Skip to main content
chunkx
Overview Everything the chunkx platform offers How It Works How personalized learning works
Compliance Training Soon Meet regulatory requirements at scale Employee Onboarding Soon Get new employees productive faster Sales Training Boost sales team performance Product Training Train teams on products and features
Blog Articles on corporate learning Case Studies How companies use chunkx Guides Best practices and resources
Pricing
About Us Our story and mission Security & Compliance Data protection and compliance Contact Book a demo or talk to us
DE
EN
Try chunkx Book a Demo
chunkx
OverviewHow It Works
Compliance Training Soon Employee Onboarding Soon Sales TrainingProduct Training
BlogCase StudiesGuides
Pricing
About UsSecurity & ComplianceContact
DE
EN
Try chunkx Book a Demo
Legal

Privacy Policy

How chunkx processes personal data — and how you can exercise your rights.

Last updated: 12.01.2026

Contents
  1. 1. Who is the Controller?
  2. 2. Scope and Roles within the Platform
  3. 3. What Data chunkx Processes
  4. 4. Retention Periods and Deletion
  5. 5. Recipients and Disclosure
  6. 6. Transfers to Third Countries
  7. 7. Security of Processing (Art. 32 GDPR)
  8. 8. Cookies and Similar Technologies
  9. 9. Overview of the Cookies Used
  10. 10. Your Rights as a Data Subject
  11. 11. Objections / Complaints
  12. 12. Changes to this Privacy Policy
  13. 13. Translation
  14. 14. Contact
  15. 15. Version

1. Who is the Controller?

Under the GDPR, the controller is the chunkx entity that determines the purposes and means of the respective processing activity:

  • a) Website / Marketing / Communications / Recruiting: The controller is Chunkx B.V. (including, among other things, the operator of the website(s), including chunkx.io, and the controller for the provision of registration/login, insofar as chunkx acts as controller in this context).
  • b) Contract initiation, contract performance, billing (B2B): The controller is the chunkx entity named as the contractual party in the respective offer/order form/contract (Chunkx B.V. or Chunkx GmbH).
  • c) Use of the chunkx platform within a company account (e.g., via an employer/customer): In this case, the customer/employer is the controller. chunkx processes personal data as a processor solely on the customer’s instructions and in accordance with the data processing agreement (DPA) concluded between the customer and chunkx.

These notices explain which data we process in which roles and how you can exercise your rights.

2. Scope and Roles within the Platform

The chunkx platform is provided for company accounts; content and configurations are the responsibility of the respective company account.

a) Use within a company account (standard case)

If you use chunkx via a company account (e.g., through your employer or an organization), the respective organization is the controller for the processing of personal data in connection with the use of the platform. chunkx processes personal data as a processor on behalf of that organization and solely in accordance with its instructions and pursuant to the data processing agreement (DPA) concluded between the organization and chunkx.

Where users are invited by the respective company account, contact details (e.g., name/email address) may be provided to chunkx by the controller (customer/employer). In this case, the controller is responsible for informing the data subjects pursuant to Art. 14 GDPR.

b) Registration / login on app.chunkx.io (technical onboarding)

For the provision of the registration and login process (e.g., email verification, security, abuse prevention, assignment/redirecting to the selected company account), chunkx processes certain data as a controller to the extent necessary for these purposes. Once you select a company account or join a company account, further processing within the platform generally takes place as a processor for the respective company account.

During this phase, chunkx does not process any learning or reporting data, but only the data required for registration/login and account assignment.

c) Selection of a company account

After confirming your email address, you can—if available—choose from a list of publicly visible company accounts. For company accounts that are not publicly visible, an invitation or a company-specific registration page is required. The respective company account (controller) decides which company accounts are publicly visible and which registration pathways users may use to join. chunkx implements this configuration technically.

d) Website / Marketing / Communications

For processing activities in connection with the use of our website(s), demo/contact requests, or other communications, the provisions in Section 3.B (Processing as Controller) and Sections 8/9 (Cookies), as applicable, apply.

3. What Data chunkx Processes, for What Reasons and Purposes

In connection with providing the platform, chunkx processes personal data either as a controller or as a processor, depending on the specific context.

