Privacy Policy
Last updated: April 13, 2026 — Version 2.0
1. Data Controller
GeraLearn is operated by Gera Systems (registered in England and Wales), an education and skills training platform. We are the data controller under the UK GDPR and Data Protection Act 2018.
- Website: geralearn.com
- Data Protection: privacy@gera.services
2. What Personal Data We Collect
2.1 Identity and Contact Data
Full name, email address, phone number, country, profile photo.
2.2 Learning Data
Course enrolments and completions, quiz scores, assignment submissions, progress percentages, certificates issued, learning streaks, and GeraCoins earned through learning activities.
2.3 Instructor Data (for course creators)
Business or personal name, bank account for payouts, course content, student ratings received, and payout history.
2.4 Transaction Data
Course purchase history, payment type and last four digits, subscription status.
2.5 Usage and Technical Data
IP address, browser type, device identifiers, video watch time, session data, crash logs.
3. Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Account and enrolment management | Contract (Art. 6(1)(b)) |
| Delivering course content and tracking progress | Contract (Art. 6(1)(b)) |
| Issuing certificates of completion | Contract (Art. 6(1)(b)) |
| Processing payments and instructor payouts | Contract (Art. 6(1)(b)) |
| Personalising course recommendations | Legitimate Interests (Art. 6(1)(f)) |
| Analytics to improve courses | Legitimate Interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
4. Data Retention
- Account and enrolment data: while active + 2 years after closure
- Certificates and completion records: 5 years (to support verification requests)
- Financial records: 6 years (HMRC)
- Analytics: 13 months rolling
5. Who We Share Your Data With
We do not sell your data. We share only as necessary:
- Course instructors — aggregated (not individual) student progress data only
- Stripe — payment processing and instructor payouts
- Railway, Neon, Vercel — infrastructure
- PostHog (EU, anonymised analytics); Sentry (EU, errors)
- Resend — transactional email (certificates, receipts)
- Legal/regulatory authorities — when required by law
6. Children's Privacy
GeraLearn is intended for users aged 16 and over. Users under 16 require verifiable parental consent. We comply with the UK Age-Appropriate Design Code (Children's Code).
7. Your Rights
Access, rectify, erase, restrict, port, or object to your data. Email privacy@gera.services — one month response. Complaints to the ICO.
8. Security
TLS 1.2+ in transit, AES-256 at rest, MFA on admin, regular audits. ICO notified within 72 hours of qualifying breach.
9. Cookies
Essential, functional, and (with consent) analytics cookies. See our Cookie Policy.
10. Contact
- Data Protection: privacy@gera.services
- Support: support@geralearn.com