Privacy policy
With this information, PhiAcademy GmbH (hereinafter “PhiAcademy“ or “we“) informs you about the processing of your personal data (“Data“) as well as your Data protection claims and rights:
1. Which Data are processed and from which sources do they come from?
We process the Data that we receive from you as user of our PhiCert Web platform (hereinafter “PhiCert“).
Those Data include:
- Master Profile Data: e.g. name, city and country of residence, e-mail address, telephone number, brand/course certified in, company details; certificates including Student’s Data
- Student Certificate Data: e.g. name, street, city and country of residence, e-mail address, telephone number, training/course Data
- Newsletter: name, e-mail
- Hotjar (depending which service is used): device’s IP address (stored in an de-identified format); device screen resolution; device type (unique device identifiers), operating system, and browser type; geographic location (country only); preferred language used to display the Hotjar enabled site; mouse events (movements, location and clicks); keypresses; referring URL and domain; pages visited and the date and time when website pages were accessed
If you are a Master, we receive your Profile Data from the following sources:
- PhiAcademy d.o.o.: Our parent company PhiAcademy d.o.o., Belgrade, Bulevar Oslobodjenja 137, has so far processed the Data of Masters. With the new PhiCert platform all Master Data will now be consolidated and processed together to offer a Master easier and more comprehensive access to his or her Data. For this purpose, the Master Profile Data will be transmitted based on the legitimate interest of our group in the fulfillment of internal administrative purposes, which lie in the provision of PhiCert, from PhiAcademy d.o.o. to PhiAcademy GmbH.
- Craftmaster App: Our affiliate company Craftmaster GmbH, Gartengasse 4, 1050 Vienna, operates the "Craftmaster App", where users can create a social network profile, Master can offer and hold courses and Students can book and complete these courses. If a Master offers a course via the Craftmaster App, his or her Data will be transferred to PhiCert in order to create a PhiCert Profile. This enables the Master to apply for and manage the certificates of his or her students. For this purpose, the Craftmaster App automatically transmits the Master Profile Data to PhiAcademy.
- From you: When you receive an invitation email from PhiCert, and you enter your details to create a PhiCert profile. PhiAcademy receives your Data directly from you or from our affiliates PhiAcademy d.o.o. and Craftmaster GmbH. These companies transmit the Data either because of the fulfillment of a contractual obligation towards you or because of the legitimate interest of our group in the fulfillment of internal administrative purposes, which lie in the provision of PhiCert.
If you are a Student, we receive your Certificate Data from the following sources:
- PhiAcademy d.o.o.: Our parent company PhiAcademy d.o.o., Belgrade, Bulevar Oslobodjenja 137, has so far processed the certificate Data of Students. With the new PhiCert platform all certificate Data will now be consolidated and processed together to offer the user easier and more comprehensive access to his or her Data. For this purpose, based on the legitimate interest of our group in the fulfillment of internal administrative purposes, which lie in the provision of PhiCert, the Student Certificate Data will be transmitted from PhiAcademy d.o.o. to PhiAcademy GmbH.
- Craftmaster App: Our affiliate company Craftmaster GmbH, Gartengasse 4, 1040 Vienna, operates the "Craftmaster App", where users can create a social network profile, Masters can offer and hold courses and Students can book and complete these courses. If a Student successfully completes a course using the Craftmaster App, he or she will receive a certificate from PhiAcademy in the name of the respective Master as part of this course. For this purpose, the Craftmaster App automatically transmits the Students Certificate Data to PhiAcademy.
- Your Master: If you successfully complete a course with a Master, you will receive a certificate from us as part of your course. For this purpose, the Master has to enter your Students Certificate Data in PhiCert.
2. For what purposes, duration and on which legal basis are Data processed?
We process your Data in accordance with applicable data protection law and for specific purposes and for a specific period. The purposes, duration and legal basis of the processing are listed below. If we collect Data from you for other purposes, we will inform you separately before collecting and processing that Data.