A. Legal Bases (only where chunkx acts as Controller)

Where chunkx processes personal data as a controller, this is based on Art. 6(1) GDPR, in particular:

  • Consent (Art. 6(1)(a) GDPR),
  • Performance of a contract / steps prior to entering into a contract (Art. 6(1)(b) GDPR),
  • Compliance with a legal obligation (Art. 6(1)(c) GDPR),
  • Legitimate interests (Art. 6(1)(f) GDPR).

Our legitimate interests include, in particular: operating and securing the platform, preventing abuse, error analysis, improving the user experience, internal administration, and the assertion/defence of legal claims.

Important: Where chunkx processes personal data as a processor within a company account, the respective company account (customer/employer), as the controller, determines the legal basis. In that case, chunkx processes the data solely on the customer’s documented instructions and in accordance with the DPA concluded between the customer and chunkx.

B. Processing as Controller (Registration/Login & Website)

chunkx processes certain personal data as a controller to the extent necessary to provide the registration and login process and to operate the website:

1) Registration, Email Verification and Login (app.chunkx.io)

Categories of data: email address; login credentials (e.g., password in hashed form or SSO identifiers, where used); verification status; technical log/security data (e.g., IP address, timestamps, device/browser information, event logs); where applicable, selection/assignment to the (publicly visible) company account.

Purposes: account creation and authentication, email confirmation, technical provision of access, security/abuse prevention, and assignment/redirecting to the selected company account.

Legal basis: Art. 6(1)(b) GDPR (provision of access / steps prior to entering into a contract) and Art. 6(1)(f) GDPR (security, abuse prevention).

Providing the email address and the data required for authentication is necessary to create a user account and provide access. Without this data, registration and use of app.chunkx.io are not possible.

2) Website Use (chunkx.io, etc.)

Categories of data: (temporary) IP address, referrer URL, browser type/version, operating system, access time, device type, and other technical data generated when the website is accessed; cookies/similar technologies in accordance with our Cookie Policy.

Purposes: technical provision, IT security, error analysis, and improving the usability/optimisation of the website.

Legal basis: Art. 6(1)(f) GDPR (operation, security, optimisation) and—where required—consent (Art. 6(1)(a) GDPR) for non-essential cookies/tracking.

3) Contact Requests / Support Outside of a Company Account

Categories of data: contact and communication data (e.g., name, email address, content of the request), and communication metadata.

Purposes: handling inquiries, providing support, and documentation for quality assurance.

Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract/contract performance) or Art. 6(1)(f) GDPR (efficient handling/quality assurance).

Providing the data marked as mandatory fields is required in order to process your request; without this data, we may not be able to process your request, or may only be able to do so to a limited extent.

4) Marketing/Newsletter (if used)

Categories of data: contact/profile data (e.g., email address, if applicable name), opt-in/double opt-in records, usage data (e.g., opens/clicks), where applicable.

Purposes: sending information/updates and marketing communications.

Legal basis: generally consent (Art. 6(1)(a) GDPR); you may unsubscribe at any time.

5) Applications (Recruitment)

Categories of data: application and contact data, CV/resume, certificates/references, and communications.

Purposes: conducting the application process, review, and decision-making.

Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract) and/or Art. 6(1)(f) GDPR; where applicable, consent if required.

C. Processing as Processor (Company Accounts)

Once you join a company account (e.g., via an invitation, a company-specific registration page, or by selecting a publicly visible account), chunkx processes personal data as a processor on behalf of the respective company account (controller).

1) User account and profile within the company account

Typical categories of data: name, email address, user ID, roles/permissions, and, where configured by the customer, profile details (e.g., department, location, job title).

Purposes: user administration, authentication within the account, role/permission management, and provision of the platform functionalities.

2) Learning and usage data

Typical categories of data: interactions with learning content, progress, results/responses, timestamps, activity data, and, where applicable, certificates/reports.

Purposes: delivering and documenting learning processes, and generating reports/certificates in accordance with the controller’s configuration.

