Privacy policy

This Privacy Notice explains how EDURINO GmbH, Kellerstraße 29, 81667 Munich, Germany (“EDURINO”, “we”, “us”) processes personal data in connection with our App, our websites (including https://edurino.com/), and our shops.

 

Controller (Art. 4(7) GDPR)

EDURINO GmbH, Kellerstraße 29, 81667 Munich, Germany

Represented by: Franziska Meyer and Irene Klemm

Contact for privacy matters: datenschutz@edurino.com


At a glance

  • We process only the personal data that is necessary to provide and improve our App and services. 
  • Player profiles can use first names or pseudonyms; we only collect age to adapt content. 
  • We do not disclose children’s data to third parties for their own purposes. 
  • With your consent, we may send updates and offers based on players’ progress. 
  • When you install our App or shop via our website, we may need your name, email address, and payment details to provide services and fulfil contracts. 
  • Below you will find details on purposes, legal bases, recipients, international transfers, storage periods, and your rights.


I. EDURINO App


1) Data processed in the App

Scope. We collect a first name (or a fantasy name/pseudonym) and the age of the player in order to personalise the learning experience.

If you contact us via the App’s contact form, we process the data you enter (first name, last name, email address, message), plus your IP address and log files with date and time of sending.


Purpose.

  • Display player name within the App and personalise media content. 
  • Use age to tailor learning methods, content, and age-appropriate offers. 
  • Respond to your inquiries sent via the contact form.


Legal basis.

  • Consent for storing/displaying the player name in the App: Art. 6(1)(a) GDPR
  • Legitimate interests: Art. 6(1)(f) GDPR (e.g., providing and safeguarding the App, responding to inquiries).


Legitimate interests. Communicating with (prospective) customers, preventing abuse, fraud and attacks on IT security.


Recipients. We process your data internally and share with external recipients only where necessary to handle your request.


International transfers. We do not transfer data abroad unless you consent.


Storage. We delete personal data when it is no longer needed for the purposes and after expiry of statutory retention periods. Application documents (recruiting) are kept for at least two months after rejection (§ 15(4) AGG). Accounting records are kept for 10 years, commercial letters for 6 years.


Right to object. You may object at any time on grounds relating to your particular situation to processing based on Art. 6(1)(e) or (f) GDPR (Art. 21(1) GDPR). Processing based on consent or necessity for a contract is not subject to this objection right.


Provision. For the contact form, salutation, first name, last name, email are required; without them, we may be unable to reply.


2) Processing via **PlayFab / Microsoft**

Provider. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. Privacy: https://privacy.microsoft.com/


Data categories. Device and technical data (e.g., model type, device type, unique ID, GPU data, OS, persistent data, CPU info, continent/country code, location data incl. latitude/longitude, Player ID, error data). Gameplay data that may be linked to a user (e.g., time to complete mini-games, number of games played, incorrect actions per mini-game, cutscene views/interactions, fine motor accuracy, progress/badges/avatar, average weekly playtime, average session length).


Purpose & legal basis. Provide and operate the App backend; ensure functionality, troubleshooting and security; Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) GDPR (legitimate interests). No marketing use in this context.


Transfers. Data may be transferred to the USA. We use SCCs, may rely on the EU–US Data Privacy Framework (DPF) where certified, and have concluded a data processing agreement (Art. 28 GDPR).


Storage. Session-based data for provision; log files may be stored for an indefinite period as technically necessary.


3) Processing via **Unity**

Provider. Unity Technologies, Inc. Addresses: https://unity.com/addresses ; Privacy: https://unity3d.com/legal/privacy-policy


Data categories. IP address; MAC/IMEI/MEID-based identifiers (modified), advertising ID (IDFA/Android Ad ID); device manufacturer/model; OS/version; browser; language; CPU make/cores; GPU type/manufacturer/driver & API; RAM/VRAM; screen resolution; Unity player/editor versions; OS identifier; checksum; App ID.


Products & purposes.

  • Unity Cloud Build: manage builds, test for errors, ensure release readiness. 
  • Unity Analytics: adapt difficulty and content to user behaviour to ensure learning success. 
  • Unity Asset Store: use third-party assets to provide the App. 

Legal bases: Art. 6(1)(b) and Art. 6(1)(f) GDPR.


Transfers & storage. As above for PlayFab/Microsoft.


