PRIVACY POLICY

One World Classroom (OWC)
www.oneworldclassroom.de
Version 1.4 | Effective Date: 15 April 2026
Language Note: This Privacy Policy is provided in both English and German. In the event of any inconsistency, the German version (Datenschutzerklärung) shall prevail.

1. Controller / Data Protection Contact

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

Kasun Paththamperuma

Operating as: One World Classroom (OWC)

Business form: Einzelunternehmer (sole trader), registered in Germany

Website: https://www.oneworldclassroom.de

Email: info@oneworldclassroom.de

For all data protection enquiries, please contact us at info@oneworldclassroom.de. We will respond within one calendar month (with a possible two-month extension for complex requests, of which we will notify you).

2. Scope and Applicability

This Privacy Policy applies to the website at www.oneworldclassroom.de and all associated subdomains (including dev.oneworldclassroom.de), the OWC online tutoring platform, all electronic communications sent through or in connection with OWC services, and the processing of personal data of students, platform visitors, and freelance tutors contracting with OWC.

This Policy has been prepared in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

Accessing and using the OWC platform is subject to OWC's Terms and Conditions. The legal basis for the core processing activities described in this Policy is either the performance of a contract (Art. 6(1)(b) GDPR) or OWC's legitimate interests (Art. 6(1)(f) GDPR) — not consent. Where processing does require consent (specifically: session recordings under Section 5, and tutor profile publication under Section 4.2), that consent is obtained separately through a dedicated, freely-given, specific, and unambiguous opt-in mechanism at the relevant point in time, independently of any T&C acceptance.

3. Personal Data Processed — Students and Platform Users

3.1 Account Registration Data

When you register an account on the OWC platform, we collect and process the following personal data:

  • Full name
  • Email address
  • University / institution name
  • Field of study and enrolled modules
  • Password (stored in hashed form — never in plaintext)
  • Date of account creation and last login
Legal basis: Art. 6(1)(b) GDPR — processing is necessary for performance of the service contract between you and OWC.

3.2 Booking and Session Data

When you book a tutoring session, we process:

  • Subject module selected and booking channel used
  • Preferred date, time, and session duration
  • Session format (video conference platform used: Zoom or Google Meet; session ID and join link)
  • Attendance records, session start and end times
  • Tutor assigned to the session
Legal basis: Art. 6(1)(b) GDPR — necessary for contract performance.

3.3 Payment Data

OWC processes payments exclusively through Stripe, Inc. (USA). OWC does not store your full card number, CVV, or bank details on its own servers. When you make a payment, Stripe collects and processes your payment card data on OWC's behalf. OWC receives only a transaction reference, amount, currency, and anonymised card summary (e.g. last 4 digits) from Stripe. Stripe is a certified PCI-DSS Level 1 service provider. Stripe's privacy policy: https://stripe.com/privacy

Transfer to USA: Stripe has accepted the European Commission Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR pursuant to Stripe's standard Data Processing Agreement.

Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(c) GDPR (compliance with financial record-keeping obligations under §§ 238 ff. HGB, §§ 145 ff. AO).

3.4 Communication Data

If you contact OWC via email (info@oneworldclassroom.de) or through platform messaging, we process your email address, message content, and the date and time of communication. Email delivery is handled by Brevo (formerly Sendinblue), SAS, 7 rue de Madrid, 75008 Paris, France, under a Data Processing Agreement (DPA).

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in responding to enquiries and maintaining communication records.

3.5 Technical and Usage Data

When you access the OWC website or platform, our server and system logs automatically collect: IP address (anonymised after 7 days), browser type and version, operating system, pages visited and time spent, referral URL, and date and time of access. This data is processed solely for security, fault diagnosis, and aggregate usage analysis. Our server infrastructure is hosted by Hetzner Online GmbH (Nuremberg, Germany, EEA). All data remains within the European Economic Area.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in secure and reliable platform operation.

3.6 Ratings and Feedback Data

After each completed session, students may be invited to submit a star rating and optional written feedback about their tutor. This data is processed for the following purposes: (a) calculating and displaying aggregate tutor ratings on public tutor profiles; (b) quality assurance and platform improvement; and (c) identification of underperforming tutors.

Ratings and written reviews may be displayed publicly on the tutor's profile page on www.oneworldclassroom.de in aggregated or anonymised form. Individual student identities are not displayed publicly alongside reviews. If a tutor withdraws their profile consent, their name and identifying information will also be removed or anonymised from any publicly displayed student reviews associated with that tutor.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining platform quality and enabling informed student choice.