3) Customer content (e.g., documents/materials) & AI-powered features

Typical categories of data: content uploaded to the platform by the customer (e.g., documents, learning materials, instructions); where applicable, personal data contained therein.

Purposes: providing the agreed services (e.g., content creation/optimisation, tagging, search/RAG functionalities), in each case on the controller’s instructions.

Note: The controller determines whether, and which, content contains personal data. chunkx processes such content solely within the scope of the engagement.

4) Operations, security, and error analysis (on behalf of the controller)

Typical categories of data: technical usage/log data, device/app information, crash/error data, security events.

Purposes: operating the platform, troubleshooting, maintenance, IT security, and abuse/fraud prevention—each to the extent necessary to provide the services and as commissioned by the controller.

Legal basis: The legal basis is determined by the respective company account as the controller. chunkx processes personal data as a processor pursuant to Art. 28 GDPR and in accordance with the DPA.

Automated decision-making: In the context of providing registration/login, we do not make decisions based solely on automated processing within the meaning of Art. 22 GDPR. To the extent that AI-powered personalisation or evaluations are used within company accounts, this is done under the responsibility of the respective company account (controller) and according to its configuration.

4. Retention Periods and Deletion

chunkx stores personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations. The specific retention periods depend on whether chunkx acts as a controller or as a processor.

A. Retention Periods Where chunkx Acts as Controller (Website, Registration/Login, Communications, Recruiting)

1) Registration/Login (app.chunkx.io) – technical onboarding

We store data for registration and authentication (e.g., email address, login credentials in hashed form, verification status) for as long as a user account exists and/or until deletion is requested, or until the account is deactivated for security/abuse reasons and subsequently deleted. We generally store technical log/security data (e.g., IP address, timestamps, event logs) only for as long as necessary to ensure security, prevent abuse, and perform error analysis.

2) Website logs

Server logs and comparable technical data are generally stored only for a limited period and then deleted or anonymised, unless longer storage is necessary to prevent or investigate security incidents.

3) Contact requests / pre-contractual communications

We store data from contact requests for as long as necessary to handle the request and any follow-up communication. Thereafter, we delete the data unless statutory retention obligations apply or longer storage is necessary for the assertion, exercise, or defence of legal claims.

4) Applications

As a rule, we delete application documents and communication data after the recruitment process has been completed, unless consent has been given for longer retention (e.g., a talent pool) or longer retention is necessary to defend against legal claims.

5) Statutory retention obligations

Where data is subject to commercial or tax law retention obligations (e.g., business correspondence, invoices), we store such data for the statutory retention periods and delete it thereafter.

B. Retention Periods Where chunkx Acts as Processor (Company Accounts)

Where chunkx processes personal data as a processor on behalf of a company account, the respective customer/employer, as the controller, determines the retention period and deletion. In such cases, chunkx deletes or returns personal data in accordance with the controller’s documented instructions and the provisions agreed in the DPA, or deletes it upon termination of the services, unless statutory obligations prevent deletion.

C. Restrictions on Deletion

In individual cases, deletion may be restricted to the extent that further processing is necessary to comply with legal obligations or for the assertion, exercise, or defence of legal claims.

5. Recipients and Disclosure of Personal Data

chunkx discloses personal data only where this is necessary to provide the services, where there is a legal obligation, or where another applicable legal basis exists. Which recipients may receive personal data depends on whether chunkx acts as a controller or as a processor.

A. Recipients Where chunkx Acts as Controller (Website, Registration/Login, Communications, Recruiting)

Where chunkx processes personal data as a controller, the following categories of recipients may in particular have access to such data:

  • IT/hosting and infrastructure service providers for the provision, maintenance, and safeguarding of the website, registration/login, and internal systems.
  • Communication and support service providers for handling inquiries and support cases outside of a company account.
  • Sales and CRM service providers (if used) for handling demo/contact requests and maintaining business relationships.
  • Payment and financial service providers / banks / tax advisors (where applicable) for processing payments, accounting, and fulfilling statutory obligations.
  • Public authorities / courts / legal advisors where we are legally required to do so or where this is necessary for the assertion, exercise, or defence of legal claims.

