EZclass Privacy Policy
Effective Date: April 9, 2026
Controller: EZclass OÜ | Registry No. 16802842 | Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
Contact: [email protected]
Table of Contents
- Introduction and Scope
- Who We Are and How to Contact Us
- Personal Data We Collect
- How and Why We Use Your Personal Data
- Data Sharing and Third-Party Processors
- International Data Transfers
- Data Retention
- Your Rights
- Cookies and Tracking Technologies
- Automated Processing and AI-Based Assessment
- Voice Recordings and Speech Data
- Children's Privacy
- Security
- Changes to This Policy
- CCPA / CPRA Addendum (California Residents)
- UK GDPR Addendum (United Kingdom Residents)
- Brazil LGPD Notice (Brazilian Residents)
- Latin America Notice (MX, CO, PE, SV, AR, CL Residents)
1. Introduction and Scope
EZclass OÜ ("EZclass", "we", "us", or "our") operates the online English learning platform available at ezclass.io and the AI-powered placement test hosted at placement.ezclass.io (collectively, the "Services").
This Privacy Policy explains:
- what personal data we collect and how;
- the purposes and legal bases for processing under the EU General Data Protection Regulation (GDPR) and other applicable laws;
- who we share data with, including all material sub-processors;
- how long we retain data;
- your rights and how to exercise them; and
- how international transfers are safeguarded.
This Policy applies to all users of the Services worldwide, with jurisdiction-specific addenda for California (§15), the United Kingdom (§16), Brazil (§17), and Latin America (§18).
By using our Services you acknowledge that you have read and understood this Policy. If you do not agree, please discontinue use of the Services.
2. Who We Are and How to Contact Us
Data Controller:
EZclass OÜ
Registry No. 16802842
Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
Email: [email protected]
Data Protection Officer (DPO):
At this time EZclass OÜ does not have a legal obligation to appoint a formal DPO under Article 37 GDPR, but we regularly review this position. Privacy enquiries are handled directly by our privacy team at [email protected].
Supervisory Authority:
The competent lead supervisory authority for EZclass OÜ is:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
Web: www.aki.ee
Email: [email protected]
Tel: +372 627 4135
You also have the right to lodge a complaint with the data protection authority of your EU/EEA Member State of habitual residence, place of work, or place of the alleged infringement.
3. Personal Data We Collect
We collect the following categories of personal data, depending on how you interact with our Services:
3.1 Account and Identity Data
- Full name
- Email address
- Password (stored in hashed form)
- Country of residence
- Preferred language
- Profile photograph (optional)
- Institutional or organisation affiliation (if applicable)
3.2 Placement Test Data
- Written responses entered during the AI placement test
- Audio recordings of spoken responses submitted during the test
- Transcribed text derived from audio recordings (speech-to-text output)
- AI evaluation prompts generated during the test session
- AI-generated scores and feedback (CEFR level output)
- Test metadata (timestamps, session identifiers, device type)
3.3 Learning and Progress Data
- Course enrolment and completion records
- Lesson progress and scores
- Certificates issued (GradingReport records)
- Assignment submissions
- Class attendance records
3.4 Communication Data
- Messages sent via in-platform messaging or email correspondence with our team
- Support tickets and associated metadata
3.5 Technical and Usage Data
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Pages visited and click patterns (collected via session analytics tools described in §5)
- Error logs and diagnostic data
- Referring URL
3.6 Payment Data
Payment transactions are handled directly by our payment processor. We do not store full card numbers or bank account details. We retain transaction references, amounts, and dates for accounting and legal compliance purposes.
3.7 Cookie and Consent Data
Cookie preference records, consent timestamps, consent version identifiers, and the region tier under which the consent banner was presented (see §9). We retain these records as evidence of consent compliance under GDPR Article 7(1).
