Privacy Notice
1. Data Controller
Name: Andreas Glombitza-Cevey / AGC Projects
Address: Kreuzstraße 52, 72074 Tübingen
Email: entrecomp@agcprojects.de
Website: https://entrecomp.agcprojects.de
Data Protection Officer: A separate Data Protection Officer has not been appointed, as the legal requirements for mandatory appointment are not met under the current scale of processing.
2. Categories of Personal Data Processed
2.1 Account Information
- First and last name
- Email address
- Username or pseudonym (if pseudonym mode is enabled for the account)
- Password (stored in encrypted, hashed form)
- Role (e.g. user, group member, group facilitator)
2.2 Usage and Assessment Data
- Responses to competence self-assessments
- Calculated scores and visualizations (such as competence “flower” diagrams, z-scores, or progress graphs)
- Longitudinal progress data over time
- Group membership and team configuration, if you participate in educational or enterprise groups
2.3 Technical Data
- Session Management: We use a technically necessary session cookie (PHPSESSID) and a heartbeat mechanism to maintain your login status and prevent data loss during assessments.
- Application logs: we record application activities linked to your User ID (pseudonymized), with IP addresses truncated to 2 octets
- Server logs: Our hosting provider records server logs for security.
2.4 Data Provided by Educational Institutions or Employers
When you are enrolled into a group by an educational institution or employer, we may receive:
- Your name and email address
- Information about the group, course or programme to which you are assigned
Where an educational institution or employer mandates the use of this service and manages your group, that institution acts as the Data Controller regarding your enrollment, and EntreComp Orchard acts as the Data Processor. In these cases, a Data Processing Agreement governs the relationship between us and the institution.
2.5 AI Analysis Data (Optional Feature)
When you explicitly request an AI-based analysis in the “AI Analysis” pod, the platform temporarily processes:
- Your selected self-assessment responses
- Derived competence scores relevant to the analysis
- A prompt describing the type of analysis you requested
To protect your privacy, no information that can directly identify you is transmitted to OpenAI. Only the content necessary to generate the analysis is sent.
The transmitted data is used solely for generating the specific analysis you requested. EntreComp Orchard does not store this data after the response is delivered.
Important: The content sent to OpenAI for the analysis may be used by OpenAI to improve its services, including for model training, in accordance with OpenAI’s privacy and security commitments. You can choose not to use the AI Analysis feature if you do not wish your data to be shared in this way.
3. Purposes of Processing
3.1 Account Creation and Management
To create and manage your user account, authenticate you when you log in, and maintain your user profile on the platform.
3.2 Provision of Self-Assessment and Learning Features
To deliver all core functions of EntreComp Orchard, including:
- Collecting and storing your self-assessment responses
- Calculating competence-related scores and visualizations
- Enabling you to track your progress over time
- Providing personalised feedback and learning resources where applicable
3.3 Group-Based Educational and Organisational Use
For educational and enterprise tiers, to support group management and teaching or organisational processes, including:
- Managing cohorts, classes, teams or other groups
- Providing aggregated and, where appropriate, individual assessment results to authorised facilitators
- Supporting benchmarking, team configuration and milestone tracking
- Generating dashboards and reports over time
3.4 Security, Maintenance and Improvement of the Service
To ensure the security and stability of the platform, including:
- Monitoring for and preventing abusive usage or technical attacks
- Maintaining server logs and error logs for troubleshooting
- Analysing technical performance and usage patterns in an aggregated form
- Storing IP addresses only in truncated (pseudonymized) form to support data minimisation
3.5 Communication
To send necessary service-related information, such as account confirmation, password reset messages or important notifications about changes to the platform.
3.6 Optional AI-Based Analysis (Only on Your Request)
The platform offers an optional “AI Analysis” feature. If you choose to use this feature, selected assessment data is transmitted to OpenAI to generate a personalised analysis. No personal identifiers (such as your name, email, user ID or pseudonym) are included.
This processing occurs only when you explicitly request the analysis. Because OpenAI may use the transmitted content to improve and train its models, your explicit consent is required before activating this feature.
The results are displayed immediately and are not stored by EntreComp Orchard unless you save them manually.
