Privacy Policy
As of: February 2026 · Registered office: Darmstadt
General Information
Introduction
As a teacher, your focus should be on teaching, not legal complexity. We designed GoExam to support your daily school workflow.
We process personal data responsibly, transparently, and only to the extent necessary to operate and improve the platform.
Processing is carried out in compliance with the GDPR and applicable national data protection law.
This privacy policy explains which data we process, for what purposes, and which rights you have under the GDPR.
We may update this policy in the future, in particular when the platform evolves or legal requirements change.
Scope
This privacy policy applies to all pages under https://www.goexam.de and use of the GoExam platform.
It does not apply to linked websites or online presences of third-party providers.
Controller
Controller for personal data processing:
GoExam Labs GbR
Friedrich-Ebert-Straße 23
63225 Langen
Email: info@goexam.de
For data protection questions, you can contact us at the details above.
Security
We implement appropriate technical and organizational measures (e.g., SSL encryption, password hashing) and continuously adapt them to the state of the art.
Principles of Data Processing
Retention Periods and Deletion
We store personal data only as long as required for the stated purposes or statutory retention obligations.
Active accounts: Contract and master data are stored for the duration of your user relationship and deleted after account deletion unless legal obligations prevent this.
Automatic deletion for inactivity (Free plan): Free-plan accounts may be deleted after 24 months of inactivity. We notify you by email at least four weeks in advance.
Content after contract end: Publicly shared educational content may remain on the platform after account deletion to preserve platform knowledge resources.
In this case, personal references (e.g., name, profile photo) are irreversibly removed and content is retained in anonymized form.
If a specific content item itself contains personal data, you can request deletion of that specific item.
Tax and commercial retention: Invoice and payment data are archived for up to ten years under statutory obligations.
Technical log files are deleted or fully anonymized after up to 30 days, unless longer retention is required for incident analysis.
Support inquiries are deleted after case completion, at the latest after internal retention periods (typically up to 3 years where legally relevant).
Data used for analytics or AI training is anonymized first; anonymized data is not subject to GDPR deletion deadlines.
Contact and Support
When you contact us (e.g., by email, forms, support requests), we process the data you provide.
Processed data: name, email address, request content, and if needed account information.
Purpose: handling your request, communication, and fulfillment of contractual or pre-contractual obligations.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
Data is deleted after processing is complete unless legal retention obligations apply.
Log Files and Access Data
We automatically process technical access data required for secure and stable platform operation.
This includes IP address (truncated/anonymized where possible), date/time of access, accessed pages/functions, browser/OS data, and success/error status messages.
Purpose: system security, error analysis, misuse and attack detection.
Legal basis: Art. 6(1)(f) GDPR.
Storage duration: limited period followed by deletion or anonymization.
Right to Object to Legitimate Interest Processing
Where processing is based on Art. 6(1)(f) GDPR, you may object at any time on grounds relating to your particular situation.
After objection, we stop processing unless compelling legitimate grounds exist or processing is required for legal claims.
You can object informally, e.g., by email to datenschutz@goexam.de.
Minors and School Usage Context
No Direct Use by Minors
GoExam is intended for adult users, especially teachers and institutional administrators. Independent use by minors is not intended.
School Usage and Responsibility
In school/institutional contexts, processing of minors' data is carried out under responsibility of the respective institution.
Where required, GoExam acts solely as processor under Art. 28 GDPR.
The responsible institution must ensure lawful processing prerequisites, inform data subjects/legal guardians, and organize lawful platform use.
Your Rights as a Data Subject
You have rights to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and withdrawal of consent (Art. 7(3)).
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
Specific Processing Activities
Website Hosting (IONOS)
We use an external hosting provider for website and infrastructure operation.
Provider: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.
Purpose: technical delivery of the website and ensuring functionality/security.
Legal basis: Art. 6(1)(f) GDPR.
Cookies (technically necessary)
We only use technically necessary cookies for core functionality and security; no analytics or marketing cookies are used.
Processed data can include username, email, pseudonymous user ID, verification status, and authentication tokens.
Storage duration: 30 days if 'stay signed in' is enabled; otherwise session cookies are deleted when the browser closes.
Purpose: persistent login, user identification, and API request authorization.
Legal basis: § 25(2) no. 2 TDDDG and Art. 6(1)(f) GDPR.
Local storage: We additionally store non-personal settings (e.g., language, dashboard view options) locally in your browser.
Registration and User Account
Using GoExam requires a personal user account.
Processed data: username, email, password, and reCAPTCHA token for bot detection; optional profile data may be added voluntarily.
Authentication service: AWS Cognito (Amazon Web Services EMEA SARL), processing in AWS region Frankfurt (Germany).
Purpose: account provisioning/management and contractual service delivery.
Legal basis: Art. 6(1)(b) GDPR.
Contractual Services and Payment Processing
For paid services, we process personal data required to perform and settle the contract.
Processed data: name, billing address, email, payment-related data, and if needed discount proof documents.
Purpose: execution and settlement of paid contractual relationships.
