Privacy Policy
Last updated: May 12, 2026
1. Introduction
DrillUP Platform ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, and your rights under applicable data-protection laws (including the EU's GDPR). This policy covers our website at https://drillup.app/, our mobile application "DrillUp - Career Coaching" available at https://apps.apple.com/de/app/drillup-career-coaching/id6746066146?l=en-GB, and our learning platform services including personalized assessments, adaptive learning paths, progress tracking, and secure authentication services (such as Sign in with Apple and LinkedIn).
2. Data Controller
DrillUP Platform, located in Berlin, Germany, is the data controller for the personal data processed through our services.
3. Personal Data We Collect
3.1. Information You Provide
- Account Information: Name, email address, account credentials, Apple ID details, and LinkedIn profile information (when using these third-party logins)
- Apple Authentication Data: Apple ID, first name, last name, email address, and real user status (when authenticating via Sign in with Apple)
- LinkedIn Profile Data: LinkedIn ID, profile picture, first name, last name, and email address (when authenticating via LinkedIn)
- Assessment Data: Responses to skill assessments and learning evaluations
- Learning Content: Progress through lessons, completion status, and performance metrics
- Reflection Data: Personal reflections, notes, and self-assessment content
- Communication: Messages, feedback, and support requests
3.2. Information We Collect Automatically
- Usage Data: Learning path progression, lesson completion times, interaction patterns
- Device & Technical Data: IP address, browser type, device identifiers, device model, operating system (OS), language, timezone, session data, and app usage metrics collected via Google Analytics and Crashlytics
- Push Notification Data: Device push tokens for delivering relevant learning reminders, streak protections, and milestone alerts (if you opt in)
- Authentication Data: Login timestamps, authentication method used (Apple or LinkedIn), refresh tokens (for Apple, to support secure account deletion), and session management data
- Performance Analytics: Response times, system performance metrics, error logs (including crash reports via Crashlytics)
- Processing Data: Data generated during automated analysis of your learning patterns
4. How We Use Your Personal Data
4.1. Service Provision
- Authenticate users through Sign in with Apple and LinkedIn OAuth integrations
- Maintain secure user sessions and account access
- Link third-party accounts (Apple, LinkedIn) to user accounts for seamless authentication
- Analyze assessments to identify potential improvement areas
- Generate personalized learning paths through automated processing
- Provide adaptive content that may adjust to your performance
- Track learning progress and manage content unlocking
- Deliver dynamically generated educational content (accuracy not guaranteed)
4.2. Platform Improvement
- Attempt to optimize algorithms for personalization
- Work to improve system performance and response times
- Strive to enhance content quality and educational effectiveness
- Monitor and improve system reliability (no guarantees provided)
4.3. Communication & Push Notifications
- Send push notifications for learning reminders, streak maintenance, and milestone alerts (manageable via your device settings)
- Deliver learning progress updates, gamified achievements, and reward notifications
- Provide customer support and technical assistance
- Share product updates and new features (with consent)
5. Legal Basis for Processing
- Contract Performance: Processing necessary to provide our learning services
- Legitimate Interest: Improving our AI algorithms and platform performance
- Consent: Marketing communications and optional features
- Legal Obligation: Compliance with applicable laws and regulations
6. Data Sharing and Disclosure
6.1. Service Providers
We may share data with trusted third-party service providers who assist in:
- Automated processing and machine learning services
- Cloud hosting and data storage
- Analytics and performance monitoring (including Google Analytics and Crashlytics for app and web tracking)
- Customer support and communication
- Authentication services (Apple and LinkedIn for secure login)
6.2. Legal Requirements
We may disclose personal data when required by law, court order, or to protect our rights and safety.
6.3. No Sale of Personal Data
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
6.4. Third-Party Authentication Services
We provide third-party sign-in options to improve user experience:
Sign in with Apple:
- We receive your Apple ID, name, email address, and real user status.
- We securely store an Apple refresh token strictly to comply with Apple's App Store guidelines regarding complete account deletion and token revocation.
- Apple's privacy policy governs their data processing. You can manage Apple sign-in settings from your Apple device.
LinkedIn Authentication:
- We receive limited profile information (name, email, LinkedIn ID, profile picture).
- For enhanced security, we do not store LinkedIn access tokens.
- LinkedIn's privacy policy governs their data collection. You can revoke access through your LinkedIn settings.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit and at rest
- Regular security assessments and updates
- Access controls and authentication systems
- Secure processing environments
- Regular backups and disaster recovery procedures
- Enhanced OAuth security - we do not store third-party access tokens
8. Data Retention
We retain personal data for as long as necessary to provide our services and comply with legal obligations:
- Account Data: Until account deletion or 3 years of inactivity
- Learning Progress: Until account deletion or as required for service provision
- Assessment Data: Retained to maintain learning continuity and personalization
- Third-Party Profile Data: Basic profile data (Apple/LinkedIn) retained until account deletion. Apple refresh tokens are securely revoked and deleted upon account termination.
- Authentication Records: Login history retained for security purposes (12 months)
- Technical Logs: Typically retained for 12 months for system optimization
9. International Data Transfers
Your data may be processed in countries outside the EU/EEA. We ensure adequate protection through:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for certain countries
- Other appropriate safeguards as required by law
10. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent for marketing communications
To exercise these rights, contact us at support@drillup.app.
11. Cookies and Tracking
We use cookies and similar technologies to enhance your experience, including for OAuth authentication flows. For detailed information, please see our Cookie Policy.
12. Children's Privacy
Our services are not intended for children under 16. We do not knowingly collect personal data from children under 16 without parental consent.
13. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email or through our platform.
14. Data Processing Disclaimers
AUTOMATED PROCESSING LIMITATIONS: Our automated systems are experimental and may not always function as expected. We make no guarantees about the accuracy, completeness, or reliability of dynamically generated assessments, learning paths, or content recommendations.
DATA ACCURACY: While we strive to process your data accurately, technical limitations may result in processing errors, data loss, or system failures. We are not liable for such occurrences.
THIRD-PARTY PROCESSING: Some data processing occurs through third-party automated processing services. We cannot guarantee the performance, security, or availability of these external services.
THIRD-PARTY AUTHENTICATION: Sign in with Apple and LinkedIn OAuth authentication are provided by Apple Inc. and LinkedIn Corporation, respectively. We are not responsible for their service availability, security, or broader data handling practices. Users must review the respective privacy policies of Apple and LinkedIn for their data processing practices.
15. Contact Information
For privacy-related questions or to exercise your rights, contact us at:
Email: support@drillup.app
Address: DrillUP Platform, Berlin, Germany
Data Protection Officer
If you have concerns about our data processing, you may also contact our Data Protection Officer at support@drillup.app.
Supervisory Authority
You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data appropriately.