Privacy Policy
Last updated: June 2, 2026
This Privacy Policy describes how we collect, use, store, and protect your personal data when you use Goldy.ro (hereinafter referred to as "the Platform" or "the Service"). Data processing is carried out in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR), applicable Romanian data protection legislation, and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), as transposed into national law.
1. Data Controller
The Service is operated by a private individual resident in Romania, European Union, who acts as data controller within the meaning of Article 4(7) GDPR. Contact: [email protected].
The operator of Goldy.ro is solely responsible for determining the purposes and means of processing personal data collected through the Platform.
Contact email: [email protected]
Location: Romania, European Union
Platform: Goldy.ro
No Data Protection Officer (DPO) has been appointed, as the conditions requiring the designation of a DPO under Article 37 GDPR are not met in this case. Data protection inquiries or requests may be directed to: [email protected] or [email protected]. Use of these addresses does not constitute the formal appointment of a Data Protection Officer.
2. Scope of the Policy
This policy applies to all personal data processed in connection with:
- the website and educational platform
- user accounts and profiles
- educational games, lessons, fluency exercises, worksheets, and related tools
- team features, educator oversight, and parent or legal guardian access, if and when the functionality is enabled
- support and feedback communications
- OAuth authentication (Google, Facebook/Meta, Twitch)
- cookies and local storage technologies
Third-party services accessed through or in connection with the Platform may be governed by their own privacy policies, the terms of which are separate from this policy.
3. What Data We Collect
3.1 Data Provided Directly by the User
- Authentication data: your email address, stored encrypted with AES-256-GCM together with an HMAC-SHA256 lookup hash (the keyed hash lets the account be located without decrypting stored addresses), and your password, stored only as a password hash and never in plaintext; or, if you sign in with Google, Facebook/Meta, or Twitch, the OAuth authentication data described in section 3.7
- Profile information: display name, nickname, and avatar (optional)
- Preferences: display theme, language, and tool configurations
- Security data (optional): two-factor authentication (2FA) recovery codes and encrypted TOTP secret, if you enable the 2FA feature
- Pending email (pendingEmail): if you initiate an email address change, the new address is temporarily stored encrypted (AES-256-GCM) until confirmation, then replaces the current address
3.2 Data Collected Automatically
- Usage data: information about pages visited and features accessed, collected exclusively for functional and security purposes. This data is not used for commercial profiling or behavioural analysis.
- Technical data: browser type, operating system, and screen resolution
- IP addresses and security data: in normal operation, IP addresses used for security logs, rate limiting, blocked requests, and abuse prevention are transformed through hashing before storage and retained in accordance with the periods stated in Section 9. Where there are reasonable indications of abusive activity, unauthorized access attempts, brute-force attacks, spam, excessive load, attempts to bypass restrictions, or other security risks, an IP address may be temporarily included in an active technical IP block list in raw form for a maximum of 24 hours, after which it is automatically deleted.
- Cookies and local storage: essential authentication cookies, Cloudflare security cookie, preference cookies (language and theme), and browser local storage for additional settings. Full details are available in Section 12 and on the Cookie Information page.
3.3 Educational Activity Data
When you or a learner associated with your account uses educational games, we collect detailed performance data to support personalized learning:
- Problem-level results: mathematical operation type, difficulty level, answer given, correctness, and response time (measured with millisecond precision)
- Session summaries: total score, accuracy percentage, time spent
- Progress tracking: performance trends over time, areas of strength and difficulty
- Activity tracking: games played, lessons completed, practice sessions
- Adaptive spaced-repetition data: an SM-2 algorithm records individual fact mastery (e.g. 3×4, 7+8) to schedule optimal practice intervals. This data exists only within your account and is used exclusively to personalise learning.
- Skill-check and placement assessment results: if you take the optional placement quiz or in-lesson skill check, the result is stored to recommend an appropriate difficulty starting point.
- Team visibility: if and when the team functionality is enabled, a display name chosen by the account holder may be visible to other members of the same team.
This data is used exclusively for educational purposes: tracking progress, identifying learning areas requiring support, adapting content difficulty, and supporting the activities of educators and parents, when the functionality is available. Educational data is never used for advertising, commercial profiling, or any purpose unrelated to the Platform's educational functionality. The Platform does not request or intentionally collect special-category data in normal educational use.
3.4 Data Relating to Minors
Minors may use the Platform only through and under the supervision of an adult account holder (parent, legal guardian, or authorized educator). The adult account holder is responsible for providing and managing the minor’s data.
The data stored in the LinkedProfile includes: the learner’s display name, avatar (optional), age group (without exact date of birth), active/inactive status, and optionally a 4-digit quick-access PIN for switching between profiles. The PIN is stored only as a bcrypt hash; the Platform does not keep the plaintext PIN and cannot display it back to you, so a forgotten PIN can only be reset by the adult account holder from the account settings. All associated educational data is as described in section 3.3. Minors’ data is never used for advertising, commercial profiling, behavioural analysis, or any purpose not strictly related to the provision of the educational service.
3.5 Team leader and team data
Note on team/team leader features: team, team leader, and supervisor features - including their associated data - apply only if and when these features are enabled. At the time this policy was published, these features may be under construction or not yet publicly available.
- Team identification: team leader alias (optional), school or institution (optional, voluntarily provided by the team leader)
- Pedagogical settings: avatarSeed for visual identification, recommended skill level (skillLevel), daily exercise limit (dailyLimit)
- Team leader personal notes (leaderNote): free text entered by the team leader about a learner in their team, visible exclusively to that team leader and the operator
- Team invitations (TeamInvite): the invitee's email address is stored encrypted (AES-256-GCM) with an HMAC-SHA256 lookup hash. Invitations are valid for 7 days and are deleted, invalidated, or anonymised after expiry in accordance with applicable technical procedures.
- Learner progress data within the team: same data as in 3.3, accessible to the team leader for pedagogical guidance
Educator and team data are used exclusively for providing team management and pedagogical supervision functionality.
3.6 Mandatory Data and Consequences of Non-Provision
To create and maintain a user account, the following data is mandatory:
- A valid email address
- A password (for email/password authentication) or OAuth authorization (for social login)
- A display name (used to identify the user within the Platform)
All other data - including nickname, avatar, theme and language preferences, 2FA configuration, and detailed tool settings - is optional and may be provided or withheld at your discretion.
If you do not provide the mandatory data listed above, we will be unable to create or maintain your account, and you will not be able to access the authenticated features of the Service. Certain features (such as guest access to educational tools) may remain available without an account, subject to limitations.
3.7 Sources of Data
Personal data processed by the Platform is obtained from the following sources:
- Directly from the user: data provided at account creation, profile configuration, preference selection, support requests, and use of Platform features
- From OAuth providers (Google, Facebook/Meta, Twitch): if you choose to authenticate through an OAuth provider, we receive your email address and basic profile information (such as display name) from that provider, as permitted by the authorization you grant during the OAuth flow. No other data is requested or received from these providers.
- From adult account holders on behalf of minors: if a parent, legal guardian, or authorized educator creates or manages a profile for a minor, the data relating to the minor is provided by the adult account holder
- Generated automatically by the Platform: usage data, technical data, educational performance data, session data, and security logs are generated automatically as a result of your interaction with the Platform
3.8 Community Content (when enabled)
The Platform includes a community module that, at the time this policy was published, is not active. When the community functionality is enabled, adult account holders will be able to publish posts and interact with community content. The following data is collected in that context:
- Moderation: all posts are submitted to an administrator for review before publication. A post may be in "pending" (awaiting review), "published" (approved), or "rejected" (declined) state.
- Author attribution: published posts display the author's nickname (preferred over real name). If no nickname is set, the display name is used.
- Likes and interactions: when you like a post, your userId is recorded against that post to enforce a one-like-per-user limit.
- Deletion: on account deletion, all your posts (regardless of status) and all your likes are permanently deleted via an automatic cascade. Approved posts are removed from public view immediately on account deletion.
Community participation is entirely voluntary. You may delete any of your own posts at any time through the community interface. No community data is shared with third parties for commercial purposes. This policy will be reviewed and updated, if necessary, when the community module is activated.
3.9 Optional Newsletter
The Platform offers an optional newsletter containing educational tips and platform updates.
- Subscription is entirely voluntary (opt-in). We use double opt-in: you receive a confirmation email and must click a link to activate your subscription. No emails are sent before confirmation.
- Data collected: email address, optional display name, and preferred language (EN/RO). Email addresses are stored encrypted (AES-256-GCM) with an HMAC lookup hash - the same encryption used for account emails.
- Legal basis: explicit consent (Article 6(1)(a) GDPR). You may withdraw consent at any time by clicking the "Unsubscribe" link in any newsletter email or by contacting [email protected].
- A newsletter subscription does not require a Platform account. If you do hold an account, deleting it also removes your newsletter subscription.
Newsletter and transactional emails (account verification, password reset, invitations) are sent via Zoho Mail (authorised processor, server in the Netherlands, EU). Email data is not shared with third parties for commercial purposes and is used solely for delivering the relevant emails.
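The storage scheme named in sections 3.1, 3.5 and 3.9 (address encrypted with AES-256-GCM, plus an HMAC-SHA256 lookup hash so a row can be found without decrypting every stored address) is shown below as an added example in Go. It is illustrative code written for this page, not the Platform's own implementation; the key derivation, the AAD label, the in-memory table and the sample address are assumptions. The points a practitioner should take from it: the lookup hash must be keyed (a plain SHA-256 of an address can be confirmed by anyone holding a database dump), the encryption key and the HMAC key must be different secrets, and every encryption must draw a fresh nonce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// EmailRecord is the shape of the stored row: the address is never written
// in clear; only the ciphertext and a keyed lookup hash are kept.
type EmailRecord struct {
	Nonce      []byte // 96-bit random GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-256-GCM output with the 16-byte auth tag appended
	LookupHash string // hex(HMAC-SHA256(hmacKey, normalised address))
}

// ErrNotFound is returned when no row matches the lookup hash.
var ErrNotFound = errors.New("email not found")

// aad binds a ciphertext to its purpose, so a row copied into another
// encrypted column will not decrypt there. The label is an assumption.
const aad = "example:user.email"

// normaliseEmail makes lookups case-insensitive and whitespace-tolerant.
// The same normalisation must run on the write path and the read path.
func normaliseEmail(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// LookupHash is a keyed hash. An unkeyed SHA-256 would let anyone holding a
// database dump confirm a guessed address; HMAC under a secret key does not.
func LookupHash(hmacKey []byte, email string) string {
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(normaliseEmail(email)))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	if len(encKey) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptEmail builds the row to store. Every call draws a new random nonce;
// a nonce reused under the same key breaks GCM, so nonces are never derived
// from a counter or from the plaintext here.
func EncryptEmail(encKey, hmacKey []byte, email string) (EmailRecord, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return EmailRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EmailRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(strings.TrimSpace(email)), []byte(aad))
	return EmailRecord{Nonce: nonce, Ciphertext: ct, LookupHash: LookupHash(hmacKey, email)}, nil
}

// DecryptEmail recovers the address; any change to nonce, ciphertext or tag
// fails authentication and yields an error rather than a wrong address.
func DecryptEmail(encKey []byte, rec EmailRecord) (string, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EmailTable stands in for the database table, indexed by lookup hash.
type EmailTable map[string]EmailRecord

// FindByEmail does what a login handler does: hash the submitted address,
// fetch the matching row, then decrypt only that row.
func (t EmailTable) FindByEmail(encKey, hmacKey []byte, email string) (string, error) {
	rec, ok := t[LookupHash(hmacKey, email)]
	if !ok {
		return "", ErrNotFound
	}
	return DecryptEmail(encKey, rec)
}

// exampleKeys derives two fixed 32-byte keys from labels so the example is
// reproducible. Constructed for illustration only: production keys come from
// a secrets manager, and the encryption and HMAC keys are never the same.
func exampleKeys() (encKey, hmacKey []byte) {
	e := sha256.Sum256([]byte("example-encryption-key"))
	h := sha256.Sum256([]byte("example-lookup-hmac-key"))
	return e[:], h[:]
}

func main() {
	encKey, hmacKey := exampleKeys()
	table := EmailTable{}
	rec, err := EncryptEmail(encKey, hmacKey, "  Ana.Pop@Example.com ") // constructed sample address
	if err != nil {
		panic(err)
	}
	table[rec.LookupHash] = rec
	got, err := table.FindByEmail(encKey, hmacKey, "ana.pop@example.com")
	fmt.Println(got, err) // Ana.Pop@Example.com <nil>
	bad := rec
	bad.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	bad.Ciphertext[0] ^= 0x01 // one flipped byte: GCM rejects the row
	_, err = DecryptEmail(encKey, bad)
	fmt.Println(err != nil) // true
}
```

Run it with `go run`. The lookup works on the normalised form of the address, so `Ana.Pop@Example.com` and `ana.pop@example.com` resolve to the same row, while the ciphertext preserves the address as the user entered it. A flipped byte in the stored ciphertext fails GCM authentication instead of decrypting to a wrong address, which is the behaviour you want before a stored value feeds a password-reset or invitation email.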
4. Who Can Access Educational Data
| Role | Data Accessible | Purpose |
|---|---|---|
| Account holder | All data associated with their own account | Personal progress monitoring |
| Educator / Team leader (if and when the functionality is enabled) | Detailed learner analytics within their team: scores, accuracy, response times, progress trends | Personalized pedagogical guidance |
| Parent / Legal guardian (when the functionality is available) | Progress summaries and game completion data | Monitoring the child’s development |
| Platform administrator (operator) | Data necessary solely for operation, technical support, security, and legal compliance | Platform operation, integrity, and legal obligations |
Access to educational data is strictly limited to the purposes indicated above. Data is not shared with third parties for marketing, advertising, or commercial analytics purposes.
5. Purposes of Processing
We process your personal data for the following purposes:
- Creation and management of user accounts
- Authentication and access session management (including OAuth)
- Provision of educational features: games, lessons, exercises, worksheets
- Educational progress tracking and performance summary generation
- Personalization of difficulty level based on performance data
- Saving your preferences (theme, language, tool configurations)
- Team management and educator oversight functionality, if and when the functionality is enabled
- Facilitating parent or legal guardian access to learner progress data, when the functionality is available
- Platform security, fraud prevention, abuse prevention, prevention of unauthorized access, rate limiting, protection against brute-force attacks, and application of temporary technical blocking or access-restriction measures in the event of security risks
- Responding to support and feedback requests
- Compliance with applicable legal obligations
- Enforcement of the Terms and Conditions
- Defense of the operator’s rights and legitimate interests in connection with potential claims or disputes
- Sending the optional Goldy newsletter (educational tips, platform updates) to subscribers who have given their explicit consent
- Aggregate, cookieless analytics via self-hosted Umami Analytics: anonymised page views, game completion rates, and usage events to measure and improve feature adoption. No personal data, IP addresses, or individual identification are attached to these events.
- Product improvement through non-personalised A/B testing using randomly assigned session variants (A or B). No advertising, commercial profiling, or individual identification is involved.
6. Legal Basis for Processing
| Processing Activity | GDPR Article | Explanation |
|---|---|---|
| Account creation and authentication | Art. 6(1)(b) | Necessary for providing the service requested by the user |
| Educational features and progress tracking | Art. 6(1)(b) | Core service functionality |
| Team management and educator oversight, if and when the functionality is enabled | Art. 6(1)(b) | Service provision within the educational context |
| Facilitating parent or legal guardian access, when the functionality is available | Art. 6(1)(b) | Service provision at the account holder’s request |
| Two-factor authentication (2FA) | Art. 6(1)(b) | Optional security feature for protecting access to the service |
| Security logs, blocked requests, hashed/pseudonymized IP addresses, rate limiting, anti-abuse, and temporary technical IP block list | Art. 6(1)(f) | Legitimate interest: platform security, abuse prevention, prevention of unauthorized access, protection against brute-force attacks, and protection of service availability. Raw IP addresses may be retained only in the active technical IP block list for a maximum of 24 hours; logs relating to blocked requests or security events retain IP addresses only in hashed/pseudonymized form. |
| Strictly necessary cookies (auth, CSRF, Cloudflare) | Art. 6(1)(b) + ePrivacy | Strictly necessary for service provision; exempt from consent |
| Preference cookies (language, theme) | Art. 6(1)(b) + ePrivacy | Functional interface personalisation; language cookie may be auto-set on first visit from the browser’s Accept-Language header; theme defaults to ‘dark’ on first visit; both updated on each explicit user selection (EDPB/WP194) |
| Legal compliance | Art. 6(1)(c) | Compliance with applicable legal obligations |
| Support, dispute handling, defense of legal claims | Art. 6(1)(f) and/or Art. 6(1)(c) | Legitimate interest and/or legal obligation |
| Newsletter subscription and sending | Art. 6(1)(a) | Explicit consent: double opt-in via confirmation email. You may withdraw consent at any time by clicking the unsubscribe link in any newsletter. |
| Aggregate, cookieless analytics (Umami) | Art. 6(1)(f) | Legitimate interest: measuring platform usage through anonymised, cookieless Umami Analytics hosted on EU infrastructure. No personal data or cross-user tracking. |
| Non-personalised A/B testing | Art. 6(1)(f) | Legitimate interest: product improvement through random variant assignment. No advertising, commercial profiling, or individual identification. |
The Service does not use personal data for advertising or commercial profiling purposes.
The Service does not carry out automated decision-making producing legal effects or similarly significant effects on data subjects within the meaning of Article 22 GDPR. The automated adaptation of educational content difficulty is performed exclusively for pedagogical purposes and does not produce such effects.
7. Legitimate Interests (Article 6(1)(f) GDPR)
Where processing is based on the operator’s legitimate interest under Article 6(1)(f) GDPR, the specific interests pursued are as follows:
- Platform security and integrity: monitoring access patterns, detecting and preventing unauthorized access, brute-force attacks, DDoS attacks, and other security threats. This is necessary to maintain the availability, confidentiality, and integrity of the Platform for all users.
- Fraud and abuse prevention: detecting and preventing fraudulent, abusive, or malicious activity, including the misuse of accounts, manipulation of educational data, and exploitation of Platform features. This interest is proportionate because it is limited to automated technical measures and does not involve profiling for commercial purposes.
- Rate limiting and overload protection: enforcing rate limits on API requests and authentication attempts to protect Platform infrastructure and ensure fair access for all users.
- Security logging and abuse prevention: retaining security-relevant logs, including timestamps, access patterns, authentication events, blocked requests, and IP addresses transformed through hashing before storage, for a limited period, for the purpose of detecting, preventing, and investigating security incidents. Where there are reasonable indications of active abuse or a security risk, the originating IP address may be retained in raw form in an active technical IP block list for a maximum of 24 hours, after which it is automatically deleted. Separately, logs relating to blocked requests or security events may be retained for a maximum of 14 days, with IP addresses transformed through hashing before storage. Log data and entries in the block list are used exclusively for security, abuse prevention, protection of service availability, and enforcement of the Terms and Conditions, and are not shared with third parties for commercial purposes.
- Dispute resolution and defense of legal claims: retaining data necessary to establish, exercise, or defend legal claims arising from or in connection with the use of the Service, including enforcement of the Terms and Conditions. This retention is time-limited to applicable statute of limitations periods.
- Support and service communications: processing personal data to respond to user support requests, bug reports, and feedback. This is proportionate because it only involves data voluntarily provided by the user in the context of the communication.
In all cases, the operator has assessed that these legitimate interests are not overridden by the fundamental rights and freedoms of data subjects, taking into account the nature, scope, context, and purposes of the processing, the reasonable expectations of users, and the safeguards applied. This assessment also specifically considered minors whose educational data may be processed through adult-managed accounts: minors' data is not used for commercial profiling, advertising, or purposes unrelated to educational functionality, access is strictly limited as set out in Section 4, and the safeguards, minimization measures, access controls, and security measures described in this policy apply equally to minors' data.
8. How We Use Data
The data collected is used for the following:
- Service provision: operating the educational Platform, including games, lessons, fluency exercises, worksheets, and related tools
- Authentication and account management: processing authentication (email/password or OAuth), session management, CSRF protection
- Saving preferences: theme, language, tool configurations, and accessibility options
- Educational progress tracking: recording results, generating session summaries, tracking performance trends
- Difficulty personalization: automated adaptation of difficulty levels based on performance data, exclusively for educational purposes
- Team and oversight features: facilitating educator and parent access to relevant progress data, if and when the functionality is enabled
- Platform improvement: optimizing features and user experience, based on aggregated and de-identified data where possible
- Security and abuse prevention: security monitoring, rate limiting, protection against brute-force attacks, prevention of unauthorized access, and application of temporary technical blocking or access-restriction measures in the event of security risks
- Support and communications: responding to support requests and delivering important account or service notifications
- Legal compliance: compliance with applicable legal obligations, including responding to official requests
- Enforcement and defense of rights: enforcement of the Terms and Conditions and defense of legal claims
- Newsletter: sending the optional Goldy newsletter to subscribers who have given their explicit consent
9. Data Storage and Retention
Permanent data is stored on European Union infrastructure (Germany, European Union, and/or other EU locations if the infrastructure is later modified). The Platform applies or will apply technical and organisational procedures to delete or anonymise data in accordance with the stated retention periods. The operator reviews these procedures periodically.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (email, profile, preferences) | Duration of account; deleted after 24-hour grace period upon deletion request | Service provision |
| Educational and game data | Duration of account. Upon deletion, game results may be retained only after removal of direct identifiers (userId and, where applicable, profileId), to the extent applicable, and may be retained for up to 24 months for aggregated statistics, system integrity, and service improvement. | Learning history and progress; statistical integrity and aggregate analysis on de-identified data. |
| Login history and session data | 90 days | Security and unauthorized access detection |
| IP addresses - blocked-request/security logs (hashed/pseudonymized) and active technical IP block list (raw) | Hashed/pseudonymized IPs in blocked-request/security logs: maximum 14 days; raw IPs in the active technical IP block list: maximum 24 hours, with automatic deletion | Attack detection, rate limiting, abuse prevention, prevention of unauthorized access, and protection of service availability. Hashed log entries are not reversible in normal operation. Raw IP addresses in the active technical block list are used exclusively to apply temporary blocking and are automatically deleted after a maximum of 24 hours. |
| Security logs (access patterns, errors, application events without raw IP addresses) | 90 days | Security incident detection and investigation. Any IP address data in these logs is processed according to the IP address row above. |
| Session and CSRF tokens | Until session expiry | Session operation and CSRF protection |
| OAuth tokens (access_token, refresh_token, id_token) | Stored for the duration of the linked OAuth account connection; deleted on account disconnection or account deletion | Required to provide OAuth-based sign-in without the user re-authorising each session |
| Feedback and support messages | 2 years from last interaction, then deleted or retained in aggregated, de-identified form | Support continuity and service improvement |
| Backup copies | Maximum 30–90 days, until overwritten in normal cycle | Disaster recovery |
| Guest progress data (localStorage) | Controlled by browser; not stored on servers | Device/browser-specific |
| Activity/operational audit logs that do not include raw IP addresses and do not extend the retention of pseudonymised IP addresses | Up to 12 months, after which they are deleted, aggregated, or de-identified in accordance with applicable procedures | Operational audit trail, security, abuse prevention, and legitimate interest (Art. 6(1)(f)) |
| Team member profiles (alias, skill level, teacher notes) | Deleted when member account is deleted; or 90 days after team is archived, whichever comes first | Educational service provision; deleted in accordance with applicable procedures upon account deletion and archive cleanup |
| Community posts and likes | Published posts: duration of account, deleted when account is deleted. Pending or rejected posts: deleted after 30 days from creation or rejection, whichever is earlier according to the implemented cleanup procedure, or upon account deletion. | Platform community feature; deleted in accordance with applicable procedures upon account deletion |
| Newsletter subscriber email addresses | Until unsubscription or account deletion. Unsubscribed records are de-identified or anonymised within 30 days. | Consent-based newsletter delivery; right to withdraw consent at any time |
| Team invitations (TeamInvite - encrypted email) | Valid for 7 days; deleted, invalidated, or anonymised after expiry in accordance with applicable technical procedures. | Invitation functionality; limitation of invitee data storage. |
- Upon a deletion request, the account is disabled promptly. A 24-hour grace period applies during which you may cancel the deletion and reactivate the account.
- After the grace period expires, personal data is deleted from active systems.
- Residual data in backup copies is overwritten within the normal backup cycle (maximum 30–90 days) for disaster recovery purposes.
- Certain data may be retained in aggregated, de-identified form rather than deleted, where such processing is lawful and proportionate (e.g., aggregated statistical data for product improvement). Where retained, such data is processed in a manner that no longer permits direct identification of the data subject.
- Data may be retained beyond the periods indicated above only where required by applicable law or legal obligation.
- Certain residual data may remain temporarily in technical logs, backups, or archived systems for a limited period, where technically necessary or required by law.
Regarding team data specifically:
- When a learner leaves a team, their team membership record is marked inactive. Their team member profile (alias, skill level, teacher notes) is deleted when their account is deleted, or 90 days after team archiving, whichever comes first. Game results may be retained after removal of direct identifiers, to the extent applicable, and only if they are no longer used to identify the data subject.
- When a team is archived, data is retained for 90 days for export, after which member profiles are deleted in accordance with applicable technical procedures.
- When the team leader's account is deleted, the team remains but the leader role becomes vacant.
Retention of activity logs for a longer period does not extend the retention of IP addresses in blocked-request or security logs, which remains limited to a maximum of 14 days, with IP addresses transformed through hashing before storage.
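The two IP retention tracks described in sections 3.2, 7 and 9 (security events logged under a hashed address for at most 14 days; the raw address held only in an active block list for at most 24 hours and deleted automatically) are sketched below as an added Go example. It is not the Platform's code: the brute-force window and threshold, the HMAC key, the in-memory store and the sample addresses (taken from the TEST-NET documentation ranges) are assumptions made for the example. It also shows the condition under which a hashed log entry is actually non-reversible: the hash must be keyed, because an unkeyed hash of an IPv4 address is inverted by enumerating the candidate addresses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/netip"
	"time"
)

// Retention clocks as stated in the policy; the brute-force window and
// threshold are assumptions for this example.
const (
	LogRetention       = 14 * 24 * time.Hour // hashed IPs in blocked-request logs
	BlockListRetention = 24 * time.Hour      // raw IPs in the active block list
	failureWindow      = 10 * time.Minute
	failureThreshold   = 5
)

// PseudonymiseIP is a keyed hash. The secret key is what makes the stored
// value non-reversible: without it an IPv4 address is one of only 2^32
// candidates and a precomputed table inverts every log line.
func PseudonymiseIP(key []byte, ip netip.Addr) string {
	mac := hmac.New(sha256.New, key)
	b := ip.As16() // canonical 16-byte form: v4 and v4-mapped v6 hash alike
	mac.Write(b[:])
	return hex.EncodeToString(mac.Sum(nil)[:16]) // 128 bits is enough to correlate
}

// UnkeyedIPHash is the anti-pattern, kept only to demonstrate the reversal.
func UnkeyedIPHash(ip netip.Addr) string {
	b := ip.As16()
	sum := sha256.Sum256(b[:])
	return hex.EncodeToString(sum[:16])
}

// ReverseUnkeyed inverts an unkeyed hash by enumerating a candidate prefix.
// A full IPv4 sweep is 2^32 hashes, well within reach of one machine.
func ReverseUnkeyed(target string, candidates netip.Prefix) (netip.Addr, bool) {
	for a := candidates.Masked().Addr(); candidates.Contains(a); a = a.Next() {
		if UnkeyedIPHash(a) == target {
			return a, true
		}
	}
	return netip.Addr{}, false
}

// SecurityEvent is a blocked-request / security log line: pseudonym only.
type SecurityEvent struct {
	At     time.Time
	Kind   string // e.g. "auth_failure", "rate_limited"
	IPHash string
}

// AbuseStore holds the hashed event log and the raw-IP block list separately,
// because they have different purposes and different retention clocks.
type AbuseStore struct {
	key    []byte
	events []SecurityEvent
	blocks map[netip.Addr]time.Time // raw IP -> block expiry
}

func NewAbuseStore(key []byte) *AbuseStore {
	return &AbuseStore{key: key, blocks: map[netip.Addr]time.Time{}}
}

// IsBlocked is the request-path check. It needs the raw address because the
// client identifies itself by its raw address, not by a pseudonym.
func (s *AbuseStore) IsBlocked(now time.Time, ip netip.Addr) bool {
	exp, ok := s.blocks[ip]
	return ok && now.Before(exp)
}

// Observe logs the event under the pseudonym and, once the same pseudonym
// has accumulated enough auth failures inside the window, puts the raw IP on
// the block list with a 24-hour expiry. Returns true when a block is applied.
func (s *AbuseStore) Observe(now time.Time, kind string, ip netip.Addr) bool {
	h := PseudonymiseIP(s.key, ip)
	s.events = append(s.events, SecurityEvent{At: now, Kind: kind, IPHash: h})
	if kind != "auth_failure" {
		return false
	}
	n := 0
	for _, ev := range s.events {
		if ev.Kind == "auth_failure" && ev.IPHash == h && now.Sub(ev.At) <= failureWindow {
			n++
		}
	}
	if n < failureThreshold {
		return false
	}
	s.blocks[ip] = now.Add(BlockListRetention)
	return true
}

// Purge enforces both retention clocks; a scheduled cleanup job would run it.
func (s *AbuseStore) Purge(now time.Time) (droppedBlocks, droppedEvents int) {
	for ip, exp := range s.blocks {
		if !now.Before(exp) {
			delete(s.blocks, ip)
			droppedBlocks++
		}
	}
	kept := s.events[:0]
	for _, ev := range s.events {
		if now.Sub(ev.At) < LogRetention {
			kept = append(kept, ev)
		} else {
			droppedEvents++
		}
	}
	s.events = kept
	return droppedBlocks, droppedEvents
}

func (s *AbuseStore) EventCount() int { return len(s.events) }
func (s *AbuseStore) BlockCount() int { return len(s.blocks) }

func main() {
	key := sha256.Sum256([]byte("example-ip-hmac-key")) // constructed; use a managed secret in production
	store := NewAbuseStore(key[:])
	attacker := netip.MustParseAddr("203.0.113.42") // constructed sample, TEST-NET-3
	t0 := time.Date(2026, 6, 2, 12, 0, 0, 0, time.UTC)
	for i := 0; i < failureThreshold; i++ {
		store.Observe(t0.Add(time.Duration(i)*time.Second), "auth_failure", attacker)
	}
	fmt.Println(store.IsBlocked(t0.Add(5*time.Second), attacker))            // true
	fmt.Println(store.IsBlocked(t0.Add(BlockListRetention+time.Minute), attacker)) // false
	store.Purge(t0.Add(LogRetention + time.Minute))
	fmt.Println(store.EventCount(), store.BlockCount()) // 0 0
	found, ok := ReverseUnkeyed(UnkeyedIPHash(attacker), netip.MustParsePrefix("203.0.113.0/24"))
	fmt.Println(found, ok) // 203.0.113.42 true
}
```

The split matters for the policy's promises: the block list is the only place a raw address lives, and it expires on its own clock, while correlation (how many failures came from the same client in the last ten minutes) runs on the keyed pseudonym and never needs the raw address back. Rotating the HMAC key no more often than the 14-day log retention keeps pseudonyms correlatable for as long as the log exists and unlinkable after it.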
10. Third-Party Processors and Data Sharing
We do not sell your personal data or disclose it for commercial purposes, except where required by law. We do not share data with advertisers, marketing networks, analytics providers, or data brokers.
Personal data may be accessed only by the operator and by processors or service providers strictly necessary for the provision of the Service, security, technical support, hosting, and legal compliance, solely to the extent necessary to fulfill those purposes.
| Provider | Purpose | Location | Data Shared | International Transfer? | Safeguards |
|---|---|---|---|---|---|
| Hetzner Online GmbH (VPS/hosting) | Application, database, and file hosting | Germany (EU) | All application data | No | EU infrastructure; data processing agreement (DPA) signed with Hetzner |
| Cloudflare, Inc. | CDN, security, DDoS protection | US (with EU infrastructure) | Cloudflare may temporarily process HTTP requests, technical headers, security cookies, and IP addresses, including in raw form at edge infrastructure level, for security, anti-abuse filtering, DDoS protection, and performance optimisation. Within Goldy.ro's own systems, IP addresses are stored in raw form only in the active technical IP block list, for a maximum of 24 hours; in blocked-request logs or security-event logs, IP addresses are stored in hashed/pseudonymized form in accordance with the stated retention periods. | Limited | SCCs, EU-U.S. Data Privacy Framework, and/or other appropriate safeguards |
| Google LLC | OAuth authentication (optional) | US | Email, basic profile data (at sign-in only) | Yes, at sign-in | SCCs, EU-U.S. Data Privacy Framework, and/or other appropriate safeguards |
| Meta Platforms, Inc. | OAuth authentication (optional) | US | Email, basic profile data (at sign-in only) | Yes, at sign-in | SCCs, EU-U.S. Data Privacy Framework, and/or other appropriate safeguards |
| Twitch Interactive, Inc. (Amazon) | OAuth authentication (optional) | US | Email, basic profile data (at sign-in only) | Yes, at sign-in | SCCs, EU-U.S. Data Privacy Framework, and/or other appropriate safeguards |
| Zoho Mail / Zoho Corporation | Sending the optional newsletter and transactional emails (account verification, password reset, invitations, and notifications) via Zoho Mail | EU, with possible limited group-level processing per applicable DPA/SCCs | Recipient email address and content of the sent email; minimum technical delivery data. Communications are protected by TLS where applicable. | Possibly limited, per service configuration and applicable contractual safeguards | Zoho DPA; Standard Contractual Clauses (SCCs), where applicable |
OAuth provider tokens (access_token, refresh_token, id_token) are stored in an encrypted database record linked to your account for the duration of the OAuth connection. These tokens are used solely to provide OAuth-based sign-in and are deleted when you disconnect the OAuth provider or delete your account. All account data is stored exclusively on EU infrastructure.
Use of OAuth providers is also subject to their own privacy policies.
We may disclose data where required by law, court order, or legal request.
We do not knowingly transfer personal data to countries that do not have an adequate legal transfer mechanism, without appropriate GDPR-compliant safeguards.
The platform uses self-hosted Umami Analytics (cookie-free, privacy-focused analytics). Anonymous page views and a small set of behavioural events are recorded; no personal data, IP addresses, or user-identifiable information is attached. Analytics data is stored on Goldy's own EU infrastructure and is not shared with third parties.
The platform does not use Google Analytics, Facebook Pixel, Amazon Advertising, behavioural advertising services, or any other third-party tracking/profiling technology.
Error monitoring (GlitchTip / Sentry-compatible, optional): if GLITCHTIP_DSN is configured, the Platform may collect technical error events, stack traces, browser/device metadata, request context, and a pseudonymised user identifier (12-character SHA-256 hash) where applicable, solely for security, debugging, and service reliability. Error monitoring is disabled when no DSN is configured. If the service is hosted outside the operator’s own EU infrastructure, the applicable processor and transfer safeguards will be documented before activation.
11. International Data Transfers
Permanent account and application data is stored exclusively on European Union infrastructure (Hetzner Online GmbH, Germany, under a signed DPA; and/or other EU locations if the infrastructure is later modified).
Limited international transfers may occur in the following situations:
- OAuth authentication (optional): if you choose to sign in through Google, Facebook, or Twitch, the authentication request and your email address are processed by these companies, which are based in the United States. This processing is limited to the authentication flow. After completion, account data remains stored in the EU.
- Cloudflare (CDN/security): Cloudflare may temporarily process HTTP requests, technical headers, security cookies, and IP addresses, including in raw form at edge infrastructure level, for security, anti-abuse filtering, DDoS protection, and performance optimisation. This edge-level processing by Cloudflare is separate from processing within Goldy.ro's own systems, where IP addresses are stored in raw form only in the active technical IP block list, for a maximum of 24 hours; in blocked-request logs and security-event logs they are stored only in hashed/pseudonymised form, in accordance with the stated retention periods. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF) and processes data under a data processing agreement. Account data is not stored at Cloudflare.
These transfers are protected by one or more of the following mechanisms: Standard Contractual Clauses (SCCs) approved by the European Commission; adequacy decisions; the EU-U.S. Data Privacy Framework (where the recipient is certified); and/or other legally approved transfer mechanisms under Chapter V GDPR.
You may request a copy of the applicable safeguards by contacting the operator at [email protected].
Should additional international transfers become necessary in the future, they will be carried out only with adequate safeguards in accordance with GDPR.
International processing is limited to the purposes described above and is carried out only to the extent necessary for the provision of the respective features, with applicable legal safeguards.
12. Cookies and Local Storage
This Platform uses only strictly necessary cookies and preference cookies, as well as browser local storage. No third-party analytics, advertising, marketing, remarketing, behavioural profiling, or cross-site tracking cookies are used. The platform uses self-hosted, cookieless Umami Analytics, which collects anonymised page view and event data and does not identify individual users.
| Cookie / Key | Provider | Type | Purpose | Duration | Legal Basis |
|---|---|---|---|---|---|
| __Host-authjs.csrf-token | First party (NextAuth.js) | Cookie | CSRF attack protection | Session | Art. 6(1)(b) + ePrivacy exemption |
| __Secure-authjs.callback-url | First party (NextAuth.js) | Cookie | OAuth redirect URL storage | Session | Art. 6(1)(b) + ePrivacy exemption |
| __Secure-authjs.session-token | First party (NextAuth.js) | Cookie | Session maintenance | Session or until expiry; JWT maxAge 24 hours; forced re-authentication after 7 days of inactivity | Art. 6(1)(b) + ePrivacy exemption |
| cf_clearance | Cloudflare | Third-party cookie | DDoS and bot protection | Variable (typically up to 24h; set by Cloudflare) | Art. 6(1)(b) + Art. 6(1)(f) + ePrivacy exemption |
| language | First party | Cookie | Remembers selected language | 1 year | Art. 6(1)(b) + ePrivacy (user-requested personalization) |
| theme | First party | Cookie | Remembers selected display theme | 1 year | Art. 6(1)(b) + ePrivacy (user-requested personalization) |
| localStorage keys | First party (browser) | Local storage | Tool settings, game progress, accessibility, guest data, onboarding calibration, and non-personalised A/B variant assignment | Persistent until cleared by user | Art. 6(1)(b) + ePrivacy exemption |
| csrf-token | First party (custom proxy) | Cookie | CSRF attack protection for non-NextAuth form endpoints (double-submit cookie pattern) | 4 hours | Art. 6(1)(b) + ePrivacy exemption |
The language cookie is set automatically on your first visit based on your browser’s language settings (Accept-Language header), and is updated whenever you explicitly select a different language. The theme cookie defaults to ‘dark’ on first visit if no prior preference is stored; both cookies are updated on every explicit selection. Because these cookies serve functional personalization of the interface, they are exempt from the separate consent requirement under Article 5(3) of the ePrivacy Directive, per EDPB/WP194 guidance.
A transparency notice regarding cookies and local storage may be displayed on first visit. As the platform does not use optional analytics, marketing, or advertising cookies, this notice is informational and allows the user to confirm that they have taken note of the information regarding the technologies used. The confirmation is stored in localStorage under the key goldy_cookie_consent. No additional tracking technology is activated as a result of this confirmation.
The exact names, durations, and technical attributes of cookies may vary slightly depending on the framework version, production configuration, or third-party providers; however, the categories, purposes, and legal bases remain as described in this policy.
For additional detail about each cookie, duration, and control options, see the Cookie Information.
13. Data Security
We apply appropriate technical and organizational measures to protect your data, including:
- Encryption in transit: all communications are protected via HTTPS/TLS
- Password hashing: passwords are stored exclusively in hashed form, not in plain text
- Encryption and hashing of sensitive data: email addresses, OAuth tokens, 2FA secrets, and email addresses in invitations are encrypted using AES-256-GCM where applicable; lookup hashes use HMAC-SHA256; IP addresses in blocked-request logs, security-event logs, and session tracking are pseudonymised using HMAC-SHA256 (keyed hash) before storage, in accordance with the declared retention periods
- Secure authentication: implemented via NextAuth.js with integrated session protection
- CSRF protection: CSRF tokens to prevent cross-site request forgery attacks
- Access controls: role-based and privilege-based access restrictions
- Monitoring and logging: activity monitoring for security incident detection
- Rate limiting: protective measures against brute-force attacks and overloading
- Temporary technical IP block list: IP addresses associated with abusive activity or security risk may be temporarily added to an active block list for a maximum of 24 hours, with automatic deletion upon expiry
- Security patches and updates: periodic application of security fixes and updates
- Backups: periodic encrypted local backups on hosting infrastructure (Hetzner, Germany) and encrypted offsite backups via rclone, for disaster recovery
Although we apply reasonable and appropriate safeguards, no information system or internet-based service can guarantee absolute security or the complete elimination of all risk.
14. GDPR Rights
Under GDPR, you have the following rights with respect to your personal data:
| Right | GDPR Article | Description | How to Exercise | Response Time |
|---|---|---|---|---|
| Right of access | Art. 15 | Receive confirmation of data processing and a copy of the personal data held | Account settings or email request | 30 days |
| Right to rectification | Art. 16 | Request correction of inaccurate data or completion of incomplete data | Account settings or email request | 30 days |
| Right to erasure | Art. 17 | Request deletion of your data (“right to be forgotten”), subject to legal exceptions | Account settings (delete account) or email request | 30 days |
| Right to restriction | Art. 18 | Request limitation of processing in certain circumstances | Email request | 30 days |
| Right to data portability | Art. 20 | Receive your data as a downloadable archive (ZIP) containing a machine-readable JSON file, a human-readable PDF summary, and a key legend for interpreting the JSON fields | Account settings (export) or email request | 30 days |
| Right to object | Art. 21 | Object to processing based on legitimate interests | Email request | 30 days |
| Right to withdraw consent | Art. 7(3) | Withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal | Unsubscribe link for newsletter where applicable, or request by email. For processing necessary to provide the service, ceasing processing may require disabling certain features or deleting the account. | 30 days |
| Right to lodge a complaint | Art. 77 | Lodge a complaint with the supervisory authority (ANSPDCP, Romania) | Directly with ANSPDCP (https://www.dataprotection.ro) | N/A |
Additional Information on Exercising Your Rights
- Email for requests: [email protected] - include the email address associated with your account and the details of your request.
- Identity verification: for security purposes, we may verify your identity before processing a request.
- Response period: we will respond within 30 days of receiving the request. This period may be extended by an additional 60 days for complex or multiple requests, with prior notification, in accordance with Article 12(3) GDPR.
- Cost: requests are generally free of charge. We reserve the right to charge a reasonable fee or refuse requests that are manifestly unfounded or excessive, in accordance with Article 12(5) GDPR.
- Supervisory authority: you have the right to lodge a complaint with ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal), Romania - https://www.dataprotection.ro.
Where you object to processing based on legitimate interest, we will assess your request in accordance with the GDPR. Certain processing strictly necessary for the security of the service, abuse prevention, or the defence of rights may continue where there are compelling legitimate grounds or applicable legal obligations.
For a structured request with automatic tracking, you may also use the Data Subject Request form at /dsar. This generates a reference number for your records and for our compliance audit trail.
15. Account Deletion and Data Export
You may request an export of your personal data as a downloadable ZIP archive containing a machine-readable JSON file, a human-readable PDF summary, and a key legend for interpreting the JSON fields. For security and abuse prevention purposes, exports may be reasonably limited in frequency.
- Upon a deletion request, the account is disabled promptly.
- A 24-hour grace period applies during which you may cancel the deletion and reactivate the account.
- After the grace period expires, personal data is deleted from active systems.
- Residual data in backup copies is overwritten within the normal backup cycle (maximum 30–90 days) for disaster recovery purposes.
- Certain data may be retained in aggregated, de-identified form where such processing is lawful and proportionate (e.g., aggregated statistical data). Where retained, such data is processed in a manner that no longer permits direct identification of the data subject.
- Data may be retained beyond the standard periods where required by law or legal obligation.
- Certain residual data may remain temporarily in technical logs, backups, or archived systems for a limited period, where technically necessary or required by law.
16. Children and Age Requirement
- Account holders must be at least 18 years old.
- Minors (under 18) may use the Platform only through and under the supervision of an adult account holder: a parent, legal guardian, or authorized educator.
- The adult account holder is legally responsible for the minor’s use of the Service, for data created or provided in connection with the account, and for exercising GDPR rights on behalf of the minor.
- The educator who creates or manages a learner profile for a minor declares and warrants that they hold the legal authority, institutional mandate, or necessary consent from the parent, legal guardian, or competent institution. The Platform does not independently verify these authorisations, except where required by law, where there are reasonable indications of abuse, or where clarification of a dispute is necessary.
- The GDPR rights of the minor (access, rectification, erasure, etc.) are exercised by the adult account holder on the minor’s behalf, until the minor reaches the age of legal capacity.
- The Service does not permit and does not intend to permit the creation of independent accounts by minors. Accounts identified as having been created by minors without adult supervision may be suspended or deleted.
- Minor data is not used for advertising, commercial profiling, behavioural analysis, or any purpose not strictly related to the Platform’s educational functionality.
17. Team leaders, teams and personal notes
Team leaders using team management features declare and warrant that they hold the legal authority, institutional mandate, or necessary consent to create and manage learner profiles in their team, including parental or legal guardian consent where required.
Team leader personal notes (leaderNote) are free text entered by the team leader about a learner. They are visible exclusively to that team leader and, where operationally or legally necessary, to the operator. The educator is responsible for the content of these notes and for complying with GDPR principles when entering them (minimisation, accuracy, relevance).
In the event of disputes regarding access to a minor learner's data (e.g. between a team leader and the parent/legal guardian), the operator may request supporting documents and, upon finding lack of authorisation, may restrict access or delete the relevant data. The operator cannot arbitrate disputes regarding parental or guardianship authority.
18. Special category data (sensitive)
The platform does not intentionally collect, request or process special category data under Article 9 GDPR: health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning sex life or sexual orientation.
If a user voluntarily enters such data in free-text fields (notes, support messages), it will be treated with the same level of protection as other data and not used for other purposes. Users are responsible for the data they enter in free-text fields on the platform.
If the operator identifies or is notified of the introduction of such data, it may delete, restrict, anonymise, or request modification of the relevant content, to the extent permitted by law and proportionate to the identified risk.
19. Automated decisions and profiling
The platform uses automated algorithms exclusively for pedagogical purposes: adaptive difficulty adjustment and spaced repetition scheduling (SM-2 algorithm) are performed automatically based on recorded performance data.
These automated processes do not constitute "automated decisions with significant legal or similar effect" under Article 22 GDPR. They do not affect the rights, interests or legal status of users and can be deactivated by deleting progress data or the account.
The platform does not use personal data for commercial profiling, behavioural marketing or any form of automated decision-making unrelated to educational functionality.
20. Aggregated, anonymised, or de-identified data
The platform may generate and use aggregated and anonymised statistical data (e.g. total number of exercises completed platform-wide, average accuracy rates by operation type) for service improvement and internal reporting.
Aggregated data does not permit direct or indirect identification of any data subject and is not subject to individual GDPR rights. It may be retained indefinitely in this form.
Upon account deletion, game results (GameResult) may be retained only after removal of direct identifiers, including userId and, where applicable, profileId or other identifiers that would permit direct association with the data subject. Such de-identified data may be retained for up to 24 months for statistical integrity, service improvement, and aggregate analysis, provided it is no longer used to identify the data subject.
21. User responsibility
Users are responsible for the accuracy of data provided to the platform, for the security of their authentication credentials (password, 2FA code) and for maintaining the confidentiality of their account.
Team leaders and parents/legal guardians who manage learner profiles are responsible for the appropriate use of data accessible through the platform, in accordance with GDPR principles and the educational purpose of the platform.
Any unauthorised use of data accessed through the platform or any unauthorised access to other users' data is prohibited and may result in account suspension and notification of the competent authorities.
22. Security incident notification (data breaches)
In the event of a security incident involving personal data (data breach), the operator will assess the risk and act in accordance with GDPR requirements.
If the incident poses a risk to the rights and freedoms of data subjects, the operator will notify the supervisory authority (ANSPDCP in Romania) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.
If the incident poses a high risk to data subjects, they will be notified directly without undue delay, in accordance with Article 34 GDPR.
The operator documents security incidents involving personal data and applies reasonable internal measures for identification, assessment, containment, and remediation. The operator aims to maintain an internal incident response procedure proportionate to the nature and scale of the service.
23. Changes to This Policy
This policy may be updated from time to time. Significant changes will be communicated through the Platform or, where feasible, by email to the address associated with your account.
This policy will be updated specifically upon: activation of the community module, activation of Umami Analytics, or introduction of any new data-processing service. If the purposes of data processing change significantly, users will be informed before the new processing is applied, in accordance with the applicable GDPR requirements.
The “Last updated” date at the top of the document always reflects the most recent version. We recommend reviewing this policy periodically to stay informed of any changes.
24. Contact and Complaints
For any questions, requests, or inquiries regarding this policy or the exercise of your rights under GDPR:
General email: [email protected]
Data protection email: [email protected] | DPO requests: [email protected] (this email does not constitute the formal appointment of a Data Protection Officer)
Location: Romania, European Union
Platform: Goldy.ro
You also have the right to lodge a complaint with the National Authority for the Supervision of Personal Data Processing (ANSPDCP), Romania - https://www.dataprotection.ro - if you believe your rights have been violated.