Privacy Policy

How we collect, use, and protect your personal data under GDPR.

Last updated · May 14, 2026


1. Introduction

This Privacy Policy explains how Aurea CV OÜ ("Aurea CV", "we", "us", "our") collects, uses, shares, and protects personal data when you use the Ewance platform at ewance.com and app.ewance.com, and the LearnCoin credential infrastructure operated by Aurea CV (collectively, the "Service").

We take privacy seriously. This policy is written to be readable, not to bury the important information in jargon. If anything here is unclear, please contact us at [email protected].

This policy should be read alongside our Terms of Service, Cookie Notice, and Acceptable Use Policy.


2. Who is the data controller

The data controller for personal data processed in connection with the Service is:

Aurea CV OÜ
Registration code: 16944269
VAT: EE102718876
Registered office: Saani 2/2-26, 10149 Tallinn, Estonia

Aurea CV is the sole controller for personal data processed through both the Ewance platform and the LearnCoin credential infrastructure. We are not part of a larger corporate group, and we do not share your personal data with parent or sister companies (because there are none).

For all data protection questions, contact: [email protected]

EU Representative

Because Aurea CV is established in the EU (in Estonia), we do not need to appoint a separate EU representative under Article 27 GDPR. You can contact us directly using the details above.

Lead supervisory authority

The lead supervisory authority for Aurea CV is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee). You have the right to lodge a complaint with the Inspectorate, or with the supervisory authority of your EU/EEA country of residence, if you believe your data protection rights have been breached.


3. What this policy covers

This policy applies to personal data we collect when you:

  • Visit ewance.com or app.ewance.com;
  • Create a Student or Recruiter account;
  • Use any feature of the Service, including completing challenges, building a portfolio, earning credentials, or contacting other users;
  • Communicate with us by email or other means;
  • Otherwise interact with us in connection with the Service.

It does not cover:

  • Information collected by third-party websites you reach through links from the Service (they have their own privacy policies);
  • Information you choose to make public outside the Service (for example, posting your credential link on LinkedIn);
  • Anonymised or aggregated data that no longer identifies you.

4. What personal data we collect

The personal data we collect depends on whether you are a Student, a Recruiter, or simply a visitor to the website.

4.1 If you are a Student

When you create a Student account, we collect:

  • Identity information: name, email address, country and (optionally) city.
  • Academic information: university or school, field of study, level of study, expected graduation, courses taken.
  • Profile information: skills, interests, languages, optional profile picture, optional short bio.
  • Challenge participation data: which challenges you have started, completed, or abandoned; your submissions and work products; feedback and evaluations.
  • Credential information: verifiable credentials issued to you, including the decentralised identifier (DID) we generate for you and the on-chain references.
  • Account activity data: login times, IP addresses used to access the Service, pages visited, features used.
  • Communications: messages you send through the Service (to teammates, to Recruiters if you have opted in), and any correspondence you have with us.
  • Payment information (if you have a paid plan): we use a third-party payment processor (currently Stripe) to handle payments. We see the last four digits of the card and the billing country, but the full payment details are held by the payment processor.

We do not collect, by default, special categories of personal data under Article 9 GDPR (such as race, ethnicity, religion, political opinions, health information, or sexual orientation). We do not need this information to provide the Service.

If at some point in the future we offer optional features that involve special category data (for example, accessibility accommodations), we will collect that data only with your explicit consent and only for the specific purpose disclosed at the time.

4.2 If you are a Recruiter

When you create a Recruiter account, we collect:

  • Identity information: your name, work email address, job title.
  • Organisation information: name of your organisation, organisation size, country, sector.
  • Account activity data: searches performed, profiles viewed, messages sent, features used.
  • Communications: messages you send through the Service, correspondence with us.
  • Payment information (if you have a paid plan): see Section 4.1.

4.3 If you are a visitor

When you visit ewance.com without creating an account, we collect a limited set of information automatically:

  • IP address (used to determine country for legal and security purposes, then truncated or hashed where reasonable);
  • Browser type and version, operating system, device type;
  • Pages visited, time spent on each page, referring URL;
  • Cookies and similar technologies (see our Cookie Notice for details).