3.7 Session Summaries

After each session, the assigned tutor submits a written session summary within 24 hours. These summaries contain information about the session topic, the student's progress, and any follow-up recommendations. Session summaries are stored on OWC's Hetzner server (EEA) and are accessible to the student and OWC's administrative staff. They are retained in accordance with the retention periods in Section 9.

Legal basis: Art. 6(1)(b) GDPR — necessary for performance of the service contract.

3.8 Video Conference Session Data

All tutoring sessions are conducted via Zoom (Zoom Video Communications, Inc., USA) or Google Meet (Google LLC, USA). When a session takes place on these platforms, the respective provider processes data including participant display names, session duration, video and audio content of the session, and technical connection data. OWC does not independently record or store the video/audio stream except where session recording has been separately consented to under Section 5.

Zoom: OWC uses Zoom in its standard business configuration under Zoom's published GDPR Data Processing Addendum, which incorporates Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR. Zoom GDPR DPA: https://explore.zoom.us/en/gdpr/

Google Meet: Tutors on the OWC platform use Google Meet via personal Gmail accounts. In this configuration, Google LLC acts as an independent data controller under its standard consumer Privacy Policy, not under a business Data Processing Agreement. Google LLC is headquartered in the USA. Data transfers from the EEA to Google's US servers are covered by Standard Contractual Clauses incorporated into Google's Privacy Policy terms for EEA users, as described at https://policies.google.com/privacy. Students and tutors should be aware that when using Google Meet via a personal Gmail account, Google's consumer data processing terms apply. Additionally, from 15 April 2026, OWC integrates with Google Calendar via OAuth 2.0 for the automated creation of calendar events containing Meet links on the tutor's behalf; this distinct integration is described in full in Section 4.5.

Legal basis: Art. 6(1)(b) GDPR — necessary for the performance of the tutoring service contract.

4. Personal Data Processed — Freelance Tutors

4.1 Contractual and Identity Data

OWC engages tutors as independent freelancers. For this purpose, we process:

  • Full name, email address, and phone number
  • Nationality, country of residence, and tax identification information
  • Academic qualifications and professional credentials
  • Date of birth (collected for contract purposes)
  • Current institutional or professional affiliation
  • Languages of instruction
  • Bank account or payment details for Wise / Payoneer transfers
  • Session logs (subjects taught, dates, duration, earnings)
  • Contract documents and correspondence
Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(c) GDPR (legal obligations including tax reporting under German law).

4.2 Public Profile Data

Displaying a tutor's public profile is functionally necessary to operate the OWC platform: students cannot book a session with a tutor they cannot identify. The following core profile elements are therefore processed on the basis of Art. 6(1)(b) GDPR as necessary for the performance of the service contract with the tutor:

  • Full name and academic or professional title (e.g. Dr., Prof.)
  • Academic credentials and qualifications (degree, institution, country of award)
  • Current institutional or professional affiliation
  • Country of residence or professional base
  • Subjects offered and expertise areas
  • Languages of instruction
  • Aggregate student rating and number of completed sessions
  • Availability schedule as maintained in the platform's scheduling system

The following additional profile elements — which go beyond what is strictly necessary for matching and involve personal presentation choices — are processed on the basis of the tutor's separate, freely-given, specific, and documented consent provided at the time of onboarding:

  • Professional profile photograph
  • Session rate as displayed on the platform
  • Short professional biography
  • Use of the above in OWC marketing materials (social media, promotional content)

A tutor may withdraw consent to the optional elements at any time by written notice to info@oneworldclassroom.de. OWC will update the profile within 14 days. Withdrawal does not affect the lawfulness of any prior publication of those elements, and does not affect sessions already booked at the time of withdrawal. Upon full profile removal, the tutor's name and identifying information will also be removed or anonymised from any publicly displayed student reviews.

Legal basis: Art. 6(1)(b) GDPR for core profile elements (contract performance); Art. 6(1)(a) GDPR for optional elements (express consent, documented in the Freelancer Service Agreement onboarding process).

4.3 Performance and Ratings Data

OWC collects and processes tutor performance data including student ratings, attendance records, cancellation rates, and session completion records for the purpose of quality assurance, performance management, and tutor profile maintenance. This data is held confidentially by OWC and is not disclosed to third parties except where required by law.

Legal basis: Art. 6(1)(b) GDPR — necessary for the management of the freelance service relationship.

4.4 International Data Transfers (Tutor-Side)

Tutor payment is processed via Wise Payments Limited (UK/EEA) or Payoneer Inc. (USA). These providers act as independent data controllers for payment transactions. Their respective privacy policies govern the processing of payment data. For Payoneer (USA), transfers are covered by SCCs incorporated into Payoneer's standard DPA pursuant to Art. 46(2)(c) GDPR.

