Privacy Policy
How Eco Heroes International SL collects, uses, and protects your personal data when you use our educational platform.
1. Who we are
Eco Heroes is an educational platform that teaches the 17 United Nations Sustainable Development Goals (SDGs) to children ages 8–17 through illustrated storybooks, interactive games, AI-powered trivia, and lesson plans for teachers. We operate in 8 languages and serve schools, families, and educational organizations across Europe and beyond.
The data controller responsible for processing personal data under this policy is:
Eco Heroes International SL
CIF: B44915940
Inscrita en el Registro Mercantil de Girona, España
Website: eco-heroes.org
Contact for privacy questions: info@eco-heroes.org
We are established in Spain and our lead supervisory authority under the General Data Protection Regulation (GDPR) is the Agencia Española de Protección de Datos (AEPD). If you are based in another European Union member state, you may also contact your local data protection authority.
We have not formally appointed a Data Protection Officer (DPO) because the scale and nature of our current processing activities does not legally require one under Article 37 of the GDPR. Privacy matters are handled directly by our leadership team, who can be reached at the contact address above.
2. What data we collect
We collect only the data we need to provide our service. This section lists every category of personal data we process, with examples of what falls under each.
2.1 Account and subscription data
When you create an account or subscribe to a paid plan, we collect:
- Email address (used for login, account recovery, and essential service communications)
- Display name or username
- Password (stored only in hashed form — we cannot see or retrieve your actual password)
- Country or region (to deliver content in the appropriate language and comply with local law)
- Account type (individual, family, school, hospitality, corporate)
- For school accounts: the school access code used during registration
2.2 Payment data
If you subscribe to a paid plan, your payment is processed by Stripe Payments Europe, Limited (our payment processor). Stripe collects and processes your card details, billing address, and transaction data directly. We never see or store your full card number. We receive from Stripe only a reference identifier for your subscription, the subscription status, and the amount and currency of payments — enough to manage your account but not enough to impersonate your payment method.
2.3 Learning and usage data
When you use the platform to play games, take trivia, or read books, we collect:
- Your progress through SDG content (which lessons or missions you have opened)
- Game scores, trivia answers, achievements earned
- Language preference
- Which books you have viewed (but not how long you spent on each page)
- Session timestamps (when you logged in and out)
This data is used to personalize your experience (for example, remembering which lessons you have completed) and to help teachers track classroom progress when you use the platform through a school account.
2.4 Technical data
Like all websites, we automatically collect certain technical information when your device connects to our servers:
- IP address (used for security, anti-abuse, and approximate country detection)
- Browser type and version
- Device type (desktop, tablet, mobile) and screen size
- Operating system
- Date and time of requests
- Pages visited and referrer URL
Web server access logs are retained for 30 days for security purposes and then deleted.
2.5 AI-generated trivia content
Our trivia feature uses Anthropic's Claude AI to generate new quiz questions in your chosen language. When you request an AI-generated question, your selected topic (SDG number, difficulty level, language) is sent to Anthropic for processing. We do not send your personal account information, email address, or any content you have written to the AI provider. The AI request contains only: "generate an SDG trivia question about [topic] at [difficulty] level in [language]."
2.6 Moodle LMS data
If you access our Learning Management System at eco-heroes.moodlecloud.com, Moodle collects additional data specific to course progress, quiz results, and cohort membership. This data is processed under a separate Data Processing Agreement with Moodle Pty Ltd (the MoodleCloud operator).
2.7 What we do NOT collect
- Precise location data (GPS coordinates)
- Phone numbers
- Photos, videos, or voice recordings
- Content of private messages (we do not offer chat or messaging features)
- Social media profiles or friends lists
- Biometric data
- Special category data under GDPR Article 9 (health, religion, political views, etc.)