2.1 PhiCert Master Profile
| Purpose: | We process your Data for the purpose of managing the Certification Data of your Students in order to issue Certifications. We also process your Data to offer you a platform to independently organize and monitor Student’s Data and the issuance of certificates. |
| Legal Basis: | We process this Data on the basis of our legitimate interests (to foster the certification progress and to enable a better workflow between PhiAcademy, Craftmaster App, Masters and Students). |
| Duration: | Your Data will be processed until you object to this processing. After an objection has been raised, a new weighing of interests will be carried out. If we determine that your interests outweigh our interests, we will stop processing your Data. |
2.2 Student Certificates
| Purpose: | We process your Data for the purpose of managing your Certification Data in order to issue a Certification. In addition, the PhiCert platform offers the possibility for the user to query his or her Data in a search mask and thus obtain information about the validity of his or her certificates. |
| Legal Basis: | We process the Data on the basis of our legitimate, prevailing interest. This lies in the uniform collection of Student Data in order to create a comprehensible and easily accessible database, to ensure that every Student who has successfully completed a course at PhiAcademy receives a certificate for this course that meets the content and quality requirements of PhiAcademy. In addition, PhiCert is intended to offer Students a central point of contact for their concerns in connection with the issue of a certificate and to provide an easily accessible source of information at any time. Since PhiAcademy and its affiliates operate worldwide and have a large and diversified organizational structure, it is of particular interest to be able to track in a central database whether a person has actually successfully completed a PhiAcademy course. In this way, any misuse of the protected trademarks and the good name of PhiAcademy should be detected early and prevented as far as possible. PhiAcademy understands, that Students have of course an interest in protecting their privacy. However, the Students' Data is not published and PhiAcademy offers a very high standard of data protection. Moreover, the Data (such as name, contact data and data about the course attended) are of a more general nature and, in the unlikely event of a data breach, do not present a high risk for the rights and freedoms of Students. |
| Duration: | Your Data will be processed until you object to this processing. After an objection has been raised, a new weighing of interests will be carried out. If we determine that your interests outweigh our interests, we will stop processing your Data. |
2.3 Newsletter
| Purpose: | We process the information you provide when you subscribe to the PhiAcademy Newsletter for the purpose of direct marketing. This means that we will send you personalized information by e-mail and inform you if we believe, based on your Data, that information about offers, services and events of PhiAcademy, Craftmaster or its affiliates is relevant and interesting to you. |
| Legal Basis: | We process this Data based on your consent. You can withdraw your consent any time by e-mail to info@phishop.com or if you click on the unsubscribe link in every Newsletter mail. |
| Duration: | As long as you do not withdraw your consent. At the latest 30 days after withdrawal of your consent all data (including backups) are deleted. |
2.4 Marketing
| Purpose: | We process the Data of Masters and Students for the purpose of direct marketing and social media marketing for offers, services and events of PhiAcademy, Craftmaster or its affiliates. We may combine Data we or our providers have collected with Data collected by our affiliates to provide a more detailed picture of the needs and interests of our Masters, Students and customers. |
| Legal Basis: | We process this data on the basis of our legitimate interest (Article 6 para 1 lit f GDPR) in direct advertising and marketing. |
| Duration: | Your Data will be processed until you object to this processing. After an objection has been raised, we will delete your Data. |
2.5 Facebook Customer List Audiences
We use the Facebook Customer List Audiences feature from Facebook Ireland Limited to measure the effectiveness of our advertising.
Facebook’s customer list custom audiences feature enables us to create an audience using data such as email addresses and phone numbers ("Audience"). When using this feature, your data is locally hashed on our system before we upload and pass it to Facebook ("Hashed Data") to be used to create an Audience.
| Purpose: | We process the Data of Masters and Students for the purpose of remarketing, direct marketing and social media marketing in the Facebook Customer List Audience tool. We may combine Data we or our providers have collected with Data collected by our affiliates to provide a more detailed picture of the needs and interests of our Masters, Students and customers. |
| Legal Basis: | We process this data on the basis of our legitimate interest (Article 6 para 1 lit f GDPR) in direct advertising and marketing and to measure the effectiveness of our advertising. |
| Duration: | Your Data will be processed until you object to this processing. |
The Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, a legal mechanism for transatlantic data transfers, in July 2020. To keep your data safe Facebook relies on Standard Contractual Clauses (SCCs) to transfer data to countries outside the EU/EEA, including the United States.
