Privacy Policy

Status: November 2025

Thank you for your interest in our language school. The protection of your privacy is of the utmost importance to us. Below we inform you in detail about how we handle your data.

1. Controller for Data Processing

Responsible for the collection, processing and use of your personal data within the meaning of Art. 4 No. 7 GDPR is:

SmartGerman Language School

Represented by: Anastasia Sitov

Hüttenstraße 24a

30165 Hannover

Germany

Phone: +49 171 4758620

E-Mail: info@smart-german.com

2. Hosting and Server Log Files

We host our website at IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. IONOS acts as a processor with whom a data processing agreement exists.

When visiting our website, information is automatically transmitted by your browser and stored in server log files:

- IP address of the requesting computer

- Date and time of access

- Name and URL of the retrieved file

- Amount of data transferred

- Notification of successful retrieval

- Browser type and version

- Operating system of the user

- Referrer URL (previously visited page)

Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in the technical provision and security of the website).

Storage period: The log files are automatically deleted after a maximum of 7 days.

3. Cookies and LocalStorage

Our website uses localStorage (a browser-side storage technology) and technically necessary cookies to ensure the functionality of the website. These technologies are used exclusively for the following purposes:

- Storage of your language selection (German, English, Russian, Ukrainian)

- Session management for forms

- Technical functionality of the website

Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest) and § 25 Para. 2 TTDSG (technically necessary cookies/storage).

This storage is technically necessary for the convenient use of the website and takes place without consent. No tracking or profiling takes place.

4. Course Registration and Participant Management (Supabase)

For the management of course registrations, waiting lists and participant data, we use Supabase, a database service provider. Data processing takes place in the EU (Frankfurt).

Provider: Supabase Inc. / Supabase Germany GmbH

Processed data:

- Name, First Name

- Address (Street, ZIP, City)

- E-Mail Address

- Phone Number

- Course request and language level

- Registration date

Purpose: Management of course registrations, waiting lists, communication with participants, organization of lessons.

Legal basis: Art. 6 Para. 1 lit. b GDPR (contract initiation and execution) and Art. 6 Para. 1 lit. f GDPR (legitimate interest in efficient course management).

Storage period: Course data (name, contact, participation) are stored for up to 3 years after the end of the course. Invoice data are kept for 10 years (statutory retention obligation according to HGB/AO). Registration forms for offline registration are kept for 10 years (obligation to provide proof).

A data processing agreement pursuant to Art. 28 GDPR exists with Supabase.

5. Invoicing and Accounting (Papierkram.de)

We use the service Papierkram.de for the creation and management of invoices.

Provider: Papierkram GmbH, Grünberger Str. 54, 10245 Berlin, Germany

Processed data:

- Name, First Name

- Address

- E-Mail Address

- Invoice information (courses, prices, payment data)

Purpose: Creation and sending of invoices, accounting, fulfillment of tax obligations.

Legal basis: Art. 6 Para. 1 lit. b GDPR (performance of contract) and Art. 6 Para. 1 lit. c GDPR (statutory retention obligations according to HGB/AO).

Storage period: Invoice data are stored for 10 years in accordance with statutory retention periods.

A data processing agreement pursuant to Art. 28 GDPR exists with Papierkram.de.

6. E-Mail Sending (Resend API)

We use the Resend API for the automated sending of confirmation e-mails and other notifications.

Provider: Resend Inc., USA (data center available in the EU)

Processed data:

- E-Mail address of the recipient

- Name of the recipient

- E-Mail content

- Time of sending

- Delivery status

Purpose: Sending course confirmations, reminders, invoices and other transactional e-mails within the scope of contract fulfillment.

Legal basis: Art. 6 Para. 1 lit. b GDPR (performance of contract) and Art. 6 Para. 1 lit. f GDPR (legitimate interest in reliable e-mail sending).

Storage period: E-Mail logs are stored at Resend for a maximum of 30 days.

A data processing agreement pursuant to Art. 28 GDPR exists with Resend. Further information: https://resend.com/legal/privacy-policy

7. Your Rights as a Data Subject

As a data subject, you have the following rights at any time:

- Right of access (Art. 15 GDPR): You have the right to request information about your personal data processed by us.

- Right to rectification (Art. 16 GDPR): You have the right to demand the immediate correction of incorrect personal data, or the completion of incomplete personal data, stored by us.

- Right to erasure (Art. 17 GDPR): You have the right to demand the deletion of your personal data stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.

