardians who believe their child has provided data without their consent can contact us.

The platform uses cookies and similar technologies. Details on cookie types, purposes, and management are in the separate Cookie Policy.

We may update this Policy from time to time. For substantive changes, we will notify you by email and/or with a prominent in-platform announcement at least 15 days before the changes take effect. The last-updated date appears at the top of the document.

For any question, rights request, or complaint regarding this Policy or the processing of your data:

Email: hello@educoach.gr

Mailing address: [ΕΔΡΑ]

Supervisory authority: Hellenic Data Protection Authority (HDPA), Kifisias 1-3, 115 23 Athens, www.dpa.gr.