Last updated on 19 Mar, 2026
Reviewed: 24.08.2021
Updated: 18.10.2021
Privacy policy
The scope of this privacy policy does not cover, and it shall not be applied to the use of Xeropan Classroom in the Hungarian state education system when accessed using Kréta DKT.
1. Data Controllerâs data
Xeropan International Kft.
Seat: 2nd Floor, Building 4, 206/B, 2 VĂĄgĂłhĂd Street, 4034 Debrecen, Hungary
VAT number: 26304706-2-09
Company registration number: 09-09-029639
Representative: Mile Ferenc managing director, independently, AlGharawi Madzsid Attila managing director, independently
2. The processorâs data and contact information
Name: CodeYard Kft.
Seat: 4031. Debrecen, KĂŒrtös utca 8. 1. em
Email: info@codeyard.eu
Activity: Development
Name: Kurbli Kft.
Seat: 1143 Budapest, Gizella Ășt 42-44.
Activity: Computer consultancy activities
Name: Hetzner Online GmbH
Seat: Industriestr. 25 91710 Gunzenhausen Deutschland
Activity: hosting service Name: Facebook, Inc
Seat: 1601 Willow Road Menlo Park, CA 94025
Activity: analytic and remarketing
Name: Amazon.com, Inc.
Address: Customer service PO Box 81226 Seattle, WA 98108-1226
Activity: hosting service
Name: Google LLC
Seat: 1600 Amphitheatre Parkway Mountain View, CA 94043
Activity: Analytical and remarketing services
Name: Mailgun Technologies, Inc.
Seat: 535 Mission St. San Francisco, CA 94105
Activity: newsletters
Name: Branch Metrics, Inc.
Seat: 2443 Ash Street Palo Alto CA 94306
E-mail: privacy@branch.io
Activity: creation of deep links, helping to find compatible application for the device
Name: Apple Distribution International Limited
Seat: Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland
E-mail: dpo@apple.com
Activity: tracking the activities of Apple iOS users, related to the Xeropan iOS application, by utilizing Apple App Tracking Transparency tool
3. Description of personal data, the purpose, legal basis and duration of data processing
Xeropan Classroom is an application made available by the Data Controller which enables language teachers to assign tasks and track the progression of their students using the original Xeropan application (available on web, iOS and Android platforms, hereinafter referred to as: Learner App). Using this solution, the teacher can monitor the progress of the user of the Learner App (hereinafter referred to as: Student), assign tasks and check the fulfilment of it, and follow the improvements. Using Xeropan Classroom, a study group can be formed from multiple Students. The processing of personal data related to Learner App, the Xeropan website in general (Xeropan.com and aldomains), and the newletters sent by the Data Controller (and other relevant activities of the Data Controller) are subject to a different privacy policy. The processing of data by the Data Controller shall be made in accordance with Act CXII of 2011 on the right of informational selfdetermination and on freedom of information (hereinafter referred to as: Freedom of Information Act) and â in cases where applicable â on the basis of Act CVIII of 2001 on certain issues of electronic commerce and information society services and on the basis of the regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: GDPR). The Service Provider does not verify the authenticity of the personal data received. The provider of the personal data, the data subject or contracting party shall bear the exclusive responsibility for the accuracy of the data provided.
The Data Subject undertakes to be the sole person using the services with the data provided. With respect to this, the Data Subject who registered the e-mail address shall bear all responsibility in relation to signing in with the data provided. The Data Subject may only provide his own personal data to the Service Provider, the Data Subject must refrain from discosing the personal data of third parties. Xeropan Classroom may only be used by persons over the age of 16 (unless otherwise provided in a separate specific document, in which case the approval of their legal representatives is required).
A. Using Xeropan Classroom on web platform
The legal basis of data processing: the Data Subjectâs voluntary consent pursuant to Section 5(1) Paragraph b) of the Freedom of Information Act and to Point b) Paragraph (1) of Article 6 of GDPR. Data Subjects: the users of the Xeropan Classroom
Description of processed data: the hardware type, the operating system, browser, the e-mail address of the Data Subject (for joining with Facebook or Google or in case it is provided by the Data Subject), the portrait of the Data Subject (in case it is uploaded to the user account or it is accessed by the Data Controller by connecting to a Facebook or Google account), the Data Subjectâs location (based on IP address), list of Facebook friends using the Xeropan Classroom, list of Google contacts (in case the Data Subject initiates the access of the list). The Data Controller uses an own identification number (Player ID) as well for the identification of the Data Subject in connection with the use of the application.
