Privacy Policy

The LearnCoin website and service are operated by Aurea CV OÜ, which acts as data controller of your personal data. This policy explains what we collect, why we collect it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR).

Effective 21 April 2026 · Version 1.0

1. Who we are

LearnCoin (“LearnCoin”, “we”, “us”, “our”) is a verifiable-credential infrastructure service operated by Aurea CV OÜ, a private limited company incorporated in the Republic of Estonia with its registered office in Tallinn, Estonia. Aurea CV OÜ is the data controller for all personal data processed through learncoin.me and the LearnCoin API.

You can reach us at [email protected] for any privacy-related question, request, or complaint.

2. The personal data we process

LearnCoin processes personal data in four distinct contexts, each with its own legal basis and retention rules:

(a) Website visitors

When you visit learncoin.me, we automatically collect limited technical data: your IP address, the web browser and operating system you are using, the referring URL, and the pages you visit. We use this information to operate the website, detect abuse, and produce aggregate statistics about usage. We use privacy-friendly, cookie-less analytics; we do not use third-party advertising or cross-site tracking cookies.

(b) Contact and newsletter submissions

If you submit a contact form, request a demo, or subscribe to the newsletter, you provide us with your email address and (optionally) your name, company, and a message. We use this information to respond to your request and, if you have subscribed, to send you the newsletter. You can unsubscribe from the newsletter at any time.

(c) Tenant (issuer) accounts

When an organisation becomes a LearnCoin tenant to issue credentials, its administrators create accounts that include name, email address, organisation name, role, and billing details. This data is used to operate the service, fulfil the contract with the tenant, and comply with our tax and accounting obligations.

(d) Credential recipients

When a tenant issues a LearnCoin credential to a recipient (for example, a student completing a course or challenge), the tenant provides us with the recipient's name, email, and the details of the achievement being recognised. In this context, the tenant is the data controller (they decide what to certify and to whom); LearnCoin acts as processor under a data-processing agreement and processes the data only to sign, batch, anchor, and serve the credential.

3. What LearnCoin writes on-chain, and what stays off-chain

LearnCoin anchors credentials on the Ethereum L2 network Base. Because the blockchain is public and immutable, this part of our data model deserves a dedicated explanation.

On-chain, we publish only a Merkle-root hash per credential batch. A Merkle root is a 32-byte cryptographic fingerprint. It contains no personal information — no names, no emails, no achievement details, no readable text of any kind. Anyone inspecting the Base blockchain can see that a LearnCoin batch transaction occurred at a given time but cannot derive any personal data from it.

Off-chain, in our GDPR-aware database, we store the credential subject data (recipient name, email, achievement, result) and the signed JSON-LD credential itself. The database uses tenant-scoped row-level security, is hosted in an EU region, and is protected by industry-standard encryption at rest and in transit.

This split means a credential can be verified by anyone against the on-chain anchor while the personal details remain under GDPR protection off-chain. It also means an erasure request can remove personal details from our systems without invalidating the cryptographic anchor — see section 5 below.

4. Why we process your data — legal bases under GDPR

  • Contract (Art. 6(1)(b)) — processing is necessary to provide the service you requested (for website accounts, tenant accounts, credential issuance).
  • Legitimate interests (Art. 6(1)(f)) — for operating the website, detecting abuse, producing aggregate usage statistics, and running a minimal newsletter to people who have opted in.
  • Consent (Art. 6(1)(a)) — for the newsletter subscription and any optional marketing preferences. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — for retaining invoicing, tax, and accounting records as required by Estonian and EU law.

5. Credential erasure versus credential revocation

LearnCoin distinguishes between two operations that are frequently confused:

  • Revocation is a statement that a credential is no longer valid — for example, it was issued in error, the recipient was found to have cheated, or an accreditation has lapsed. Revocation is performed by the issuing tenant. The credential remains on record with a revoked status and a reason code.
  • Erasure (the GDPR “right to be forgotten”, Art. 17) is a request by the credential recipient to remove their personal data. On an erasure request, LearnCoin tombstones the credential: the credentialSubject fields (name, email, personal identifiers) are replaced with null, and the credential record returns a subject_erased status. The on-chain Merkle anchor is not and cannot be removed — it is a permanent part of the public blockchain — but it contains no personal data, so this poses no privacy risk.