5. Why we use your personal data (legal basis per purpose)

EU data protection law requires us to have a valid legal basis for each purpose for which we use your personal data. The table below sets out each purpose, the data involved, and the legal basis under Article 6 GDPR.

| Purpose | Data used | Legal basis |
|---|---|---|
| Creating and maintaining your account | Identity, account credentials, contact information | Performance of contract (Art. 6(1)(b)) |
| Enabling you to participate in challenges and earn credentials | Identity, academic info, challenge submissions, credential data | Performance of contract (Art. 6(1)(b)) |
| Issuing verifiable credentials on the LearnCoin infrastructure | Identity (via DID), challenge completion data, credential metadata | Performance of contract (Art. 6(1)(b)) |
| Making your profile visible to Recruiters (Students who have opted in) | Profile, skills, challenge completions, visibility settings | Consent (Art. 6(1)(a)), which you give by opting in and can withdraw at any time |
| Facilitating communications between users | Communications data | Performance of contract (Art. 6(1)(b)) |
| Processing payments | Payment-related data | Performance of contract (Art. 6(1)(b)) |
| Sending service-related communications (e.g. password resets, security alerts, terms updates) | Identity, email address | Performance of contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Sending marketing communications (newsletters, product updates) | Identity, email address, preferences | Consent (Art. 6(1)(a)), which you give by ticking the relevant box and can withdraw at any time via the unsubscribe link |
| Protecting against fraud, abuse, and security incidents | Account activity, IP address, device information | Legitimate interest (Art. 6(1)(f)) — our interest in keeping the Service safe for all users |
| Improving the Service (analytics, feature usage, performance monitoring) | Account activity, anonymised usage data | Legitimate interest (Art. 6(1)(f)) — our interest in operating and improving a high-quality Service. We rely on anonymised or aggregated data wherever possible. |
| Producing anonymised aggregate statistics for public sharing (e.g. "X challenges completed this year") | Aggregate counts derived from individual data | Legitimate interest (Art. 6(1)(f)) — your individual identity is not exposed in these statistics |
| Complying with legal obligations (tax, accounting, regulatory) | Whatever is required by the obligation | Legal obligation (Art. 6(1)(c)) |
| Responding to legal claims, regulatory investigations, or court orders | Whatever is required by the matter | Legal obligation (Art. 6(1)(c)) or legitimate interest (Art. 6(1)(f)) |

You have the right to object to processing based on legitimate interest (Art. 6(1)(f)) for reasons relating to your particular situation. See Section 11 (Your rights).


6. AI and your data

We use AI tools in certain operational parts of the Service. We want to be transparent about how:

  • Challenge generation: many challenges in our catalog are initially drafted using AI systems and then reviewed and quality-gated by our team before publication. The AI is not making decisions about you; it is creating content that you may choose to work on.
  • Onboarding helpers: some onboarding flows use AI to extract information from materials you upload (for example, parsing a course syllabus into structured fields). The AI processes only the data you have explicitly provided for that purpose.
  • No training on your personal data. Your personal data, profile information, challenge submissions, and communications are not used to train any AI model — neither ours nor any third-party model. We have contractual commitments from our AI vendors that prohibit them from using our data (and therefore your data) to train their models.
  • AI vendors used: the current AI vendors we work with are listed in our Subprocessor list, available on request — contact [email protected].

If we ever introduce a new use of AI that affects your personal data in a material way, we will update this section and notify users where appropriate.


7. When we share your personal data

We share your personal data in limited and specific circumstances. We do not sell your personal data to anyone, and we do not share it with advertising networks or data brokers.

7.1 With other Service users

  • Student profiles are visible to Recruiters only if the Student has opted in (see Section 12.4 of the Terms of Service). The visibility level chosen by the Student determines what is shown.
  • Team members within a team challenge can see each other's contributions, communications, and team-context information.
  • Public credentials: verifiable credentials you have earned are designed to be shareable. If you share a credential link, anyone with that link can verify the credential cryptographically. The link itself does not reveal information you have not chosen to publish.

7.2 With service providers (data processors)

We use a number of third-party service providers to operate the Service. These providers process personal data on our behalf, under written data processing agreements that require them to:

  • Use your data only for the purposes we specify;
  • Not use your data for their own purposes;
  • Implement appropriate security measures;
  • Assist us in honouring your data protection rights.

