Privacy Policy for “Volta

Last updated: November 2, 2025

  1. Introduction

Welcome to “Volta”, an AI-Powered PMP® Exam Preparation tool and PMP Exam Simulator (hereinafter the “Application”). This Privacy Policy explains how we collect, use, and protect your personal data in accordance with Regulation (EU) 2016/679 (GDPR) of April 27, 2016 and as required by Article 13 of the same Regulation, including the most recent updates and guidelines.

By accessing and using the Application, you agree to the collection and use of information as described in this policy and you agree to comply with our Terms and Conditions.

This policy is based on the principles of lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, and confidentiality, as set out in Article 5 GDPR.

  1. Data Controller

The Data Controller is: Massimiliano Langosco di Langosco – 10. Oktoberstraße 18, 9020 Klagenfurt, Austria – Email: support@pmr2.at

An assessment of the obligation to appoint a Data Protection Officer (DPO) was carried out pursuant to Article 37 GDPR. Given that the application uses artificial intelligence to monitor users’ progress and to perform automated analyses of their performance, we evaluated whether the conditions under Article 37(1)(b) GDPR apply concerning “regular and systematic monitoring of data subjects on a large scale.” Based on the specific nature of the PMP® exam preparation service, it was concluded that appointing a DPO is not required. However, this assessment will be periodically reviewed should the service evolve or the user base significantly increase.

Requests to exercise privacy rights can be addressed directly to the Controller, who will act in accordance with the timelines and methods provided by the GDPR (Articles 12 et seq.).

  1. Purposes of Processing and Legal Basis

3.1 Purposes

Personal data are processed for the following purposes:

  • Creating and managing the user account;
  • Monitoring study progress;
  • Providing AI-based feedback during the learning journey (including generating reports, answers and quiz questions, and highlighting key concepts in exam preparation content);
  • Managing interactions with the AI and generating personalized content.

Data storage: Personal data such as first name, last name, and email address are stored on AWS servers. The application code is hosted on AWS servers. Data may also be processed for:

  • Internal statistical purposes and improving the user experience, in aggregated and non-identifiable form;
  • Preventing misuse and ensuring application security.

3.2 Legal Bases

  • Explicit consent: Article 6(1)(a) GDPR, i.e., the data subject has given consent to the processing of personal data (e.g., via authentication/consent flows).
  • Contractual obligations: Article 6(1)(b) GDPR, processing necessary for the performance of a contract to which the data subject is party and/or for pre-contractual measures at the data subject’s request.
  • Administrative/accounting purposes: Article 6(1)(b) GDPR, as above.
  • Legal obligations: Article 6(1)(c) GDPR, processing necessary for compliance with a legal obligation to which the Controller is subject.
  • Legitimate interest of the Controller: Article 6(1)(f) GDPR, for cybersecurity activities, service improvement, and operational management of the application, while respecting the data subject’s fundamental rights and freedoms.

Providing personal data for the above purposes is optional but necessary; failure to provide such data will make it impossible for the data subject to use the Application or access/purchase the simulator.

Personal data necessary to achieve the purposes described in this Section 3 are marked with an asterisk as mandatory in the request form.

  1. Collection of Personal Data

We collect the following personal data:

  • First name
  • Last name
  • Email address

This data is collected when an account is created either via Single Sign-On (SSO), if such a feature has been activated, or at the moment of registration.

In addition to the above, the following may be collected automatically during use of the Application:

  • Application logs and usage data (access times, session duration, features used)
  • Quiz and exercise performance data (answers provided, scores achieved, identified areas for improvement)
  • Technical data necessary for the Application to function (session identifiers, configuration preferences)
  • Any strictly necessary technical cookies for service operation

All such data are processed solely for the purposes indicated in this policy and in accordance with the principles of minimization and proportionality.

We do not collect other personal data or special categories of data, unless otherwise specified in the future; in such cases this policy shall be amended.

If additional data are collected in the future (e.g., study preferences or quiz history), a specific supplementary notice will be provided and, if necessary, new consent will be requested.

  1. Interaction with Artificial Intelligence (AI)

The Application uses AI components to analyze quiz answers, monitor your progress, and provide personalized study suggestions.

These processes occur automatically but do not produce legal effects nor decisions that significantly affect you.

AI-generated results and feedback are for informational and learning-support purposes only.

The Controller ensures transparency regarding the algorithms used, the right to human intervention, and the possibility for the user to contest or request clarifications about automated processing.

  1. Data Sharing and Transfers

6.1 Third-Party Services

Amazon Web Services (AWS): AWS servers are used to host the application code. AWS stores the code and manages data storage.

We do not share personal data with other third parties except as provided by law (e.g., competent authorities).

Employees and/or collaborators of the Controller tasked with managing the Project may become aware of personal data. Such persons, instructed pursuant to Article 29 GDPR, will process the data solely for the purposes indicated in this policy and in compliance with applicable law.

