Privacy Policy.

1. Introduction

Key User Training is committed to protecting your personal data. This policy informs you, in accordance with Regulation (EU) 2016/679 of April 27, 2016 (hereinafter the "GDPR") and the Luxembourg law of August 1, 2018 establishing the National Commission for Data Protection, of the conditions under which we collect and process your data.

2. Data Controller

The controller responsible for processing your personal data is:

Key User Training Sàrl
Private limited liability company under Luxembourg law
Registered office: 51, Rue de Strasbourg, L-2561 Luxembourg
RCS Luxembourg: B267856
EU VAT number: LU34049065
Phone: +352 47 18 1
Email: info@keyusertraining.com

For any question regarding the processing of your data or the exercise of your rights, you can write to us at the email address above.

3. Data We Collect

Depending on your interaction with Key User Training, we collect the following categories of data:

• Identity data: last name, first name, title.
• Contact data: email address, phone number (optional), country of residence.
• Professional data: company name, job title, industry sector, EU VAT number (where applicable).
• Billing data: billing address, purchase history. Banking data never passes through our servers and is handled exclusively by our payment provider.
• Account data: username, password (hashed), preferences, courses taken, learning progress.
• Usage and browsing data: pages viewed, visit duration, device type, operating system, IP address, technical cookies.
• Support and marketing interactions: the content of your emails, support requests, newsletter subscription status, open and click statistics.

Mandatory data is indicated in our forms. Without it, we may be unable to process your request or perform the contract.

4. Purposes and Legal Bases

Your data is processed for the following purposes:

Purpose	Legal basis
Managing your customer account and access to the Courses	Performance of the contract (Art. 6(1)(b) GDPR)
Processing orders, billing, and payment	Performance of the contract (Art. 6(1)(b) GDPR)
Retention of accounting records	Legal obligation (Art. 6(1)(c) GDPR)
Customer support and responding to requests	Performance of the contract or legitimate interest (Art. 6(1)(b) and 6(1)(f) GDPR)
Sending the newsletter and marketing communications	Consent (Art. 6(1)(a) GDPR), which may be withdrawn at any time
Audience measurement and improvement of the Site	Legitimate interest (Art. 6(1)(f) GDPR), or consent for non-exempt tools
Site security, fraud prevention	Legitimate interest (Art. 6(1)(f) GDPR)
Compliance with legal obligations (responding to authorities, combating fraud)	Legal obligation (Art. 6(1)(c) GDPR)

5. Data Recipients

Your data is intended for the authorized staff of Key User Training and, where necessary, for processors strictly governed by contracts compliant with Article 28 of the GDPR. These processors act only on the instructions of Key User Training and solely for the purposes described.

The main categories of processors are:

• Site host: Hostinger International Ltd, 61 Lordou Vironos Street, 6023 Larnaca, Cyprus, www.hostinger.com.
• CRM and email marketing tool: Odoo SA, Belgium, for contact management, newsletter sending, and sales follow-up.
• Automation platform: Make (Celonis SE / Integromat), European Union, for integration flows between tools.
• Payment provider: Stripe Payments Europe Ltd, Ireland, and where applicable Stripe Inc. (United States), for secure payment processing.
• Audience analytics tools: Google Analytics, deployed via Google Tag Manager (Google Ireland Ltd, Ireland; Google LLC, United States), configured to respect your consent and limit the data collected.
• Advisors and auditors: accounting, legal, or audit firms, where applicable.

Your data is neither sold nor rented to third parties for commercial purposes.

6. Transfers Outside the European Union

Some of our processors may process data from countries located outside the European Economic Area, in particular the United States for Stripe and Google.

These transfers are governed by:

• the adequacy decisions of the European Commission, where they exist (for example, the EU-US Data Privacy Framework for certified organizations);
• failing that, the standard contractual clauses adopted by the European Commission, supplemented where necessary by additional measures.

You can contact us to obtain a copy of the applicable safeguards.

7. Retention Periods

Data is retained for the period necessary for the purposes for which it was collected, in particular:

• Active customer account data: for the entire duration of the contractual relationship, then five (5) years for administrative management and evidentiary purposes.
• Prospect data: three (3) years from the last effective contact (email open, form, purchase).
• Accounting and tax data: ten (10) years, in accordance with Luxembourg legislation.
• Connection and security data: up to one (1) year.
• Cookies and trackers: a maximum of thirteen (13) months for those subject to consent.
• Support interactions: three (3) years after the last interaction.