4. How and Why We Use Your Personal Data
The table below sets out each processing purpose, the data categories involved, and the lawful basis under GDPR Article 6 (and Article 9 where applicable).
| Purpose | Data Categories | Lawful Basis |
|---|---|---|
| Creating and managing user accounts | Identity, contact data | Contract (Art. 6(1)(b)) |
| Providing and delivering the AI Placement Test | Test data, audio, transcripts, AI scores | Contract (Art. 6(1)(b)) |
| Delivering online courses and learning content | Learning and progress data | Contract (Art. 6(1)(b)) |
| Issuing certificates and GradingReports | Identity, learning data | Contract (Art. 6(1)(b)) |
| Processing payments and maintaining accounting records | Payment and identity data | Legal obligation (Art. 6(1)(c)); Contract (Art. 6(1)(b)) |
| Communicating with users about their accounts and the Services | Identity, communication data | Contract (Art. 6(1)(b)) |
| Sending marketing communications (where opted in) | Identity, contact, usage data | Consent (Art. 6(1)(a)) |
| Improving and optimising the user experience (session analytics, heatmaps) | Technical, usage data | Consent (Art. 6(1)(a)) |
| Fraud prevention and security monitoring | Technical, usage data | Legitimate interests (Art. 6(1)(f)) |
| Bot and abuse prevention (reCAPTCHA v3) | Technical, device fingerprint data | Legitimate interests (Art. 6(1)(f)); Consent where required |
| Error tracking and system diagnostics | Technical, error log data | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | All relevant categories | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising, or defending legal claims | All relevant categories | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by the rights and interests of data subjects. You may request a copy of our legitimate interests assessment by contacting [email protected].
Where we rely on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal (see §8).
4.5 System Observability and Monitoring
Datadog Inc. (USA) — Application performance monitoring, infrastructure metrics, log management, error tracking, and Real User Monitoring (RUM). Datadog may process personal data present in server logs, request traces, and error payloads, including IP addresses, user identifiers, and session metadata. EZclass OÜ configures Datadog to minimise personal data in logs where technically feasible. Transfer basis: EU-US Data Privacy Framework (DPF). Datadog is DPF-certified.
Better Stack, Inc. (Czech Republic, EU) — Uptime monitoring, log aggregation, and incident alerting. BetterStack may process server logs containing IP addresses, user identifiers, and request metadata. As a Czech Republic-registered entity, BetterStack operates within the European Economic Area and is subject to GDPR directly. No international transfer mechanism is required.
5. Data Sharing and Third-Party Processors
We do not sell your personal data. However, by operating the Services, we necessarily share data with a range of third-party processors and sub-processors as described below. Each processor is engaged under a written Data Processing Agreement (DPA) containing the obligations required by GDPR Article 28.
5.1 Sub-Processor Table
AI and Machine Learning Services
| Processor | Country | Processing Activity | Transfer Mechanism |
|---|---|---|---|
| OpenAI, LLC | USA | Speech-to-text transcription of placement test audio responses (Whisper API) | EU–US Data Privacy Framework (DPF) |
| OpenAI, L.L.C. | USA | AI-powered writing and speaking evaluation scoring within the placement test. User test responses (written text and transcribed speech text) are transmitted to OpenAI's API for CEFR-level assessment | EU–US Data Privacy Framework (DPF) |
Note on OpenAI: OpenAI does not use API inputs (i.e., data transmitted via the API endpoint) for training or improving its models. Processing is limited to generating evaluation outputs during the active API call. Transfers to OpenAI (USA) are covered by the EU–US Data Privacy Framework (DPF).