3. Why we collect it (lawful bases)
GDPR requires us to identify a lawful basis for every type of processing we do. We rely on the following:
| Processing purpose | Lawful basis |
|---|---|
| Creating and managing your account, delivering subscribed content | Contract (Art. 6(1)(b) GDPR) |
| Processing payments through Stripe | Contract (Art. 6(1)(b) GDPR) |
| Storing progress, scores, and learning history | Contract (Art. 6(1)(b) GDPR) |
| Security, fraud prevention, access logs | Legitimate interest (Art. 6(1)(f) GDPR) |
| Responding to data subject requests and legal inquiries | Legal obligation (Art. 6(1)(c) GDPR) |
| Tax and accounting records retention | Legal obligation (Art. 6(1)(c) GDPR) |
| Optional cookies (analytics, functionality) | Consent (Art. 6(1)(a) GDPR) |
| Processing children's data (under 14 in Spain) | Parental consent (Art. 8 GDPR + LOPDGDD) |
We do not use your personal data for marketing purposes. We do not send promotional newsletters. We do not share data with advertising networks. We do not sell user data to anyone. If this changes in the future, we will update this policy and seek separate consent for marketing communications.
4. How long we keep it
We only retain your data as long as we have a reason to keep it. The following retention periods apply:
| Data category | Retention period |
|---|---|
| Active account data | Duration of the account + 30 days after deletion request |
| Inactive accounts (no login for 24 months) | Deleted automatically after 24 months of inactivity, preceded by a warning email |
| Learning progress and scores | Same as account |
| Payment transaction records | 6 years (Spanish tax law requirement, Ley General Tributaria Art. 66) |
| Web server access logs | 30 days |
| Cookie consent records | 12 months from last update |
| Data subject request correspondence | 3 years from resolution (for audit purposes) |
When a retention period expires, data is either deleted permanently or anonymized (stripped of any information that could identify an individual) so it cannot be traced back to you.
5. Who we share it with
We share your personal data only with the parties listed below, and only to the extent needed for them to perform their services.
| Recipient | Purpose | Location |
|---|---|---|
| Stripe Payments Europe, Limited | Payment processing | Ireland (EU) |
| Moodle Pty Ltd (MoodleCloud) | Learning management system hosting | Australia (Standard Contractual Clauses) |
| Anthropic PBC | AI trivia question generation (no personal data sent) | United States (Standard Contractual Clauses) |
| Google LLC (Google Fonts) | Web font delivery (IP address exposed) | United States (Standard Contractual Clauses) |
| Our hosting provider | Web server hosting | European Union |
Each of these recipients is bound by either a Data Processing Agreement (for processors under Art. 28 GDPR) or by their own legal obligations as independent controllers. We do not share data with any party not listed above without either your consent or a legal obligation to do so.
We do not share data with governments except where legally compelled by a valid court order or equivalent lawful request. If we receive such a request, we will notify you unless legally prohibited from doing so.
6. International transfers
Some of our processors are located outside the European Economic Area (EEA), specifically in the United States (Anthropic, Google) and Australia (Moodle). Where data is transferred outside the EEA, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- Data Privacy Framework certification for US-based processors where available
- Technical measures including minimized data sharing (we send the least amount of personal data possible)
We are aware of the Schrems II ruling (CJEU C-311/18, July 2020) and the limitations it places on transfers to the United States. We continuously review our processor relationships for compliance with post-Schrems II requirements and take additional technical measures where appropriate.
7. Your rights under GDPR
Under the GDPR and Spanish LOPDGDD, you have the following rights regarding your personal data:
7.1 Right of access (Art. 15)
You can request a copy of all personal data we hold about you. We will provide it in a commonly-used electronic format within 30 days at no cost.
7.2 Right to rectification (Art. 16)
You can ask us to correct any personal data that is inaccurate or incomplete.
7.3 Right to erasure / right to be forgotten (Art. 17)
You can ask us to delete your personal data. We will do so unless we have a legal obligation to keep specific information (for example, tax records for transaction history). When we cannot fully delete, we will explain why and delete what we legally can.
