Privacy Statement

Mysoly Group B.V. and its subsidiaries Mysoly E-Learn B.V. and Mysoly AI B.V.

Company Information

Mysoly Group B.V., together with its subsidiaries Mysoly E-Learn B.V. and Mysoly AI B.V., operates digital platforms including websites, digital education environments, artificial intelligence services, learning management systems, and online portals.

Within the meaning of the General Data Protection Regulation (GDPR), Mysoly Group B.V. and its subsidiaries act as the data controller for the processing of personal data collected through their platforms and services.

In this privacy statement Mysoly Group B.V., Mysoly E-Learn B.V., and Mysoly AI B.V. are collectively referred to as “the Company.”

The Company processes personal data in accordance with the GDPR and applicable European data protection regulations and applies appropriate organisational and technical measures to protect personal information.

This privacy statement explains which personal data may be collected and how the Company processes, protects, and stores such data.

Applicability

This privacy statement applies to all personal data processed through:

  • websites
  • digital education platforms
  • learning management systems
  • artificial intelligence platforms
  • online portals
  • customer and partner portals
  • support or communication channels related to the Company’s services

Personal data may be collected through platform registrations, course participation, service usage, communication, or contractual relationships with the Company.

Categories of Personal Data

The Company may process the following categories of personal data.

General personal data

  • First and last name
  • Address details
  • Email address
  • Telephone number
  • Company or organisation name
  • Billing and payment information
  • IP address
  • Browser and device type
  • Information about activities on the platform

Account data

  • Login credentials
  • User profile information
  • Course enrolment and learning progress
  • User generated data within the platform

Device data

  • Device type and operating system
  • Browser information
  • Technical identifiers required for service functionality and security monitoring

Location data

Approximate location information derived from IP addresses for security monitoring and fraud prevention.

Usage data

  • Login records
  • Course participation statistics
  • Platform interaction logs
  • System access logs

Communication data

  • Messages sent through platform tools
  • Customer support requests
  • Feedback or training responses
  • Documents or assignments uploaded by users

Other personal data

Information voluntarily provided through forms, support interactions, or contractual communication.

Special Category Data (Healthcare or Sensitive Information)

Some services provided through the platform may involve the processing of special categories of personal data, including healthcare-related information, where this is necessary for the functioning of specific services or integrations.

Examples may include:

  • healthcare consultation notes
  • diagnostic information
  • therapy session records
  • audio or video communication records
  • health-related documentation

Processing of such information occurs only where a lawful basis exists under Articles 6 and 9 of the GDPR and where appropriate technical and organisational safeguards are implemented.

Sensitive information is processed with enhanced security controls and restricted access.

Purpose of Processing

Personal data may be processed for the following purposes:

  • providing access to digital platforms and services
  • managing user accounts and subscriptions
  • delivering training or educational services
  • processing payments and subscriptions
  • providing customer support
  • improving platform functionality and user experience
  • monitoring system security and preventing misuse
  • complying with legal obligations

Legal Basis for Processing

Personal data is processed based on one or more of the following legal bases under Article 6 GDPR.

Performance of a Contract (Article 6(1)(b))

Processing necessary for providing access to platforms, courses, and digital services.

Consent (Article 6(1)(a))

Where explicit consent is required, such as for optional marketing communication or certain platform features.

Compliance with Legal Obligations (Article 6(1)(c))

Processing required to comply with financial, tax, or regulatory obligations.

Legitimate Interests (Article 6(1)(f))

Processing necessary for maintaining platform security, improving services, detecting misuse, or analysing platform usage.

Vital Interests (Article 6(1)(d))

In rare circumstances where processing is necessary to protect the vital interests of individuals.

Use of Artificial Intelligence and Advanced Technologies

Some services provided by the Company may integrate advanced technologies including artificial intelligence systems, language models, text-to-speech tools, image generation systems, or external service APIs.

These technologies may be used to:

  • generate content or reports
  • provide automated feedback
  • support personalised learning or workflow paths
  • enhance accessibility features such as speech synthesis
  • generate visual or educational content

User inputs may be processed by these systems to deliver the requested functionality.

To protect personal data, the Company applies data minimisation and data masking techniques where technically feasible. These measures are designed to prevent the disclosure of identifiable personal information to external technology providers.