Additional information about the tool can be found here: https://www.facebook.com/legal/terms/customaudience
2.6 Google Customer Match
We use the Google Customer Match feature from Google Ireland Limited to increase the effectiveness of our advertising. Through the usage of Google Customer Match we can reach and re-engage with you in order to show relevant advertisements.
Google Customer Match feature enables us to create an audience using data such as email addresses and phone numbers. Google does not receive actual email addresses. Google’s system transforms the contact information we have into hashed codes using the secure hashing algorithm SHA256, a one-way hashing mechanism that is not unencrypted by Google.
| Purpose: | We process the Data of Masters and Students for the purpose of remarketing, direct marketing and social media marketing in the Google Customer Match tool. We may combine Data we or our providers have collected with Data collected by our affiliates to provide a more detailed picture of the needs and interests of our Masters, Students and customers. |
| Legal Basis: | We process this data based on your consent (Article 6 para 1 lit a GDPR). You can withdraw your consent any time by sending an e-mail to info@cert.phiacademy.com. |
| Duration: | Your Data will be processed until you withdraw your consent. |
The Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, a legal mechanism for transatlantic data transfers, in July 2020. To keep your data safe Google relies on Standard Contractual Clauses (SCCs) to transfer data to countries outside the EU/EEA, including the United States.
Additional information about the tool can be found here:
- https://support.google.com/google-ads/answer/6334160?hl=en
- https://policies.google.com/technologies/partner-sites?hl=en
- https://policies.google.com/privacy
3. Who receives your Data?
Within PhiAcademy and our affiliated Craftmaster GmbH and PhiAcademy d.o.o., those employees will receive your personal information, who need them for the purposes outlined above. If we are legally obliged to do so, we will also transfer your Data to public bodies and authorities. In addition, companies commissioned by us (in particular IT or payment services and back office providers) will receive your Data if they need them to fulfill their respective tasks. These providers are obliged to treat your Data confidentially and to process them only to the extent necessary for their service provision. If these companies provide their processing activities outside the European Economic Area, they have a Privacy Shield Certificate or have undertaken to ensure an adequate level of data protection.
We will transfer your Data to the following recipients:
| Company name | Registered office of the company | Place of Data processing; guarantee according to Art. 46 GDPR |
|---|---|---|
| PhiAcademy d.o.o. | Belgrade, Bulevar Oslobodjenja 137 | Serbia; EU standard contractual clauses (SCCs) |
| Craftmaster GmbH | Gartengasse 4, 1050 Wien | Austria |
| Google Ireland Limited | Gordon House, Barrow St, Dublin 4, Ireland | Ireland; USA SCCs |
| Facebook Ireland Limited | 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland | Ireland; USA SCCs |
| Klaviyo, Inc. | 125 Summer St Floor 6, Boston, MA 02111, USA | |
| Banibis GmbH | Dresdner Straße 68/3/1, 1200 Wien | Austria |
| Hotjar Ltd. | Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta | Malta, USA, SCCs |
4. Cookies
4.1 Technically required Cookies
We use cookies on PhiCert, which are small files stored on your device (web browser). On your next visit to PhiCert using the same device, the information stored in cookies will subsequently be returned to PhiCer. We use the Data collected through these cookies to better represent PhiCert and to make our offers user-friendly, for example to evaluate the use of PhiCert. Some cookies remain stored on your device until you delete them. They allow us to recognize your browser on your next visit. Other cookies are only stored on PhiCert for the duration of your visit.
