Privacy Policy
Last updated: 1 July 2026
1. The Data Controller
The controller of personal data is:
- Company name: GALIAN SOFTWARE DEVELOPMENT SRL
- Tax ID (CUI): RO45988048
- Trade Register No.: J12/2051/2022
- Registered office: Str. Tulcea 6, Postal Code 400594, Cluj-Napoca, Cluj County, Romania
- General email: contact@cursuri-ai.ro
1.1 Data Protection Contact Point
For any requests, questions or complaints related to the processing of personal data, or to exercise the rights provided for by the GDPR (access, rectification, erasure, portability, objection, restriction), Users may contact our dedicated data protection contact point:
- GDPR contact email: contact@cursuri-ai.ro (subject: "GDPR")
- Postal address: GALIAN SOFTWARE DEVELOPMENT SRL — Str. Tulcea 6, Postal Code 400594, Cluj-Napoca, Cluj County, Romania (marked "Attn: Data Protection Officer")
- Response time: a maximum of 30 calendar days from receipt of the request (Art. 12(3) GDPR)
Note: Under Art. 37 GDPR, GALIAN SOFTWARE DEVELOPMENT SRL is not required to designate a Data Protection Officer (DPO) — we are not a public authority, we do not process personal data on a large scale as a core activity, and we do not process special categories of data or data relating to criminal convictions. Nevertheless, we have voluntarily established a dedicated contact point to ensure prompt and specialised responses to GDPR requests.
1.2 The Supervisory Authority
If you have not received a satisfactory response to your request, you have the right to lodge a complaint with the supervisory authority:
- The National Supervisory Authority for Personal Data Processing (ANSPDCP) — the Romanian data protection authority
- B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, Postal Code 010336, Bucharest
- Phone: +40.318.059.211 / +40.318.059.212
- Email: anspdcp@dataprotection.ro
- Web: www.dataprotection.ro
The processing of personal data is carried out in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation — GDPR) and Law no. 190/2018 on measures implementing the GDPR in Romania.
2. Categories of Personal Data Collected
2.1. Data provided directly by the User
- Identification data: first name, last name, email address.
- Authentication data: password (stored exclusively in encrypted/hashed form).
- Billing data: information required for issuing invoices (processed through Stripe).
- Voluntary feedback: answers to the satisfaction surveys displayed on the Platform (NPS recommendation score, CSAT satisfaction score and the associated optional comments). Completing these surveys is always voluntary and may be declined without any consequence.
- Questions and suggestions on the blog: when you voluntarily submit a question or a suggestion on a blog article, we collect the display name, the email address and the content of the message, together with the confirmation of your consent to publication and its date. Submission is always voluntary. After approval by a moderator, only the display name and the content of the message are published publicly on the article page; the email address is never published and is used exclusively for contacting you in connection with the message and for preventing abuse.
2.2. Data collected automatically
- Technical data: IP address, browser type, operating system, screen resolution.
- Usage data: pages visited, courses accessed, course progress, results in quizzes and skill assessments, time spent on the platform.
- Product events (first-party analytics): interactions within the Platform (for example: starting or completing a lesson, completing a course, completing the welcome guide, using search, starting a skill assessment). These events are collected and stored exclusively on our servers, without third-party analytics tools, and do not contain directly identifying data (name, email) in the event content.
- Cookies and similar technologies: in accordance with the Cookie Policy.
3. Purposes and Legal Bases of the Processing
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Creating and managing the account | Performance of the contract (Art. 6(1)(b)) |
| Providing access to courses and materials | Performance of the contract (Art. 6(1)(b)) |
| Payment processing and invoicing | Performance of the contract and legal obligation (Art. 6(1)(b) and (c)) |
| Monitoring course progress | Performance of the contract (Art. 6(1)(b)) |
| Transactional communications (confirmations, account notifications) | Performance of the contract (Art. 6(1)(b)) |
| Improving the Platform and analysing usage (including first-party product events) | Legitimate interest (Art. 6(1)(f)) |
| Collecting and analysing voluntary feedback (NPS/CSAT surveys) | Legitimate interest (Art. 6(1)(f)); participation is voluntary |
| Publishing questions and suggestions submitted on blog articles (after moderation) | Consent (Art. 6(1)(a)), given explicitly at submission and withdrawable at any time |
| Moderating blog messages and preventing abuse/spam | Legitimate interest (Art. 6(1)(f)) |
| Platform security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Compliance with legal obligations (fiscal, accounting) | Legal obligation (Art. 6(1)(c)) |
4. Data Retention Periods
- Account data: for the lifetime of the account and 3 years after account deletion (for the resolution of any disputes).