Where recipients process personal data on our behalf, we engage them as processors pursuant to Art. 28 GDPR and contractually oblige them accordingly.

B. Recipients Where chunkx Acts as Processor (Company Accounts)

Where chunkx processes personal data as a processor on behalf of a company account, the respective customer/employer is the controller and decides on recipients and access permissions within the scope of the platform configuration.

  • Company account controller (customer/employer): The customer/employer and any administrators and users authorised by it may access, within the platform, the data processed in the respective company account, in accordance with the roles and permissions configured by the customer.
  • Sub-processors: To provide the services, chunkx may engage sub-processors (e.g., for hosting/infrastructure, monitoring/security, support/communications, and, where applicable, providers of AI functionalities). The engagement of sub-processors is governed by the DPA; in particular, sub-processors are contractually bound and may process personal data only in accordance with the instructions and contractual requirements.
  • Public authorities / courts / legal advisors: Where chunkx is required in an individual case to disclose data (e.g., due to official orders), this will be done in compliance with applicable legal requirements. Where legally permissible, we will inform the controller (customer) about such requests.

C. No Disclosure for Our Own Advertising Purposes

chunkx does not sell personal data and does not disclose personal data to third parties for its own advertising purposes.

6. Transfers of Personal Data to Third Countries (Outside the EU/EEA)

Personal data is generally processed within the European Union (EU) or the European Economic Area (EEA). Where we use service providers, processing in, or access from, so-called third countries (countries outside the EU/EEA) may occur in individual cases. Which transfer mechanisms we apply depends on whether chunkx acts as a controller or as a processor.

A. Transfers Where chunkx Acts as Controller (Website, Registration/Login, Communications)

Where chunkx processes personal data as a controller and engages recipients in third countries, or where access from third countries cannot be ruled out, a transfer will take place only if one of the following requirements is met:

  • an adequacy decision of the European Commission (Art. 45 GDPR), or
  • appropriate safeguards (Art. 46 GDPR), in particular the conclusion of the EU Standard Contractual Clauses (SCCs), where applicable supplemented by additional measures, or
  • derogations under Art. 49 GDPR, where applicable in the individual case.

Upon request, we will provide you—where legally permissible—with further information about the safeguards applied in the individual case.

B. Transfers Where chunkx Acts as Processor (Company Accounts)

Where chunkx processes personal data as a processor on behalf of a company account, any transfers to third countries and the engagement of recipients/sub-processors are governed by the data processing agreement (DPA) and the documented instructions of the respective controller (customer/employer). chunkx engages sub-processors only within the framework of the DPA and ensures that appropriate safeguards (e.g., SCCs and, where applicable, additional measures) are in place for any third-country transfers.

C. No “Consent by Use”

Transfers to third countries do not take place on the basis of “consent by use”, but solely on the basis of the applicable transfer mechanisms under the GDPR.

7. Security of Processing (Art. 32 GDPR) and Technical and Organisational Measures

chunkx implements appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, unauthorised disclosure, alteration, or destruction. These measures are based on Art. 32 GDPR and take into account, in particular, the state of the art, implementation costs, the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks to the rights and freedoms of natural persons. Which measures apply in detail depends on whether chunkx acts as a controller or as a processor.

A. Security Measures Where chunkx Acts as Controller (Website, Registration/Login, Communications)

Where chunkx processes personal data as a controller (in particular in connection with the website and registration/login), we implement, among other things, measures that typically cover the following areas:

  • Access controls and authorisation concepts (need-to-know/least privilege),
  • Authentication and account security (e.g., protection of credentials, secure password handling),
  • Encryption in transit and, where applicable, encryption at rest in line with the state of the art,
  • Logging/monitoring to detect disruptions and security events,
  • Security and patch management as well as protection against typical attacks,
  • Backup, recovery, and availability concepts, where required.