At the end of the periods indicated, the data is deleted or anonymized.

8. Your Rights

In accordance with the GDPR, you have the following rights over your personal data:

• Right of access: to obtain confirmation that data concerning you is being processed and to obtain a copy of it.
• Right to rectification: to have inaccurate or incomplete data corrected.
• Right to erasure: to have your data deleted in the cases provided for by the GDPR.
• Right to restriction of processing: to request that processing be suspended in certain situations.
• Right to data portability: to retrieve, in a structured format, the data you provided to us, or to request its transmission to another controller.
• Right to object: to object, on grounds relating to your particular situation, to processing based on legitimate interest, and at any time to the processing of your data for direct marketing purposes.
• Right to withdraw your consent: for processing based on consent, at any time and without affecting the lawfulness of prior processing.
• Post-mortem directives: you can provide us with directives regarding the handling of your data after your death.
• Right not to be subject to an automated decision producing legal or significant effects concerning you, apart from the exceptions provided for by law.

9. How to Exercise Your Rights

To exercise your rights, you can write to us at:

info@keyusertraining.com

Postal address: Key User Training Sàrl, 51, Rue de Strasbourg, L-2561 Luxembourg.

For security reasons, we may ask you for proof of identity in order to verify that the request actually comes from you. We undertake to respond within one (1) month of receiving your request, extended by two (2) months in the event of a complex request or a high number of requests.

10. Filing a Complaint with the CNPD

If, after contacting us, you believe that your rights are not being respected, you can file a complaint with the National Commission for Data Protection (CNPD), the competent supervisory authority in Luxembourg:

National Commission for Data Protection (CNPD)
15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
Website: www.cnpd.lu

You can also refer the matter to the data protection authority of your place of residence, place of work, or the place where the alleged breach occurred.

11. Security

Key User Training implements appropriate technical and organizational measures to ensure a level of security suited to the risks: encryption of communications (HTTPS), strict access management, regular backups, passwords stored in hashed form, awareness training for staff, and selection of processors offering sufficient guarantees.

No system is entirely secure. In the event of a data breach likely to result in a high risk to your rights and freedoms, you will be informed in accordance with Article 34 of the GDPR.

12. Diagnostics and AI Analysis

If you use the SAP Consultant Functional Know-How Diagnostic or any other similar diagnostic tool offered by Key User Training, your answers are processed under the following framework:

• Purpose: to generate your personalized report and trigger the follow-up email sequence suited to your identified level.
• AI and automation processors:
  • Make.com (Celonis SE / Integromat), Slovakia (European Union), for orchestrating the flows and sending the emails.
  • Anthropic PBC, United States, via the integrated Make Agent module, to automatically analyze your answers. The transfer outside the EU is governed by the Standard Contractual Clauses adopted by the European Commission.
• Data processed: first name, email, answers to the diagnostic's open-ended questions, technical metadata (IP address, language, completion time for fraud prevention purposes).
• Automated decision: your level (Consultant in the making, Operational, or Emerging confirmed) and the associated recommendations are produced by an AI model. You can at any time request additional human analysis by writing to us at info@keyusertraining.com.
• Storage of open-ended answers: thirty (30) days after the report is generated, then automatic purging from our systems and a purge request to the AI processor.
• Retention of the report: twelve (12) months maximum (accessible via a personal signed URL), then deletion upon request.
• Unsubscribe: 1 click in every follow-up email you receive.

You can at any time request the complete deletion of your report and associated data by writing to info@keyusertraining.com with the subject line "Diagnostic deletion" and the email address used for sign-up.

13. Cookies

The Site uses cookies and trackers. To find out the list, their purpose, and how to manage your consent, see the cookie policy.

14. Minors

The Courses offered on the Site are intended for an adult audience, in a professional or career change context. We do not knowingly collect data concerning persons under the age of 16. If you believe that such collection has taken place, please report it to us at info@keyusertraining.com: the data in question will be deleted without delay.

15. Changes to This Policy

This policy may be updated to reflect technical, legal, or product changes. The applicable version is the one published on this page on the date you consult it. In the event of a substantial change, you will be informed by an appropriate means (a banner on the Site, an email to account holders).