The purpose of data processing: statistical data analysis, making Xeropan Classroom and related services available to the Data Subject, verification of the functioning of Xeropan Classroom, improvement of user experience, customisation of the services, prevention of abuse.
The duration of data processing:until the receipt of the Data Subjectâs request for deletion sent to the Data Controller. The Data Controller shall delete the data from the system within 5 working days following the receipt of the request, or after the deletion of the user account of the Data Subject without undue delay. The Data Subject may receive notifications from the applications (regarding his progress, the relevant information regarding the connected Students â especially regarding their progress). Notifications can be turned on and off in the applications.
B. Downloading, installing and running of the Xeropan Classroom mobile application (IOS and Android platforms)
The legal basis of data processing: the Data Subjectâs voluntary consent pursuant to Section5(1) Paragraph b) of the Freedom of Information Act and to Point b) Paragraph (1) of Article 6 of GDPR. Data Subjects: the users of Xeropan Classroom
Description of processed data: the unique device identifier of the Data Subjectâs mobile phone, the hardware type, the operating system version number of the mobile phone, the name of the mobile phone, the e-mail address of the Data Subject (for joining with Facebook or Google or in case it is provided by the Data Subject), the portrait of the Data Subject (in case it is uploaded to the user account or it is accessed by the Data Controller by connecting to a Facebook or Google account), the Data Subjectâs location (based on IP address), list of Facebook friends using Xeropan Classroom, list of Google contacts (in case the Data Subject initiates the access of the list). The Data Controller uses an own identification number (Player ID) as well for the identification of the Data Subject in connection with the use of the application.
The purpose of data processing: statistical data analysis, providing the services (Xeropan Classroom), verification and monitoring of the proper functioning of the services and the Xeropan Classroom application, improvement of user experience, customisation of the provided services, delivering the proper Xeropan Classroom mobile application version depending on the location and device of the Data Subject, prevention of abuse. The duration of data processing: until the receipt of the Data Subjectâs request for deletion sent to the Data Controller. The Data Controller shall delete the data from the system within 5 working days following the receipt of the request, or after from the deletion of the user account of the Data Subject without undue delay. The Data Subject may receive notifications from the applications (regarding his progress, the progress of connected friends and the accessibility and price of the services of the Data Controller). Notifications can be turned on and off in the applications.
C. Processing of Student data
The user of Xeropan Classroom (hereinafter refrred to as: User) may connect its Xeropan Classroom profile to the profiles of the Students registered in the the Learner App (the established connection hereinafter referred to as: Connection; the Student the Connection is established with is hereinafter referred to as: Connected Student). Study groups can be formed from Connected Students (hereinafter referred to as: Study Group). By establishing the Connection, the User can assign tasks to their Students and track the progression of his Students. In the course of this, the User may have access to (especially, but not limited to):
- the name and picture of Connected Student;
- leader boards of Connected Students (in general and in study groups);
- tasks assigned to a given Connected Student;
- Study Groups the Connected Student belongs to;
- data and indicators on the performance of the Connected Student, and finished assignments. The Students in a Study Group may have access to the performance metrics and personal data of the other Students in the given Study Group, in case the User chooses to use this function. This function is turned on until the User turns it off, hence the User shall act with outmost care in acquiring all necessary consents and ensuring the fulfilment of all requirements of the applicable law (e.g. the appropriate legal basis) for the processing of the data of the Connected Students this way or turn off this function before forming a Study Group.
The Connection may only be established in case both parties (i.e. the Student and the User) express their intention to establish it (i.e. an invitation or code must be sent, and accepted or entered in the application). Establishing the Connection is in the sole discretion of the User and a Student; hence the User shall be responsible for acquiring all necessary consents and ensuring the fulfilment of all requirements of the applicable law (e.g. the appropriate legal basis) for the processing of the data of the Connected Students by the User. The Service Provider shall bear no responsibility regarding the processing of the data of the Students by the User. The legal relationship of the Connected Student and the User is subject to a separate agreement between them. The Data Controller is neither a party nor subject to this separate agreement. In the course of collecting and processing personal data of Students on behalf of the User, the Data controller shall be deemed as data processor and the user shall be deemed as data controller, where the Data Controller collects and processes the data of the Connected Students on behalf the User and in accordance with the settings of the account of the user.