4) Processing via **Google Cloud Storage**

Provider. Google Ireland Ltd., Gordon House, 4 Barrow St, Dublin D04 E5W5, Ireland.


Data categories.

  • Gaming Data (may include email address, IP address, device ID). 
  • Technical Data (device and gameplay metrics as described above). 
  • Traffic Data (email addresses and profile names from social media, SEO, ads and third party data, e.g., Criteo, The Trade Desk, Webgains). 
  • Website Behavior Data (Google Analytics, if consented; cookies, browser fingerprint, IP). 
  • Purchase Data (from Amazon/Shopify: email address; from Amazon also name).


Purposes & legal bases. Provide the App and downloads; ensure functionality and security; analyse usage to individualise communications and inform about similar goods/services: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

Where Gaming Data qualifies as player personal data and is used to send personalised updates/offers, we rely on consent (Art. 6(1)(a) GDPR).


Recipients, transfers, storage. Data may be processed by Google as processor; transfers to the USA possible under DPF/SCCs; deletion when no longer necessary; account deletion triggers immediate deletion of personal data.


5) **Google Workspace**

Purpose. Sending emails and responding to contact requests.

Legal basis. Art. 6(1)(b) GDPR.

Recipient/Transfers. Google Ireland Ltd. (processing may involve transfers to the USA under DPF/SCCs).

Storage. Beyond the results of the services used, we do not store personal data.


6) **Skyvia** (Devart Inc.)

Scope & purpose. Cloud platform for data integration, preparation, visualisation, workflow automation, and low-code data apps; used for contact data and usage information.

Legal basis. Art. 6(1)(b) GDPR.

Transfers. Data may be transferred to Hong Kong/China under SCCs.

Storage. No additional storage beyond the outputs of the service.


 


II. Privacy information for the website https://edurino.com/


Controller: Edurino GmbH, Kellerstraße 29, 81667 Munich, represented by Franziska Meyer and Irene Klemm.

Data Protection Officer: datenschutz@edurino.com


1) Communications

Scope. We can be contacted by post, email, contact form (if available), phone or social networks. If identification is necessary to respond, we process your contact details. For the contact form we process first name, last name, email, message, plus IP address and timestamp/logs.


Purpose. Identify you, assign messages to a contract/vacancy/business relationship, store, answer and where necessary forward your request.


Legal basis. Art. 6(1)(a) (consent), Art. 6(1)(b) (contract or pre-contractual steps), Art. 6(1)(f) GDPR (legitimate interests).


Legitimate interests. Respond to product interest, assess applications, fulfil or defend claims.


Recipients/Transfers/Storage/Objection/Provision. As described for the App section above.

 

2) Log files

Scope. When you access our website, our systems automatically record data in server log files (including IP address, browser used, date/time, system). We store anonymised IP addresses (e.g., 123.123.123.XXX).


Purpose & legal basis. Provide the website, ensure functionality, detect transmission errors, optimise and secure our systems; Art. 6(1)(f) GDPR.


Recipients/Transfers/Storage/Objection/Provision. As above. Log files may be stored for an indefinite period as technically necessary; without IP address the website cannot be displayed.


3) Cookies

Scope. We use cookies.

  • Strictly necessary cookies enable core functions; no profiling. 
  • Functional & marketing cookies may store preferences (e.g., language) or optimise marketing.


Purpose. Provide and improve the website, learn about audiences and interests, and conduct direct marketing.


Legal basis. Consent (Art. 6(1)(a) GDPR) for non-essential cookies via our cookie banner; Art. 6(1)(f) GDPR for strictly necessary cookies.


Recipients. Internal teams and hosting/IT providers (e.g., 1&1 IONOS SE; STRATO AG).


Transfers/Storage/Objection/Provision. See above; you have control via browser settings. If you disable cookies, some functions (e.g., the shop cart) may not work fully.


4) Cookie banner / **Usercentrics**

Provider. Usercentrics GmbH, Munich, Germany.

Scope & purpose. Process cookies and IP addresses to manage your consent.

Legal basis. Art. 6(1)(f) GDPR (legitimate interest in obtaining/managing consent).

Recipients/Transfers/Storage/Objection. As stated; you can object to the cookie storing the banner settings.


5) **The Trade Desk**

Scope. Cookies and tracking technologies collect browsing history, device info (OS, browser, IP) and approximate location.