Analytics and User Experience
| Processor | Country | Processing Activity | Transfer Mechanism |
|---|---|---|---|
| Contentsquare SAS | France | Session analytics and user experience optimisation on placement.ezclass.io. Heatmaps and session replay to improve placement test usability | Within EU/EEA — no transfer mechanism required |
| Microsoft Corporation (Microsoft Clarity) | USA | Session analytics on ezclass.io. Heatmaps, session recordings, and anonymised usage metrics. Delivered via consent-gated Google Tag Manager (web container) | EU–US Data Privacy Framework (DPF) |
| Google LLC (reCAPTCHA v3) | USA | Bot protection and anti-abuse verification on data request forms. May collect device fingerprinting and behavioural data to assess whether a form submission is automated | EU–US Data Privacy Framework (DPF) |
| Google LLC (Google Analytics 4, Google Tag Manager web container) | USA | Aggregate usage analytics and tag delivery. GTM operates as a client-side (web) container; EZclass does not operate a server-side GTM container. Loading of analytics tags is gated by user consent in regions where consent is required (see §9) | EU–US Data Privacy Framework (DPF) |
| Meta Platforms Ireland Ltd. (Meta Pixel) | Ireland (EU); processing in USA | Conversion measurement and advertising-effectiveness reporting on placement.ezclass.io and ezclass.io. Pixel is delivered via consent-gated Google Tag Manager and is loaded only after analytics/marketing consent is granted in regions where required | Standard Contractual Clauses; EU–US Data Privacy Framework (where applicable to onward transfers to Meta US) |
Infrastructure and Operations
| Processor | Country | Processing Activity | Transfer Mechanism |
|---|---|---|---|
| Functional Software, Inc. (Sentry) | USA | Application error tracking and system diagnostics. Error events may include anonymised fragments of request data | EU–US Data Privacy Framework (DPF) |
| Stripe Payments Europe, Ltd. | Ireland (EU) | Payment processing for paid placement tests and course enrolments. Card data is handled directly by Stripe and is not transmitted to or stored by EZclass | Within EU/EEA for the contracting entity; onward transfers governed by Stripe's DPA |
Hosting and Cloud Infrastructure
Our platform infrastructure is hosted with cloud service providers operating within the EU/EEA or under adequate transfer mechanisms. Details are available on request at [email protected].
5.2 Legal Disclosure
We may also disclose personal data to:
- Competent authorities and regulators where required by law, court order, or to protect against fraud and abuse.
- Professional advisers (lawyers, auditors, accountants) bound by confidentiality obligations.
- Successors in interest in the event of a merger, acquisition, or asset sale, subject to equivalent data protection commitments.
5.3 No Sale of Personal Data
EZclass OÜ does not sell, rent, or trade personal data to any third party for their own marketing purposes.
6. International Data Transfers
EZclass OÜ is established in Estonia (EU). Where we transfer personal data to countries outside the EU/EEA that do not benefit from an EU adequacy decision, we rely on the following safeguards:
| Destination | Mechanism |
|---|---|
| USA (OpenAI, Microsoft, Google, Meta, Sentry, Datadog) | EU–US Data Privacy Framework (DPF), as applicable per processor's certification; Standard Contractual Clauses where DPF does not apply |
You may request a copy of the relevant SCCs or a summary of the Transfer Impact Assessment by contacting [email protected].
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Our retention commitments are as follows:
| Data Category | Retention Period | Basis |
|---|---|---|
| AI Placement Test raw data — written responses, audio recordings, transcribed speech, AI evaluation prompts, AI scores generated during the session | Up to 90 days from the date of test completion, then permanently deleted | Operational necessity; proportionality |
| Test results and certificates (GradingReport) | Up to 3 years from the date of issue | Contract; user legitimate interest in proof of attainment |
| Class recordings | Up to 90 days from the date of the class, then permanently deleted | Operational necessity; proportionality |
| Account data | Duration of the account, plus up to 3 years following deletion request or account closure | Contract; legal obligation |
| Financial and payment records | 7 years from transaction date | Legal obligation (Estonian Accounting Act) |
| Consent records | 3 years from withdrawal of consent or end of the applicable consent period | Legal obligation (GDPR accountability) |
| Support and communication records | 3 years from the date of the last interaction | Legitimate interests (dispute resolution) |
| Security and access logs | 90 days | Legitimate interests (fraud and abuse prevention) |
AI evaluation prompts and responses, including transcribed test content, are stored securely for the duration of the 90-day retention period described above and are then permanently and irreversibly deleted from all systems, including backups that fall within the retention cycle.