B. Security Measures Where chunkx Acts as Processor (Company Accounts)

Where chunkx processes personal data as a processor on behalf of a company account, the security measures agreed between the customer/employer (controller) and chunkx pursuant to Art. 32 GDPR apply, as set out in the data processing agreement (DPA) and the technical and organisational measures (TOMs) referenced therein. chunkx ensures in particular that:

  • persons who process personal data are bound by confidentiality obligations,
  • appropriate access and authorisation concepts are implemented,
  • measures are in place to ensure the integrity, availability, and resilience of systems,
  • processes are in place to restore availability and access to data after incidents, and
  • a process exists for the regular review, assessment, and evaluation of the effectiveness of the measures, as appropriate.

C. Security Incidents / Incident Handling

In the event of security incidents, chunkx has processes in place to investigate, contain, and remediate them. Where chunkx acts as a processor, chunkx supports the controller within the framework of the DPA in fulfilling any notification and communication obligations pursuant to Arts. 33 and 34 GDPR.

8. Cookies and Similar Technologies

On our websites and web apps (e.g., chunkx.io and app.chunkx.io), we use cookies and similar technologies (e.g., local storage, pixels, SDKs) to provide and protect our services technically and—where you consent—to analyse and improve them.

What are cookies? Cookies are small text files stored on your device that can recognise our service for a period of time (e.g., session status, language settings).

A. Technically Necessary Cookies

We use technically necessary cookies and comparable technologies where they are strictly necessary to provide the function you have expressly requested (e.g., login/session management, security functions, load balancing). Under German law, consent is generally not required for these technologies, provided they are strictly necessary for the provision of the service. Any processing of personal data that may occur in this context (e.g., IP address, technical IDs) is based on our legitimate interests in secure and functional operation (Art. 6(1)(f) GDPR) or, where necessary, on the performance of pre-contractual measures/a contract (Art. 6(1)(b) GDPR).

B. Optional Cookies (Statistics/Marketing)

We use optional cookies (e.g., statistics/analytics or marketing/tracking technologies) only after you consent via our consent/cookie banner. The legal bases are then your consent pursuant to Art. 6(1)(a) GDPR and your consent to the storage of, and access to, information on your device under German cookie law (TDDDG). You can withdraw or change your consent at any time with effect for the future via the cookie settings.

C. Specific Optional Services in Use

Where you consent via our consent/cookie banner, we currently use the following optional services. Without your consent, these services are not loaded and set no cookies and transmit no data to the respective providers.

  • Google Analytics 4 (statistics). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA). We use Google Analytics 4 to analyze the use of our website on a pseudonymized basis (e.g., pages viewed, approximate location, devices/browsers used) and to improve our offering. This sets cookies (including _ga, _ga_<ID>, storage period up to 2 years). A transfer of personal data to the USA cannot be excluded; Google LLC is certified under the EU-US Data Privacy Framework, and EU Standard Contractual Clauses apply in addition (Art. 46 GDPR). Legal basis: your consent (Art. 6(1)(a) GDPR; Section 25(1) TDDDG).
  • lemlist – website pixel (marketing). The provider is lemlist SAS, France (EU). Via a website pixel we recognize returning or known visitors in order to support our sales team in serving prospective customers. As the provider is based in the EU, no transfer to a third country generally takes place in this respect. Legal basis: your consent (Art. 6(1)(a) GDPR; Section 25(1) TDDDG).

You can withdraw your consent at any time with effect for the future via the cookie settings. Further details on the individual cookies (names, providers, storage periods) can be found in our Cookie Policy.

D. Further Third-Party Technologies

Depending on the features used, cookies/similar technologies may also be set by further third parties (e.g., embedded content). Information on categories, providers, storage periods, and the respective purposes can be found in our Cookie Policy and in the cookie settings. Where a transfer to third countries may occur with third-party providers, the provisions in the “Transfers to Third Countries” section apply.

E. Relation to Controller/Processor

For cookies and similar technologies required for the technical provision of website/registration/login, chunkx acts as a controller to the extent necessary for these purposes. Where cookies/similar technologies are used in the context of use within a company account and usage/learning data is processed in this regard, further processing generally takes place as a processor for the respective company account (customer/employer) in accordance with the DPA.