4.5 Google Account Integration (OAuth 2.0)

Tutors who choose to connect their Google Account to the OWC platform enable OWC to create Google Calendar events and Google Meet links on their behalf for confirmed tutoring sessions. This integration uses Google's OAuth 2.0 authorisation framework. Connection is voluntary; if a tutor does not connect a Google Account, OWC will instead request that the tutor supply a Google Meet link manually for each session.

Google user data accessed: When a tutor authorises the connection, OWC receives access to the following Google user data under the scopes granted:

  • https://www.googleapis.com/auth/calendar.events — to create and manage calendar events on the tutor's primary Google Calendar. OWC creates only events that represent confirmed OWC tutoring sessions; OWC does not read, modify, or delete any other events on the tutor's calendar.
  • https://www.googleapis.com/auth/userinfo.email — the email address of the Google Account the tutor connected, stored so the tutor can verify that the correct account is connected and so OWC can provide support if Meet links do not appear.
  • https://www.googleapis.com/auth/userinfo.profile — the tutor's name and basic profile information as recorded in their Google Account.
  • openid — standard OpenID Connect identifier, used for authentication only.

How this data is used: OWC uses this data solely to (a) create a Google Calendar event with an embedded Google Meet link for each confirmed tutoring session on the tutor's primary Google Calendar, (b) attach the paired student as an event attendee so that the student automatically receives the Meet link, and (c) display the connected Google Account email address on the tutor's OWC dashboard so the tutor can confirm that the correct account is connected. OWC does not use Google user data for advertising, profiling, machine-learning training, or any purpose other than delivering the core tutoring service. OWC does not sell Google user data under any circumstances.

How this data is stored: OAuth access tokens, refresh tokens, the Google Account email address, and the Google Account name are stored in OWC's MariaDB database hosted on OWC's Hetzner server in Nuremberg, Germany (EEA). Calendar events, once created, reside on the tutor's own Google Calendar and are not duplicated on OWC systems. OWC stores only the Meet link URL, which is required in order to send it to the paired student.

How this data is shared: OWC does not share Google user data with any third party. The student paired with the session receives the Google Meet link as an event attendee, which is necessary to deliver the booked session.

How tutors can revoke access: Tutors can revoke OWC's access to their Google Account at any time by either: (a) clicking "Disconnect Google Account" on the OWC tutor dashboard; or (b) visiting https://myaccount.google.com/permissions and removing OWC from the list of connected applications. Upon revocation, OWC deletes the stored access token, refresh token, Google Account email address, and Google Account name from its database within 24 hours. Calendar events already created on the tutor's Google Calendar remain on the tutor's Google Calendar (OWC does not delete them) and may be deleted by the tutor directly if desired.

Google API Services User Data Policy — Limited Use: OWC's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Legal basis: Art. 6(1)(b) GDPR — processing is necessary for the performance of the service contract with the tutor (delivery of tutoring sessions via the agreed video conference platform). Transfers of the tutor's Google Account data to Google LLC (USA) are covered by Standard Contractual Clauses incorporated into Google's Privacy Policy terms for EEA users.

5. Session Recordings

OWC may record live tutoring sessions for the purpose of quality assurance, dispute resolution, or provision of replay materials for students who have purchased or been granted access to session recordings.

Session recordings will only take place with the express prior consent of both the student and the tutor. This consent is obtained through two separate mechanisms: (1) an explicit opt-in at the time of session booking on the platform; and (2) a separate consent prompt displayed in the session interface immediately before each recorded session commences. Each consent is freely-given, specific, and recorded independently. Acceptance of OWC's Terms and Conditions does not constitute consent to session recording.

Recordings are stored on OWC's Hetzner server (EEA) and are accessible only to the student who booked the session, the tutor, and OWC's administrative staff. Recordings are deleted after 90 days unless a different retention period has been agreed in writing.

Legal basis: Art. 6(1)(a) GDPR — separate, freely-given, specific consent of both the student and the tutor. Each party may withdraw their consent at any time before a session commences by contacting info@oneworldclassroom.de. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

6. Cookies and Tracking Technologies

6.1 Strictly Necessary Cookies

OWC uses strictly necessary session cookies to maintain your login state and enable core platform functionality. These cookies do not track you for advertising purposes and cannot be disabled without impairing the service.

  • Session token cookie (secure, HttpOnly, SameSite=Strict) — expires at end of browser session
  • CSRF protection token — required for form security
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in secure operation of the platform.

