Privacy Policy
Effective Date: January 15, 2026
At Tosmotex, we believe your personal information deserves real protection. This policy explains what we collect, why we need it, and how we keep it safe. We're based in Barcelona and operate under Spanish and EU data protection laws — which means you have strong rights, and we take them seriously.
Who We Are
Tosmotex operates educational programs focused on AR and VR game development. Our headquarters is at Carrer del Pi, 12, 08002 Barcelona, Spain. When you interact with our website or sign up for our courses, we become the data controller for your personal information.
You can reach our data protection team at info@tosmotex.com or by calling +34965443550. If something doesn't feel right about how we handle your data, we want to hear about it.
What Information We Collect
We only gather what we actually need to run our programs and communicate with you. Here's what that looks like in practice:
| Information Type | What We Collect | Why We Need It |
|---|---|---|
| Contact Details | Name, email address, phone number, mailing address | Course enrollment, communication, certification delivery |
| Account Information | Username, password (encrypted), profile preferences | Access to learning platform and progress tracking |
| Educational Records | Course progress, assignment submissions, grades, certificates | Program completion tracking and credential issuance |
| Payment Data | Billing address, transaction records (card details processed by secure payment provider) | Course fee processing and financial record keeping |
| Technical Data | IP address, browser type, device information, session logs | Platform security, troubleshooting, usage analytics |
We never sell your information to third parties. Period. That business model doesn't interest us, and it shouldn't interest anyone who values their students.
How We Use Your Information
Every piece of data we collect serves a specific purpose. We're not fans of collecting things "just in case" — storage and security cost time and money, so we keep things focused.
Primary Uses
- Processing your enrollment and managing your course access
- Tracking your learning progress and issuing certificates when you complete programs
- Sending important updates about schedule changes, technical issues, or program modifications
- Providing technical support when you run into problems with our platform
- Improving our courses based on how students actually use the materials
- Meeting legal obligations under Spanish education and tax regulations
Marketing Communications
Occasionally, we'll send information about new courses or features that might interest you. These are always optional — you can unsubscribe anytime through the link in our emails or by contacting us directly. We won't penalize you for opting out, and your access to purchased courses remains unchanged.
Legal Basis for Processing
Under GDPR and Spanish Law 3/2018, we need a valid legal reason to process your data. Here's what applies to different situations:
Contract Performance: Most of what we do with your data relates to delivering the courses you've enrolled in. When you sign up, we need your information to actually provide the service you're paying for.
Legitimate Interests: Some processing helps us run a better educational platform — like analyzing which course sections students find confusing so we can improve them. We balance this against your privacy rights and only proceed when it makes sense.
Legal Compliance: Spanish law requires us to maintain certain records for tax purposes and educational certification. We keep these for as long as legally required, then securely delete them.
Consent: For marketing emails and optional features, we ask for your explicit permission first. You can withdraw consent anytime without affecting your course access.
Your Rights Under EU and Spanish Law
These aren't just theoretical rights — they're practical tools you can actually use. We've set up straightforward processes to handle each one.
Access Your Data
Request a complete copy of what personal information we hold about you. We'll provide it in a readable format within 30 days.
Correct Inaccuracies
Found something wrong? Let us know and we'll fix it. You can update most information directly through your account settings.
Request Deletion
Ask us to delete your data when we no longer need it. Some records must be retained for legal compliance, but we'll erase everything else.
Restrict Processing
Put a hold on how we use your data while we resolve a concern or verify accuracy. Your account stays active but processing is limited.
Data Portability
Get your data in a machine-readable format to transfer elsewhere. Useful if you're moving to a different learning platform.
Object to Processing
Challenge how we use your data for specific purposes. We'll stop unless we have compelling legitimate grounds that override your interests.
Data Security Measures
Security isn't a checklist item for us — it's built into how we operate. Our approach combines industry-standard technical measures with careful operational practices.
Technical Protections
- SSL/TLS encryption for all data transmitted between your device and our servers
- Encrypted storage for sensitive information, including passwords (using bcrypt with proper salting)
- Regular security audits and vulnerability assessments by external specialists
- Firewalls and intrusion detection systems monitoring our network perimeter
- Automated backup systems with encrypted off-site storage
Operational Security
Technology alone doesn't keep data safe — people and processes matter just as much. Our team follows strict access controls, with staff only able to view information necessary for their specific role. We maintain detailed access logs and conduct quarterly reviews to ensure no one has more permissions than needed.