D. Other data processing
Data processing not covered by this Policy shall be notified by the Data Controller upon the recording of the data. The court, the prosecutor, the investigating authority, the misdemeanour authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, and other bodies, based on authorization conferred by law, may request the Data Controller to disclose information, transmit and disclose data, and hand over documents. The Data Controller shall only disclose personal data to the authorities -- where the purpose and description of data has been specified -- to the extent and for the purposes necessary for the fulfilment of the objective of the request.
E. Cookies and other tracking technologies In the interest of the proper functioning of certain features of Xeropan Classroom the use of cookies may become necessary, which can also fulfil certain convenience functions for the Data Subject. Cookies set by the Data Controller can help the Data Controller to identify the computer (IP address), to track browsing data, to remember the username and the password (autocomplete). Cookies may contain information for the identification of the Data Subject (User ID), which is processed by the Data Controller in order to customise the service according to the needs and interests of the Data Subject, and to ease the Data Subjectâs use to the Service. The Data Subject may disable or delete cookies in his web browser at any time and by doing so acknowledges that certain features of the Service may not function properly as a result. The Data Controller may use the Google Ads remarketing tracking code, which uses cookies to tag Data Subjects. With the help of the remarketing tracking codes, the Data Subject will be shown ads on the websites part of the Google Display network. The aforementioned shall apply accordingly to the handling of cookies. The Data Controller can offer the possibility to third-party advertising service providers to share advertisements during the use of the Service. These advertising service providers can place cookies on the computer and/or mobile phone of the Data Subject in order to track browsing data, viewed advertisements and to customise their services based on the interests and needs of the Data Subject. This Policy does not apply to and the Data Controller shall not be liable for the privacy practices of these third-party advertising service providers. The Data Controller uses the following types of cookies (the description of the individual cookies can be found in the tool at the bottom of the opening screen of the Xeropan website, where consent to the following groups of cookies can also be managed):
- Necessary: the ones making the Xeropan Classroom and the Xeropan website in general usable.
- Preferences: enables the settings, progress and preferences of the Data Subject to be saved.
-Statistics: by collecting anonymised data, enables the Data Controller to understand how visitors interact with the website.
- Marketing: aims to provide the Data Subject with more relevant advertisements. In better understanding the use of the services by the Data Subject - - through analysing the visitor data of the Xeropan Classroom, and through the measurement and auditing of other analytical data -- the Data Controller is helped by third-party servers (especially Google Analytics). These third-party servers may use cookies, APIs and SDKs. This Policy does not apply to and the Data Controller shall not be liable for the privacy practices of these third-party servers. The Data Subject can find information about their privacy policies at https://www.google.com/analytics/ Browsers offer the possibility to change cookie settings in general. Most browsers automatically accept cookies as default cookies, but this can be changed in order to prevent their automatic acceptance after the change of settings. More information about the settings of some popular browsers is available at the following links: Google Chrome; Firefox; Microsoft Internet Explorer 11; Microsoft Internet Explorer 10; Microsoft Edge
4. Methods of storing personal data, security of data processing
Personal data is stored at the premises of the Data Controller, at the premises of the data processors and (in case of the processing by Kurbli Kft.) the cloud storage operated by VENGIT Kft. (subprocecessor of Kurbli Kft.), accessible by CodeYard Kft., Tamas Szuromi, as well as the employees of Xeropan International Kft. The Data Controller implements appropriate technical, organisational measures for the adequate safeguarding of the security of data processing, and the Data Controller provides protection in particular against:
- unauthorized access,
- modification,
- transmission
- disclosure to the public
- inaccessibility due to the changes in the technology used.
With regard to ongoing technical developments, the Data Controller and the data processor(s) shall select data security measures that provide adequate levels of protection against the risks that arise during data processing, and, when faced with more options, shall apply the option that provides a higher level of security of personal data, except if such measure would represent a disproportionate burden for the Service Provider. The Data Controller employs personal data security measures on a server-side and application level.