6.2 Analytics and Non-Essential Cookies

OWC does not currently use third-party advertising networks or social media tracking pixels on its platform. If analytics tools or non-essential cookies are introduced in future, this Policy will be updated and your separate, specific consent will be sought via a cookie consent banner before any non-essential cookies are set.

Legal basis for any future non-essential cookies: Art. 6(1)(a) GDPR — consent.

7. Your Rights Under the GDPR

This section applies to all data subjects covered by this Policy: students, platform visitors, and freelance tutors. To exercise any right, contact us at info@oneworldclassroom.de. We will respond within one calendar month (with the possibility of a two-month extension for complex requests, of which we will notify you).

Art. 15 — Right of Access

You have the right to obtain confirmation as to whether we process personal data concerning you, and if so, to receive a copy of that data together with information about the purposes, categories, recipients, and retention periods of processing.

Art. 16 — Right to Rectification

You have the right to obtain correction of inaccurate personal data without undue delay, and to have incomplete personal data completed.

Art. 17 — Right to Erasure ('Right to be Forgotten')

You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where consent has been withdrawn, or where it has been unlawfully processed. This right is subject to legal retention obligations (e.g. the 10-year obligation under § 257 HGB). Where full deletion is not possible due to legal obligations, data will be anonymised instead.

Art. 18 — Right to Restriction of Processing

You may request that we restrict the processing of your data in certain circumstances, for example while the accuracy of your data is being contested.

Art. 20 — Right to Data Portability

You have the right to receive personal data you have provided to us in a structured, commonly used, machine-readable format (e.g. JSON or CSV) and to transmit it to another controller, where the processing is based on contract or consent and carried out by automated means.

Art. 21 — Right to Object

You have the right to object at any time to processing based on Art. 6(1)(f) (legitimate interest). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Art. 21(2) — Right to Object to Direct Marketing

You have an absolute, unconditional right to object at any time to the processing of your personal data for direct marketing purposes, including any profiling carried out in connection with direct marketing. If you object to direct marketing processing, we will cease that processing immediately with no requirement to demonstrate compelling grounds. To exercise this right, email info@oneworldclassroom.de with the subject line 'Direct Marketing Objection'.

Art. 7(3) — Withdrawal of Consent

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Where you withdraw consent to session recording or tutor profile publication, we will act on that withdrawal within 14 days.

Art. 77 — Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. The competent supervisory authority for OWC is:

Die Landesbeauftragte für den Datenschutz Brandenburg (LDA)

Stahnsdorfer Damm 77, 14532 Kleinmachnow, Germany

https://www.lda.brandenburg.de

8. Automated Decision-Making and Profiling (Art. 22 GDPR)

OWC uses an automated matching algorithm to suggest tutor assignments to students based on subject expertise, confirmed qualification areas, tutor availability, and aggregate student ratings. OWC is satisfied that this matching process does not constitute automated decision-making within the meaning of Art. 22(1) GDPR, for the following reasons:

  • The matching output is a suggested assignment, not a binding or self-executing decision. The assignment is subject to the involvement of OWC's operator before it is confirmed. In cases where the platform auto-confirms a match based on preset criteria, this reflects OWC's deliberate operational decision about which tutors are suitable for which subjects — it is not a decision produced solely by an algorithm with no human input.
  • The matching does not produce legal effects on the student or tutor, and does not similarly significantly affect them within the meaning of Art. 22(1). It determines which tutor is offered for a session, but does not affect access to the platform, pricing, or any right or obligation of either party.
  • Students retain the right to request a different tutor after their first session at no additional cost (Student Terms, Section 6.4).

OWC does not use automated processing to make decisions about any data subject that produce legal or similarly significant effects without any human involvement whatsoever. OWC does not engage in profiling for the purposes of Art. 22 GDPR.

If OWC introduces any processing that does trigger Art. 22 obligations in future, this Policy will be updated and the required safeguards (including the right to human review, the right to contest the decision, and the right to express one's point of view) will be put in place before any such processing commences.

Legal basis for matching: Art. 6(1)(b) GDPR — necessary for the performance of the service contract (pairing students with qualified tutors is the core function of the platform).

9. Data Retention Periods

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by applicable law:

  • Account data: For the duration of the contractual relationship and 3 years after termination
  • Financial and invoicing records: 10 years (§ 257 HGB, § 147 AO)
  • Communication logs: 3 years from date of communication
  • Session logs and session summaries: 3 years from session date
  • Session recordings: 90 days from session date (unless otherwise agreed in writing)
  • Server access logs: 7 days (IP addresses anonymised after this period)
  • Consent records: Duration of processing activity plus 3 years
  • Ratings and feedback data: Duration of account, then anonymised on account deletion

Upon deletion of an account by a student, OWC will anonymise the student's personal data, while retaining transaction records for the legally required retention period (§ 147 AO). Anonymised data retains no link to any individual and cannot be used to re-identify the former account holder.

