Privacy Policy

This Privacy Policy describes how FormaCash OU (hereinafter "FormaCash", "we", "us", or "our") collects, uses, stores, shares, and protects the personal data of its users, applicants, Students, and website visitors. FormaCash OU is the data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, or GDPR). Data Controller details: - Company name: FormaCash OU - Commercial register number: 16284759 - Registered address: Parnu mnt 148, 11317 Tallinn, Estonia - Email: contact@formacash.com The data protection contact point for FormaCash can be reached for any questions, concerns, or requests relating to the processing of personal data, the exercise of data subject rights, or this Privacy Policy. Data protection contact: - Email: privacy@formacash.com - Postal address: FormaCash OU, Parnu mnt 148, 11317 Tallinn, Estonia

FormaCash collects and processes the following categories of personal data, depending on the nature of the interaction and the services used: Identification Data: - Full name (first name and surname) - Date of birth - Nationality - Government-issued identification number (where required for certification or regulatory purposes) - Photograph (for account profile, optional) Contact Data: - Email address (personal and/or professional) - Telephone number (mobile and/or landline) - Postal address (residential and/or professional) - Country of residence Payment and Financial Data: - Payment card details (processed and stored exclusively by Stripe; FormaCash does not store full card numbers) - Bank account details (for SEPA Direct Debit or refund processing) - Billing address - Transaction history and invoice records - Financing application data (income level, employment status, submitted to QuickFund with the Student's explicit consent) Training and Progress Data: - Enrolled programme(s) and session dates - Attendance records and participation data - Assessment results, grades, and feedback - Project submissions and code repositories - Certification status and certificate details - VMCloud Lab usage logs (resources consumed, environments provisioned) - Learning progress metrics and completion rates Connection and Browsing Data: - IP address - Browser type and version - Operating system - Device type and screen resolution - Pages visited on the Platform, time spent on each page - Referral source (how the user arrived at the Platform) - Session identifiers and timestamps - Language preference Application Data: - CV/resume (when submitted as part of the application process) - Cover letter or statement of motivation - Educational background and qualifications - Professional experience and employment history - Admission assessment results - Interview notes (recorded with the applicant's consent) Communication Data: - Emails and messages sent to or received from FormaCash - Support ticket content and history - Forum posts and comments on the Platform - Feedback and survey responses - Consent records and preference settings FormaCash does not knowingly collect sensitive personal data (also known as special categories of data under Article 9 of the GDPR), such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data. If such data is inadvertently provided by the Student (for example, in a cover letter), it will not be processed for any purpose and will be deleted promptly.

FormaCash processes personal data for the following purposes, each associated with a specific legal basis under Article 6(1) of the GDPR: Management of the application and admission process: - Legal basis: performance of pre-contractual measures at the request of the data subject (Article 6(1)(b) GDPR). - Details: processing of application data, eligibility verification, admission assessment, and communication of admission decisions. Performance of the Training agreement: - Legal basis: performance of a contract to which the data subject is party (Article 6(1)(b) GDPR). - Details: enrolment management, Platform access provisioning, delivery of Educational Content, VMCloud Lab provisioning, attendance tracking, assessment management, certification issuance, and all administrative tasks necessary for the execution of the Training. Payment processing and invoicing: - Legal basis: performance of the contract (Article 6(1)(b) GDPR) and compliance with legal obligations (Article 6(1)(c) GDPR). - Details: processing of payments through Stripe, issuance of invoices, management of instalment plans and credit arrangements through QuickFund, and tax reporting. Financing application processing via QuickFund: - Legal basis: explicit consent of the data subject (Article 6(1)(a) GDPR). - Details: transmission of financial and personal data to QuickFund for the purpose of assessing eligibility for instalment plans or preferential credit. Data is shared with QuickFund only upon the Student's explicit consent, which may be withdrawn at any time. Technical support and customer service: - Legal basis: performance of the contract (Article 6(1)(b) GDPR) and legitimate interest (Article 6(1)(f) GDPR). - Details: responding to support requests, troubleshooting technical issues, managing complaints. Platform improvement and analytics: - Legal basis: legitimate interest of FormaCash (Article 6(1)(f) GDPR). - Details: analysis of anonymised and aggregated browsing and usage data to improve the Platform's functionality, user experience, and content quality. FormaCash ensures that analytics processing does not unduly affect the rights and freedoms of data subjects. Marketing and commercial communications: - Legal basis: consent of the data subject (Article 6(1)(a) GDPR). - Details: sending newsletters, promotional offers, event invitations, and information about new Training programmes. Marketing communications are sent only to individuals who have given their explicit opt-in consent. The Student may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting privacy@formacash.com. Compliance with legal and regulatory obligations: - Legal basis: compliance with a legal obligation to which FormaCash is subject (Article 6(1)(c) GDPR). - Details: tax and accounting record-keeping, regulatory reporting, responding to lawful requests from public authorities, and compliance with anti-fraud and anti-money laundering regulations. Protection of FormaCash's legitimate interests: - Legal basis: legitimate interest (Article 6(1)(f) GDPR). - Details: fraud prevention and detection, enforcement of the Terms and Conditions, protection of intellectual property rights, security monitoring and incident response, and legal proceedings. FormaCash conducts a balancing test to ensure that its legitimate interests do not override the fundamental rights and freedoms of data subjects.