6.2 International Data Transfers

Personal data may be transferred to countries outside the European Union (e.g., AWS servers located outside the EU). In such cases, appropriate safeguards are adopted (European Commission Standard Contractual Clauses) or other instruments recognized by the GDPR, particularly in accordance with Articles 45 (transfers based on an adequacy decision, such as the UK or the U.S. Data Privacy Framework) and 46 (transfers subject to appropriate safeguards) GDPR.

  1. Data Retention

Personal data are retained for different periods depending on the specific purpose:

  • Account data (first name, last name, email): retained for the duration of the active account and for 30 days after expiry, unless renewed.
  • Usage and performance data: retained for the duration of the account and deleted immediately upon closure, unless the user requests retention for learning continuity.
  • Technical log data: retained for up to 12 months for cybersecurity and service improvement.
  • Aggregated and anonymous statistical data: may be retained indefinitely as they are no longer attributable to the data subject.

In all cases, data are promptly deleted upon the data subject’s erasure request, consistent with any legal obligations.

The Controller applies documented data-retention procedures to ensure data are not kept longer than necessary for the stated purposes.

  1. Data Subject Rights

In accordance with Articles 15 et seq. GDPR and applicable national provisions, you have the following rights:

  1. Right of access;
  2. Right to erasure;
  3. Right to restriction of processing;
  4. Right to data portability;
  5. Right to object to processing, including processing based on legitimate interests;
  6. Right to withdraw consent at any time;
  7. Right not to be subject to a decision based solely on automated processing, including profiling, where applicable (Art. 22 GDPR);
  8. Right to lodge a complaint with a supervisory authority (ex.: in Italy: Garante per la protezione dei dati personali; in Austria: Österreichische Datenschutzbehörde) within the prescribed time limit.

How to exercise your rights:

You may:

  • Send a written request to the Controller’s email address indicated in this policy;
  • Use the dedicated section within the Application (when available);

The request must include:

  • Full identification details of the requester;
  • A copy of a valid identity document;
  • Specification of the right being exercised;
  • Any indication of a reply address different from the sender’s.

The Controller will respond within 30 days of receipt of the request, except in cases of particular complexity where the deadline may be extended by an additional 60 days with a reasoned notice to the data subject.

Once deleted, data cannot be recovered and a new registration will be required to use the service.

In the case of data correction, a new registration is required.

To exercise your rights, you may contact us at the email address indicated under “Data Controller.”

Data may be provided in a structured, commonly used, machine-readable format (Art. 20 GDPR).

  1. Data Security

We adopt appropriate technical and organizational measures to ensure the security of your personal data, including:

  • Encryption of data in transit and at rest;
  • Access to personal data limited to authorized personnel only;
  • Regular system monitoring to detect and prevent unauthorized access;
  • Backups and disaster-recovery procedures.

In the event of a personal data breach that may pose a high risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority and, where required, the data subject without undue delay (Articles 33 and 34 GDPR).

  1. Profiling, Automation, and Artificial Intelligence

As noted in Section 5, the Application performs AI-based automated analysis of user progress. Where profiling or automation could produce significant effects, we ensure:

  • Transparency: information to the data subject on the existence of profiling, the logic involved, and the envisaged consequences;
  • Rights: the right to human intervention, to express one’s point of view, and to contest decisions (Art. 22 GDPR).

Where no decisions with legal or similarly significant effects are foreseen, we specify that the analysis is purely indicative and not binding.

Should more advanced profiling be implemented in the future, a specific notice will be provided describing the logic used, relevance, and consequences for the data subject, as well as how to exercise the right to object.

The Application uses AI algorithms to:

  • Analyze quiz answers and identify areas for improvement;
  • Generate personalized feedback based on individual performance;
  • Suggest optimized study paths based on results;
  • Monitor progress over time and provide learning statistics.

Logic used: The algorithms analyze response patterns, completion times, and answer accuracy to identify strengths and weaknesses in learning. The system uses AI models trained on anonymized performance datasets in the PMP® domain.

Transparency and control: The user may at any time:

  • Request explanations of automated feedback received;
  • Contest assessments deemed inaccurate;
  • Request human review of results;
  • Disable all automated analysis features.

No automated decision produces legal effects nor significantly affects the data subject; the system is for learning support only.

  1. Data Protection Impact Assessment (DPIA)

Pursuant to Article 35 GDPR, a Data Protection Impact Assessment (DPIA) was carried out to evaluate risks arising from the use of AI technologies for automated processing of user data. The assessment identified limited risks given the educational nature of the service and the absence of automated decisions with significant legal effects. Appropriate technical and organizational measures have been implemented to mitigate identified risks, including encryption, access controls, and regular audit procedures.

  1. Changes to this Policy

We reserve the right to update this Privacy Policy to reflect legislative or operational changes. Changes will be published on this page. Updates will be posted in the Application or related website, indicating the date of the latest update. We encourage you to review the policy periodically. If changes involve new processing or a material change, we will seek your consent where required.

  1. Contact

For questions or requests regarding the protection of personal data, contact us at this email: support@pmr2.at