Where data is held by sub-processors (e.g. OpenAI), their own data retention terms apply to transient processing within the API call. We contractually require that sub-processors do not retain personal data beyond the minimum necessary for the immediate service delivery.
8. Your Rights
Under GDPR, you have the following rights in relation to your personal data. We respond to all valid requests within one calendar month of receipt. In complex cases, this may be extended by a further two months; we will notify you of any such extension within the initial one-month period.
8.1 Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data together with information about the purposes, categories, recipients, retention periods, and your other rights.
AI Assessment Transparency: As part of your right of access, you may request information about how your placement test was scored, including which AI systems were used (OpenAI Whisper for transcription and OpenAI for evaluation scoring), the CEFR level assigned, and the general scoring criteria applied.
8.2 Right to Rectification (Art. 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
8.3 Right to Erasure / Right to Be Forgotten (Art. 17)
You have the right to request deletion of your personal data where:
- the data is no longer necessary for the purpose for which it was collected;
- you withdraw consent and there is no other lawful basis for processing;
- you object under Art. 21 and we have no overriding legitimate grounds;
- the data has been unlawfully processed; or
- erasure is required to comply with a legal obligation.
How to submit a deletion request:
Online form: ezclass.io/make-data-request — Email: [email protected]
Requests will be acknowledged within 5 working days and processed within one calendar month. Where we are unable to delete certain data due to a legal retention obligation (e.g. financial records), we will inform you of the specific basis and the data category affected.
8.4 Right to Restriction of Processing (Art. 18)
You may request that we restrict processing in certain circumstances, including while the accuracy of data is contested or while an objection is pending.
8.5 Right to Data Portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller.
8.6 Right to Object (Art. 21)
You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f)), including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or for the establishment, exercise, or defence of legal claims.
You have an unconditional right to object to processing for direct marketing purposes.
8.7 Rights Related to Automated Decision-Making (Art. 22)
Where automated processing produces significant effects, you have the right not to be subject to a decision based solely on automated processing. See §10 for our specific position on the AI Placement Test.
8.8 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time via:
- the cookie preference centre on our websites (see §9);
- your account settings; or
- emailing [email protected].
Withdrawal does not affect the lawfulness of processing before withdrawal.
8.9 Right to Lodge a Complaint
You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (details in §2) or the supervisory authority of your EU/EEA Member State of habitual residence.
How to exercise your rights: Submit requests via the online form at ezclass.io/make-data-request or by emailing [email protected]. We may ask you to verify your identity before processing the request.
9. Cookies and Tracking Technologies
9.1 Cookie Management Platform
Both ezclass.io and placement.ezclass.io use vanilla-cookieconsent, a self-hosted, open-source cookie consent tool, to manage cookie preferences. We do not use a third-party Consent Management Platform (CMP) such as Cookiebot or Usercentrics. Cookie preference records are stored on EZclass infrastructure and on the user's browser.
Region-aware banner presentation. The cookie consent banner is presented based on the user's detected region of access, in line with the consent requirements of applicable local law:
- Strict-consent regions (European Union, European Economic Area, United Kingdom, Switzerland, Norway, Iceland, Brazil, Chile, and any region where the country of access cannot be determined): the banner is presented on first visit with non-essential cookie categories defaulted to denied. No analytics, advertising, or session-replay cookies are loaded until the user grants consent. This implementation is aligned with the EU ePrivacy Directive, GDPR Article 7, the UK PECR, the Swiss FADP, and Brazilian LGPD Art. 7, I.
