Privacy Policy
Last Updated: March 14, 2026
1. Introduction & Controller Identity
This Privacy Policy explains how nexentra (“we”, “us”, “our”) collects, uses, and protects personal data when you visit our website and when you contact us about online courses, webinars, masterclasses, intensives, and educational programmes. This policy applies to information processed through our website, our contact forms, and our communications related to course registration and purchase details.
Data Controller: Nexentra Learning GmbH, Leopoldstraße 250, Schwabing-Freimann, 80807 Munich, Germany. You can contact us at [email protected] for any questions about this policy or how we handle personal data.
Effective Date: March 14, 2026. If we materially change this Privacy Policy, we will provide a clear notice on the website before the changes take effect.
2. Personal Data We Collect
We collect personal data that you provide directly and data generated when you use the website. The exact data depends on how you interact with the site (for example, whether you submit a form or only browse pages). We aim to keep collection proportionate and aligned with educational service delivery.
- Identity & contact data: name (if provided), email address, and phone number (if provided).
- Form content: messages, learning preferences (track and format selections), scheduling constraints, and any programme-related details you choose to share.
- Technical data: IP address, browser type and version, device identifiers, operating system, and language settings.
- Usage data: pages visited, time spent on pages, navigation paths, referrer information, and interactions with site elements.
- Cookies & identifiers: cookies required for site operation and your cookie consent choice; optional analytics and marketing identifiers when you provide consent.
- Conversion events: events such as form submissions or other signals that indicate interest in course enrolment, used for measurement and service improvement when permitted.
We do not intend to collect special-category data (such as health data, religious beliefs, political opinions), financial account details, or government identification numbers through this website. Please avoid sending such information in free-text form fields. If you send it anyway, we will handle it with care and limit access, but we may not be able to provide the same guarantees as when data is collected through dedicated, purpose-built processes.
3. Why We Process Data & Legal Basis (GDPR Art. 6)
We process personal data only when we have a lawful basis under the GDPR (and, where applicable, UK GDPR). Below are the main purposes for which we process data and the typical legal bases relied upon. Depending on the scenario, more than one basis may apply.
- Contact and enrolment workflow: to respond to requests, provide programme options, confirm dates, and explain enrolment steps. Legal basis: Art. 6(1)(b) (steps prior to entering a contract) and, where applicable, Art. 6(1)(a) (consent).
- Analytics: to understand how the site is used, improve navigation, and assess content performance. Legal basis: Art. 6(1)(a) (consent) where required.
- Marketing and remarketing: to measure advertising performance and show more relevant ads. Legal basis: Art. 6(1)(a) (consent) where required.
- Security and fraud prevention: to protect the website and forms against abuse, bot activity, and malicious traffic. Legal basis: Art. 6(1)(f) (legitimate interest).
- Legal compliance: to meet legal obligations (for example, responding to lawful requests, maintaining required records). Legal basis: Art. 6(1)(c) (legal obligation).
Automated Decision-Making (Art. 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. Some security mechanisms may use automated signals to determine whether an interaction appears suspicious (for example, bot protection on forms), but these checks are used to protect the service rather than to make decisions with significant effects about you.
4. Cookies & Tracking
We use cookies and similar technologies to provide core functionality, to measure site performance, and (when you consent) to support advertising measurement and remarketing. Cookies are small text files stored on your device. We also reference “pixel tags” and similar methods that can collect identifiers and event data.
Essential cookies (always active)
Essential cookies are required for the website to function properly. They include session continuity and storing your cookie preferences. These do not require consent in many jurisdictions because they are necessary to provide the service you requested.
- Examples: _site_session, cookie_consent, and similar security/CSRF protection mechanisms.
- Retention: session to 12 months (depending on the cookie).
Analytics cookies (consent-based)
If you enable analytics cookies, we may use Google Analytics 4 (GA4) configured to reduce identifiability, including IP anonymization where supported. Analytics cookies help us understand which pages are useful, where visitors drop off, and whether content is discoverable. We use this information to improve course descriptions, schedules, and navigation.
- Examples: _ga, _ga_XXXXXXXXXX (GA4 session state cookie).
- Data retention: typically 14 months for analytics event data (settings may vary by configuration).
Marketing cookies (consent-based)
If you enable marketing cookies, we may use them to measure ad performance (for example, which ads lead to visits or form submissions) and to build remarketing audiences. Marketing cookies can also help reduce irrelevant advertising by limiting repeated exposure and improving attribution accuracy.
- Examples: _gcl_au (Google Ads), _fbp and _fbc (Meta).
- Retention: commonly 90 days for marketing identifiers (exact retention depends on provider configuration and browser behavior).
Beyond cookies, measurement can involve pixel tags and server-side methods. Where used, these may rely on device signals such as IP address and User-Agent. In some implementations, identifiers can be hashed before being shared with partners for matching and attribution. All such processing is subject to your consent choices where consent is required.
5. Consent (EEA/UK)
Users in the EEA and UK receive a consent notice under GDPR/UK GDPR. Marketing and analytics cookies activate only after explicit, informed, freely given consent (Art. 6(1)(a)). Your consent choice is stored in the cookie_consent browser cookie for up to 12 months.
You may withdraw consent at any time by using the “Manage cookie preferences” link in the website footer or by clearing cookies in your browser settings. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
6. Sharing With Advertising & Service Partners
We use certain providers to host and secure the website and, depending on your consent, to measure site usage and advertising performance. We share only the information needed for the relevant purpose and where permitted by law.