This means a recipient can exercise their GDPR right to erasure without breaking the cryptographic integrity of the credential system. It is a deliberate design commitment, not an accident.

6. Sub-processors and international transfers

We engage trusted sub-processors to deliver the service. Each has been assessed for GDPR adequacy and is bound by a data-processing agreement. The current list is:

  • Google Cloud Platform (EU region) — signing keys held in Cloud KMS, cloud infrastructure.
  • Supabase — Postgres database for the off-chain credential store (EU region).
  • Clerk — authentication for tenant-admin and recipient accounts.
  • Cloudflare — edge network, DDoS protection, and DNS.
  • Stripe — payment processing for subscription billing.
  • Base (public blockchain) — anchor network for Merkle-root transactions. The blockchain is decentralised and pseudonymous; we publish only non-personal hash data to it.

Some sub-processors (Clerk, Stripe) are based in the United States. Where personal data is transferred outside the EU, we rely on the European Commission's Standard Contractual Clauses or, where applicable, adequacy decisions. A detailed list of sub-processors is available on request.

7. Data retention

  • Website analytics — aggregate statistics retained for up to 24 months; raw access logs rotated after 30 days.
  • Contact / newsletter data — retained until you unsubscribe or request deletion.
  • Tenant accounts and billing — retained for the duration of the contract plus the minimum period required by Estonian tax law (currently seven years for invoices).
  • Credential records — retained indefinitely by design, because the point of the service is that credentials remain verifiable across decades. Recipients can exercise their right to erasure at any time (see section 5).

8. Security

LearnCoin uses industry-standard technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest, tenant-scoped row-level security in the database, hardware-backed signing keys (Google Cloud KMS) that never leave the KMS boundary, time-bound access tokens for internal operations, and audit logging of sensitive operations. No system is absolutely secure; we notify affected parties and the relevant supervisory authority without undue delay if a personal-data breach occurs, as required by GDPR Art. 33–34.

9. Your rights

If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:

  • Right to be informed (this policy).
  • Right of access to your data.
  • Right to rectification of inaccurate data.
  • Right to erasure (the “right to be forgotten”).
  • Right to restrict processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interests.
  • Rights in relation to automated decision-making and profiling.

To exercise any of these rights, email [email protected]. We will respond within 30 days. If your data is being processed by LearnCoin on behalf of a tenant (for example, a credential issued to you by a university), we will direct your request to the tenant, who is the controller in that context.

You also have the right to lodge a complaint with a supervisory authority. For Aurea CV OÜ, the competent authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee). You may also complain to the data-protection authority in your own country of residence.

10. Cookies and similar technologies

LearnCoin uses only essential cookies (for example, to maintain a login session). We do not use third-party advertising cookies or cross-site tracking. Analytics are gathered through privacy-friendly, cookie-less means. If we ever add optional cookies in the future, you will be asked to consent before any non-essential cookie is set.

11. Links to external sites

The LearnCoin website links to external resources — open-standard specifications, blockchain explorers, and tenant websites. We are not responsible for the privacy practices of those sites. When you follow an outbound link, the destination's own privacy policy applies.

12. Changes to this policy

We may update this policy to reflect changes in the service, the sub-processor list, or applicable law. The effective date at the top of this page reflects the current version. Material changes will be communicated to tenants directly; website visitors will see the updated policy on their next visit.

13. Contact

For any privacy-related question, data-subject request, or complaint, contact us at [email protected]. For postal correspondence, reach out to the same address and we will share the registered office.

A note on plain language. We try to write this policy in language a non-lawyer can read. If anything here is unclear, email us and we will clarify — and, if appropriate, rewrite the relevant section in the next version. See also: Terms of Service.