FormaCash may share personal data with the following categories of recipients and sub-processors, each bound by contractual data protection obligations in accordance with Article 28 of the GDPR: Stripe Payments Europe, Ltd.: - Role: payment processing sub-processor. - Data shared: payment card details, billing address, transaction amounts, and related payment data. - Location: registered in Ireland; may process data in the United States (see Section 5 on International Transfers). - Guarantees: Stripe is PCI-DSS Level 1 certified, the highest level of certification in the payment card industry. Stripe maintains comprehensive security measures and is subject to a Data Processing Agreement (DPA) with FormaCash in accordance with Article 28 GDPR. - Privacy policy: https://stripe.com/privacy VMCloud OU: - Role: hosting infrastructure and VMCloud Lab environment sub-processor. - Data shared: Student identification data (for Lab account provisioning), Lab usage data, connection logs, and any data stored by the Student in Lab environments. - Location: registered in Estonia. All servers are located exclusively in the European Union: Paris (France), Amsterdam (Netherlands), and Frankfurt (Germany), operating on Vercel infrastructure. - Guarantees: VMCloud is bound by a Data Processing Agreement with FormaCash and implements appropriate technical and organisational measures to ensure data security, including encrypted data transmission, access controls, and regular security audits. QuickFund: - Role: financing application processing partner. - Data shared: Student identification data, contact data, and financial data (income, employment status) necessary for the assessment of financing eligibility. - Data sharing condition: personal data is shared with QuickFund only upon the Student's explicit, informed consent, obtained at the time of the financing application. - Location: European Union. - Guarantees: QuickFund is bound by a Data Processing Agreement and processes data in compliance with the GDPR and applicable financial regulations. Email service provider: - Role: email delivery sub-processor for transactional and marketing communications. - Data shared: email address, name, and communication content. - Location: European Union servers. - Guarantees: bound by a Data Processing Agreement; data encrypted in transit and at rest. FormaCash does not sell, rent, or trade personal data to any third party for marketing or commercial purposes. Personal data is shared with sub-processors exclusively for the purposes described in this Privacy Policy and in the minimum scope necessary to fulfil those purposes. All sub-processors are selected based on their ability to provide adequate data protection guarantees and are subject to regular compliance reviews by FormaCash. Sub-processors are contractually prohibited from processing personal data for any purpose other than those specified in the Data Processing Agreement with FormaCash. FormaCash may also disclose personal data to public authorities, regulatory bodies, or law enforcement agencies where required by applicable law or in response to a valid legal request (court order, subpoena, or regulatory inquiry).