- Right to restriction of processing (Art. 18 GDPR): You have the right to demand the restriction of the processing of your personal data.

- Right to data portability (Art. 20 GDPR): You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request transmission to another controller.

- Right to object (Art. 21 GDPR): If your personal data are processed on the basis of legitimate interests pursuant to Art. 6 Para. 1 S. 1 lit. f GDPR, you have the right to object to the processing.

- Right to withdraw consent (Art. 7 Para. 3 GDPR): You have the right to withdraw the consent you have given us at any time. As a result, we may no longer continue the data processing based on this consent in the future.

- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): You have the right to complain to a data protection supervisory authority about the processing of your personal data by us.

The data protection supervisory authority responsible for us is:

Die Landesbeauftragte für den Datenschutz Niedersachsen

Prinzenstraße 5, 30159 Hannover

Phone: 0511 120-4500

E-Mail: poststelle@lfd.niedersachsen.de

Website: https://lfd.niedersachsen.de

8. Data Collection on our Website

8.1 Hosting and Server Log Files

To ensure the secure and stable operation of our website, we use hosting services from the following provider:

IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany

We have concluded a data processing agreement (DPA) with this provider in accordance with Art. 28 GDPR. This contract ensures that the provider processes the data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

When you visit our website, our host automatically collects information that your browser transmits (so-called server log files). These are:

- IP address (usually stored in anonymized form)

- Date and time of the request

- Content of the request (concrete page)

- Access status/HTTP status code

- Website from which the request comes (Referrer URL)

- Browser and operating system

Legal basis: The processing is carried out on the basis of our legitimate interest (Art. 6 Para. 1 lit. f GDPR) in a technically error-free presentation and the guarantee of the stability and security of our website.

Storage period: The IP addresses of visitors are anonymized in the server log files after 7 days. The anonymized log files are then stored for 8 weeks and then deleted. After anonymization, it is no longer possible to trace back to your person.

8.2 Cookies

Our website uses cookies. Cookies are small text files that are stored on your device. We use exclusively technically necessary cookies that are required for the basic operation of the website (e.g. to save the language you have selected).

We do not use cookies for analysis, tracking or marketing purposes.

Legal basis: The use of these technically necessary cookies takes place on the basis of our legitimate interest in a user-friendly and functional provision of our services (Art. 6 Para. 1 lit. f GDPR).

Storage period: Most of the cookies we use are so-called 'session cookies'. They are automatically deleted after your visit. Other cookies (e.g. for language selection) remain stored on your device until you delete them. You can configure your browser so that you are informed when cookies are set and allow cookies only in individual cases, or exclude the acceptance of cookies in certain cases or in general.

8.3 Registration for Courses

If you register for a course via our website, by e-mail or by paper form on site, we collect the data necessary for the execution of the contract:

- Name and First Name

- Contact details (E-Mail, Phone)

- Address details

- Booked course data

- Further voluntary information that you have provided to us

For offline registrations: The data from the signed paper form are manually entered by us into our course management system (Supabase, Frankfurt). The original form is kept by us in accordance with the statutory retention periods. For offline registration, we additionally collect your handwritten signature on the registration form.

Legal basis: The processing of this data takes place for the implementation of pre-contractual measures and for the fulfillment of a contract (Art. 6 Para. 1 lit. b GDPR).

Storage period: We store this data until the expiry of the statutory warranty and limitation periods. Data subject to accounting obligations (e.g. invoices) are stored in accordance with statutory periods (usually 10 years according to HGB and AO).

8.4 Course Support and Homework (Telegram)

For communication with the teacher, the exchange of homework and daily course support, we use the messenger service Telegram. Participation in the Telegram channel/group is optional, but recommended for optimal course support.

Provider: Telegram Messenger LLP, Dubai, United Arab Emirates / Telegram FZ-LLC, Dubai

Server locations: Distributed worldwide (exact locations are not public)

Processed data:

- Telegram username and user ID

- Profile picture (if available)

- Phone number (depending on your Telegram settings)

- Messages, homework, shared files and media

- Metadata (timestamp, IP address on connection)

Purpose: Fast communication between teacher and participants, exchange of homework, provision of learning materials, organization of the course flow, answering questions.

Legal basis: The use of Telegram takes place on the basis of your express consent according to Art. 6 Para. 1 lit. a GDPR. By joining the Telegram group, you consent to data processing by Telegram. You can withdraw your consent at any time by leaving the Telegram group or informing us by e-mail.

