Privacy Policy

Effective: March 2026 | Also available in German (Datenschutzerklärung)

1. Data Controller

The data controller within the meaning of data protection laws is:

LyftOff

Luckenbachweg 2, 79115 Freiburg, Germany

Email: privacy@lyftoff.tech

2. Collection of General Information

When you access our website, information of a general nature is automatically collected. This information (server log files) includes the type of web browser, the operating system used, the domain name of your Internet Service Provider, and similar data. This is exclusively information that does not allow any conclusions to be drawn about your person.

This information is technically necessary to correctly deliver the content of web pages you have requested and is an unavoidable consequence of using the Internet. Anonymous information of this kind is statistically evaluated by us to optimise our website and the underlying technology.

3. Data We Collect

Account details

When you register, we collect your name, email address, and password (hashed). Optionally, you may provide your date of birth, country, education level, and career interests.

Reflection data

During onboarding, you provide information about your strengths, values, interests, constraints, and goals. This data is encrypted at rest (AES-256) and is never shared with parents, institutions, or third parties.

Usage data

We collect anonymised analytics data such as page views, feature usage, and engagement metrics to improve the platform.

4. Cookies

Like many other websites, we use so-called “cookies”. Cookies are small text files that are transferred from a web server to your hard drive. This automatically provides us with certain data such as your IP address, the browser you use, your operating system, and your connection to the Internet.

Cookies cannot be used to launch programs or transfer viruses to a computer. Using the information contained in cookies, we can make navigation easier for you and enable the correct display of our web pages.

Under no circumstances will the data we collect be passed on to third parties or linked to personal data without your consent.

Of course, you can view our website without cookies. Internet browsers are normally set to accept cookies. You can deactivate the use of cookies at any time via your browser settings. Please note that some features of our website may not work if you have deactivated the use of cookies.

5. Purpose and Legal Basis

We process your data for the following purposes:

  • Providing and operating the LYFTOFF platform (Art. 6(1)(b) GDPR — contractual performance)
  • Personalising career roadmaps, skill analyses, and recommendations (Art. 6(1)(b) GDPR)
  • Sending notifications and updates you have opted into (Art. 6(1)(a) GDPR — consent)
  • Improving the platform through anonymised analytics (Art. 6(1)(f) GDPR — legitimate interest)
  • Fulfilling legal obligations (Art. 6(1)(c) GDPR)

6. SSL Encryption

To protect the security of your data during transmission, we use state-of-the-art encryption methods (e.g. SSL) via HTTPS.

7. Data Storage and Security

Your data is stored on Supabase infrastructure in the EU region (Frankfurt, Germany) to ensure GDPR compliance. All data is encrypted at rest with AES-256 and in transit with TLS 1.3.

Your data is retained for as long as your account is active. Upon account deletion, all personal data is removed within 72 hours. Anonymised analytics data and audit logs are retained for up to 2 years.

8. AI-Powered Features

LYFTOFF uses artificial intelligence to generate career roadmaps, skill gap analyses, and guidance recommendations. AI-generated content is clearly labelled and is for informational purposes only. Your reflection data is never used to train third-party AI models.

9. Newsletter

When you subscribe to our newsletter, the data you provide is used exclusively for this purpose. Subscribers may also be informed by email about circumstances relevant to the service or registration (such as changes to the newsletter offering or technical conditions).

For effective registration, we require a valid email address. To verify that a subscription is actually made by the owner of an email address, we use the “double opt-in” procedure. No additional data is collected. The data is used exclusively for newsletter distribution and is not passed on to third parties.

You can revoke your consent to the storage of your personal data and its use for newsletter distribution at any time. You can also unsubscribe directly on this website or contact us using the contact details provided at the end of this privacy policy.

10. Contact Form

If you contact us by email or contact form, the information you provide will be stored for the purpose of processing the enquiry and for any follow-up questions.

11. Data Sharing

We do not sell your personal data. Data may be shared with:

  • Supabase (database hosting, EU Frankfurt) — as a data processor
  • Vercel (frontend hosting) — as a data processor
  • Resend (email delivery) — for transactional emails only
  • Parents/guardians — aggregated progress data only, never reflection data
  • Institutions — anonymised cohort statistics only, never individual data

12. Deletion and Blocking of Data

We adhere to the principles of data avoidance and data minimisation. We therefore only store your personal data for as long as is necessary to achieve the purposes mentioned here or as provided for by the various storage periods stipulated by law. After the respective purpose ceases to apply or these periods expire, the corresponding data is routinely blocked or deleted in accordance with statutory provisions.

13. Web Analytics

This website uses Vercel Analytics, a privacy-friendly web analytics service. Vercel Analytics collects anonymised usage data without the use of cookies and without storing personal data. No data is transmitted to third parties.

14. Your Rights

You have the right to obtain information about your personal data stored by us at any time. Under the GDPR, you have the following rights:

  • Right of access (Art. 15) — request a copy of your data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — account deletion within 72 hours
  • Right to data portability (Art. 20) — export your data
  • Right to restriction (Art. 18) — restrict processing
  • Right to object (Art. 21) — object to processing
  • Right to withdraw consent (Art. 7(3))

To ensure that data can be blocked at any time, such data must be kept in a blocking file for control purposes. You may also request deletion of data insofar as there is no statutory archiving obligation. You can make changes or revoke consent by notifying us with effect for the future.

15. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence.

16. Changes to This Privacy Policy

We reserve the right to amend this privacy policy from time to time to ensure it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g. when introducing new services. Your next visit will be subject to the new privacy policy.

17. Questions About Data Protection

If you have questions about data protection, please send us an email at: privacy@lyftoff.tech

Last updated: March 2026