The current list of our service providers (subprocessors) is available on request — contact [email protected]. The list includes categories such as:

  • Cloud hosting and database infrastructure;
  • Authentication and identity management;
  • Email delivery;
  • Payment processing;
  • Customer support tooling;
  • Analytics and product telemetry;
  • AI services for the limited purposes described in Section 6.

We notify users of material changes to our subprocessor list (typically by updating the page; we encourage you to check it occasionally if you are interested).

7.3 With professional advisors

We may share personal data with our accountants, lawyers, auditors, and insurers as necessary for the operation of our business — under confidentiality obligations and only to the extent reasonably required.

7.4 With authorities

We may share personal data with public authorities, law enforcement, or courts if:

  • We are legally required to do so (for example, in response to a valid court order or regulatory request);
  • We believe it is necessary to protect the rights, property, or safety of Aurea CV, our users, or the public;
  • We are exercising or defending legal claims.

We do not share personal data with authorities outside of these specific situations, and we challenge requests that appear overbroad or unlawful.

7.5 In a business transfer

If Aurea CV is acquired, merges with another company, or undergoes a restructuring, personal data may be transferred to the successor entity. We will notify affected users in advance of any such transfer and give them an opportunity to object or close their accounts before the transfer takes effect.


8. International data transfers

The Service is operated from the EU. Most of our service providers are based in the EU or EEA. However, some of our service providers (and some optional integrations) operate from outside the EU/EEA, including the United States.

When we transfer personal data outside the EU/EEA, we ensure that one of the following safeguards is in place:

  • Adequacy decision — the destination country has been recognised by the European Commission as providing an adequate level of data protection (current list at ec.europa.eu);
  • Standard Contractual Clauses — we use the European Commission's Standard Contractual Clauses (2021/914) with the recipient, supplemented by additional technical and organisational measures where required;
  • Other appropriate safeguards under Articles 46-49 GDPR, where applicable.

You can request a copy of the safeguards in place for any specific transfer by contacting [email protected].


9. Verifiable credentials and the blockchain

This section explains how we reconcile the use of a public blockchain (Base) with EU data protection law. The short version: your personal data is not on the blockchain.

9.1 What goes on-chain

When you earn a verifiable credential, only the following is written to the Base blockchain:

  • A cryptographic hash of the credential (a fixed-length string that does not reveal the contents);
  • A reference to the issuing organisation (Aurea CV);
  • Revocation status pointers (used to mark a credential as revoked if necessary).

The cryptographic hash cannot be reversed to reveal your personal data. Without the off-chain credential and your decentralised identifier (DID), the on-chain record is just a string of characters with no identifiable subject.

9.2 What stays off-chain

The credential itself — including your name, the challenge you completed, the date, and any other personal details — is stored off-chain in our systems, under the protections described in this Privacy Policy.

9.3 Your right to erasure and the blockchain

Under GDPR Article 17, you have the right to ask us to erase your personal data. We honour this right with respect to the off-chain credential and all associated personal data in our systems.

The cryptographic hash on the blockchain cannot be deleted (this is a fundamental property of the blockchain, not a choice we have made). However, once your off-chain personal data is erased, the on-chain hash becomes mathematically unlinkable to you. The hash remains, but it no longer constitutes personal data within the meaning of GDPR — it is just an opaque string with no identifiable data subject.

This approach follows guidance from the European Data Protection Board and ENISA on reconciling blockchain technology with GDPR.

9.4 Credential persistence after account closure

If you close your Ewance account but want to keep your verifiable credentials accessible, you have two options:

  • Export your credentials before closing your account, in a portable verifiable format (W3C Verifiable Credentials 2.0 / Open Badges 3.0). You can then store and share them yourself, independently of Ewance.
  • Leave them with us — we maintain the off-chain credential data for credentials we have issued, even after your account is closed, so that verifiers can continue to check them. Your associated personal data beyond what is strictly needed for verification is deleted in accordance with the retention schedule below.