FormaCash is committed to ensuring that all personal data is processed within the European Economic Area (EEA) wherever possible. The following arrangements apply to data transfers: VMCloud OU: - All hosting and Lab infrastructure servers are located exclusively within the European Union (Paris, Amsterdam, Frankfurt). No personal data processed by VMCloud is transferred outside the EEA. VMCloud's use of Vercel infrastructure is configured to ensure EU-only data residency. Stripe Payments Europe, Ltd.: - Stripe's primary operations for European customers are based in Ireland (EU). However, as a global company, Stripe may transfer certain personal data to its parent company, Stripe Inc., located in the United States, for payment processing, fraud prevention, and operational support. - Such transfers are conducted in compliance with Chapter V of the GDPR and are protected by the following safeguards: a) The EU-U.S. Data Privacy Framework (DPF): Stripe Inc. is certified under the Data Privacy Framework, which has been recognised by the European Commission as providing an adequate level of data protection (Adequacy Decision of 10 July 2023). b) Standard Contractual Clauses (SCCs): in addition to the DPF certification, FormaCash and Stripe have entered into Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) as a supplementary safeguard. c) Supplementary measures: Stripe implements additional technical and organisational measures, including encryption in transit and at rest, access controls, and regular security assessments, to ensure that transferred data receives a level of protection essentially equivalent to that guaranteed within the EEA. QuickFund: - QuickFund processes all personal data exclusively within the European Union. No international transfers occur. Email service provider: - The email service provider processes data exclusively on EU-based servers. No international transfers occur. FormaCash does not transfer personal data to any country outside the EEA other than the United States (via Stripe, under the safeguards described above). In the event that FormaCash engages a new sub-processor that requires data transfer outside the EEA, FormaCash will ensure that appropriate safeguards are in place (adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules) and will update this Privacy Policy accordingly. Students may request a copy of the relevant transfer safeguards (including Standard Contractual Clauses) by contacting privacy@formacash.com.

FormaCash retains personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by applicable law. The following retention periods apply: Application data (for applicants not admitted): - Retention period: twelve (12) months from the date of the admission decision. - Justification: enables applicants to reapply without resubmitting all documentation; legitimate interest in maintaining application records for programme improvement. - After this period, the data is anonymised or permanently deleted. Student account and identification data: - Retention period: duration of the Training plus five (5) years from the completion or termination of the Training. - Justification: necessary for certificate verification, alumni services, and compliance with contractual and legal obligations (Estonian statute of limitations for contractual claims). Payment and financial data: - Retention period: ten (10) years from the date of the transaction. - Justification: compliance with Estonian and EU accounting and tax regulations (Estonian Accounting Act, EU VAT Directive), which require retention of financial records for a minimum of seven years, extended to ten years for comprehensive compliance. Training and progress data (attendance, assessments, certifications): - Retention period: duration of the Training plus ten (10) years from the issuance of the Certificate. - Justification: necessary for long-term certificate verification, accreditation audits, and regulatory compliance. Certificates may be verified by employers or educational institutions for many years after issuance. Connection and browsing data (logs, analytics): - Retention period: thirteen (13) months from the date of collection. - Justification: necessary for platform security, performance monitoring, and analytics. This period is aligned with CNIL and EDPB guidance on analytics data retention. Marketing communication data (consent records): - Retention period: until consent is withdrawn, plus three (3) years for proof of consent. - Justification: legitimate interest in maintaining proof of consent in case of dispute or regulatory inquiry. Support tickets and communication data: - Retention period: three (3) years from the date of resolution. - Justification: necessary for quality improvement, dispute resolution, and potential legal proceedings. VMCloud Lab usage data: - Retention period: duration of the Training plus six (6) months. - Justification: necessary for billing reconciliation, security audit, and investigation of any misuse of Lab resources. At the expiration of the applicable retention period, personal data is either permanently and irreversibly deleted (using secure deletion methods) or anonymised such that it can no longer be linked to an identifiable individual. Anonymised data may be retained indefinitely for statistical and research purposes.

