Privacy Policy
Last updated: March 2026
1. Data Controller
Mester is operated from Huelva, Spain. For data protection inquiries, contact us at privacy@mesteracademy.com.
2. Data We Collect
We collect the following personal data when you use our platform:
- Account data: Full name, email address, and hashed password when you register.
- Learning data: Course enrollments, module progress, quiz answers and scores, certificate completion dates.
- Payment data: Order history, amounts, and pricing zone. Payment card details are processed exclusively by our payment provider and are never stored on our servers.
- Technical data: Session cookies necessary for authentication. We do not use analytics or tracking cookies.
3. Legal Basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Processing your account and learning data is necessary to provide the course services you registered for.
- Legitimate interest (Art. 6(1)(f)): We may use aggregated, anonymised data to improve our courses.
4. Data Retention
We retain learning and account data for 3 years after your last active session, after which it is deleted automatically. You may request earlier deletion at any time by contacting privacy@mesteracademy.com. Certificate records are retained for verification purposes.
5. Your Rights
Under GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten", Art. 17)
- Port your data in a structured format (Art. 20)
- Object to processing (Art. 21)
To exercise any of these rights, email privacy@mesteracademy.com.
For institutional customers, Mester acts as a Data Processor under GDPR Article 28. A standard Data Processing Agreement (DPA) is provided upon request and processed within 5 business days. Contact privacy@mesteracademy.com for your DPA.
6. Third-Party Processors
- Payment processing: Payments are handled by our payment provider. Only your email address is shared with them to process the transaction. Card details are never transmitted to our servers.
- Transactional email: We use an EU-hosted email service (data processed in Frankfurt, Germany) to send account and order notifications.
7. Data Transfers
Your data is stored on servers within the European Economic Area (EEA). We do not transfer personal data outside the EEA.
8. Data Security
We protect your data with industry-standard measures including hashed passwords (PBKDF2 with 600,000 iterations), CSRF protection, and secure session management.
9. Cookies
We use only essential session cookies required for login functionality. See our Cookie Policy for details.
10. Supervisory Authority
You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
11. Changes
We may update this policy. Material changes will be notified via email or platform notice.
Sub-processors
We use carefully selected third-party processors including payment providers, cloud hosting, and email delivery services. A full list of sub-processors is available on request at privacy@mesteracademy.com.
Data Breach Notification
In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within 72 hours in accordance with GDPR Article 33.