Our Commitment to GDPR
Flux Learning is fully committed to complying with the General Data Protection Regulation (GDPR) (EU) 2016/679. We have implemented comprehensive measures to protect the personal data of individuals in the European Economic Area (EEA) and to ensure their privacy rights are respected.
Data Controller vs. Data Processor
As Data Processor
When you use Flux Learning to create and manage learning content for your organization, we act as a Data Processor. Your organization is the Data Controller for any personal data processed through your courses.
As Data Controller
For your account information and direct interactions with us (support, marketing), Flux Learning acts as the Data Controller and is responsible for determining how your personal data is processed.
Legal Basis for Processing
Under GDPR Article 6, we process personal data based on the following lawful bases:
Contract Performance (Art. 6(1)(b))
Processing necessary to provide our services, manage your account, and fulfill our contractual obligations.
Examples: Account creation, service delivery, billing
Legitimate Interests (Art. 6(1)(f))
Processing for our legitimate business interests where not overridden by your rights.
Examples: Security monitoring, fraud prevention, service improvement
Consent (Art. 6(1)(a))
Processing based on your freely given, specific, informed consent.
Examples: Marketing communications, non-essential cookies
Legal Obligation (Art. 6(1)(c))
Processing necessary to comply with legal requirements.
Examples: Tax records, regulatory compliance
Your GDPR Rights
As a data subject under GDPR, you have the following rights regarding your personal data:
Right of Access
Article 15: Request a copy of your personal data and information about how it is processed.
Right to Rectification
Article 16: Request correction of inaccurate or incomplete personal data.
Right to Erasure
Article 17: Request deletion of your personal data ("right to be forgotten").
Right to Restriction
Article 18: Request limitation of processing of your personal data.
Right to Data Portability
Article 20: Receive your data in a structured, machine-readable format.
Right to Object
Article 21: Object to processing based on legitimate interests or direct marketing.
Rights Related to Automated Decisions
Article 22: Not be subject to decisions based solely on automated processing.
Right to Withdraw Consent
Article 7(3): Withdraw consent at any time for consent-based processing.
How to Exercise Your Rights
To exercise any of these rights, please contact our Data Protection Officer:
- Email: dpo@fluxlearning.com
- Or through your account settings (for access, rectification, and deletion)
We will respond to your request within 30 days as required by GDPR.
International Data Transfers
As Flux Learning is based in the United States, personal data from the EEA may be transferred to and processed in the United States. We ensure adequate protection through:
Standard Contractual Clauses (SCCs)
We use EU-approved Standard Contractual Clauses as adopted by the European Commission to provide adequate safeguards for international data transfers.
Data Processing Agreements
All our subprocessors have signed Data Processing Agreements that include appropriate safeguards and comply with GDPR requirements.
Technical & Organizational Measures
We implement supplementary security measures including encryption, access controls, and security monitoring to protect transferred data.
Data Processing Agreement (DPA)
For customers who need a formal Data Processing Agreement under GDPR Article 28, we provide a comprehensive DPA that covers:
- Subject matter, duration, nature, and purpose of processing
- Types of personal data and categories of data subjects
- Rights and obligations of the controller and processor
- Technical and organizational security measures
- Sub-processor engagement and notification
- Assistance with data subject rights
- Data deletion and return upon termination
- Audit rights and compliance demonstration
Request a DPA
Download our standard DPA or request a custom agreement.
Subprocessors
We use carefully vetted subprocessors to help deliver our services. All subprocessors:
- Have signed Data Processing Agreements with GDPR-compliant terms
- Implement appropriate technical and organizational measures
- Are subject to our ongoing security assessments
View our complete subprocessor list in the Trust Center.
Subprocessor Change Notification
We provide at least 30 days' notice before engaging new subprocessors, giving you the opportunity to object. Subscribe to subprocessor updates by emailing privacy@fluxlearning.com.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with GDPR Article 5(1)(e) (storage limitation):
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account Data | Duration of account + 30 days | Contract performance |
| Content Data | Until deletion or account closure | Contract performance |
| Security Audit Logs | 1 year | Legitimate interests |
| Billing Records | 7 years | Legal obligation |
| Analytics (Anonymized) | Indefinite | Legitimate interests |
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance. You can contact our DPO for any privacy-related inquiries:
Data Protection Officer
Email: dpo@fluxlearning.com
Privacy Team
Email: privacy@fluxlearning.com
Right to Lodge a Complaint
Under GDPR Article 77, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates the GDPR.
While we encourage you to contact us first so we can address your concerns, you may contact your local data protection authority. A list of EU data protection authorities can be found at: European Data Protection Board