● Data Protection & Transparency

What data we process — and how we delete it again.

The Trainexus dialogue simulation lets learners practise exam and conversation situations with AI-powered avatars. This overview transparently shows what data is created in the process, where it is processed and how it automatically disappears again.

ControllerTrainexus UG (haftungsbeschränkt)
Legal frameworkGDPR — Art. 30 Record of Processing Activities
Status2 July 2026 · Version 1.5
At a glance

Four core principles

For us, data protection is anchored in the technology — not just a statement.

🇪🇺

Hosting in Germany

Accounts, conversations and feedback are stored in a PostgreSQL database at Hetzner in Germany — inside the EU.

🕵️

Pseudonymous accounts

Logins are pseudonymous identifiers — commercially always anonymised ones (@examsim.de), and in university deployments institutional identifiers (e.g. bt150952@…). No real names.

🚫

Short storage, no training

OpenAI deletes the data after the session — at the latest after 30 days (per the DPA); ElevenLabs stores nothing; HeyGen does not record the stream. No service uses the data for training.

🧹

Automatic cleanup

When a session ends, the data at OpenAI is deleted (fallback: cron ≤24 h) — with an audit log as GDPR proof. Feedback & conversation stay in our EU database.

Where data is created & where it goes

The data flow

Data is created during use in the browser and is transmitted only to the few service providers that are technically necessary for operation and functionality (hosting as well as the AI/streaming services).

Collection

In the user's browser

Access via claim link or Moodle/LTI · text input, uploaded documents, spoken language

Platform operation

Hetzner 🇩🇪

Server & database (Falkenstein) — pseudonymous accounts, conversation history, feedback; always in the EU

AI services (data processing)

OpenAI · ElevenLabs · HeyGen

AI responses, transcription, speech output, avatar streaming — under a DPA. OpenAI = EU contracting party (Ireland), with possible US sub-processing under SCCs; ElevenLabs/HeyGen headquartered in the USA. OpenAI: deletion ≤30 days + actively after the session; ElevenLabs: no storage; HeyGen: no recording

No disclosure to other third parties — except at the user's explicit request or where legally required.

What data — in detail

Data types, purpose & retention

The platform's processing activities (twelve in the record), condensed here to the essentials.

Data type Purpose Where processed Retention & deletion
Account & master data Login, authentication, usage quotas. The login is a pseudonymous identifier (commercially anonymised @examsim.de; institutional e.g. [email protected]) — no real names. Password encrypted. Hetzner 🇩🇪 For the duration of the business relationship · inactive accounts per retention policy
Access & claim (Moodle/LTI) Idempotent access provisioning via claim link, Moodle plugin or LTI 1.3. From the LMS only a pseudonymous identifier (moodle:… / lti:…), no real names. IP & pseudonymous browser ID only for abuse prevention. Operational hosting 🇩🇪 Mapping kept as long as the pool/account exists · abuse-prevention data (IP, browser ID) deleted after 90 days · single-use nonces short-lived
Conversation history AI-powered dialogue simulation: text input and AI responses (Conversations/Responses API). Hetzner 🇩🇪 OpenAI 🇮🇪/🇺🇸 History stays local (EU) until deleted by user/admin · at OpenAI, active deletion after the session (at the latest 30 days per the DPA)
Uploaded documents Document analysis (PDF/images), e.g. CV, learning material, presentations. OpenAI 🇮🇪/🇺🇸 Hetzner 🇩🇪 Content only temporarily in browser memory · at OpenAI, deletion after the session (≤30 days per the DPA) · file metadata local until the conversation is deleted
Audio data (speech) Real-time transcription of spoken answers (push-to-talk / live transcript) for oral simulations. OpenAI 🇮🇪/🇺🇸 Audio as a transient stream (no recording); the transcript flows into the local history · at OpenAI, deletion ≤30 days per the DPA
Speech output (TTS) Speech synthesis of the avatar's utterances in LITE mode. Only the AI-generated avatar text is transmitted — no user voice, no user input. ElevenLabs 🇺🇸 No storage (ElevenLabs does not store the texts) · pure audio stream, no recording
Avatar session (video) Interactive real-time video avatar streaming. IP address & connection metadata technically necessary. HeyGen 🇺🇸 Hetzner 🇩🇪 No recording (live stream) · session metadata 12 months for billing · HeyGen's logs are account-/content-related (no student data)
Feedback & assessments AI feedback, inline annotations, self-assessment, scenario rating, learning statistics. Hetzner 🇩🇪 OpenAI 🇮🇪/🇺🇸 For the duration of the business relationship · viewable and exportable at any time · at OpenAI, deletion ≤30 days per the DPA
Billing & quotas Usage/credit billing per organisation/group/user (seconds, tariff, credits) as well as user↔group↔course mapping. No real names; payment processing (Stripe or similar) runs separately. Hetzner 🇩🇪 For the duration of the business relationship or per commercial/tax-law retention
Server logs IT security, stability, error analysis. IP address, timestamp, requested URLs. Hetzner 🇩🇪 Per log rotation (data minimisation) · no profiling · IP pseudonymised where possible
Admin & group access Account management & support. Group admins see statistics for their own group — pseudonymous only (UUID). Hetzner 🇩🇪 As per the respective data type · conversation content only with explicit consent · least privilege
How deletion works