5. The recipients of the personal data
CodeYard Kft., Kurbli Kft., Tamas Szuromi, Hetzner Online GmbH:Userâs identification, Family name Given name, Facebook identification, Google identification, Date of birth, Email address, Sex, Facebook profile picture, preferred language, language settings of the device, Application user activity, List of Facebook friends
Mailchimp: Family and given name, Email address
Mailgun: Email address, User activity Facebook (including Facebook ads): e-mail address, Facebook identification, User activity, list of Facebook friends
Google (including Google ads): Userâs identification, Facebook identification , e-mail address, sex, preferred language, Google identification, User activity
Branch Metrics, Inc.: Userâs identification, language settings of the device, list of Facebook friends Apple Distribution International Limited: Userâs identification, preferred language, language settings of the device, list of Facebook friends, User activity
Hotjar Limited: Userâs identification, User activity Kochava Inc.: Userâs identification, preferred language, language settings of the device, List of Facebook friends, User activity
6. The Userâs rights and the possibilities of the enforcement thereof
6.1 The right to information The controller informs the Data Subject of the existence of the right to request from the Data Controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability.
6.2 The right of access by the data subject The Data Subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
6.3 Right to rectification The Data Subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him.
6.4 Right to erasure
The Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning him without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b. the data subject withdraws his or her consent on which the data processing is based, and if there is no other legal ground for the data processing;
c. the data subject objects to the data processing and there are no overriding legitimate grounds for the data processing, or if the personal data are processed for direct marketing purposes;
d. the personal data have been unlawfully processed;
e. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which Data Controller is subject;
f. the personal data have been collected in relation to the offer of information society services.
The erasure of data may not be requested if data processing is necessary
a. for exercising the right of freedom of expression and information;
b. for compliance with a legal obligation which requires processing by Union or Member State law to which Data Controller is subject or for the performance of a task carried out in the public interest;
c. for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, for the provision of health or social care or treatment or for the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to contract with a health professional and if those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies;
d. for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular as for professional secrecy;
e. for reasons of public interest in the area of public health and if those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies;
f. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if the right of erasure would make such data processing impossible or the right of erasure would seriously jeopardize such data processing; or
g. for the establishment, exercise or defence of legal claims.
6.5 Right to restriction of processing The Data Subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
6.6 Right to data portability
The Data Subject shall have the right to receive the personal data concerning him, which he has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where: the processing is based on consent or on a contract the processing is carried out by automated means. The Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. The right to portability shall not adversely affect the rights and freedoms of others.
6.7 Right to object
The Data Subject has the right to object, on grounds relating to his particular situation, at any time to processing of his personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the purposes of the legitimate interests pursued by the Controller or the third party including the profiling carried out upon the following provisions. The Controller no longer processes the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
6.8 Automated individual decision-making, including profiling The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
6.9 The right to withdraw consent The data subject has the right to withdraw his consent at any time if processing is based on the Data Subjectâs consent.
6.10 The right to bring infringement to the court The Data Subject has the right to bring the violations of his right to the Court. The court proceeds as a matter of priority in the case.
6.11 Official proceedings of data protection
The Data Controller reserves the right to unilaterally modify this Privacy Policy subject to prior notification of the Data Subjects through the Xeropan© website and the Xeropan© mobile Complaint may be submitted to the National Data Protection and Information Authority:
Name: National Data Protection and Information Authority
Seat: 1125 Budapest, Szilågyi Erzsébet fasor 22/C.
Postal addres: 1530 Budapest, Pf.: 5.
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu
7. Communication of a personal data breach to the data subject
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Data Controller shall communicate the personal data breach to the data subject without undue delay in clear and plain language.
The communication to the data subject shall not be required if any of the following conditions are met:
- Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
8. Other provisions
The Data Controller reserves the right to unilaterally update its data processing practice and as a result this Privacy Policy subject to prior notification of the Data Subjects through the Xeropan website and the Xeropan Classroom application, respecting the rights of the data subject.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards protecting the rights and freedoms of the data subject. These safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimisation. These measures may include pseudonymisation provided that these purposes can be fulfilled in that manner. If these purposes can be fulfilled by further data processing which does not permit or no longer permits the identification of data subjects, these purposes shall be fulfilled in that manner.