Effective date: 23 April 2026

1. Who We Are

Molo Academy VOF (“Molo Academy,” “we,” “us,” or “our”) provides AI-powered online business education.

Registered in the Netherlands (KvK 97991295)

Address: Wim Sonneveldlaan 31, 3584 ZN Utrecht, the Netherlands

Email: [email protected]

We are the data controller for the personal data described in this Privacy Policy.

2. What This Policy Covers

This Privacy Policy explains:

• what personal data we collect;

• how and why we use it;

• your rights under the General Data Protection Regulation (GDPR) and related laws; and

• how you can contact us or exercise your rights.

3. What Data We Collect

We collect and process the following categories of personal data:

Account & Identity Data

• Examples: name, email address, password, company affiliation

• Purpose: create and manage your account

Course & Progress Data

• Examples: enrolments, quiz results, completion status, certificates

• Purpose: deliver and track learning progress

Payment Data

• Examples: billing name, address, VAT number, partial card data (handled via Stripe)

• Purpose: process purchases and comply with tax law

Communications Data

• Examples: messages to support, feedback forms

• Purpose: provide customer support

Marketing Preferences

• Examples: newsletter opt-ins and unsubscribes

• Purpose: send updates if you consent

Device & Usage Data

• Examples: IP address, browser type, time zone, interactions with pages, cookies

• Purpose: security, analytics and performance

We do not intentionally collect special categories of data (e.g. health, religion, political opinions).

4. How We Obtain Data

• Directly from you when you register, purchase or use our platform.

• Automatically through cookies, analytics scripts and server logs.

• From third-party processors (e.g. payment platforms) where necessary to provide the Services.

5. Why We Use Your Data (Legal Bases)

Purpose — Legal Basis (GDPR Art. 6)

Providing and managing your account, delivering courses — Contract performance

Processing payments and invoicing — Contract performance / legal obligation

Communicating with you about courses or support — Contract performance / legitimate interests

Sending optional marketing emails — Consent

Security, fraud prevention, site analytics — Legitimate interests

Record-keeping, accounting, tax — Legal obligation

Product improvement and service development — Legitimate interests

You can withdraw consent or object to processing at any time (see section 10).

6. Cookies and Tracking

Our website uses cookies and similar technologies.

We distinguish between:

Strictly necessary cookies, which are required for the functioning of the website and do not require consent; and

Non-essential cookies (such as analytics and marketing cookies), which are only placed with your consent.

When you first visit our website, you are presented with a cookie banner that allows you to accept or reject non-essential cookies.

7. Sharing and Transfers

We share personal data only when necessary to operate our Services:

Service providers acting as data processors on our behalf, under contractual data processing agreements (for example, hosting providers and payment processors)

Payment processor: Stripe (to handle secure payments)

Legal or compliance: where required by law or to protect our rights

We do not currently share data with any AI-tutor or similar provider.

If, in future, we introduce such functionality, we will update this Privacy Policy accordingly.

Some of our service providers may process data outside the European Economic Area (EEA).

Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or reliance on adequacy decisions where applicable.

We do not sell personal data.

8. Retention

We retain personal data only as long as necessary for the purposes described:

• account data: while your account is active and up to 3 years after closure;

• transaction data: 7 years (to comply with Dutch tax law);

• marketing data: until you unsubscribe;

• server logs and analytics data: typically up to 12 months.

After this period, data is deleted or anonymized where possible.

9. Security

We use industry-standard technical and organisational measures to protect personal data against unauthorised access, loss, or alteration.

Access is limited to authorised staff under confidentiality obligations.

10. Your Rights

Under the GDPR, you have the right to:

• access and receive a copy of your personal data;

• request correction of inaccurate data;

• request deletion of your data;

• restrict or object to processing;

• withdraw consent at any time;

• request data portability (receive your data in machine-readable form).

To exercise any of these rights, contact us at [email protected].

You also have the right to lodge a complaint with your local data protection authority, such as the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).

11. Children

Our Services are intended for users aged 16 and above (or the applicable digital-consent age in their country).

We do not knowingly collect data from children below that age.

12. Changes to This Policy

We may update this Privacy Policy from time to time.

Material changes will be communicated via email or in-platform notice.

The date at the top indicates the latest version.

13. Contact

Questions or requests concerning privacy can be sent to:

• [email protected]