Under the GDPR, data subjects (Students, applicants, and users) have the following rights with respect to their personal data: Right of access (Article 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed by FormaCash. Where personal data is processed, you have the right to access the data and receive the following information: the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention period, the existence of other rights, the source of the data (if not collected directly from you), and the existence of any automated decision-making. FormaCash will provide a copy of the personal data undergoing processing, free of charge. Additional copies may be subject to a reasonable administrative fee. Right to rectification (Article 16 GDPR): You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. You also have the right to have incomplete personal data completed, including by providing a supplementary statement. You may update certain personal data directly through your Account settings on the Platform. Right to erasure / right to be forgotten (Article 17 GDPR): You have the right to obtain the erasure of your personal data without undue delay where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis for the processing; you object to the processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required for compliance with a legal obligation. This right does not apply where processing is necessary for compliance with a legal obligation, the establishment, exercise or defence of legal claims, or archiving purposes in the public interest. Right to restriction of processing (Article 18 GDPR): You have the right to obtain restriction of processing where: you contest the accuracy of the data (for the period necessary to verify accuracy); the processing is unlawful and you request restriction instead of erasure; FormaCash no longer needs the data but you require it for legal claims; or you have objected to processing pending verification of whether FormaCash's legitimate grounds override your interests. Right to data portability (Article 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to FormaCash, in a structured, commonly used, and machine-readable format (e.g., JSON, CSV). You have the right to transmit this data to another controller without hindrance from FormaCash, where the processing is based on consent or on a contract and is carried out by automated means. Right to object (Article 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on legitimate interest (Article 6(1)(f) GDPR). FormaCash shall no longer process the data unless it demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims. Where personal data is processed for direct marketing purposes, you have the right to object at any time, and FormaCash shall cease processing for such purposes immediately. Right to withdraw consent (Article 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal. Consent can be withdrawn by contacting privacy@formacash.com or by using the relevant functionality on the Platform (e.g., unsubscribe link for marketing emails). How to exercise your rights: You may exercise any of the above rights by sending a written request to privacy@formacash.com or by post to FormaCash OU, Parnu mnt 148, 11317 Tallinn, Estonia. To verify your identity and prevent unauthorised access, you may be asked to provide a copy of a valid government-issued identification document. FormaCash will not use the identification document for any purpose other than identity verification and will delete it promptly after verification. FormaCash will respond to your request within one (1) month of receipt. This period may be extended by two (2) additional months where necessary, taking into account the complexity and number of requests. FormaCash will inform you of any such extension within one month of receipt, together with the reasons for the delay. If FormaCash decides not to take action on a request, it will inform you of the reasons and of the possibility of lodging a complaint with the supervisory authority. Right to lodge a complaint with a supervisory authority: If you believe that the processing of your personal data by FormaCash infringes the GDPR, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): - Address: Tatari 39, 10134 Tallinn, Estonia - Email: info@aki.ee - Website: https://www.aki.ee - Phone: +372 627 4135 You may also lodge a complaint with the supervisory authority of your country of habitual residence or place of work within the European Union.

FormaCash uses cookies and similar tracking technologies on its Platform to ensure proper functionality, improve user experience, and analyse usage patterns. A cookie is a small text file stored on your device (computer, tablet, or smartphone) when you visit the Platform. The following categories of cookies are used: Strictly necessary cookies: These cookies are essential for the operation of the Platform and cannot be disabled. They enable core functions such as navigation, access to secure areas, and session management. - Session cookie: maintains the user's authenticated session while navigating the Platform. Duration: expires at the end of the browsing session (session cookie). - CSRF token: protects against cross-site request forgery attacks by validating the authenticity of form submissions. Duration: expires at the end of the browsing session. - Language preference cookie: stores the user's selected language to ensure a consistent experience across pages. Duration: twelve (12) months. - Cookie consent cookie: records the user's cookie preferences to avoid repeated consent prompts. Duration: twelve (12) months. Legal basis: legitimate interest (Article 6(1)(f) GDPR), as these cookies are strictly necessary for the provision of the service explicitly requested by the user and do not require consent under the ePrivacy Directive. Analytics cookies: These cookies collect anonymised and aggregated information about how visitors use the Platform, including pages visited, time spent on each page, bounce rates, and traffic sources. This data is used exclusively for the purpose of improving the Platform's functionality and content. - Analytics session cookie: tracks the user's navigation path during a single visit. Duration: thirty (30) minutes of inactivity. - Analytics persistent cookie: assigns an anonymised identifier to distinguish unique visitors. Duration: thirteen (13) months. FormaCash uses a privacy-respecting analytics solution that anonymises IP addresses before storage and does not create individual user profiles. Analytics data is processed exclusively on EU-based servers. Legal basis: consent (Article 6(1)(a) GDPR). Analytics cookies are placed only after the user has given explicit consent through the cookie consent banner. Advertising cookies: FormaCash does NOT use any advertising, retargeting, or third-party marketing cookies. No data is shared with advertising networks or social media platforms through cookies or tracking pixels. Managing and deleting cookies: You can manage your cookie preferences at any time through the cookie settings panel accessible via the link in the footer of the Platform. You can also configure your browser to refuse all or certain types of cookies, or to alert you when cookies are being set. Please note that disabling strictly necessary cookies may impair the functionality of the Platform. Instructions for managing cookies in common browsers: - Google Chrome: Settings > Privacy and security > Cookies and other site data - Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data - Safari: Preferences > Privacy > Manage Website Data - Microsoft Edge: Settings > Cookies and site permissions > Cookies and site data For more information about cookies and how to manage them, you may visit https://www.allaboutcookies.org.