New team members undergo security training before accessing any student data. We also have an incident response plan ready if something goes wrong — because hoping nothing bad happens isn't a security strategy.
Data Retention and Deletion
We don't keep your information forever. Different types of data have different retention periods based on practical needs and legal requirements.
| Data Category | Retention Period | Reason |
|---|---|---|
| Active Course Records | Duration of course plus 2 years | Support inquiries, certificate reissuance, dispute resolution |
| Financial Records | 7 years from transaction date | Spanish tax law compliance (required by law) |
| Marketing Consent | Until consent withdrawn or 3 years of inactivity | GDPR requires regular reconfirmation |
| Technical Logs | 90 days | Security monitoring and troubleshooting |
| Account Information | 30 days after account closure | Allow for accidental deletion recovery |
When retention periods expire, we don't just delete files from active servers. We follow a secure deletion process that overwrites data multiple times to prevent recovery. Backup copies are purged according to our backup rotation schedule, typically within 90 days of the primary deletion.
Third-Party Services
Running an online learning platform requires working with specialized service providers. We're careful about who we partner with and what access they get.
Current Service Providers
- Payment Processing: We use PCI-DSS compliant payment processors within the EU. They handle credit card information directly — we never see or store your full card numbers.
- Email Services: Course notifications and communications are sent through EU-based email infrastructure with appropriate security controls.
- Cloud Hosting: Our platform runs on servers physically located in EU data centers, selected for their security certifications and GDPR compliance.
- Analytics Tools: We use privacy-focused analytics that don't track individual users across websites or create detailed profiles.
Each provider signs a data processing agreement that limits how they can use your information. They're contractually required to maintain security standards and only process data according to our instructions.
International Data Transfers
We keep student data within the European Union whenever possible. Our servers, backups, and primary service providers are all EU-based, which means your information stays protected under strong European privacy laws.
In rare cases where we need to work with providers outside the EU — for example, specialized software tools — we ensure adequate protections are in place. This means using Standard Contractual Clauses approved by the European Commission or working with companies certified under adequacy frameworks.
If you're accessing our courses from outside the EU, your data will still be processed and stored within EU borders according to these same protections.
Cookies and Tracking
Our website uses a limited set of cookies — small files stored in your browser to remember preferences and maintain your session.
Essential Cookies
These keep you logged in and remember your language preference. They're necessary for the platform to function and don't require consent under EU law.
Analytics Cookies
We use privacy-respecting analytics to understand which course materials work well and which need improvement. These are optional, and we ask for your permission before activating them. They don't track you across other websites or build advertising profiles.
You can control cookie preferences through your browser settings. Disabling essential cookies will affect platform functionality, but you can safely block analytics cookies without losing access to course content.
Children's Privacy
Our courses are designed for adults and learners aged 16 and older. We don't knowingly collect information from younger children. If you're under 16 and interested in our programs, please have a parent or guardian contact us to discuss appropriate arrangements.
If we discover we've inadvertently collected data from someone under 16 without proper parental consent, we'll delete it promptly. Parents who believe their child's information has been collected can contact us at info@tosmotex.com for immediate assistance.
Changes to This Policy
Technology evolves, regulations change, and our practices improve over time. When we update this policy, we'll post the new version here with a revised effective date at the top.
For minor clarifications or additions, we'll simply update the document. If we make significant changes that affect how we handle your data — like adding new processing purposes or changing retention periods — we'll notify active students by email at least 30 days before the changes take effect.
We keep an archive of previous policy versions. If you want to see what's changed over time, just ask and we'll share the comparison.
Your Rights Authority
We hope to resolve any privacy concerns directly with you. But if you're not satisfied with our response or want to file a formal complaint, you have the right to contact the Spanish Data Protection Authority (Agencia Española de Protección de Datos).
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
This right exists regardless of whether you've contacted us first, though we'd appreciate the chance to address your concerns before escalation.
Questions About Your Privacy?
If anything in this policy isn't clear, or if you want to exercise any of your rights, reach out to us directly.