10. How long we keep your personal data

We do not keep personal data longer than necessary. Our retention schedule is:

| Category of data | Retention period |
|---|---|
| Active account data (profile, submissions, settings) | For as long as your account is active. |
| Account data after closure (soft delete) | 30 days after account closure, during which you can restore the account by contacting us. |
| Account data after closure (hard delete) | After the 30-day soft-delete period, personal data is deleted or anonymised. Some data may be retained longer where required by law (see below). |
| Inactive account data (no login for 24 months) | After 24 months of inactivity, we notify the account holder by email. If there is no response within 90 days, the account is soft-deleted; if no response within a further 90 days, hard-deleted. |
| Communications (emails, support tickets) | 36 months after the communication, unless related to a dispute or legal matter. |
| Activity logs and security logs | 13 months, then deleted. |
| Payment records | 7 years (Estonian accounting law requirement). |
| Tax-relevant records | 7 years (Estonian Tax and Customs Board requirement). |
| Off-chain credential records | Indefinite, to support verification by third parties. After account closure, only the minimum data needed for verification is retained. |
| On-chain credential hashes | Indefinite, by design of the blockchain (see Section 9). |
| Anonymised analytics | Indefinite — these data are no longer personal data once anonymised. |

If you are involved in a dispute, regulatory investigation, or legal matter, we may retain relevant personal data for longer than the periods above, until the matter is fully resolved.


11. Your rights

Under EU and UK data protection law, you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR): you can ask us for a copy of the personal data we hold about you.
  • Right of rectification (Art. 16 GDPR): you can ask us to correct inaccurate or incomplete data.
  • Right of erasure (Art. 17 GDPR): you can ask us to delete your personal data. See Section 9 for how this works with verifiable credentials.
  • Right to restrict processing (Art. 18 GDPR): you can ask us to pause certain processing of your data.
  • Right to data portability (Art. 20 GDPR): you can ask us to give you a copy of your data in a portable, machine-readable format, or to send it directly to another service. Our credential export feature (Section 9.4) is one expression of this right.
  • Right to object (Art. 21 GDPR): you can object to processing that we carry out on the basis of legitimate interest. We will stop unless we have compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Art. 7 GDPR): where we process your data based on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Right not to be subject to solely automated decisions (Art. 22 GDPR): we do not make decisions about you that have legal or similarly significant effects based solely on automated processing. Credential issuance is based on objective completion of challenges; it does not require special algorithmic protection.
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): you can complain to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) or to the supervisory authority in your country of residence.

How to exercise your rights

To exercise any of these rights, contact us at [email protected]. We will respond within one month (extendable by two further months if your request is complex, in which case we will tell you within the first month). There is no fee for most requests, but we may charge a reasonable fee or refuse to act if a request is manifestly unfounded or excessive.

Some rights can also be exercised directly from the account settings page (for example, downloading a copy of your data, or deleting your account).

We may need to verify your identity before acting on a request, to protect you against impersonation.


12. Security

We take security seriously. Our measures include:

  • Encrypted data transmission (HTTPS / TLS) across the entire Service;
  • Encrypted data at rest in our databases;
  • Row-level security policies enforcing access controls in our data layer;
  • Strict access controls for our team — only those who need to access personal data for their work are granted access, and access is logged;
  • Two-factor authentication for our internal admin systems;
  • Regular security reviews and penetration testing;
  • A responsible disclosure programme for security researchers (details on our website).

No system is perfectly secure. If a personal data breach occurs and poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (where required under Article 33 GDPR) and, where the risk is high, we will notify affected users without undue delay (Article 34 GDPR).


13. Children's data

The Service is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If we learn that we have collected personal data from a child under 16, we will delete it as quickly as possible.

If you believe a child under 16 has provided us with personal data, please contact us at [email protected].


14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do:

  • For material changes (changes that significantly affect your rights or how we use your data), we will notify you by email at least 30 days before the change takes effect.
  • For non-material changes (corrections, clarifications, contact details), we may make the change without advance notice. The "Last Updated" date at the top of this policy will always reflect the most recent change.

If you do not agree with a material change, you can close your account before the change takes effect.


15. Contact

For any questions, requests, or complaints regarding this Privacy Policy or our handling of your personal data:

If you are not satisfied with our response, you have the right to lodge a complaint with:

  • The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee
  • The supervisory authority in your country of residence, if different.

Version history

  • 2026-05-14 — Initial version published.

This Privacy Policy is provided to help you understand how we treat your personal data. It is not legal advice. We have written it carefully and intend to honour it in practice. If you spot anything unclear or inconsistent, please let us know at [email protected].