FormaCash implements comprehensive technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, destruction, or accidental loss. These measures are designed to ensure a level of security appropriate to the risks associated with the processing, in accordance with Article 32 of the GDPR. Technical measures: - Encryption in transit: all data transmitted between the user's browser and the Platform is encrypted using Transport Layer Security (TLS) version 1.3, the most current and secure version of the protocol. HTTP Strict Transport Security (HSTS) is enforced to prevent protocol downgrade attacks. - Encryption at rest: all personal data stored on FormaCash's servers and databases is encrypted at rest using AES-256 (Advanced Encryption Standard with 256-bit keys), an industry-standard encryption algorithm used by governments and financial institutions worldwide. - Firewall and network security: enterprise-grade firewalls, intrusion detection and prevention systems (IDS/IPS), and network segmentation are deployed to protect the infrastructure against unauthorised access and cyberattacks. - 24/7 monitoring: automated security monitoring systems operate around the clock to detect and respond to anomalous activity, potential intrusions, and security incidents in real time. - Annual penetration testing: FormaCash engages independent, qualified cybersecurity firms to conduct annual penetration tests of the Platform and infrastructure. Identified vulnerabilities are prioritised and remediated according to severity. - Vulnerability management: regular vulnerability scans are conducted, and software patches and security updates are applied promptly. FormaCash maintains an up-to-date inventory of all software components and monitors for known vulnerabilities (CVEs). - Secure development practices: the Platform is developed following secure coding guidelines (OWASP Top 10), and all code changes undergo security review before deployment. - Backup and disaster recovery: regular encrypted backups are performed, and a disaster recovery plan is maintained and tested to ensure data availability and business continuity. Organisational measures: - Need-to-know access: access to personal data is restricted to authorised personnel who require access to perform their specific duties. Role-based access controls (RBAC) are enforced throughout the organisation. - Employee training: all FormaCash employees and contractors who process personal data receive mandatory data protection training upon onboarding and at least annually thereafter. Training covers GDPR principles, data handling procedures, security awareness, and incident response. - Password and authentication policy: strong password requirements are enforced for all employee and Student accounts (minimum length, complexity, expiration). Multi-factor authentication (MFA) is required for all administrative and privileged access. - Confidentiality agreements: all employees, contractors, and sub-processors are bound by confidentiality and non-disclosure agreements that cover the processing of personal data. - Incident response plan: FormaCash maintains a documented incident response plan that defines procedures for detecting, containing, investigating, and recovering from security incidents. PCI-DSS compliance for payment data: All payment card data is processed exclusively by Stripe, which is PCI-DSS Level 1 certified. FormaCash does not store, process, or transmit full payment card numbers on its own servers. The Platform uses Stripe Elements, a pre-built UI component that securely collects card details directly on Stripe's infrastructure, ensuring that sensitive payment data never touches FormaCash's servers.

In the event of a personal data breach, FormaCash shall comply with the notification obligations set out in Articles 33 and 34 of the GDPR. Notification to the supervisory authority (Article 33 GDPR): Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, FormaCash shall notify the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach. The notification shall include: - A description of the nature of the personal data breach, including the categories and approximate number of data subjects and data records concerned. - The name and contact details of the data protection contact point. - A description of the likely consequences of the breach. - A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects. If it is not possible to provide all information at the time of the initial notification, the information may be provided in phases without undue further delay. Notification to affected data subjects (Article 34 GDPR): Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, FormaCash shall communicate the breach to the affected data subjects without undue delay. The communication shall describe, in clear and plain language: - The nature of the breach. - The likely consequences. - The measures taken or proposed to address the breach and mitigate its effects. - Recommendations for the data subject to protect themselves (e.g., changing passwords, monitoring accounts). - Contact details for further information: privacy@formacash.com. Communication to the data subject shall not be required where: (a) FormaCash has implemented appropriate technical and organisational protection measures (such as encryption) that render the personal data unintelligible to any person who is not authorised to access it; (b) FormaCash has taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or (c) it would involve disproportionate effort, in which case a public communication or similar measure shall be made. FormaCash maintains a data breach register documenting all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken, regardless of whether the breach was notifiable to the supervisory authority.

