GDPR & Your Data Rights

Detailed information for EU/EEA users and institutions

1. Data Controller

Kunnátta ehf.
Email: kunnatta@kunnatta.is
Website: kunnatta.is
Country: Iceland (EU/EEA)

2. Legal Basis for Processing

We process your data based on the following legal grounds under GDPR Article 6:

Data Type	Legal Basis	GDPR Article
Account data (email, password)	Contract performance	Art. 6(1)(b)
Learning progress & scores	Contract performance	Art. 6(1)(b)
Subscription/payment data	Contract performance	Art. 6(1)(b)
Display name (optional)	Consent	Art. 6(1)(a)
Session cookies	Legitimate interest (service operation)	Art. 6(1)(f)

3. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights:

Right of Access (Article 15)

You can request a copy of all personal data we hold about you. Contact us at kunnatta@kunnatta.is.

Right to Rectification (Article 16)

You can correct inaccurate data directly in your profile settings, or contact us for assistance.

Right to Erasure (Article 17)

You can delete your account at any time from your profile page. This permanently removes all your data. You can also contact us to request deletion.

Right to Restriction (Article 18)

You can request that we limit how we use your data while a complaint is being resolved.

Right to Data Portability (Article 20)

You can request your data in a machine-readable format (JSON/CSV). Contact us at kunnatta@kunnatta.is.

Right to Object (Article 21)

You can object to processing based on legitimate interest. Note this may affect service functionality.

Rights Related to Automated Decisions (Article 22)

Our AI scoring is used to assist learning, not to make significant decisions about you. You can always contact us to discuss any AI-generated feedback.

4. Data Retention

Data Type	Retention Period
Account data	Until you delete your account
Learning progress	Until you delete your account
Subscription records	7 years (legal/accounting requirement)
Technical logs	90 days
Voice recordings	NOT stored (real-time processing only)

5. International Data Transfers

Some data is processed by services located in the United States:

Google (Gemini AI, Speech API) - DPF certified, Standard Contractual Clauses
Microsoft Azure - DPF certified, EU data centers available

These transfers comply with GDPR Chapter V through the EU-US Data Privacy Framework and Standard Contractual Clauses.

6. For Schools & Educational Institutions

School GDPR Compliance

Data Processing Agreement (DPA): Available upon request - View template
Minimal data collection: We only collect what's necessary for learning
No advertising: Student data is never used for marketing
Parental consent: Schools are responsible for obtaining consent for students under 16
Bulk deletion: Schools can request deletion of all student accounts

7. Children's Data (Under 16)

For users under 16 years old:

Parental or guardian consent is required
Schools using our service are responsible for obtaining appropriate consent
We collect minimal data necessary for the educational service
Parents/guardians can request access to or deletion of their child's data

8. Data Breach Notification

In the event of a data breach that poses a risk to your rights:

We will notify the Icelandic Data Protection Authority within 72 hours
We will notify affected users without undue delay if there is high risk
We maintain incident response procedures

9. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Persónuvernd (Icelandic Data Protection Authority)
Website: www.personuvernd.is
Email: postur@personuvernd.is

10. Contact for Data Requests

For any GDPR-related requests or questions:

Email: kunnatta@kunnatta.is
Response time: Within 30 days (as required by GDPR)
Verification: We may need to verify your identity before processing requests

Back to Privacy Policy Back to Home