9. Overview of the Cookies Used and Adjustments

Details on the cookies/similar technologies used (categories, purposes, providers, storage periods), as well as the option to give, refuse, or withdraw your consent, can be found in our Cookie Policy and in the cookie settings (consent banner/consent manager). The cookie settings can be accessed at any time via a corresponding link on our website. In addition, you can delete or block cookies via your browser settings. Please note that this may limit functions of the website or web app.

10. Your Rights as a Data Subject

As a data subject, you generally have the following rights under the GDPR, provided the respective legal requirements are met:

  • Access (Art. 15 GDPR),
  • Rectification (Art. 16 GDPR),
  • Erasure (Art. 17 GDPR),
  • Restriction of processing (Art. 18 GDPR),
  • Data portability (Art. 20 GDPR),
  • Objection to processing based on legitimate interests (Art. 21 GDPR),
  • Withdrawal of consent with effect for the future (Art. 7(3) GDPR), where processing is based on consent,
  • Lodging a complaint with a supervisory authority (Art. 77 GDPR).

A. How to exercise your rights where chunkx acts as Controller

Where chunkx processes personal data as a controller (e.g., for website use, registration/login, contact requests, marketing/newsletter, applications), you can assert your rights directly against us. The contact details can be found in the “Contact” section.

B. How to exercise your rights where chunkx acts as Processor (Company Accounts)

If you use chunkx within a company account (e.g., through your employer or an organization), the respective customer/employer is the controller for the processing of your personal data in connection with the use of the platform. In this case, please contact the controller (customer/employer) as a matter of priority to exercise your rights. In such cases, chunkx processes your data as a processor and supports the controller in fulfilling data subject rights within the framework of the data processing agreement (DPA). Please note that, as a processor, chunkx is generally not entitled to fulfil data subject requests independently without involving the controller (customer/employer).

C. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.

11. Objections / Complaints

If you have any questions or complaints about the processing of your personal data, you can contact us at any time using the contact details below. Notwithstanding this, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement. For Germany, this is typically the respective competent state data protection supervisory authority (e.g., in North Rhine-Westphalia, the supervisory authority of the federal state); for the Netherlands, the Autoriteit Persoonsgegevens.

12. Changes to this Privacy Policy

We may amend this privacy policy where this is necessary due to changes in the legal situation, technical developments, or changes to our processing activities. The current version is available on our website at any time. In the event of material changes, we will point this out in an appropriate manner. The date of the last update can be found in Section 15.

13. Translation

This privacy policy is drawn up in German and English. In the event of any discrepancies between these versions, the German version shall prevail.

14. Contact

For general data protection inquiries, please contact us at privacy@chunkx.io. Which chunkx entity is the controller follows from Section 1 (Who is the Controller?) or from the respective offer/order form/contract.

Chunkx GmbH
Birkenstr. 23
40233 Düsseldorf
Germany
Commercial register: HRB 83246
Email: privacy@chunkx.io
Chunkx B.V.
High Tech Campus 6, Unit A
5656AE Eindhoven
Netherlands
Chamber of Commerce number: 84701358
Email: privacy@chunkx.io

15. Version

This privacy policy was last edited on 12.01.2026.

chunkx

AI-powered corporate learning — personalized for every employee.

Product
OverviewHow It WorksPricing
Company
AboutCareersBlogCase StudiesContact
Resources
GuidesFAQSecurity & ComplianceBook a Demo
Awarded by
eLearning Journal Award 2026
BSFZ FuE Siegel 2023
Comenius Siegel 2022
de:hub Karlsruhe
EdTechNext Incubator

© 2026 chunkx GmbH. All rights reserved.

PrivacyTermsImprintCookie Policy

We value your privacy

We use cookies to operate our website, to analyse its use (statistics) and for marketing. Necessary cookies are always active — you decide which other categories to allow. Privacy policy · Cookie policy

Cookie settings

Choose which categories of cookies you allow. You can change this at any time.

These cookies are required for the website to work, e.g. to remember your cookie choice. They cannot be disabled.

Help us understand how visitors use the website by collecting and reporting usage information in pseudonymised form (e.g. Google Analytics).

Used to recognise visitors and make our outreach more relevant (e.g. lemlist website pixel).