Storage: up to ten years after contract end due to statutory retention obligations.
Legal basis: Art. 6(1)(b) GDPR.
Payment Service Provider (Stripe)
We use Stripe Payments Europe, Ltd. for secure online payment processing.
Processed data may include billing address, email, selected payment method data, and tax-relevant information.
Purpose: payment processing and fraud prevention.
Stripe may use cookies/related technologies for fraud prevention and transaction security.
Legal basis: Art. 6(1)(b) GDPR.
Shared Use and Publication of Content (Public Pool)
You can voluntarily publish teaching materials to share with other users.
Processed data: selected username/pseudonym, profile image (if set), published content, publication date/time.
Purpose: collaborative exchange and lawful attribution under selected license models.
Visibility: published content may be visible worldwide to registered users and, depending on settings, also to non-registered visitors.
Legal basis: Art. 6(1)(b) GDPR.
Revocation/deletion: publication can be revoked via account; however, already downloaded copies or lawful derivatives under open licenses cannot always be removed.
Institutions and Data Processing Agreements
In institutional contexts, GoExam may process student/performance data strictly on behalf of and under instruction from the institution.
Role: processor under Art. 28 GDPR for institutional data; controller for your own account data (e.g., email, password, billing data).
The relationship with institutions is governed by a separate data processing agreement.
For questions regarding student/performance data, please contact the responsible institution directly.
AI-Powered Features (OpenAI)
GoExam offers AI features such as task generation, sample solution generation, and AI chat assistance.
Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA.
Processed data may include entered task/exam texts, uploaded learning materials, AI chat messages, and related metadata.
Purpose: providing AI-supported functionality including generation, retrieval-assisted document work, and interactive support.
Uploaded documents may be stored in an external vector database to enable document retrieval; corresponding external copies are removed when the source file is deleted on our platform.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR.
Third-country transfer: data may be transferred to the USA based on Standard Contractual Clauses and a data processing addendum with OpenAI.
Use of AI features is voluntary.
AI Training (Internal)
We may process certain content for internal research and development.
Data used for training is anonymized before use and does not include direct identifiers such as name or email.
Purpose: improving internal AI models and algorithms.
Legal basis: Art. 6(1)(f) GDPR.
You may object to this processing under Art. 21 GDPR.
Infrastructure and Third-Country Transfers
Platform operation relies on cloud infrastructure from an external provider.
Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg.
Primary server location: Frankfurt (Germany).
Purpose: secure, scalable, and highly available platform infrastructure.
Legal basis: Art. 6(1)(f) GDPR.
If data transfer to the USA occurs, it is based on an appropriate transfer mechanism (e.g., DPF certification and/or SCCs).
Web Analytics (Plausible Analytics)
We use a privacy-friendly analytics service for statistical platform usage analysis.
Provider: OÜ Plausible Insights, Västriku tn 2, Tartu 50403, Estonia.
Processing is cookie-free and no personal user profiles are created.
Typical processed data: anonymized/truncated IP, user agent, pages visited, and time on page.
Legal basis: Art. 6(1)(f) GDPR.
Bot Protection (Google reCAPTCHA)
We use Google reCAPTCHA v2 to protect registration from automated abuse.
Provider: Google Ireland Ltd. (parent: Google LLC, USA).
Processed data may include IP address, browser/device information, and interaction data.
Purpose: prevent automated misuse and maintain platform integrity.
Legal basis: Art. 6(1)(f) GDPR.
Third-country transfer to the USA cannot be excluded and is based on an appropriate transfer mechanism.
PDF Generation (Adobe)
We use an external service to generate print-ready PDF documents from exam/task content.
Provider: Adobe Inc., 345 Park Avenue, San Jose, CA 95110, USA.
Processed data: exam/task content, formatting data, and related metadata required for document generation.
Purpose: generate downloadable and printable PDF documents.
Legal basis: Art. 6(1)(b) GDPR.
Third-country transfer to the USA cannot be excluded and is based on an appropriate transfer mechanism.
External Content
YouTube
On selected pages we embed external video content using privacy-friendly settings.
Provider: YouTube LLC / Google Ireland Ltd.
Possible processed data: IP address, device information, visited page, and account data if logged into Google.
Legal basis: Art. 6(1)(f) GDPR.
Instagram
We link to or embed social media content for communication and public information.
Provider: Instagram LLC / Meta Platforms Ireland Ltd.
Possible processed data: IP address, technical access data, and interaction data if logged in.
Legal basis: Art. 6(1)(f) GDPR.
Facebook
We link to our Facebook presence for public communication.
Provider: Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, Ireland.
Possible processed data: IP address, technical access data, and interaction data if logged in.
Legal basis: Art. 6(1)(f) GDPR.
LinkedIn
We link to our company profile on LinkedIn for company information and job-related communication.
Provider: LinkedIn Ireland Unlimited Company (parent: LinkedIn Corporation, USA).
Possible processed data: IP address, technical access data, and interaction data if logged in.
Legal basis: Art. 6(1)(f) GDPR.