Purpose. Personalise advertising and measure campaign effectiveness.

Legal basis. Art. 6(1)(f) GDPR.

Recipients/Transfers. Hosting/IT providers; transfers to the USA under DPF/SCCs; data transfer impact assessment carried out.

Storage/Objection. See cookie settings and browser controls; blocking may affect functionality.


6) **Shopify** (Hosting/Shop)

Provider. Shopify International Limited, Ireland.

Scope. Hosting our website/shop; personal data stored on Shopify servers (e.g., IPs, contact requests, meta/communication data, contact details, names, website accesses).

Purpose & legal basis. Provide a secure, fast and efficient online shop; Art. 6(1)(f) GDPR.

Recipients/Transfers. Shopify (including possible transfers to Canada and other countries under adequacy/SCCs). If you pay via third-party payment providers, we transfer data to the payment providers named in our Terms.

Storage. According to statutory retention periods.


7) **Northbeam**

Provider. North Beam, Inc., USA.

Scope & purpose. With your consent, track events during purchase journeys to analyse and improve offers.

Legal basis. Art. 6(1)(a) GDPR and, where applicable, § 25(1) TDDDG.

Recipients/Transfers/Storage/Withdrawal. Northbeam (USA) under SCCs; consent can be withdrawn at any time via cookie settings.


8) Payments (overview)

We use PayPal, Klarna, Google Pay, Apple Pay, Sofortüberweisung, and giropay. Legal basis: Art. 6(1)(b) GDPR; fraud prevention under Art. 6(1)(f) GDPR; credit checks may rely on Art. 6(1)(a) GDPR. International transfers may occur under DPF/SCCs.


9) Social Media (Meta: Instagram & Facebook)

Profiles: instagram.com/edurinoapp/ ; facebook.com/edurino_de. Providers process data for market research/advertising; we receive aggregated statistics. Possible international transfers under DPF/SCCs.


10) **Chatarmin** (WhatsApp newsletters)

Consent-based processing of phone numbers and WhatsApp profile names via WhatsApp API to send newsletters; possible international transfers under SCCs/DPF.


11) **Email marketing with Klaviyo**

Newsletter with double opt-in; existing customers may receive updates/offers; player data-based updates only with guardian consent. Possible transfers to USA under DPF/SCCs; unsubscribe any time.


12) Customer account on edurino.com

Account registration data (name, email, password; optional delivery address) for identification, password reset, address storage, order history. Legal basis: Art. 6(1)(a) GDPR and contract usage.


13) **Google Analytics (GA4)** and **Google Ads**

Used with consent for reach measurement and advertising effectiveness. IP anonymisation active in GA4. Transfers under DPF/SCCs; you can withdraw consent via cookie settings; Google provides an opt-out add-on.


14) **Google reCAPTCHA**

Used with consent to distinguish humans from bots (IP, time on site, mouse movements). Transfers under DPF/SCCs.


15) **AWIN** and **Hotjar**

AWIN for affiliate/performance marketing (pseudonymous transaction/device data) under Art. 6(1)(f) GDPR.

Hotjar to improve usability (behaviour/device data) under Art. 6(1)(f) and/or Art. 6(1)(a) GDPR; opt-out available.




III. Business customers (B2B)

Processing in Shopify Partner Portal (company/contact details, VAT ID/trade licence, etc.) for onboarding and automated ordering. Legal bases: Art. 6(1)(a) and Art. 6(1)(b) GDPR. Possible transfers to USA with Art. 49(1)(a) GDPR (explicit consent).

Helium Customer Fields app (USA) for custom forms and segmentation: Art. 6(1)(f) GDPR; transfers under DPF/SCCs; right to object (Art. 21 GDPR).


IV. Your rights (GDPR)

Withdraw consent (Art. 7(3)); access (Art. 15); rectification (Art. 16); erasure (Art. 17); restriction (Art. 18); portability (Art. 20); complaint (Art. 77) — BayLDA, Postfach 1349, 91504 Ansbach, Germany; object (Art. 21).

Contact: datenschutz@edurino.com

 

International transfers & retention. Where data is transferred outside the EEA (incl. USA), we rely on adequacy, SCCs, and (where appropriate) DPF; retention follows purpose necessity and statutory duties (e.g., 10 years for accounting records, 6 years for commercial letters).