Privacy Policy

FoodTraining.online / TrainingWorld.online processes personal data when you visit our website, use an account, take online training courses or contact us.

This privacy policy explains what personal data we process, why we do so, how long we retain it and what your rights are.

1. Who are we?

FoodTraining.online / TrainingWorld.online Amsterdam, the Netherlands Chamber of Commerce (KvK) number: 68826370 VAT number: NL002130811B62 Email: hello@TrainingWorld.online Website: FoodTraining.online / TrainingWorld.online

2. Who does this privacy policy apply to?

This privacy policy applies to:

• visitors to our website;
• participants taking training courses;
• platform users;
• administrators of customer environments;
• contact persons at customers;
• people who contact us;
• people who request a quote or have a business relationship with us.

3. Our role: processor and sometimes controller

When your employer, client or organisation gives you access to FoodTraining.online, that organisation usually decides why you are taking the training and which progress data is needed. In that case, your employer, client or organisation is usually the controller, and we process personal data on its behalf as a processor.

For certain processing activities we are the controller ourselves. This applies for example to:

• our website;
• contact forms;
• quotes and administration;
• invoicing;
• security of our systems;
• logging;
• managing our business operations;
• our own legal obligations.

4. What personal data do we process?

Depending on your use, we may process the following data:

Account and identification data

• name;
• email address;
• username;
• organisation;
• department;
• role or job group;
• location;
• language preference;
• role on the platform.

Learning and progress data

• assigned training;
• started training;
• completed training;
• progress;
• test results;
• answers to test or reflection questions;
• certificates or proof of completion;
• date and time of completion.

Technical data

• IP address;
• browser data;
• device data;
• login times;
• error messages;
• log files;
• security data;
• cookie data.

Communication data

• support requests;
• emails;
• messages via forms;
• notes on contact moments.

Administrative data

• customer name;
• contact person;
• business contact details;
• quote details;
• invoice details;
• contract details.

5. What do we use personal data for?

We use personal data for the following purposes:

• creating and managing accounts;
• providing access to the platform;
• assigning training courses;
• recording progress;
• recording test results;
• generating certificates;
• reporting to the employer, client or organisation;
• supporting administrators;
• answering support questions;
• securing the platform;
• resolving incidents;
• improving how the platform works;
• managing quotes, contracts and invoices;
• complying with legal obligations.

We do not use learning and progress data to independently make employment-law decisions about participants. Responsibility for HR policy, evaluation and follow-up lies with the employer, client or organisation.

6. Legal bases

Depending on the processing, we or our customer rely on one or more of the following legal bases:

• performance of a contract;
• legitimate interest;
• legal obligation;
• consent, where required;
• legitimate interest of the employer or client in training, onboarding, compliance, safety and assurance.

When we process personal data on behalf of your employer or client, that organisation determines the legal basis.

7. Reporting to employer or client

If you have been granted access through your employer, client or organisation, that organisation may receive information about:

• which training courses are assigned to you;
• which courses you have started;
• which courses you have completed;
• your progress;
• test results;
• certificates or proof of completion;
• date of completion.

This information is used for training, onboarding, food safety, HSE, compliance, audits, internal assurance and organisational development.

8. Sharing certificates

If you receive a certificate or proof of completion, you may keep and share it yourself, for example with your employer or on professional social media such as LinkedIn.

You may not alter, falsify or use the certificate in a misleading way. You may also not share someone else's certificate without permission.

9. Cookies and similar techniques

Our website and platform may use cookies or similar techniques.

These may be needed for:

• logging in;
• security;
• session management;
• language settings;
• user preferences;
• analysis of website use;
• improvement of the platform.

For non-essential cookies we ask for consent where required. See our cookie notice for details.

10. Who do we share personal data with?

We only share personal data where necessary for the purposes set out in this privacy policy.

We may share data with:

• your employer, client or organisation;
• hosting providers;
• LMS or software vendors;
• email providers;
• support and technical service providers;
• administrative service providers;
• security providers;
• government authorities where legally required.