- Billing data: 10 years in accordance with Romanian fiscal legislation (the Accounting Law no. 82/1991).
- Usage and progress data: for the lifetime of the account; anonymised upon account deletion.
- Product events (first-party analytics): for the lifetime of the account; upon account deletion, the link to the user is permanently removed and the data remains exclusively in anonymous, aggregated form.
- Voluntary feedback (NPS/CSAT): for the lifetime of the account; permanently deleted upon account deletion.
- Questions and suggestions on the blog: approved messages remain published for as long as the article is available or until the withdrawal of consent or a deletion request; rejected or unapproved messages are deleted within a maximum of 12 months. You may withdraw your consent or request the removal of your message at any time by writing to the contact address in Section 1.1.
- Technical data (logs): a maximum of 12 months.
- Cookies: in accordance with the durations specified in the Cookie Policy.
5. Recipients of the Data
Personal data may be transmitted to the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Card payment processing | USA (standard contractual clauses, Art. 46 GDPR) |
| SmartBill (Intelligent IT SRL) | Issuing fiscal invoices and automatic transmission to the ANAF SPV (e-Invoice / e-Factura) for B2B transactions | Romania |
| Hosting providers (AWS, eu-central-1 / Frankfurt region) | Hosting the Platform and storing the data | EU/EEA |
| Sendinblue (Brevo) | Sending transactional and marketing emails | EU (France) |
| Anthropic, PBC | Generation of AI text answers (Virtual AI Professor) | USA (standard contractual clauses, Art. 46 GDPR) |
| OpenAI, L.L.C. | Synthetic voice generation (TTS) and audio transcription (Whisper) | USA (standard contractual clauses, Art. 46 GDPR) |
| Google Firebase Cloud Messaging | Push notifications on mobile devices (only upon opt-in from the browser/app) | USA (standard contractual clauses, Art. 46 GDPR) |
| 2Performant Network SA | Sales attribution through the affiliate programme (30-day tracking cookie) | Romania |
| Public authorities | In accordance with legal obligations (ANAF via the SPV, courts) | Romania |
We do not sell, rent or exchange Users' personal data with third parties for marketing purposes.
6. International Data Transfers
In the case of data transfers outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, including:
- Standard contractual clauses approved by the European Commission (Art. 46(2)(c) GDPR).
- Adequacy decisions of the European Commission, where available.
7. Rights of Data Subjects
In accordance with the GDPR, Users have the following rights:
- The right of access (Art. 15) — the right to obtain confirmation of the processing and a copy of the data.
- The right to rectification (Art. 16) — the right to correct inaccurate or incomplete data.
- The right to erasure ("the right to be forgotten") (Art. 17) — the right to request the deletion of the data, subject to certain legal exceptions.
- The right to restriction of processing (Art. 18) — the right to limit the processing in certain circumstances.
- The right to data portability (Art. 20) — the right to receive the data in a structured, commonly used and machine-readable format.
- The right to object (Art. 21) — the right to object to processing based on legitimate interest.
- The right not to be subject to an automated decision (Art. 22) — the right not to be subject to a decision based solely on automated processing.
To exercise these rights, the User may send a request to contact@cursuri-ai.ro. We will respond within 30 days of receiving the request.
7.0 Processing through Artificial Intelligence Systems
The Platform uses artificial intelligence ("AI") systems to provide the Virtual AI Professor feature (text chat, synthetic voice, summaries, adaptive quizzes). These systems process:
- The content of your requests (text questions or transcribed audio) — for the purpose of generating an answer relevant to the accessed lesson.
- The lesson context (title, educational content) — so that the AI answers based on the exact content of the course.
- Internal identifiers (the user's ID, the lesson's ID) — for accounting for usage and preventing abuse (fair use).
7.0.1 Storage of Conversations in Our Database
In order to give you access to the history of your conversations with the Virtual AI Professor and for the continuity of your learning experience, we store the conversations (questions + answers) in our database on our servers in the European Union. Conversations are associated with your account and the lesson in which they were initiated.
- What we store: your text questions, the AI-generated answers, the lesson ID, the time of the conversation, the number of messages exchanged.
- What we do NOT store in our database: raw audio recordings (they are processed in real time and deleted immediately after transcription), voice biometric data.
- Legal basis: performance of the contract (Art. 6(1)(b) GDPR) — access to the conversation history is part of the Virtual AI Professor service included in the subscription.
- Storage duration: conversations remain stored for the lifetime of your account. Upon account deletion (section 7 — The right to erasure), conversations are permanently removed from our database within a maximum of 30 days.
- Access to your conversations: only you (from your account) and our technical staff strictly necessary for troubleshooting (under a confidentiality clause). They are not visible to other users.
