PRIVACY POLICY

    Last Updated: August 2025

    This policy describes how we collect, use, and handle your personal data when you use AuthPractice.com and our services ("Services").

    Storage Location

    We store your personal information on servers located in Germany. Germany provides an adequate level of data protection as required by Art. 45 (1) GDPR.

    Data Controller

    The data controller according to Art. 4 (7) GDPR is:

    SUPREMATIC Technology Arts GmbH
    Hospitalstr. 35
    70174 Stuttgart, Germany

    Managing Directors: Sergey Vasiliev, Alexey Aristov
    General questions: info@suprematic.de
    Data Protection Officer: privacy@suprematic.de

    Purposes and Legal Basis for Processing

    We process your personal information only with your knowledge and consent (Art. 6 (1) (a) GDPR), except where permitted by law or defined in this Privacy Policy. You can withdraw consent at any time without affecting prior lawful processing.

    We process your personal information to:

    • Provide course access and interactive lab environments (Legal basis: Art. 6 (1) (b) GDPR)
    • Process payments including subscriptions (Legal basis: Art. 6 (1) (b) GDPR)
    • Track your course progress and completion (Legal basis: Art. 6 (1) (b) GDPR)
    • Communicate about your learning experience (Legal basis: Art. 6 (1) (b) GDPR)
    • Provide technical support (Legal basis: Art. 6 (1) (b) GDPR)
    • Ensure security of our systems and prevent misuse (Legal basis: Art. 6 (1) (f) GDPR)
    • Improve our courses and Services (Legal basis: Art. 6 (1) (f) GDPR)

    Using Our Services

    Server Log Files

    For technical provision of the website and lab environments, we automatically collect:

    • Browser type and version
    • Operating system
    • Referrer URL
    • Hostname of accessing computer
    • Date and time of access
    • IP address

    This data is stored for at least 30 days for IT security purposes. In case of suspected illegal activities, we may retain this data longer.

    Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in system security and functionality)

    Account Information

    We collect and associate with your account:

    • Email address, first and last name
    • Billing information
    • Course enrollment and progress data
    • Subscription status

    Legal basis: Art. 6 (1) (b) GDPR

    Learning Data

    This includes:

    • Course progress and completion status
    • Quiz answers and scores
    • Lab environment usage and commands executed
    • Configuration changes in interactive Keycloak labs
    • Time spent on lessons and labs
    • Community forum posts (if applicable)

    Important: Since students have full control over lab environments, we retain lab activity logs for at least 30 days for security and abuse prevention purposes.

    Legal basis: Art. 6 (1) (b) GDPR

    Device Information

    We collect:

    • Browser type and device information
    • Pages visited before our site
    • Device identifiers

    Legal basis: Art. 6 (1) (b) GDPR for service provision, Art. 6 (1) (f) GDPR for security

    Usage Information

    We track how you interact with our Services:

    • Course navigation patterns
    • Lab environment interactions
    • Feature usage
    • Learning performance metrics

    Legal basis: Art. 6 (1) (b) GDPR

    Voluntary Provision of Data

    You are not obligated to provide personal data to us. However, without providing certain data, we cannot grant access to our courses, process payments, or provide the full functionality of our Services. Data marked as optional can be omitted without affecting core service functionality.

    Marketing Communications

    We may contact you about:

    • New courses or modules
    • Course updates
    • Learning tips and best practices

    We use double opt-in for newsletters. You can unsubscribe anytime via:

    Legal basis: Art. 6 (1) (a) GDPR (consent)

    Transfer of Personal Information

    We share your data with trusted third parties to provide our Services. We don't sell your information.

    Service Providers

    • Infrastructure: Amazon Web Services (EU)
    • Payment Processing: Stripe (EU), PayPal (US)
    • Analytics: PostHog (EU)
    • Lab Environments: Hetzner (EU)

    All providers must comply with GDPR requirements. For US-based services, data transfer is based on appropriate safeguards including the EU-US Data Privacy Framework.

    Other Users

    If you participate in community features, other users may see your name and profile picture.

    Legal Requirements

    We may disclose information to comply with legal obligations, prevent fraud, or protect users from harm.

    Data Security

    We use SSL/TLS encryption for all data transmission. Your data is encrypted both in transit and at rest on our servers.

    Cookies

    We use cookies for:

    • Essential cookies: Login sessions, preferences (Legal basis: Art. 6 (1) (b) GDPR)
    • Analytics cookies: Understanding usage patterns via PostHog (Legal basis: Art. 6 (1) (f) GDPR)

    You can control cookies via browser settings, though this may limit functionality.

    Data Retention

    • Server logs: Minimum 30 days (longer if security incident detected)
    • Active accounts: Data retained while account is active
    • Closed accounts: Deleted after 180 days
    • Lab activity logs: Minimum 30 days (longer if security incident detected)
    • Financial records: Retained per German tax law (10 years)
    • Course progress: Retained for certificate verification
    • Security incidents: If we detect illegal activities or terms of service violations, we may retain relevant data longer as necessary for investigation or legal compliance (Legal basis: Art. 6 (1) (f) GDPR)

    Contact privacy@suprematic.de for details about our retention policy.

    Your Rights

    Under GDPR, you have the right to:

    • Access your personal data (Art. 15)
    • Rectify incorrect data (Art. 16)
    • Erase your data under certain conditions (Art. 17)
    • Restrict processing (Art. 18)
    • Object to processing (Art. 21)
    • Data portability (Art. 20)

    Contact privacy@suprematic.de to exercise these rights. We aim to respond within 14 days.

    Supervisory Authority

    You have the right to lodge complaints with the supervisory authority:

    Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
    Lautenschlagerstraße 20
    70173 Stuttgart
    Tel: 0711/615541-0
    Email: poststelle@lfdi.bwl.de

    No Automated Decision Making

    We do not use automated decision-making or profiling.

    Changes

    We'll post updates here and notify you of significant changes.

    Contact

    Questions? Contact our Data Protection Officer at privacy@suprematic.de