4. Legal Bases for Processing
4.1 Contract (Article 6(1)(b) GDPR)
Most processing activities are necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract.
4.2 Legitimate Interests (Article 6(1)(f) GDPR)
We rely on legitimate interests to process certain technical data and usage data for the following purposes:
- Ensuring the security and integrity of our systems
- Detecting and preventing misuse
- Maintaining and improving platform functionality
- Providing aggregated insights to educational or organisational customers
4.3 Consent (Article 6(1)(a) GDPR)
Use of the optional AI Analysis feature is based on your consent. No AI-based analysis is performed unless you explicitly request it. We currently do not use optional tracking or analytics cookies; if introduced in the future, they will require your prior consent.
5. Sources of Personal Data
We obtain personal data from the following sources:
- Directly from you when you register, use the platform or communicate with us
- From your educational institution or employer when they create an account or group for you
- Automatically from your browser or device through technical logs
We do not purchase personal data from external sources.
Use of the optional AI Analysis feature requires your explicit consent, as the content you provide may be processed by OpenAI and may be used by OpenAI to improve its services and models. You may withdraw your consent at any time by choosing not to use this feature.
6. Recipients of Personal Data
6.1 Internal Recipients
- Platform administration and technical support (only where necessary for their tasks)
- Authorised group facilitators, teachers or organisational administrators accessing the data of users assigned to their groups
6.2 External Service Providers (Processors)
We may share personal data with carefully selected service providers who act as processors on our behalf and are bound by Data Processing Agreements under Article 28 GDPR. These include:
- Hosting provider for servers and databases, email and messaging services for transactional emails (netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe)
6.3 Other External Recipients (No Processor Relationship)
When you use the optional AI Analysis feature, selected assessment content is transmitted to OpenAI (USA). OpenAI processes this data as an independent service provider and not as a processor on our behalf.
- OpenAI (USA) — receives limited, non-identifying assessment content only when you explicitly request an AI-based analysis. No personal identifiers (such as your name, email address, pseudonym, or user ID) are sent. The transmitted content may be used by OpenAI to improve its services and models, in line with OpenAI’s privacy practices.
This transfer occurs only when you activate the AI Analysis feature and is based on your explicit consent.
We do not sell personal data to third parties.
7. International Data Transfers
All personal data stored by EntreComp Orchard (such as account information, assessment data and technical logs) is hosted and processed within the European Union. Our servers are operated by netcup GmbH (Germany), and no personal data is routinely transferred outside the EU/EEA.
An international data transfer occurs only when you choose to use the optional AI Analysis feature. In this case, selected assessment content (without any direct identifiers such as your name, email address, pseudonym or user ID) is transferred to OpenAI in the United States to generate the requested analysis.
The transmitted content may be used by OpenAI to improve its services and models, in accordance with OpenAI’s privacy and security practices. This processing takes place only with your explicit consent.
The transfer to the United States is carried out on the basis of the EU–U.S. Data Privacy Framework or, where necessary, on Standard Contractual Clauses with appropriate supplementary safeguards.
8. Data Retention Periods
8.1 Account and Profile Data
Stored for the duration of your active account. Deleted upon account deletion, subject to legal retention requirements.
8.2 Assessment Data
Stored as long as your account remains active for longitudinal tracking. Deleted or anonymised upon account deletion.
8.3 Technical and Log Data
Server logs are retained for 14 days. Application logs linked to User IDs are retained for the lifetime of your account.
8.4 Institutional or Organisational Data
For institutional customers, data may be retained for the duration of the contractual relationship and a reasonable period afterwards (e.g., 12 months), unless earlier deletion is requested.
9. Your Rights Under the GDPR
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent (Art. 7(3))
To exercise your rights, contact us at: entrecomp@agcprojects.de
10. Automated Decision-Making and Profiling
EntreComp Orchard does not use automated decision-making or profiling with legal or similarly significant effects. Algorithmic calculations such as scores and visualisations serve educational purposes only.
11. Obligation to Provide Data
Certain data is necessary to create an account and use the platform. Without this data, you cannot register or use core services.
12. Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority if you believe your data is being processed unlawfully.
13. Changes to This Privacy Notice
We may update this notice when introducing new features or to reflect legal changes. Significant updates will be communicated appropriately.