- Permissive-consent regions (United States, Mexico, Colombia, Peru, El Salvador, Argentina, and other jurisdictions where local law does not require prior opt-in for first-party analytics and advertising-measurement cookies): the banner may not be presented on first visit, and analytics/advertising cookies may load by default. In these regions, users retain the right to opt out at any time via the "Cookie Preferences" link in the website footer, and any specific opt-out rights granted by local law (including, where applicable, the CCPA "Do Not Sell or Share" right and the analogous rights under MX/CO/PE/SV/AR data protection laws) are available as described in §15 and §18.
You may change your preferences at any time, in any region, by clicking the "Cookie Preferences" link in the website footer.
Browser "Do Not Track" (DNT) and Global Privacy Control (GPC) signals. EZclass does not currently treat the legacy "Do Not Track" header as a withdrawal of consent. Where applicable law requires us to honour an opt-out preference signal — including the Global Privacy Control (GPC) signal under the CCPA / CPRA for California residents — EZclass will treat that signal as a valid request to opt out of the sale or sharing of personal information for cross-context behavioural advertising. Because EZclass does not sell or share personal information for cross-context behavioural advertising (see §5.3 and §15.3), the practical effect of an opt-out signal is limited to the analytics/marketing cookie categories and is honoured via the cookie consent mechanism.
9.2 Cookie Categories
| Category | Description | Basis |
|---|---|---|
| Strictly Necessary | Essential for the platform to function (session management, authentication, security) | Not subject to consent; necessary for contract / legitimate interests |
| Functional / Preference | Remember your language settings and UI preferences | Consent |
| Analytics | Aggregate usage data to improve the Services (Google Analytics 4, Microsoft Clarity, Contentsquare) | Consent (in strict-consent regions); legitimate interests / opt-out (in permissive-consent regions) |
| Advertising / Measurement | Conversion measurement via Meta Pixel (delivered through Google Tag Manager web container). EZclass does not operate cross-site retargeting or behavioural advertising | Consent (in strict-consent regions); legitimate interests / opt-out (in permissive-consent regions) |
| Session Replay | Heatmaps and session recordings via Contentsquare (placement.ezclass.io) and Microsoft Clarity (ezclass.io) | Consent |
Tag delivery. All third-party tags described above are delivered via Google Tag Manager operating as a client-side (web) container. EZclass does not operate a server-side Google Tag Manager container.
9.3 Google reCAPTCHA v3
Google reCAPTCHA v3 is deployed on the data request forms at ezclass.io/make-data-request and related forms to verify that submissions are made by humans rather than automated bots. reCAPTCHA v3 operates invisibly (without a CAPTCHA challenge) and may collect:
- IP address
- Browser and device characteristics
- User interaction patterns and timing data (device fingerprint)
- Cookies set by Google
This data is transmitted to Google LLC (USA) under the EU–US Data Privacy Framework and is governed by Google's Privacy Policy. The purpose is limited to fraud and abuse prevention. We rely on legitimate interests as the lawful basis for this processing; where required under national implementing law, consent is obtained via the cookie consent mechanism.
10. Automated Processing and AI-Based Assessment
10.1 How the AI Placement Test Works
EZclass's AI Placement Test uses automated processing to generate CEFR level scores (A1–C2) for English language placement purposes. The assessment process involves:
- The user completes written and spoken tasks within the placement test interface.
- Audio responses are transcribed to text by OpenAI Whisper (speech-to-text).
- Both written responses and transcribed speech are evaluated by OpenAI to generate CEFR-level scores and diagnostic feedback.
- The resulting placement level is presented to the user and, where applicable, shared with the user's institution.
10.2 Article 22 GDPR Position
EZclass's AI Placement Test uses automated processing to generate CEFR level scores. This does not constitute automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR. Results are for placement guidance only — they are used to suggest an appropriate course level and do not produce legal effects, significantly affect legal rights, or have similarly significant consequences for data subjects. Human review and override are available; students may request a manual review of their placement at any time by contacting [email protected].