The following cookies are used:
| Cookie name | Purpose | Storage period |
|---|---|---|
| XSRF-TOKEN | This cookie is used to help with site security in preventing Cross-Site Request Forgery attacks. | 2 hours |
| phicert_session | This cookie is used to help with user navigation and security. | Session |
| phicert_cookie_consent | Tracks if the visitor has provided consent for the marketing & analytics cookies. | 1 year |
All these cookies are technically necessary for the presentation of PhiCert. You can deactivate the setting of cookies in the settings of your browser. Please note that a general deactivation of cookies may possibly lead to functional limitations of PhiCert.
4.2 Google Analytics
Furthermore we use the Cookies of Google Analytics, a web analysis service provided by Google LLC (hereinafter "Google"). These cookies transmit data about your usage of PhiCert to a Google server in the USA. However, your IP address will be shortened by Google prior to transmission and the transmitted data can no longer be associated with your person. Google will use this information to evaluate general usage data of PhiCert and to compile reports on PhiCert activities. If you want to prevent the use of Google Analytics cookies, you can either do this through your browser settings or you can install the browser plug-in available under the following https://tools.google.com/dlpage/gaoptout. For information about how Google and its affiliates use data and storage practices, please visit Google's Privacy Policy, currently available at: https://google.com/privacy.html.
| Cookie name | Purpose | Storage period |
|---|---|---|
| _gat | Determined by Google Analytics to identify unique sessions | 1 minute |
| _gid | Determined by Google Analytics to identify unique sessions | 24 hours |
| _ga | Determined by Google Analytics to identify unique sessions | 2 years |
4.3 Facebook Audience Pixel
We also use the Facebook Audience Pixel analysis tool from Facebook Ireland Limited to measure the effectiveness of our advertising. The pixel collects information about the use of PhiCert and transmits that information to Facebook's servers in Ireland. This information may also be cross-checked with other Facebook information or our information that we have about you. All data collected by this pixel is encrypted by Facebook using "hashes". Facebook Ireland Limited is located in the European Union. The Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, a legal mechanism for transatlantic data transfers, in July 2020. To keep your data safe Facebook relies on Standard Contractual Clauses (SCCs) to transfer data to countries outside the EU/EEA, including the United States.
The collection of data by Facebook Pixel only takes place with your consent. This consent can be withdrawn by you at any time. The comparison of the data with the data stored by us is based on our legitimate interest in marketing and customer loyalty. Your Data will be processed until you object to this processing.
4.4 Hotjar
We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
The processing of data through the usage of Hotjar only takes place with your consent (§ 165 para 3 TKG 2021 in conjunction with Art 6 para 1 lit a GDPR). This consent can be withdrawn by you at any time. The withdrawal of this consent does not affect the lawfulness of processing based on the consent before its withdrawal.
The Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, a legal mechanism for transatlantic data transfers, in July 2020. To keep your data safe Hotjar relies on Standard Contractual Clauses (SCCs) to transfer data to countries outside the EU/EEA, including the United States.
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
The following Hotjar cookies are used:
| Cookie name | Purpose | Storage period |
|---|---|---|
| _hjSessionUser_{site_id} | Persists the Hotjar user ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. | 1 year |
| _hjid | Persists the Hotjar user ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. | 1 year |
| _hjFirstSeen | Used by Hotjar recording filters to identify new user sessions. | session |
| _hjUserAttributesHash | User attributes sent through the Hotjar Identify API are cached for the duration of the session. Enables us to know when an attribute has changed and needs to be updated. | session |
| _hjCachedUserAttributes | Stores User Attributes sent through the Hotjar Identify API, whenever the user is not in the sample. Collected attributes will only be saved to Hotjar servers if the user interacts with a Hotjar Feedback tool. | session |
| _hjViewportId | Hotjar: stores user viewport details such as size and dimensions. | 2 years |
| _hjSession_{site_id} | Hotjar: ensures subsequent requests in the session window are attributed to the same session. | 30 minutes |