10. Third-Party Service Providers (Data Processors and Independent Controllers)

OWC uses the following external service providers. Where acting as processors, they are bound by Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR. Where acting as independent controllers (marked *), their own privacy policies govern their data processing.

Processor / ControllerPurposeLocationTransfer Safeguard
Hetzner Online GmbHWeb hosting & server infrastructureGermany (EEA)DPA + EEA
Stripe, Inc. *Payment processingUSASCCs via Stripe standard DPA
Brevo (SAS)Transactional email deliveryFrance (EEA)DPA + EEA
Wise Payments Ltd. *Tutor payoutsUK / EEAUK GDPR adequacy decision
Payoneer Inc. *Tutor payouts (alternative)USASCCs via Payoneer standard DPA
Zoom Video Communications, Inc. *Live session video conferencingUSASCCs via Zoom GDPR DPA
Google LLC (Google Meet + Google Calendar via OAuth) *Live session video conferencing (alt.) + automated calendar event creation for tutoring sessions via OAuth 2.0 (see Section 4.5)USASCCs via Google Privacy Policy; Google API Services User Data Policy (Limited Use)

(* = independent data controller. Their processing is governed by their own privacy policies and published DPAs referenced in the relevant sections above.)

11. International Data Transfers

Where personal data is transferred to recipients outside the European Economic Area (EEA) — specifically to Stripe (USA), Payoneer (USA), Zoom (USA), and Google (USA) — OWC ensures appropriate safeguards are in place pursuant to Art. 46 GDPR. For Stripe and Payoneer, transfers are covered by SCCs incorporated into each provider's standard published DPA. For Zoom, transfers are covered by SCCs incorporated into Zoom's published GDPR DPA (https://explore.zoom.us/en/gdpr/). For Google Meet, which tutors access via personal Gmail accounts, transfers are covered by SCCs incorporated into Google's Privacy Policy terms applicable to EEA users. In the case of Wise Payments Ltd. (UK), transfers are covered by the European Commission's adequacy decision for the UK. No data is transferred to third countries without a lawful safeguard in place.

12. Data Security

OWC implements appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, loss, or destruction:

  • HTTPS/TLS encryption for all data in transit
  • Password hashing using industry-standard algorithms (plaintext passwords are never stored)
  • Server access restricted by SSH key authentication
  • Regular software updates and security patching on the Hetzner server
  • Stripe handles all payment card data under PCI-DSS Level 1 controls
  • Email authentication via SPF, DKIM, and DMARC
  • Access to personal data limited to personnel with a need-to-know basis
  • Session recordings accessible only to the relevant student, tutor, and OWC administrators

13. Data of Minors

The OWC platform is intended for university students (typically 18 years of age or older). OWC does not knowingly collect personal data from individuals under 18 years of age. If we become aware that personal data of a minor has been collected, we will delete such data promptly. If you believe a minor's data has been submitted to OWC, please contact info@oneworldclassroom.de immediately.

14. Tutor Data Obligations (International Transfers by Tutors)

Freelance tutors based outside the European Economic Area who receive EU student personal data in the course of delivering sessions acknowledge, by signing the OWC Freelancer Service Agreement, that this constitutes an international data transfer under GDPR Chapter V. Tutors agree to implement appropriate safeguards equivalent to EEA standards. Student personal data received by tutors must be used solely for delivering the assigned session, must not be shared with any third party, must be stored securely, and must be deleted promptly when no longer needed for session delivery. Communication with students must take place exclusively through OWC Platform-approved channels.

15. Changes to This Privacy Policy

OWC reserves the right to update this Privacy Policy at any time to reflect changes in legal requirements, service features, or processing activities. The current version will always be available at https://www.oneworldclassroom.de/privacy-policy. Registered users will be notified of material changes by email with at least 14 days' notice before the changes take effect.

Where a material change affects processing that is based on legitimate interest (Art. 6(1)(f)) or contract performance (Art. 6(1)(b)), continued use of the platform after the effective date of the change constitutes acknowledgement of the updated Policy. Where a material change introduces new processing that requires consent (Art. 6(1)(a)), fresh, specific consent will be sought before that new processing begins, and the change will not take effect for that processing activity until consent is given. Silence or inaction will never be treated as consent to new consent-based processing.

16. Language Note

This Privacy Policy is provided in both English and German. In the event of any inconsistency between the two versions, the German version (Datenschutzerklärung) shall prevail, as German data protection law applies to OWC as a German-registered business.