FormaCash does not engage in automated individual decision-making, including profiling, as defined in Article 22 of the GDPR. No decisions that produce legal effects concerning a data subject or that similarly significantly affect a data subject are made solely on the basis of automated processing of personal data. Specifically, FormaCash does not use personal data to automatically determine admission to Training programmes, assess creditworthiness for financing purposes (this is done by QuickFund under their own policies), set individual pricing, or restrict access to services based on automated profiling. All significant decisions concerning Students (admission, assessment grading, disciplinary actions, certificate issuance) involve meaningful human review and are made by qualified FormaCash personnel. Where FormaCash uses automated tools to support decision-making (for example, automated scoring of multiple-choice assessments or plagiarism detection software), these tools provide recommendations or flagged items that are reviewed by a human decision-maker before any action is taken that affects the Student. If FormaCash were to introduce any form of automated decision-making or profiling that produces legal or similarly significant effects, it would: (a) inform data subjects in advance; (b) implement suitable safeguards, including the right to obtain human intervention, express their point of view, and contest the decision; and (c) update this Privacy Policy accordingly.

FormaCash's Training programmes are designed for adults and are intended for individuals aged sixteen (16) years and older. FormaCash does not knowingly collect or process personal data from individuals under the age of sixteen (16) without the consent of a parent or legal guardian. For individuals aged between sixteen (16) and eighteen (18) years: - The consent of a parent or legal guardian is required for enrolment in any Training programme and for the processing of personal data. - The parent or legal guardian must co-sign the enrolment agreement and provide explicit consent for data processing. - FormaCash will provide age-appropriate privacy information to the minor and their parent or guardian. For individuals under the age of sixteen (16): - FormaCash does not accept enrolments from individuals under sixteen (16) years of age. - If FormaCash discovers that it has inadvertently collected personal data from a child under sixteen (16) without appropriate parental consent, it will take immediate steps to delete the data and terminate the Account. Parents or legal guardians who believe that their child has provided personal data to FormaCash without their consent may contact privacy@formacash.com to request access to, rectification of, or deletion of the child's data. The age threshold of sixteen (16) years is set in accordance with Article 8 of the GDPR and the Estonian Personal Data Protection Act, which permits EU Member States to set the age of digital consent between thirteen (13) and sixteen (16) years.

FormaCash reserves the right to update or modify this Privacy Policy at any time to reflect changes in applicable data protection laws, regulatory guidance, our data processing practices, or the services we offer. Any material change to this Privacy Policy will be communicated to registered users and Students at least thirty (30) calendar days before the updated policy takes effect. Notification will be made by: - Email to the address associated with the user's Account. - A prominent notice on the Platform (e.g., a banner or pop-up notification). - Publication of the updated Privacy Policy on the Platform with a clearly visible "Last updated" date. Minor changes that do not materially affect data subjects' rights (such as formatting corrections, clarifications, or updates to contact information) may be made without prior notice, but the "Last updated" date will always be revised to reflect the most recent modification. Users are encouraged to review this Privacy Policy periodically to stay informed of how their personal data is being protected. Previous versions of this Privacy Policy are archived and made available upon written request to privacy@formacash.com. Each version includes the effective date and the date on which it was superseded. If a change to this Privacy Policy requires your consent under the GDPR (for example, processing your data for a new purpose that was not covered by your original consent), FormaCash will obtain your explicit consent before implementing the change.

For any questions, concerns, or requests relating to this Privacy Policy, the processing of your personal data, or the exercise of your data subject rights, please contact FormaCash: Data protection contact point FormaCash OU Parnu mnt 148 11317 Tallinn, Estonia Email: privacy@formacash.com General inquiries (non-data protection): contact@formacash.com Legal inquiries: legal@formacash.com FormaCash will respond to data protection inquiries within the following timelines: - Acknowledgment of receipt: within five (5) business days. - Substantive response to data subject rights requests: within one (1) month, extendable by two (2) additional months for complex requests, with notification of the extension. - General privacy inquiries: within fifteen (15) business days. If you are not satisfied with FormaCash's response to your inquiry or request, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at Tatari 39, 10134 Tallinn, Estonia (info@aki.ee, https://www.aki.ee), or with the supervisory authority of your country of habitual residence or place of work.