- Selective deletion: you can delete an individual conversation at any time from the Virtual AI Professor interface, without affecting your account.
This storage is distinct from the processing at the AI providers (Anthropic / OpenAI) described below. The processing at the providers is ephemeral (a maximum of 30 days at the provider); the storage with us lasts for the lifetime of the account, in order to give you access to the history.
7.0.2 AI Providers and International Transfers
AI providers used: artificial intelligence models provided by Anthropic (USA, text models) and OpenAI (USA, synthetic voice and transcription). Data transfers outside the EEA are covered by standard contractual clauses approved by the European Commission (Art. 46(2)(c) GDPR).
Your content is NOT used for training the models. We have DPA agreements with the providers that exclude use for training. Conversational content is automatically deleted at the provider within a maximum of 30 days.
7.0.3 Logging of AI Operations (Audit Trail)
In accordance with the requirements of Regulation (EU) 2024/1689 (the AI Act, in particular Art. 12 and 50), we keep a technical log ("audit log") of each AI operation performed on the platform. It contains metadata only — it does NOT contain the text of the questions or of the answers:
- The type of operation (chat, summary, quiz, flashcards, voice, transcription)
- The AI model used (e.g. "claude-haiku-4-5"), the provider (Anthropic / OpenAI)
- The number of tokens consumed and the estimated cost
- The status (success / failure) and the duration of the operation
- The internal user ID and the lesson ID (without direct personal data)
Purpose: technical investigations, troubleshooting, regulatory reporting (AI Act), abuse prevention. Legal basis: legal obligation (Art. 6(1)(c) GDPR) — the AI Act Regulation + legitimate interest (Art. 6(1)(f) GDPR) for security and quality. Retention period: 24 months from the date of the operation, after which the logs are automatically deleted.
7.0.4 AI Transparency (Art. 50 AI Act)
In accordance with Art. 50 of Regulation (EU) 2024/1689 (the AI Act), we explicitly inform you that you are interacting with an AI system, that the answers may contain errors, and that the audio played is a synthetic voice. See the Terms and Conditions, section 10.1, for full details.
7.1 Marketing Communications and the Right to Unsubscribe
On the basis of legitimate interest (Art. 6(1)(f) GDPR) and in accordance with Art. 13 of Directive 2002/58/EC (ePrivacy), registered Users receive marketing emails related to our services (course recommendations, promotional offers, re-engagement messages).
Users have the right to object at any time to the processing of their data for direct marketing purposes (Art. 21(2) GDPR). We process unsubscribe requests immediately through the following channels:
- The "Unsubscribe" link present in the footer of every marketing email — access the link and confirm the unsubscription with a single click.
- The native "Unsubscribe" button in the email client (Gmail, Yahoo, Apple Mail, Outlook) — implemented in accordance with RFC 8058 (List-Unsubscribe / List-Unsubscribe-Post One-Click).
- The "Email preferences" section in your account (at /app/profile) — toggle between receiving / not receiving marketing emails.
- Email to contact@cursuri-ai.ro with the subject "Unsubscribe" — we process it manually within a maximum of 24 hours.
Unsubscribing from marketing does not affect the transactional emails necessary for the performance of the contract (Art. 6(1)(b) GDPR) — payment confirmations, invoicing notifications, subscription changes, failed payments, course completions and renewal reminders. To completely stop receiving any emails, you must delete your account (see section 7 — The right to erasure).
We keep a history of the consent status (the date of unsubscription, the source) in order to demonstrate compliance with the GDPR record-keeping obligations (Art. 5(2) — accountability).
8. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (HTTPS/TLS).
- Storage of passwords exclusively in hashed form (bcrypt).
- Role-based access control.
- Single session enforcement.
- Access monitoring and activity logging.
- Regular security updates of software components.
9. Children's Data
The Platform is not intended for persons under the age of 16. We do not knowingly collect personal data of minors under this age. If we discover that we have collected such data, we will delete it immediately.
10. Changes to the Privacy Policy
We reserve the right to update this policy. Users will be notified by email and/or through an announcement on the Platform of significant changes. The date of the last update is displayed at the top of this page.
11. Complaints
If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with:
- The National Supervisory Authority for Personal Data Processing (ANSPDCP) — the Romanian data protection authority
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania
- Website: dataprotection.ro
- Email: anspdcp@dataprotection.ro
12. Contact
For any questions regarding the processing of personal data:
- Email: contact@cursuri-ai.ro
- Address: GALIAN SOFTWARE DEVELOPMENT SRL, Str. Tulcea 6, Postal Code 400594, Cluj-Napoca, Cluj County, Romania