1. Who we are
AISO Learn is an education platform operated by AISO Group (“AISO Learn”, “we”, “us”). Corporate registration details (legal entity name, registered address, company number, VAT) are published on our imprint page once finalised; until then, all privacy matters are handled by the AISO Group privacy team at the address below.
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR, AISO Learn is the data controller for personal data collected through this site and our programmes.
2. Data Protection Officer
Our Data Protection Officer is Greg Stoos. You can reach the DPO at:
- Email: privacy@aisolearn.com
- Post: Data Protection Officer (Greg Stoos), AISO Group - c/o AISO Learn / Precious Episode LDA, Avenida David Mourão-Ferreira 14, 8A, 1750-204 Lisboa, Portugal
3. What personal data we collect
We only collect what we need to deliver our service. Concretely:
| Where | What we collect | Why |
|---|---|---|
| Contact / enquiry forms | Name, email, organisation, message | Reply to your enquiry |
| EU AI Act Scorecard | Email (optional), responses to assessment questions, organisation type, role | Generate and email your scorecard report |
| Programme enrolment | Name, email, billing details, organisation, role | Deliver the programme, issue invoices, and provide completion records |
| Newsletter | Email, language preference | Send the newsletter you asked for |
| Account (if created) | Name, email, password hash, progress data | Operate your account |
| Server logs | IP address, user-agent, requested URL, timestamp | Security, abuse prevention, debugging |
| Analytics (if consented) | Pseudonymous device/session identifiers, pages viewed | Understand site usage in aggregate |
| Cookies | See our cookie policy | Essential operation and, with consent, analytics |
We do not collect special-category data (health, political opinions, etc.) unless you voluntarily provide it in a message to us.
4. Lawful basis for processing (GDPR Article 6)
| Purpose | Lawful basis |
|---|---|
| Replying to enquiries | Art. 6(1)(b) - steps prior to entering a contract; or Art. 6(1)(f) - legitimate interest in answering you |
| Delivering a programme you signed up for | Art. 6(1)(b) - performance of contract |
| Sending the Scorecard report | Art. 6(1)(b) - performance of the service you requested |
| Newsletter | Art. 6(1)(a) - consent (you can withdraw at any time) |
| Analytics cookies | Art. 6(1)(a) - consent |
| Essential cookies, security logs, fraud prevention | Art. 6(1)(f) - legitimate interest |
| Bookkeeping, tax, legal records | Art. 6(1)(c) - legal obligation |
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
5. How long we keep data (retention)
| Data | Retention |
|---|---|
| Enquiry messages | Up to 24 months from last contact, then deleted |
| Scorecard responses (with email) | Up to 24 months, then anonymised for aggregate analysis |
| Scorecard responses (anonymous) | Indefinitely in aggregate, no identifiers |
| Programme participant records | Duration of programme + 7 years for tax/accounting |
| Newsletter subscribers | Until you unsubscribe |
| Server logs | 30 days |
| Analytics (aggregated) | 14 months |
| Backups | Rolling 35 days |
6. Who we share data with (processors)
We use the following carefully selected processors. Each is bound by a data-processing agreement under Article 28 GDPR:
- Cloudflare, Inc. - content delivery, DDoS protection, edge hosting. Some traffic data is processed in the EU; cross-border transfers are covered by the EU Standard Contractual Clauses.
- Resend (Resend, Inc.) - transactional email (Scorecard reports, enquiry confirmations). EU SCCs in place.
- Sanity.io (Sanity AS, Norway) - content management; processes editor and limited form data within the EEA.
- PostHog (EU region) - privacy-friendly product analytics, EU-hosted.
- Resend (Resend, Inc.) - newsletter delivery and lifecycle email.
- Stripe Payments Europe, Ltd. - payment processing for paid programmes (we never store full card numbers).
We do not sell personal data. We do not share it with third parties for their own marketing.
7. International transfers
Some of our processors are headquartered outside the EEA (notably in the United States). Where personal data is transferred outside the EEA or UK, we rely on:
- EU Standard Contractual Clauses (Commission Decision 2021/914), and where applicable
- UK International Data Transfer Addendum to the EU SCCs,
- supplementary measures (encryption in transit and at rest, access controls, minimisation).
A copy of the safeguards is available on request from our DPO.
8. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (“right to be forgotten”, Art. 17)
- Restrict processing (Art. 18)
- Data portability - receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest, including profiling (Art. 21)
- Withdraw consent at any time, where processing is based on consent (Art. 7(3))
- Not be subject to a decision based solely on automated processing that has legal effects (Art. 22) - we do not carry out such processing.
To exercise any right, email privacy@aisolearn.com. We respond within one month (extendable by two further months for complex requests, with notice). There is no fee unless your request is manifestly unfounded or excessive.
9. Complaints
If you believe we have not handled your data properly, please contact us first so we can fix it. You also have the right to lodge a complaint with your national data protection authority. For example:
- Portugal - Comissão Nacional de Proteção de Dados (CNPD), www.cnpd.pt
- France - Commission Nationale de l’Informatique et des Libertés (CNIL), www.cnil.fr
- Ireland - Data Protection Commission (DPC), www.dataprotection.ie
- United Kingdom - Information Commissioner’s Office (ICO), ico.org.uk
- A full list of EU/EEA authorities: edpb.europa.eu/about-edpb/about-edpb/members
10. Security
We protect personal data with TLS in transit, encryption at rest where supported by our processors, role-based access controls, audit logs, and regular review of our security posture. No system is perfectly secure; if we ever detect a breach affecting your rights, we will notify the relevant supervisory authority within 72 hours and inform you without undue delay where required by Article 34 GDPR.
11. Children
AISO Learn is intended for professional learners. We do not knowingly collect data from children under 16. If you believe a child has submitted data, contact privacy@aisolearn.com and we will delete it.
12. Changes to this policy
We may update this policy as our service evolves or the law changes. Material changes will be flagged on this page and, where appropriate, communicated by email. The “last updated” date at the top of the page always reflects the current version.
13. Contact
- Data Protection Officer: privacy@aisolearn.com
- General privacy enquiries: privacy@aisolearn.com
- Postal: AISO Group - c/o AISO Learn (postal address on request via email above)
AISO Learn provides AI literacy training and documentation to support organisations with AI Act Article 4 readiness. We are not a law firm or certification body and do not provide legal advice, formal compliance certification, conformity assessment, or a guarantee of regulatory compliance.