| _hjSessionTooLarge | Causes Hotjar to stop collecting data if a session becomes too large. Determined automatically by a signal from the WebSocket server if the session size exceeds the limit. | session |
| _hjSessionRejected | If present, set to '1' for the duration of a user's session, when Hotjar has rejected the session from connecting to the WebSocket due to server overload. Applied in extremely rare situations to prevent severe performance issues. | session |
| _hjSessionResumed | Set when a session/recording is reconnected to Hotjar servers after a break in connection. | session |
| _hjLocalStorageTest | Checks if the Hotjar Tracking Code can use local storage. If it can, a value of 1 is set. Data stored in_hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created. | 1 second |
| _hjIncludedInPageviewSample | Hotjar: set to determine if a user is included in the data sampling defined pageview limit. | 30 minutes |
| _hjIncludedInSessionSample | Hotjar: set to determine if a user is included in the data sampling defined daily session limit. | 30 minutes |
| _hjAbsoluteSessionInProgress | Hotjar: used to detect the first pageview session of a user. | 30 minutes |
| _hjTLDTest | Hotjar tries to store the _hjTLDTest cookie for different URL substring alternatives until it fails. Enables them to try to determine the most generic cookie path to use, instead of page hostname. It means that cookies can be shared across subdomains (where applicable). After this check, the cookie is removed. | session |
| _hjRecordingEnabled | Hotjar: set when a Recording starts. Read when the Recording module is initialized to see if the user is already in a recording in a particular session. | session |
| _hjRecordingLastActivity | Hotjar: set in Session storage as opposed to cookies. Updated when a user recording starts and when data is sent through the WebSocket (the user performs an action that Hotjar records). | 30 minutes |
| _hjClosedSurveyInvites | Hotjar: set when a user interacts with a Link Survey invitation modal. Ensures the same invite does not reappear if it has already been shown. | 365 days |
| _hjDonePolls | Hotjar: Set when a user completes an on-site Survey. Ensures the same Survey does not reappear if it has already been filled in. | 365 days |
| _hjMinimizedPolls | Hotjar: set when a user minimizes an on-site Survey. Ensures that the Survey stays minimized when the user navigates through your site. | 365 days |
| _hjShownFeedbackMessage | Hotjar: set when a user minimizes or completes a Feedback widget. Ensures the Feedback widget will load as minimized if the user navigates to another page where it is set to show. | 365 days |
Additionally, we use pixels and tags from the following third parties (which may in turn place cookies):
| Third Party | Description / purpose | Privacy Policy | Appropriate safeguards to third countries transfer | Storage period |
|---|---|---|---|---|
| Google Analytics | We use Google Analytics to help measure how users interact with our websites. | https://policies.google.com/privacy | SCCs | 2 years |
| Google Ads | We use Google Ads to deliver targeted advertisements to individuals who visit our websites. | https://policies.google.com/privacy | SCCs | 2 years |
| We use Facebook Custom Audiences to deliver targeted advertisements to individuals who visit our websites. | https://www.facebook.com/policy.php | SCCs | 2 years |
5. Are you obliged to provide Data?
Students are not obliged to provide any Data.
As a Master, it is necessary that you provide the Data we need to fulfill our contractual obligations to you. Those Data are marked with (*) as mandatory. Unless you provide those mandatory Data, we will generally be unable to provide our services.
6. Your rights in the context of the processing of your Data
You have the right:
- to request information about which of your personal Data we process (Article 15 GDPR);
- to rectify or erase your Data (Article 16 GDPR);
- to restrict the processing of your Data (Article 18 GDPR);
- to withdraw your consent (Article 7 GDPR);
- to object to the processing of your Data (Article 21 GDPR);
- to Data portability (Article 20 GDPR).
If you believe that we violate your rights under the GDPR or national data protection law when processing your Data, please contact us. This is the only way we can treat your concerns as quickly as possible. You also have the right to lodge a complaint with a supervisory authority (in Austria: www.dsb.gv.at).
7. Automated decision-making
We do not use automated decision-making or profiling according to Article 22 GDPR.
8. Who can you contact?
If you have any requests or concerns, you can contact us directly by e-mail or by post at the following address:
PhiAcademy GmbH
Gartengasse 8/8, 1050 Vienna
E-Mail: info@cert.phi-academy.com