10.3 Transparency About AI Scoring
As part of your right of access (§8.1), you may request:
- the CEFR score assigned to your placement test;
- the AI systems used in scoring (OpenAI Whisper + OpenAI);
- a general explanation of the scoring criteria applied; and
- a human review of the placement outcome.
To make such a request, use the form at ezclass.io/make-data-request or email [email protected].
11. Voice Recordings and Speech Data
11.1 Collection and Processing
During the AI Placement Test, users are invited to submit spoken responses. These audio recordings are:
- Transmitted to OpenAI (Whisper API) for speech-to-text transcription.
- The resulting transcript (not the original audio) is then transmitted to OpenAI for language evaluation and CEFR scoring.
The original audio recording is retained by EZclass for a maximum of 90 days and then permanently deleted (see §7).
11.2 Scope of Processing — Important Clarification
EZclass does not use voice data for:
- biometric identification or identity verification;
- voice recognition for authentication purposes;
- the creation of voice profiles or biometric templates;
- profiling based on voice characteristics unrelated to language assessment.
Processing of voice recordings is strictly limited to:
- speech-to-text transcription for the purpose of language assessment; and
- CEFR-level English language evaluation.
11.3 Children's Voice Data
Where a user aged 16 or 17 takes the placement test with appropriate institutional or parental authorisation, their voice recordings are subject to the same 90-day retention and deletion commitment, and no biometric processing occurs.
12. Children's Privacy
The Services are intended for users aged 16 and above, consistent with the minimum age requirement set out in our Terms and Conditions. We do not knowingly collect personal data from individuals under 16 except where an educational institution or guardian has provided appropriate consent for participation in a supervised programme. If we discover that we have inadvertently collected personal data from an individual under 16 without appropriate consent, we will delete it promptly.
Where EZclass is deployed by educational institutions for younger learners, the institution acts as a controller (or joint controller) for those students' data, and is responsible for obtaining appropriate consents under applicable law.
13. Security
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. Measures include:
- Encryption of data in transit (TLS 1.2 or higher) and at rest
- Access controls and role-based permissions for staff
- Regular security assessments and penetration testing
- Incident response procedures aligned with GDPR 72-hour breach notification requirements
- Contractual security requirements imposed on all sub-processors
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours and, where required, notify affected individuals without undue delay.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Services. When we make material changes, we will:
- update the Effective Date at the top of this document;
- post the revised Policy on our websites; and
- notify registered users by email (for material changes) or via an in-platform notice.
We encourage you to review this Policy periodically. Continued use of the Services after the effective date of a revised Policy constitutes acceptance of the changes, to the extent permitted by applicable law.
Previous versions of this Policy are available on request from [email protected].
15. CCPA / CPRA Addendum (California Residents)
This section supplements the main Policy and applies to residents of California, USA, pursuant to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
15.1 Categories of Personal Information Collected
In the preceding 12 months, EZclass has collected the following CCPA categories of personal information:
| CCPA Category | Examples Collected |
|---|---|
| Identifiers | Name, email address, IP address, account identifiers |
| Personal information (Cal. Civ. Code §1798.80(e)) | Name, email address |
| Internet or network activity | Browsing history on the Services, usage data |
| Audio/electronic data | Voice recordings submitted during the placement test |
| Education information | Placement test results, course progress, certificates |
| Inferences | CEFR placement level derived from test performance |
15.2 Purposes of Use
Personal information is used for the purposes described in §4 of the main Policy: providing the Services, processing transactions, improving the Services (with consent), security and fraud prevention, and legal compliance.
15.3 Sale or Sharing of Personal Information
EZclass does not sell personal information as defined by CCPA/CPRA. EZclass does not share personal information with third parties for cross-context behavioural advertising.