We have appropriate agreements (data processing agreements) in place with parties that process personal data on our behalf.

11. Sub-processors and service providers

To deliver the platform, we use the following sub-processors:

• Supabase / Lovable Cloud — database, authentication and file storage (EU region where available).
• Google — only if you sign in with Google (OAuth).
• Apple — only if you sign in with Apple (OAuth).
• ElevenLabs — text-to-speech for training content. Only the training text is sent, never participants' personal data.
• Email provider — for transactional email (account notifications, invitations, reminders).

Where a sub-processor is located outside the European Economic Area, transfers are protected by EU Standard Contractual Clauses or an equivalent safeguard.

When we process personal data on behalf of a customer, specific arrangements about sub-processors are set out in the data processing agreement with that customer.

12. Transfers outside the European Economic Area

We aim to process personal data within the European Economic Area as much as possible.

If personal data is processed outside the European Economic Area, we put appropriate safeguards in place, such as an adequacy decision, Standard Contractual Clauses or another legal safeguard.

13. Security

We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration or destruction.

Examples of measures include:

• access controls;
• personal accounts;
• password protection;
• roles and authorisations;
• secure connections (HTTPS) where possible;
• logging;
• backups;
• updates;
• restricting access to authorised persons;
• agreements with suppliers.

No digital system is completely risk-free. We do our best to secure data and we expect users to handle their account with care.

14. Retention periods

We do not retain personal data longer than necessary for the purposes for which it was collected, unless a longer retention period is legally required or reasonably necessary.

Indicative periods:

• Account and learning data: for as long as your account is active.
• Email logs: up to 90 days.
• Invite tokens: up to 30 days after expiry.
• Residual data after account deletion: removed within 30 days, except where legally required.
• Financial records: 7 years (statutory tax retention).
• Customer contract and invoice data: for as long as the customer relationship is active, and thereafter for the statutory retention period.

After a customer agreement ends, data may be deleted or anonymised according to the arrangements with the customer and our technical backup cycles.

15. Deleting an account and leaving an organisation

Users can request deletion of their own account from their profile page. A 30-day grace period applies. During this period the deletion can still be cancelled. After the grace period the account is permanently deleted.

When an account is permanently deleted, the related account data, progress data, training assignments, organisation memberships and authentication data are also deleted, unless we are legally required or otherwise validly required to retain certain data longer.

An organisation administrator can remove a user from the organisation. In that case only the link between the user and that organisation is removed. The user keeps their own account. Any training progress, certificates and memberships in other organisations remain.

A FoodTraining.online global administrator may fully and permanently delete a user when necessary for administration, security, execution of a privacy request or at the request of the responsible organisation. In that case the account and its data are permanently removed.

Please note: once data has been permanently deleted, it cannot be restored. Certificates, progress data and reports that were exported or stored by the organisation before deletion may continue to exist outside the platform. The relevant organisation is responsible for those copies.

16. Your rights

Under the GDPR you have a number of rights, including:

• right of access;
• right to rectification;
• right to erasure;
• right to restriction of processing;
• right to object;
• right to data portability;
• right to withdraw consent, where processing is based on consent.

If your account is provided through your employer, client or organisation, we may forward your request to that organisation because it is the controller.

17. Questions or requests

For questions about your training, account, progress or certificate, please contact the administrator within your organisation first.

For privacy questions, contact us at:

Email: hello@TrainingWorld.online

If we process personal data on behalf of your employer or client, we may forward your request or ask you to contact that organisation.

18. Complaints

If you feel that we or your organisation are not handling your personal data properly, we would like to hear from you so we can look for a solution.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or another competent supervisory authority.

19. Changes

We may amend this privacy policy. The latest version is available on our website. For material changes we may actively inform users or customers.

20. Governing law

This privacy policy is governed by Dutch law. It has been drawn up in Dutch; translations are provided for convenience. In the event of any discrepancy, the Dutch text prevails.

21. Contact

FoodTraining.online / TrainingWorld.online Email: hello@TrainingWorld.online