Privacy Statement
Careons B.V.
Company Information
Careons B.V. operates digital platforms including websites, digital education environments, artificial intelligence services, learning management systems, and online portals.
Within the meaning of the General Data Protection Regulation (GDPR), Careons B.V. acts as the data controller for the processing of personal data collected through its platforms and services.
In this privacy statement, Careons B.V. is referred to as “the Company.”
The Company processes personal data in accordance with the GDPR and applicable European data protection regulations and applies appropriate organisational and technical measures to protect personal information.
This privacy statement explains which personal data may be collected and how the Company processes, protects, and stores such data.
Applicability
This privacy statement applies to all personal data processed through:
websites
digital education platforms
learning management systems
artificial intelligence platforms
online portals
customer and partner portals
support or communication channels related to the Company’s services
Personal data may be collected through platform registrations, course participation, service usage, communication, or contractual relationships with the Company.
Categories of Personal Data
The Company may process the following categories of personal data.
General personal data
First and last name
Address details
Email address
Telephone number
Company or organisation name
Billing and payment information
IP address
Browser and device type
Information about activities on the platform
Account data
Login credentials
User profile information
Course enrolment and learning progress
User generated data within the platform
Device data
Device type and operating system
Browser information
Technical identifiers required for service functionality and security monitoring
Location data
Approximate location information derived from IP addresses for security monitoring and fraud prevention.
Usage data
Login records
Course participation statistics
Platform interaction logs
System access logs
Communication data
Messages sent through platform tools
Customer support requests
Feedback or training responses
Documents or assignments uploaded by users
Other personal data
Information voluntarily provided through forms, support interactions, or contractual communication.
Special Category Data (Healthcare or Sensitive Information)
Some services provided through the platform may involve the processing of special categories of personal data, including healthcare-related information, where this is necessary for the functioning of specific services or integrations.
Examples may include:
healthcare consultation notes
diagnostic information
therapy session records
audio or video communication records
health-related documentation
Processing of such information occurs only where a lawful basis exists under Articles 6 and 9 of the GDPR and where appropriate technical and organisational safeguards are implemented. Sensitive information is processed with enhanced security controls and restricted access.
Purpose of Processing
Personal data may be processed for the following purposes:
providing access to digital platforms and services
managing user accounts and subscriptions
delivering training or educational services
processing payments and subscriptions
providing customer support
improving platform functionality and user experience
monitoring system security and preventing misuse
complying with legal obligations
Legal Basis for Processing
Personal data is processed based on one or more of the following legal bases under Article 6 GDPR.
Performance of a Contract (Article 6(1)(b)): Processing necessary for providing access to platforms, courses, and digital services.
Consent (Article 6(1)(a)): Where explicit consent is required, such as for optional marketing communication or certain platform features.
Compliance with Legal Obligations (Article 6(1)(c)): Processing required to comply with financial, tax, or regulatory obligations.
Legitimate Interests (Article 6(1)(f)): Processing necessary for maintaining platform security, improving services, detecting misuse, or analysing platform usage.
Vital Interests (Article 6(1)(d)): In rare circumstances where processing is necessary to protect the vital interests of individuals.
Use of Artificial Intelligence and Advanced Technologies
The Company may integrate advanced technologies including artificial intelligence systems, language models, text-to-speech tools, or external service APIs to enhance its services.
To protect personal data, the Company applies data minimisation and data masking techniques where technically feasible. These measures are designed to prevent the disclosure of identifiable personal information to external technology providers.
Before data is processed by AI systems or third-party APIs, the Company may apply technical controls such as:
masking or pseudonymisation of personal identifiers
removal of direct personal identifiers
data minimisation techniques that limit the amount of information shared
processing through secure intermediary services
As a result, personally identifiable information is not intentionally transmitted to external AI providers unless strictly necessary for the requested functionality and permitted under applicable data protection regulations.
Data Retention
Personal data is retained only for as long as necessary for the purposes for which it was collected or as required by applicable law.
General personal data: during the active relationship and up to two years afterwards unless legal obligations require longer retention.
Account data: retained during the account lifetime and up to twelve months after account inactivity.
Usage and system logs: maximum twenty four months.
Location and device data: maximum twelve months.
Communication data: maximum twelve months unless required for legal purposes.
Financial or accounting information: retained in accordance with statutory financial retention obligations (for example tax legislation).
Disclosure to Third Parties
Personal data may be shared with third parties where necessary for providing services or fulfilling legal obligations. Examples include cloud infrastructure providers, payment processors, and IT service providers. Where third parties process personal data on behalf of the Company, Data Processing Agreements (DPAs) are established to ensure confidentiality and GDPR compliance.
Information Security
The Company implements appropriate technical and organisational measures aligned with recognised security standards including:
ISO 27001
NEN 7510 (Healthcare Information Security)
Security controls include identity and access management, encryption of data in transit and at rest, and monitoring of system activity. These controls form part of the Company’s Information Security Management System (ISMS).
Limitation of Liability
While the Company implements appropriate security measures to protect personal data, no digital system can be guaranteed to be completely secure. The Company shall not be liable for damages resulting from circumstances beyond its reasonable control, including cyber incidents or infrastructure failures, except where liability arises from wilful misconduct or gross negligence as defined by applicable law.
Rights of Data Subjects
Individuals have the following rights under the GDPR:
right of access
right to rectification
right to deletion
right to restriction of processing
right to data portability
right to object to processing
right to withdraw consent
Requests can be submitted via the contact information below
Data Protection ContactFor questions regarding personal data processing or privacy matters, contact:B. CangalPrivacy Contact / Data Protection CoordinatorEmail: bcangal@mysoly.nlOperational security contact:Y. BaytemurCloud Infrastructure / DevOpsEmail: yavuz@mysoly.com
Contactinfo@mysoly.com
VersionLast updated: Feb 2026Version 1.2