15.4 Sensitive Personal Information
Under CPRA, voice recordings may constitute "sensitive personal information." EZclass processes voice recordings solely for language assessment purposes as described in §11. We do not use sensitive personal information to infer characteristics about users beyond CEFR English language level. You may direct us to limit our use of sensitive personal information to that which is necessary to perform the Services by contacting [email protected].
15.5 Your California Rights
California residents have the right to:
- Know what personal information we collect, use, disclose, and sell.
- Delete personal information we hold about you, subject to exceptions.
- Correct inaccurate personal information.
- Opt out of sale or sharing (not applicable — we do not sell or share for advertising).
- Limit use of sensitive personal information to necessary processing.
- Non-discrimination — we will not discriminate against you for exercising your rights.
15.6 How to Submit a Request
Submit requests via ezclass.io/make-data-request or email [email protected]. We will respond within 45 calendar days, with an option to extend by a further 45 days with notice.
We will verify your identity before processing any request. We do not charge a fee for reasonable requests.
16. UK GDPR Addendum (United Kingdom Residents)
This section applies to users in the United Kingdom. The UK GDPR (the retained version of EU GDPR, as amended by the Data Protection Act 2018) applies independently to the processing of personal data of UK-based individuals, regardless of the EU GDPR's application.
16.1 UK Representative
EZclass OÜ processes personal data of UK residents in the course of offering services to individuals in the UK. Users in the UK may exercise their rights under UK GDPR by contacting [email protected].
16.2 Supervisory Authority (UK)
The competent supervisory authority for UK residents is:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Web: ico.org.uk
Tel: 0303 123 1113
You have the right to lodge a complaint with the ICO if you consider that our processing of your personal data infringes UK GDPR.
16.3 International Transfers (UK)
Transfers of UK residents' personal data to non-adequate countries are safeguarded using:
- the International Data Transfer Agreement (IDTA) (for transfers under UK GDPR); or
- the EU SCCs supplemented by the ICO's UK Addendum (where applicable),
in each case as agreed with the relevant sub-processor.
16.4 Your Rights Under UK GDPR
UK residents enjoy the same rights as described in §8 of the main Policy (access, rectification, erasure, restriction, portability, objection, and rights regarding automated decision-making), exercisable against EZclass OÜ as controller.
17. Brazil LGPD Notice (Brazilian Residents)
This section applies to users located in Brazil, pursuant to the Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13,709/2018.
17.1 Legal Bases Under LGPD
Processing of personal data of Brazilian residents is carried out on the following LGPD bases:
| LGPD Basis | Processing Activities |
|---|---|
| Consent (Art. 7, I) | Analytics cookies, session replay, marketing communications |
| Contract performance (Art. 7, V) | Account creation, service delivery, placement test, certificates |
| Legal obligation (Art. 7, II) | Financial records, regulatory compliance |
| Legitimate interests (Art. 7, IX) | Security monitoring, fraud prevention, error tracking |
17.2 Your Rights Under LGPD
Brazilian residents have the right to:
- Confirm the existence of processing and access personal data (Art. 18, I–II)
- Correct incomplete, inaccurate, or outdated data (Art. 18, III)
- Anonymise, block, or delete unnecessary or excessive data (Art. 18, IV)
- Data portability (Art. 18, V)
- Delete personal data processed with consent (Art. 18, VI)
- Information about third parties with whom data is shared (Art. 18, VII)
- Information on the possibility of denying consent and the consequences (Art. 18, VIII)
- Withdraw consent (Art. 18, IX)
- Lodge a complaint with the ANPD (Art. 18, X)
17.3 How to Exercise Rights
Submit requests via ezclass.io/make-data-request or email [email protected]. We will respond within 15 days as required under LGPD.
17.4 Supervisory Authority (Brazil)
Autoridade Nacional de Proteção de Dados (ANPD)
Web: www.gov.br/anpd
17.5 International Transfers (Brazil)
Transfers of Brazilian residents' personal data to countries not recognised as providing adequate protection under LGPD are carried out under standard contractual clauses or other safeguards as permitted by ANPD regulation.