Deletion at OpenAI — safeguarded in three stages

The data created at OpenAI is actively deleted. Three interlocking stages ensure nothing is left behind. Feedback & conversation stay in our EU database (viewing/export by the user).

1

Immediately at session end

When the user ends a session properly, the app automatically deletes all resources created at OpenAI (files, feedback responses, conversation). Every deletion is logged as a delete_log/sweep_audit entry.

→ Immediately, on exit / logout
2

Cron job as a safety net

If the browser crashes or the connection drops, stage 1 cannot run. A server-side cron job regularly cleans up all “orphaned” conversations and carries out the same deletions afterwards.

→ Regularly, server-side
3

30-day limit at OpenAI

Even if stages 1 and 2 fail, OpenAI automatically deletes the data transmitted via the API after 30 days at the latest, per the data processing agreement — the outermost safety layer.

→ After 30 days at the latest (OpenAI DPA §8)
Processors

Service providers involved

Data processing agreements (DPAs) including EU Standard Contractual Clauses are in place with all service providers.

Service provider Location Data processed Safeguards
Hetzner Online GmbH Germany 🇪🇺 All database content (server hosting) Within the EU, GDPR-compliant
OpenAI Ireland Ltd. Contracting party EU/Ireland possibly USA (SCCs) Text data, transcriptions, documents, audio data DPA incl. SCCs · no AI training · deletion ≤30 days (DPA §8) + active deletion after the session
ElevenLabs Headquartered in the USA Avatar output text (TTS, LITE mode only) DPA incl. SCCs · no AI training · no storage
HeyGen Inc. / LiveAvatar Headquartered in the USA Streaming metadata, IP addresses (no recording) DPA incl. SCCs · EU-U.S. Data Privacy Framework · logs account-/content-related (no student data)

Third-country transfers: For the transfers to the USA, a transfer impact assessment was carried out. In addition to SCCs or the Privacy Framework, data minimisation, short or no retention, pseudonymous accounts and end-to-end TLS encryption reduce the risk. To ElevenLabs, only the AI-generated avatar output text is transmitted — no real user data and no user input; the text merely refers in content to the conversation.

Your control

Rights of data subjects

Please address requests to [email protected].

Access · Art. 15

Overview of all data stored about you.

Rectification · Art. 16

Correction of inaccurate or incomplete data.

Erasure · Art. 17

Account deletion; at OpenAI deletion after the session (≤30 days per the DPA), at ElevenLabs no storage, at HeyGen no recording.

Restriction · Art. 18

Account deactivation: login blocked, data retained.

Data portability · Art. 20

Export in a structured, machine-readable format (e.g. JSON).

Objection & withdrawal · Art. 21 / 7 (3)

Objection to processing, withdrawal of consent given.

Right to complain (Art. 77): The competent supervisory authority for Trainexus UG (a non-public body in Bavaria) is the Bavarian State Office for Data Protection Supervision (BayLDA), Ansbach — lda.bayern.de.

Contact

Controller & contact

Controller pursuant to Art. 4(7) GDPR

Trainexus UG (haftungsbeschränkt)
represented by Paul Dölle, Managing Director
Zum Wachtfels 17
91241 Kirchensittenbach, Germany

Requests & data subject rights

Email: [email protected]

Data processing agreements (DPAs) with OpenAI, ElevenLabs and HeyGen incl. EU Standard Contractual Clauses are on file and can be reviewed on request.