- Google LLC: analytics and advertising measurement (GA4, Google Ads, tag management/remarketing as configured). Data may include cookie identifiers, usage events, and conversion events when consent is given. Learn more: https://policies.google.com/privacy
- Meta Platforms: marketing measurement and audiences (Pixel, Custom/Lookalike Audiences, Conversion API as configured). Data may include page views, conversions, and identifiers (potentially hashed) when consent is given. Learn more: https://www.facebook.com/privacy/policy
- Cloudflare: content delivery network (CDN) and security services that can process IP addresses and traffic patterns to detect threats. Learn more: https://www.cloudflare.com/privacypolicy/
We do not sell personal data. When we share data with service providers, we do so under contractual terms intended to limit their processing to the services they provide to us. These providers may not use site data for their own independent commercial purposes.
7. International Transfers
Some of our providers operate globally and may process data outside the EEA/UK, including in the United States. Where required, we rely on recognized transfer mechanisms to protect personal data, including the EU–US Data Privacy Framework (DPF) where applicable, the UK Extension to the DPF, and Standard Contractual Clauses (EU 2021/914) as a fallback. For the UK, we may also rely on the UK International Data Transfer Agreement (IDTA) where relevant.
We assess transfers based on the nature of the data, the purpose of processing, and the safeguards in place. If you would like more details on the safeguards used for a specific transfer, contact us at [email protected].
8. Retention
We retain personal data only as long as necessary for the purposes described in this policy, unless a longer retention period is required by law. Retention periods can vary based on the type of data and the context in which it was collected.
- Contact submissions: typically up to 2 years from the last interaction.
- Analytics data: typically 14 months (depending on configuration and consent).
- Marketing cookies: retained according to cookie lifetime (for example, 90 days) and your consent choice.
- Email correspondence: for the relationship duration plus up to 1 year, unless a longer period is required to resolve a dispute.
- Server logs: typically up to 90 days for security and troubleshooting.
- Cookie consent record: up to 3 years for audit and accountability, where necessary.
- Legal and tax: retained as required by applicable law (often 6–10 years for certain records).
9. Your Rights (GDPR & UK GDPR)
If the GDPR or UK GDPR applies to you, you may have the right to request access to your personal data, rectify inaccuracies, erase data, restrict processing, object to processing, and request data portability. You may also withdraw consent at any time for consent-based processing.
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent (Art. 7(3))
- Right to lodge a complaint with a supervisory authority (Art. 77)
To exercise your rights, email [email protected]. We aim to respond within 30 days. In complex cases, we may extend by up to 60 additional days and will inform you if an extension is needed.
Supervisory authorities: For EU guidance, see https://edpb.europa.eu. For the UK, see https://ico.org.uk. Country-specific authorities include Germany https://www.bfdi.bund.de, France https://www.cnil.fr, Poland https://uodo.gov.pl, and Spain https://www.aepd.es.
10. Children
This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.
11. Do Not Track
This website does not respond to Do Not Track (DNT) browser signals. Some third-party providers may have their own approaches to DNT and similar controls. You can also limit tracking through your cookie preferences and browser settings.
12. Data Deletion Requests
If you would like us to delete personal data associated with you, email [email protected] with the subject line “Data Deletion Request”. We may ask for limited information to verify your identity and locate your data. We typically complete deletion within 30 days of verification, unless we must retain certain information to comply with legal obligations or to establish, exercise, or defend legal claims.
13. Business Transfers
If we are involved in a merger, acquisition, asset sale, financing, reorganization, insolvency, or similar transaction, personal data may be transferred to a successor or affiliate as part of that transaction. We will provide a notice on the website if the transfer materially changes how personal data is used.
14. California (CCPA / CPRA)
This section applies to California residents to the extent the California Consumer Privacy Act (CCPA), as amended by the CPRA, applies. In the past 12 months, we may have collected the following categories of personal information: identifiers (such as name, email, IP address, cookie identifiers), internet or other electronic network activity information (such as page views and interactions), and inferences (such as interests derived from browsing behavior when marketing cookies are enabled).
We do not sell personal information as defined by the CCPA. We may share personal information for cross-context behavioral advertising when marketing cookies are enabled; California residents may opt out via our cookie preferences panel (“Manage cookie preferences” in the footer).
Subject to legal limitations, California residents may have the right to know, delete, correct, and opt out of sale/sharing, and the right to non-discrimination for exercising rights. To submit a request, email [email protected] with the subject “California Privacy Request”. We will verify your request using information reasonably related to your prior interactions with us. Authorized agents must provide proof of authorization.
15. Virginia (VCDPA)
If the Virginia Consumer Data Protection Act (VCDPA) applies, Virginia residents may have rights including access, correction, deletion, portability, and the right to opt out of targeted advertising. We do not sell personal data or engage in profiling that produces legal or similarly significant effects.
To submit a request, email [email protected] with the subject “Virginia Privacy Request”. If we deny your request, you may appeal by emailing with the subject “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days. If an appeal is denied, you may contact the Virginia Attorney General.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. If a change is material, we will provide a clear notice on the website at least 14 days before the updated policy becomes effective. The “Last Updated” date at the top of this page indicates when the most recent version was published.
18. Contact
If you have questions about privacy, your rights, or this Privacy Policy, contact:
- Legal entity: Nexentra Learning GmbH
- Address: Leopoldstraße 250, Schwabing-Freimann, 80807 Munich, Germany
- Email: [email protected]
- Phone: +49 89 2153 9078
Privacy questions
For privacy questions or requests (access, deletion, correction), email [email protected]. Please include enough context for us to locate your request (for example, the email address used on the form and the approximate date of contact).