Privacy Policy
Privacy Policy
Last updated: June 2026
Responsible Party
Thinkable Education Technologies Lucia Happe, Kai Marquardt, Jens Happe GbR
Luisenstrasse 88
76137 Karlsruhe
Germany
Phone: +49 179 7939324
Email: education@thinkable.space
Overview
We process personal data only to the extent necessary to provide our educational platform, and in accordance with the General Data Protection Regulation (GDPR). This policy explains what data we collect, for what purpose, and on what legal basis.
Data We Process and Purposes
- Account and login data: We use the service Clerk for registration and sign-in. This processes data such as your name, email address and login information in order to provide your user account (Art. 6(1)(b) GDPR). See the Clerk Privacy Policy for more information.
- Payment data: Payment is handled by our reseller Paddle (see below). We do not store full payment details such as card numbers ourselves.
- Learning progress: To show your progress through the expeditions, we store which lessons have been completed (Art. 6(1)(b) GDPR).
- Technical data and server logs: When you access the website, technical data such as IP address, browser type, operating system and access time are processed to ensure operation and security (Art. 6(1)(f) GDPR).
- Communication data: We process content you send us by email in order to handle your request (Art. 6(1)(b) or (f) GDPR).
Payment Processing by Paddle
Order and payment processing is handled by Paddle.com, which acts as the Merchant of Record and as an independent data controller. To process the purchase, prevent fraud and meet tax and legal obligations, we share the data required for this (such as name, email address and billing country) with Paddle. Paddle may transfer data to third countries and bases such transfers on appropriate safeguards such as EU Standard Contractual Clauses. For details, see Paddle's privacy policy.
Service Providers and Recipients
We share personal data with carefully selected service providers. The hosting and authentication services listed below act as processors on our behalf and on our instructions (Art. 28 GDPR); Paddle acts as an independent controller (see "Payment Processing by Paddle"). Data is transmitted in encrypted form via SSL/TLS. Where data is transferred to third countries (such as the USA), we base such transfers on appropriate safeguards such as EU Standard Contractual Clauses and, where certified, the EU-US Data Privacy Framework.
- Clerk (authentication, processor): name, email address and session data; located in the USA. Clerk Privacy Policy
- Vercel (hosting and Web Vitals, processor): technical connection and request data; located in the USA. Vercel Privacy Policy
- Neon (database hosting, processor): account and progress data created in the platform; located in the USA/EU. Neon Privacy Policy
- Paddle (payment processing, Merchant of Record, independent controller): name, email address and billing country; located in the United Kingdom/EU and third countries. Paddle Privacy Policy
Performance Measurement (Web Vitals)
To measure and improve the loading speed of our website, we use Vercel Speed Insights. This collects performance metrics (so-called Core Web Vitals such as load times). Speed Insights sets no cookies, does not create user profiles, and evaluates the collected data only in aggregated, anonymised form. The legal basis is our legitimate interest in a fast and stable website (Art. 6(1)(f) GDPR). For more information, see the Vercel Privacy Policy.
Cookies
We use only technically necessary cookies that are essential for operating the platform. No consent under § 25(2) no. 2 TDDDG is required for these, as they are strictly necessary for the services you have expressly requested. We do not use tracking, advertising or marketing cookies.
- Sign-in and session cookies (Clerk): keep you logged in after sign-in and secure your session; required for protected areas.
NEXT_LOCALE: stores your language choice (German or English); lifetime around one year.
Data Retention and Deletion
We store personal data only for as long as necessary for the stated purposes or as required by statutory retention obligations:
- Account and login data: for the duration of your user account; after account deletion it is removed promptly (generally within 30 days), unless statutory retention obligations apply.
- Learning progress: for the duration of your user account; it is removed when the account is deleted.
- Payment and invoicing data: processed as part of the handling by Paddle. Tax- and commercial-law-relevant records are retained for the statutory periods (generally 6 to 10 years under § 257 HGB and § 147 AO).
- Technical data and server logs: generally deleted or anonymised within a few weeks.
- Communication data: deleted once your enquiry has been fully handled, unless statutory retention obligations apply.
Children's Data
Our service is aimed at children and young adults aged 10 and over. For users under the age of 16, the consent of a parent or legal guardian is required (Art. 8 GDPR). The paid account and payment are set up by an adult. We only process the data from children that is necessary for the learning service, and we explain how data is used in simple, easy-to-understand language. Parents and guardians may request access to their child's data, request its deletion, and withdraw a given consent at any time.
Automated Decision-Making
We do not carry out decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).
Your Rights
You have the right to access, rectification, erasure, restriction of processing, data portability, and to object to processing. Where processing is based on consent, you may withdraw it at any time with effect for the future. You also have the right to lodge a complaint with a data protection supervisory authority.
Data Breaches
In the event of a personal data breach, we notify the competent supervisory authority without undue delay and, where there is a high risk to your rights and freedoms, also the affected individuals without undue delay (Art. 33 and 34 GDPR).
Privacy Contact
For privacy enquiries, you can reach us at education@thinkable.space.
We have not appointed a Data Protection Officer.