Notes on data protection risks:

- No standard end-to-end encryption: Normal chats and group chats are not end-to-end encrypted. Only 'Secret Chats' offer this function.

- Server locations: Telegram stores data on servers distributed worldwide. The exact locations are not transparent.

- Third country transfer: Data transfer takes place to countries outside the EU that do not offer an equivalent level of data protection.

- Metadata: Telegram stores metadata (who communicates with whom) for up to 12 months.

- Access by authorities: Depending on the server location, local authorities may demand access to data under certain circumstances.

- Alternative communication: If you have concerns regarding Telegram, you can alternatively communicate with us by e-mail. We strive to ensure good course support even without Telegram.

Storage period: Messages in Telegram groups are stored for the duration of the course and up to 6 months after the end of the course, unless the group is deleted earlier. You can delete your own messages yourself at any time.

Further information on data protection at Telegram: https://telegram.org/privacy

8.5 Contact (E-Mail, Phone)

If you contact us by e-mail or phone, the data you provide (your e-mail address, possibly your name and phone number) will be stored by us to answer your questions.

Legal basis: Art. 6 Para. 1 lit. b GDPR (for contract initiation) or Art. 6 Para. 1 lit. f GDPR (legitimate interest in efficient communication).

8.6 Google Maps

On our website we use the Google Maps service. This allows us to display interactive maps directly on the website and enables you to use the map function conveniently (e.g. for directions).

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Important: The map is not loaded by default. A connection to the Google servers is established only when you actively click the 'Show Map' button (two-click solution). Your IP address and possibly location data are then transmitted to Google.

Legal basis: The use of Google Maps takes place exclusively on the basis of your consent according to Art. 6 Para. 1 lit. a GDPR. You grant this consent by activating the map.

Third country transfer: By using Google Maps, data can be transmitted to the USA. Google relies on the 'EU-US Data Privacy Framework'. Nevertheless, we point out that access rights by US authorities may theoretically exist in the USA.

Further information on data processing by Google can be found in Google's privacy policy: https://policies.google.com/privacy.

9. Video Conferencing Tools and Lesson Recordings (Microsoft Teams)

For the delivery of our online courses, we use Microsoft Teams.

Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent company: Microsoft Corporation, USA).

9.1 Type and Purpose of Processing

When using Microsoft Teams, various types of data are processed. The scope of data also depends on the information you provide before or during participation in an online session.

Processed data: Meeting metadata (e.g. date, time, meeting ID), audio and video data (your voice and image), text inputs (chat function) as well as video recordings of the teaching sessions.

Purpose of recording: The recordings serve exclusively the participants of the respective course for review and revision of the learning content.

9.2 Legal Basis

The use of Microsoft Teams for the general delivery of instruction is based on Art. 6 Para. 1 lit. b GDPR (performance of contract).

The video recording of sessions takes place exclusively on the basis of your express consent pursuant to Art. 6 Para. 1 lit. a GDPR, which you grant during course registration via a mandatory checkbox.

9.3 Storage Duration and Access

The video recordings are stored in a protected environment (e.g. password-protected cloud storage from Microsoft). Access is strictly limited to the instructor and the registered participants of the same course. No disclosure to third parties takes place.

The recordings are permanently deleted no later than 30 days after the completion of the respective course.

9.4 Withdrawal of Consent

You may withdraw your consent to recording at any time with effect for the future. Please note that the course concept of our online B1 courses is based on these recordings; a withdrawal may therefore result in further participation in online instruction being technically or organizationally no longer possible.

9.5 Data Transfer to Third Countries (USA)

When using Microsoft Teams, data processing in the USA may occur. The transfer is based on the EU-US Data Privacy Framework (DPF) as well as supplementary Standard Contractual Clauses (SCCs). Microsoft is DPF-certified. Please note the general risks of third-country transfers (theoretical access possibilities by US authorities).

Further information: https://privacy.microsoft.com/de-de/privacystatement

10. Data Security

During your visit to the website, we use the widespread SSL procedure (Secure Sockets Layer) in connection with the highest encryption level supported by your browser. You can tell whether an individual page of our website is transmitted in encrypted form by the closed key or lock symbol in the address bar of your browser.

11. Validity and Amendment of this Privacy Policy

This Privacy Policy is currently valid and reflects the status as of November 2025. Due to the further development of our website or due to changed legal requirements, it may become necessary to change this Privacy Policy.