Privacy notice
How we handle the information you give us when you apply
This notice describes what Koyo Learn collects from founding-cohort applicants, where we process it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR). It is intentionally short and plain. Last updated: 2026-05-12.
1. Who we are (data controller)
The data controller for the information you submit through this site is Koyo HQ, the company behind the Koyo Learn product. Contact: admin@koyohq.com, WhatsApp +263 71 210 4065.
For all data-protection enquiries, including data subject requests, write to admin@koyohq.com with the subject line "Data request" and we will respond within 30 days as required by GDPR Article 12.
2. What we collect
When you submit the founding cohort application form we collect:
- Your name, email, and WhatsApp number
- Your role (principal, teacher, parent, tutor, sponsor, etc.)
- Your country and city / region, and (for sponsors) the country the learner studies in
- The school or organisation you are applying on behalf of
- School type, learner count, tutor count, curriculum, current learning setup, and the needs you select
- Your pricing preference and the challenge you describe
- Your browser language and rough technical metadata (browser user-agent, IP address) for fraud prevention and security audit
- The fact that you gave explicit consent at the time of submission
3. Lawful basis under GDPR
We process your data on two GDPR Article 6 lawful bases:
- Article 6(1)(a) — your explicit consent, given by ticking the consent box on the application form. You can withdraw consent at any time (see §8).
- Article 6(1)(f) — our legitimate interest in fraud prevention and security audit, for the IP address and browser user-agent metadata. This interest is balanced against your right to privacy and these fields are not used for marketing.
4. What we use it for
- To contact you about your founding cohort application
- To match the cohort to schools that fit our pilot criteria
- To improve the signup experience, only in anonymised, aggregated form
- We do not sell your details. We do not share them with marketers or other third parties for their own marketing.
5. Where it is processed (data residency)
Application data submitted through this site (your name, email, WhatsApp number, school details, and the rest of the form) is stored on infrastructure located in Germany (Hetzner Online GmbH, Falkenstein data centre). All transmission is over HTTPS / TLS 1.2+. Database backups are encrypted at rest and retained inside the EU.
The signup form on this site does not send your application data to any AI model.
The separate Koyo Learn product (not this signup form) uses Anthropic's API as its AI processor. Anthropic's primary processing infrastructure is located in the United States. This is an international transfer outside the EU/EEA, performed under Standard Contractual Clauses (the EU Commission's 2021 SCCs) as part of Anthropic's Data Processing Addendum, which we have signed. Anthropic does not use API customer data (your conversations, assignments, or learner content) to train AI models.
See §10 below for full international-transfer detail.
6. How long we keep it
- Active application data: 24 months from the date of submission, unless you ask us to delete it sooner.
- Encrypted backups: rotated and deleted on a 90-day cycle.
- Audit / security logs (IP, user-agent): 12 months, then deleted.
7. Sub-processors
We use a small number of named sub-processors to operate this site and the founding-cohort process:
- Hetzner Online GmbH (Germany, Falkenstein data centre) — application data storage and site hosting. EU-based controller. Hetzner Data Processing Agreement signed.
- Anthropic, PBC (United States) — AI processor for the separate Koyo Learn product (not for this signup form). Standard Contractual Clauses + Data Processing Addendum signed. API customer data is not used to train Anthropic's AI models.
- Plausible Insights OÜ (Estonia, EU) — privacy-respecting analytics. Cookie-free, no personal data collected. Aggregated page view and CTA click metrics only.
A current sub-processor list, our Data Processing Addendum (DPA), and the Anthropic SCCs/DPA are available to schools considering the pilot — write to admin@koyohq.com.
8. Your rights under GDPR
If you are in the EU, the EEA, or the UK, you have the following rights:
- Right of access (Art. 15) — ask us what data we hold about you
- Right to rectification (Art. 16) — ask us to correct inaccurate data
- Right to erasure / "right to be forgotten" (Art. 17) — ask us to delete your data
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — get a copy of your data in a machine-readable format
- Right to object to processing (Art. 21)
- Right to withdraw consent at any time (Art. 7) — withdrawal does not affect lawfulness of processing before the withdrawal
- Right to lodge a complaint with a supervisory authority in your EU member state of residence, work, or where the alleged infringement took place
To exercise any of these rights, email admin@koyohq.com with the subject line that matches your request (e.g., "Erasure request"). We will respond within 30 days. We will not charge you for exercising your rights.
9. Children's data
The signup form on this site is intended for adults applying on behalf of a school, organisation, or family. We do not knowingly collect personal data from children under 16 through this form. The Koyo Learn product itself includes specific protections for under-16 learners — see the product documentation provided to schools considering the pilot.
10. International transfers
Application data submitted through this site stays in the EU (Germany). It is not transferred outside the EU/EEA.
Product AI processing in the separate Koyo Learn product is performed via Anthropic's API, whose primary infrastructure is in the United States. This is an international transfer of personal data outside the EU/EEA. The transfer is performed under the EU Standard Contractual Clauses (2021) incorporated into Anthropic's Data Processing Addendum, which we have signed. We have completed a Transfer Impact Assessment for this transfer; a copy is available to schools considering the pilot.
Anthropic's commitments under that DPA include: not using API customer data to train AI models, a 30-day retention window for trust-and-safety review followed by deletion, and security controls aligned with SOC 2 Type II.
We do not use any other sub-processor located outside the EU/EEA.
11. Cookies and tracking
This site does not use third-party advertising cookies. We use a privacy-respecting analytics tool (Plausible) that collects anonymous page views and CTA clicks. No personal data is collected through analytics, and no cross-site tracking cookies are set.
12. Changes to this notice
We will update this notice when our processing changes. Material changes (new sub-processors, changes to data residency, changes to retention periods) will be communicated to existing applicants by email before they take effect.
Contact
Email: admin@koyohq.com
WhatsApp: +263 71 210 4065