Before data is processed by AI systems or third-party APIs, the Company may apply technical controls such as:

  • masking or pseudonymisation of personal identifiers
  • removal of direct personal identifiers
  • data minimisation techniques that limit the amount of information shared
  • processing through secure intermediary services

As a result, personally identifiable information is not intentionally transmitted to external AI providers unless strictly necessary for the requested functionality and permitted under applicable data protection regulations.

External technology providers processing data on behalf of the Company are contractually required to comply with GDPR obligations, implement appropriate security measures, and process data only according to documented instructions.

The Company continuously evaluates the security and privacy implications of AI technologies to ensure compliance with applicable European data protection regulations.

Data Retention

Personal data is retained only for as long as necessary for the purposes for which it was collected or as required by applicable law.

General personal data

Retention period: during the active relationship and up to two years afterwards unless legal obligations require longer retention.

Account data

Retention period: retained during the account lifetime and up to twelve months after account inactivity.

Usage and system logs

Retention period: maximum twenty four months.

Location and device data

Retention period: maximum twelve months.

Communication data

Retention period: maximum twelve months unless required for legal purposes.

Financial or accounting information

Retention period: retained in accordance with statutory financial retention obligations (for example tax legislation).

Deletion and Anonymisation

After the applicable retention period expires, personal data will be securely deleted or anonymised.

Anonymised data may be retained for statistical analysis, system improvement, or research purposes.

Disclosure to Third Parties

Personal data may be shared with third parties where necessary for providing services or fulfilling legal obligations.

Examples include:

  • cloud infrastructure providers
  • payment processors
  • IT service providers
  • technical support providers
  • analytics services
  • legal or regulatory authorities where required by law

Where third parties process personal data on behalf of the Company, Data Processing Agreements (DPAs) are established to ensure confidentiality and GDPR compliance.

Cloud Infrastructure

Platform infrastructure is hosted on secure European cloud infrastructure.

Personal data processed by the Company is stored and processed on EU-based servers operated by certified cloud providers implementing appropriate security and data protection measures.

Information Security

The Company implements appropriate technical and organisational measures aligned with recognised security standards including:

  • ISO 27001
  • NEN 7510 (Healthcare Information Security)

Security controls include:

  • identity and access management
  • encryption of data in transit and where appropriate at rest
  • monitoring and logging of system activity
  • vulnerability management
  • incident management procedures
  • secure cloud infrastructure

These controls form part of the Company’s Information Security Management System (ISMS).

Subprocessors

External service providers may be engaged as subprocessors for infrastructure or operational services.

Subprocessors are contractually required to:

  • process data only on documented instructions
  • implement appropriate security controls
  • comply with GDPR obligations
  • maintain confidentiality

Where possible subprocessors are located within the European Union.

International Data Transfers

Where personal data is transferred outside the European Economic Area, such transfers are performed in accordance with GDPR safeguards such as:

  • Standard Contractual Clauses (SCCs)
  • adequacy decisions by the European Commission
  • other legally recognised safeguards

Children’s Privacy

The Company’s platforms are generally intended for users aged 16 years or older.

The Company does not knowingly collect personal data from children under the age of 16 without appropriate parental or guardian consent where required by law.

If the Company becomes aware that personal data from a child has been collected without appropriate consent, steps will be taken to delete such data.

Limitation of Liability

While the Company implements appropriate security measures to protect personal data, no digital system can be guaranteed to be completely secure.

The Company shall not be liable for damages resulting from circumstances beyond its reasonable control, including cyber incidents, infrastructure failures, or actions of third-party service providers, except where liability arises from wilful misconduct or gross negligence as defined by applicable law.

Rights of Data Subjects

Individuals have the following rights under the GDPR:

  • right of access
  • right to rectification
  • right to deletion
  • right to restriction of processing
  • right to data portability
  • right to object to processing
  • right to withdraw consent 

Requests can be submitted via the contact information below.

Complaints

Individuals may submit complaints to the competent supervisory authority.

In the Netherlands this authority is: Autoriteit Persoonsgegevens

Data Protection Contact

For questions regarding personal data processing or privacy matters, contact:

B. Cangal
Privacy Contact / Data Protection Coordinator
Email: bcangal@mysoly.nl

Operational security contact:

Y. Baytemur
Cloud Infrastructure / DevOps
Email: yavuz@mysoly.com

Contact

info@mysoly.com

Version

Last updated: Feb 2026
Version 1.2