The Trainexus dialogue simulation lets learners practise exam and conversation situations with AI-powered avatars. This overview transparently shows what data is created in the process, where it is processed and how it automatically disappears again.
For us, data protection is anchored in the technology — not just a statement.
Accounts, conversations and feedback are stored in a PostgreSQL database at Hetzner in Germany — inside the EU.
Logins are pseudonymous identifiers — commercially always anonymised ones (@examsim.de), and in university deployments institutional identifiers (e.g. bt150952@…). No real names.
OpenAI deletes the data after the session — at the latest after 30 days (per the DPA); ElevenLabs stores nothing; HeyGen does not record the stream. No service uses the data for training.
When a session ends, the data at OpenAI is deleted (fallback: cron ≤24 h) — with an audit log as GDPR proof. Feedback & conversation stay in our EU database.
Data is created during use in the browser and is transmitted only to the few service providers that are technically necessary for operation and functionality (hosting as well as the AI/streaming services).
Access via claim link or Moodle/LTI · text input, uploaded documents, spoken language
Server & database (Falkenstein) — pseudonymous accounts, conversation history, feedback; always in the EU
AI responses, transcription, speech output, avatar streaming — under a DPA. OpenAI = EU contracting party (Ireland), with possible US sub-processing under SCCs; ElevenLabs/HeyGen headquartered in the USA. OpenAI: deletion ≤30 days + actively after the session; ElevenLabs: no storage; HeyGen: no recording
No disclosure to other third parties — except at the user's explicit request or where legally required.
The platform's processing activities (twelve in the record), condensed here to the essentials.
| Data type | Purpose | Where processed | Retention & deletion |
|---|---|---|---|
| Account & master data | Login, authentication, usage quotas. The login is a pseudonymous identifier (commercially anonymised @examsim.de; institutional e.g. [email protected]) — no real names. Password encrypted. |
Hetzner 🇩🇪 | For the duration of the business relationship · inactive accounts per retention policy |
| Access & claim (Moodle/LTI) | Idempotent access provisioning via claim link, Moodle plugin or LTI 1.3. From the LMS only a pseudonymous identifier (moodle:… / lti:…), no real names. IP & pseudonymous browser ID only for abuse prevention. |
Operational hosting 🇩🇪 | Mapping kept as long as the pool/account exists · abuse-prevention data (IP, browser ID) deleted after 90 days · single-use nonces short-lived |
| Conversation history | AI-powered dialogue simulation: text input and AI responses (Conversations/Responses API). | Hetzner 🇩🇪 OpenAI 🇮🇪/🇺🇸 | History stays local (EU) until deleted by user/admin · at OpenAI, active deletion after the session (at the latest 30 days per the DPA) |
| Uploaded documents | Document analysis (PDF/images), e.g. CV, learning material, presentations. | OpenAI 🇮🇪/🇺🇸 Hetzner 🇩🇪 | Content only temporarily in browser memory · at OpenAI, deletion after the session (≤30 days per the DPA) · file metadata local until the conversation is deleted |
| Audio data (speech) | Real-time transcription of spoken answers (push-to-talk / live transcript) for oral simulations. | OpenAI 🇮🇪/🇺🇸 | Audio as a transient stream (no recording); the transcript flows into the local history · at OpenAI, deletion ≤30 days per the DPA |
| Speech output (TTS) | Speech synthesis of the avatar's utterances in LITE mode. Only the AI-generated avatar text is transmitted — no user voice, no user input. | ElevenLabs 🇺🇸 | No storage (ElevenLabs does not store the texts) · pure audio stream, no recording |
| Avatar session (video) | Interactive real-time video avatar streaming. IP address & connection metadata technically necessary. | HeyGen 🇺🇸 Hetzner 🇩🇪 | No recording (live stream) · session metadata 12 months for billing · HeyGen's logs are account-/content-related (no student data) |
| Feedback & assessments | AI feedback, inline annotations, self-assessment, scenario rating, learning statistics. | Hetzner 🇩🇪 OpenAI 🇮🇪/🇺🇸 | For the duration of the business relationship · viewable and exportable at any time · at OpenAI, deletion ≤30 days per the DPA |
| Billing & quotas | Usage/credit billing per organisation/group/user (seconds, tariff, credits) as well as user↔group↔course mapping. No real names; payment processing (Stripe or similar) runs separately. | Hetzner 🇩🇪 | For the duration of the business relationship or per commercial/tax-law retention |
| Server logs | IT security, stability, error analysis. IP address, timestamp, requested URLs. | Hetzner 🇩🇪 | Per log rotation (data minimisation) · no profiling · IP pseudonymised where possible |
| Admin & group access | Account management & support. Group admins see statistics for their own group — pseudonymous only (UUID). | Hetzner 🇩🇪 | As per the respective data type · conversation content only with explicit consent · least privilege |
The data created at OpenAI is actively deleted. Three interlocking stages ensure nothing is left behind. Feedback & conversation stay in our EU database (viewing/export by the user).
When the user ends a session properly, the app automatically deletes all resources created at OpenAI (files, feedback responses, conversation). Every deletion is logged as a delete_log/sweep_audit entry.
If the browser crashes or the connection drops, stage 1 cannot run. A server-side cron job regularly cleans up all “orphaned” conversations and carries out the same deletions afterwards.
Even if stages 1 and 2 fail, OpenAI automatically deletes the data transmitted via the API after 30 days at the latest, per the data processing agreement — the outermost safety layer.
Data processing agreements (DPAs) including EU Standard Contractual Clauses are in place with all service providers.
| Service provider | Location | Data processed | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Germany 🇪🇺 | All database content (server hosting) | Within the EU, GDPR-compliant |
| OpenAI Ireland Ltd. | Contracting party EU/Ireland possibly USA (SCCs) | Text data, transcriptions, documents, audio data | DPA incl. SCCs · no AI training · deletion ≤30 days (DPA §8) + active deletion after the session |
| ElevenLabs | Headquartered in the USA | Avatar output text (TTS, LITE mode only) | DPA incl. SCCs · no AI training · no storage |
| HeyGen Inc. / LiveAvatar | Headquartered in the USA | Streaming metadata, IP addresses (no recording) | DPA incl. SCCs · EU-U.S. Data Privacy Framework · logs account-/content-related (no student data) |
Third-country transfers: For the transfers to the USA, a transfer impact assessment was carried out. In addition to SCCs or the Privacy Framework, data minimisation, short or no retention, pseudonymous accounts and end-to-end TLS encryption reduce the risk. To ElevenLabs, only the AI-generated avatar output text is transmitted — no real user data and no user input; the text merely refers in content to the conversation.
Please address requests to [email protected].
Overview of all data stored about you.
Correction of inaccurate or incomplete data.
Account deletion; at OpenAI deletion after the session (≤30 days per the DPA), at ElevenLabs no storage, at HeyGen no recording.
Account deactivation: login blocked, data retained.
Export in a structured, machine-readable format (e.g. JSON).
Objection to processing, withdrawal of consent given.
Right to complain (Art. 77): The competent supervisory authority for Trainexus UG (a non-public body in Bavaria) is the Bavarian State Office for Data Protection Supervision (BayLDA), Ansbach — lda.bayern.de.
Trainexus UG (haftungsbeschränkt)
represented by Paul Dölle, Managing Director
Zum Wachtfels 17
91241 Kirchensittenbach, Germany
Email: [email protected]
Data processing agreements (DPAs) with OpenAI, ElevenLabs and HeyGen incl.
EU Standard Contractual Clauses are on file and can be reviewed on request.