7.4 Right to restriction of processing (Art. 18)
You can ask us to stop actively processing your data while a dispute is being resolved, without deleting it.
7.5 Right to data portability (Art. 20)
You can ask us to provide your data in a machine-readable format so you can transfer it to another service.
7.6 Right to object (Art. 21)
You can object to processing we carry out under legitimate interest. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
7.7 Right to withdraw consent (Art. 7)
Where processing is based on consent (for example, optional cookies), you can withdraw that consent at any time, with no effect on processing that already took place before withdrawal.
7.8 Right not to be subject to automated decisions (Art. 22)
We do not make any decisions about you that have legal or significant effects using purely automated means. Your trivia questions are AI-generated, but no automated decisions are made about your account, access, or eligibility.
7.9 How to exercise these rights
To exercise any of these rights, send an email to info@eco-heroes.org with a clear description of your request. We will respond within 30 days (extendable to 60 days for complex requests, with notification). There is no fee for reasonable requests. We may ask you to verify your identity before processing the request to prevent unauthorized data disclosure.
The email address above (info@eco-heroes.org) is a general inbox monitored for data protection requests. To ensure your request is handled promptly, please include "GDPR Request" in the subject line.
8. Children and young users
Eco Heroes is specifically designed for children ages 8–17. We take additional care with young users' data, beyond the general GDPR requirements.
Under Article 8 of the GDPR and Article 7 of Spain's Organic Law 3/2018 (LOPDGDD), the threshold for a child to consent to information society services in Spain is 14 years old. This differs from other EU member states (13–16 depending on jurisdiction).
A detailed Children's Privacy Notice, including parental consent procedures and age verification, is available at eco-heroes.org/legal/children/. Please read it alongside this Privacy Policy.
In summary:
- Users under 14 in Spain (or under the local threshold in their member state) require verifiable parental consent before creating an account
- We do not profile children for marketing purposes
- We minimize data collection for child users to what is strictly necessary
- Parents have full rights to access, correct, and delete their child's data on the child's behalf
9. Security
We implement the following technical and organizational measures to protect your data, appropriate to the risks involved:
- Encryption in transit: All connections to eco-heroes.org use HTTPS with TLS 1.2 or higher
- Password hashing: Passwords are stored using industry-standard one-way hashing (bcrypt or equivalent)
- Access controls: Administrative access to user data is limited to authorized personnel on a need-to-know basis
- Regular updates: We apply security patches to our server software as they are released
- Incident response: In the event of a personal data breach affecting rights and freedoms, we will notify the Spanish AEPD within 72 hours as required by Article 33, and affected users without undue delay as required by Article 34
No system can guarantee absolute security. If you have concerns about the security of your account, contact us immediately at info@eco-heroes.org.
10. Cookies and tracking
We use cookies and similar technologies. A detailed explanation of every cookie we set — including its purpose, category, and expiration — is available in our Cookie Notice.
You can manage your cookie preferences at any time by clicking "Privacy Settings" in the footer of any page on our site.
11. Changes to this policy
We may update this Privacy Policy to reflect changes in our services, legal requirements, or best practices. When we make material changes, we will:
- Update the "Effective" date at the top of this document
- Post a notice on our homepage for at least 14 days
- Notify registered users by email for significant changes
We will retain previous versions of this policy and make them available upon request.
12. How to contact us and complain
12.1 Contact us directly
Email: info@eco-heroes.org
Subject line: Include "GDPR Request" for faster handling
Website: eco-heroes.org
12.2 Complain to a supervisory authority
If you believe we have mishandled your personal data, you have the right to file a complaint with a data protection authority. Our lead supervisory authority is:
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
Citizen services phone: 901 100 099 / +34 91 266 35 17
If you are in another EU member state, you may contact your local data protection authority instead. A full list is maintained by the European Data Protection Board at edpb.europa.eu.
We encourage you to contact us first before filing a complaint, so that we have the opportunity to address your concerns directly.