18. Latin America Notice (MX, CO, PE, SV, AR, CL Residents)
This section applies to users located in Mexico, Colombia, Peru, El Salvador, Argentina, or Chile, and supplements the main Policy where applicable local law differs from GDPR.
18.1 Applicable Laws
Your personal data is processed in accordance with the following local regulations as applicable:
- Mexico: Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its Reglamento
- Colombia: Ley 1581 de 2012 ("Régimen General de Protección de Datos Personales") and Decreto 1377 de 2013
- Peru: Ley N° 29733, Ley de Protección de Datos Personales, and its reglamento (Decreto Supremo N° 003-2013-JUS)
- El Salvador: Ley de Protección de Datos Personales (Decreto Legislativo N° 11, 2024)
- Argentina: Ley 25.326 de Protección de los Datos Personales
- Chile: Ley N° 19.628 sobre Protección de la Vida Privada (and, with effect from December 2026, Ley N° 21.719)
18.2 Your Rights ("derechos ARCO" and equivalents)
Under these laws, you have the right to:
- Access the personal data we hold about you (Acceso);
- Rectify inaccurate or incomplete data (Rectificación);
- Cancel / delete data processed without an adequate legal basis or that is no longer necessary (Cancelación);
- Object to processing for specific purposes, including direct marketing and ad personalisation (Oposición);
- Withdraw consent where processing is based on consent;
- Data portability, where granted by local law;
- In Colombia, the right to file a habeas data claim before the Superintendencia de Industria y Comercio (SIC).
18.3 Cookies and First-Party Analytics in Permissive-Consent Regions
In jurisdictions where local law does not require explicit prior consent for first-party analytics and advertising-measurement cookies (Mexico, Colombia, Peru, El Salvador, Argentina), EZclass discloses such use in this Privacy Policy as required by the applicable transparency principle, and provides browser-level and in-product opt-out mechanisms via the "Cookie Preferences" link in the website footer (see §9). Where local law requires explicit prior consent (notably Brazil under LGPD, and Chile from December 2026 under Ley 21.719), EZclass presents a cookie consent banner with non-essential categories defaulted to denied.
18.4 How to Exercise Your Rights
Contact our privacy team at [email protected] with proof of identity and a description of the right you wish to exercise. We will respond within the timeframes required by your local law:
- Mexico: 20 business days from the date the request is received (LFPDPPP Art. 32);
- Colombia: 15 business days, extendable by an additional 8 business days (Ley 1581 Art. 14);
- Peru: 20 business days (Ley 29733 Art. 19); and
- For Argentina, El Salvador, and Chile: within the timeframes established under the applicable local statute.
Where local law designates a specific data-protection authority, you also have the right to lodge a complaint with that authority:
- Mexico: Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — home.inai.org.mx
- Colombia: Superintendencia de Industria y Comercio (SIC) — sic.gov.co
- Peru: Autoridad Nacional de Protección de Datos Personales (ANPD-PE), Ministerio de Justicia — gob.pe/anpdp
- Argentina: Agencia de Acceso a la Información Pública (AAIP) — argentina.gob.ar/aaip
- Chile: Currently the Consejo para la Transparencia and ordinary courts; from December 2026, the Agencia de Protección de Datos Personales established under Ley 21.719.
18.5 International Transfers
Transfers of personal data of Latin American residents to countries outside the user's country of residence are carried out under the same safeguards described in §6 of this Policy (EU–US Data Privacy Framework or Standard Contractual Clauses, as applicable). In Mexico, transfers comply with LFPDPPP Art. 36; in Colombia, with Ley 1581 Art. 26 and Decreto 1377 Art. 24; in Peru, with Ley 29733 Art. 15.
EZclass OÜ — Privacy Policy — Effective Date: April 9, 2026
Questions? Contact us at [email protected] or write to: EZclass OÜ, Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia.