Privacy policy
Last updated: 6 May 2026
This privacy statement applies to the use of:
- The website https://medu.game
- The web version of the learning platform: https://play.medu.game
- The learning management system (LMS): https://learn.medu.game
- The Medu.game apps (iOS and Android)
1. Who are we?
Medu.game is a learning platform operated by:
Medu.game B.V.
Trompweg 35
7441 HP Nijverdal
The Netherlands
Chamber of Commerce number: 57052875
Email: privacy@medu.game
Website: https://medu.game
Medu.game B.V. is the data controller for the processing of personal data as described in this privacy statement.
2. Who does this privacy statement apply to?
This privacy statement applies to:
- Visitors to https://medu.game
- Users of the Medu.game learning platform via https://play.medu.game and the Medu.game apps (iOS and Android)
- Users of the LMS environment via https://learn.medu.game
- Recipients of our newsletters and service emails
We work together with various educational institutions, companies and organizations. We do not store patient medical data.
3. What personal data do we process?
Depending on how you use our services, we process the following personal data, among others:
3.1 Medu.game account data
- Email address
- Hashed password
- Username or alias
- Internal user ID
- Settings and preferences within the platform
3.2 Game and learning data (Medu.game)
- Which scenarios/levels you play
- Scores, progress and achieved results (for example badges)
- Dates and times when you start or complete scenarios
- Choices you make within scenarios (for learning purposes, not as medical records)
3.3 LMS data (learn.medu.game)
- Name
- Email address
- Login credentials
- Course registrations
- Progress and results in modules and tests
3.4 Technical data
- IP address
- Information about device, operating system and browser
- Log data (for example error messages)
- Crash reports
3.5 Newsletter and marketing
- Name (optional)
- Email address
- Your preferences (for example which mailings you want to receive)
- Information about whether an email has been opened and whether links have been clicked
We do not process special personal data such as medical diagnoses, religion, race or BSN, unless this would happen expressly and with separate information and consent. That is not currently the case.
4. What do we use your data for?
We only process personal data for clear and justified purposes.
4.1 Creating and managing your account
- Register as a user
- Allow you to log in to the platform (app, web and LMS)
- Save your settings and preferences
Legal basis: performance of the contract.
4.2 Performing virtual learning scenarios and displaying progress
- Offer scenarios and training modules
- Record progress and learning results
- (If agreed with your educational institution or employer) report progress and results to teachers or supervisors
Legal basis: performance of the contract.
4.3 Transactional service emails
- Activation emails and confirmations
- Password reset emails
- Notifications that you have completed a scenario or module
- Important service messages about your account or the platform
These are service emails necessary for platform use. You cannot unsubscribe separately, except by terminating your account.
Legal basis: performance of the contract and legitimate interest.
4.4 Newsletter and marketing
- Send news, updates, tips and relevant information about Medu.game
- Sometimes an invitation for surveys or customer satisfaction research
We only do this if you have explicitly consented or where permitted within an existing business relationship. Each email contains an unsubscribe link.
Legal basis: consent and where permitted, legitimate interest.
4.5 Analytics and product improvement
- Gain insight into how often and in what way scenarios and modules are used
- Improve content, user experience and technical operation of our services
- Prepare aggregated reports for clients (such as educational institutions and organizations) without unnecessary traceable data
We use Microsoft Power BI, Azure, PlayFab and Unity services. Where possible, we work with aggregated or pseudonymous data.
Legal basis: legitimate interest (product improvement and service delivery).
4.6 Security, logging and troubleshooting
- Prevent misuse and unauthorized access
- Detect and resolve technical issues
- Secure our systems and data
Legal basis: legitimate interest (security and reliability).
4.7 Financial administration and legal obligations
- Billing and accounting
- Comply with tax and other legal obligations
Legal basis: legal obligation and legitimate interest.
5. Who do we share personal data with?
We only share your personal data with third parties if necessary for our service delivery or if we are legally required to do so. We conclude a data processing agreement with parties processing personal data on our behalf.
Important processors include:
- Microsoft Azure – platform hosting, databases, storage and function apps
- Microsoft PlayFab – game backend and player and progress data storage
- Unity services – analytics and crash reporting for the game
- Hostinger – LMS environment hosting (learn.medu.game)
- MailerSend – transactional service email delivery (e.g., scenario completed, password reset)
- MailerLite – newsletter and marketing email delivery
- Microsoft Power BI – analytics and reporting
We may also share personal data with:
- Our accountant or auditor
- Government agencies such as the Tax Authority, when legally required
We do not sell your personal data to third parties.
6. How long do we keep your data?
We do not retain personal data longer than necessary for the purposes for which it was collected, unless we are legally required to retain data longer.
Indicative retention periods:
- Accounts and game progress (Medu.game): while the account is active and up to 3 years after last activity. Data is then deleted or anonymized unless otherwise agreed with a customer organization.
- LMS accounts and course data: during the course/assignment period and 3 years thereafter, unless different agreements have been made with the customer (for example for accreditation or certification purposes).
- Newsletter and marketing data: until you unsubscribe or withdraw consent, plus 3 years for proof of consent.
- Transactional email logs (MailerSend): 1 year, unless longer needed for troubleshooting or legal evidence.
- Log files and technical data: 1 year, unless longer needed due to security incidents or ongoing investigation.
- Financial administration: minimum 7 years due to tax retention obligation.
Exact retention periods may vary by data type and customer agreement. Where possible, we anonymize data when it is no longer needed at an individual level.
7. Transfer of data outside the European Economic Area (EEA)
We design our systems so that personal data is processed within the EEA as much as possible, particularly in European Azure data centers (such as West Europe).
Some processors may process personal data (partly) outside the EEA, for example in the United States. This may apply to certain services from Microsoft, Unity, MailerSend and MailerLite.
In those cases, we ensure appropriate safeguards are in place, such as:
- An adequacy decision by the European Commission (e.g., EU–US Data Privacy Framework); and/or
- Standard Contractual Clauses (SCCs) approved by the European Commission.
For more information, consult the privacy statements of these service providers.
8. How do we secure your data?
We take appropriate technical and organizational measures to protect your personal data against loss or misuse. These include:
- Encrypted connections (TLS/HTTPS)
- Secure password storage (hashing)
- Role-based access and "least privilege" for employees
- Use of multi-factor authentication (MFA) for admin accounts where possible
- Regular security updates of systems and software
- Backups and monitoring of our systems
- Internal procedures for handling data breaches and security incidents
No system can guarantee complete security, but we do everything to protect your data as well as possible.
9. Cookies and tracking
We use different domains for different purposes. Cookie usage varies per domain:
9.1 play.medu.game (learning platform)
On our main platform where you play 3D games and scenarios, we use no cookies.
For platform operation, we do use:
- Local storage for login and session management
- Local storage for preference settings
- Local storage for saving progress during a session
This technical storage is essential for our services to function and falls under "strictly necessary" data storage.
9.2 medu.game (information website)
Our information website (medu.game) is a static website and uses no cookies. The Dutch and English versions are separate pages; there is no visitor tracking or analytics.
9.3 learn.medu.game (LMS environment)
Our Moodle learning environment uses standard Moodle cookies for:
- Session management (login)
- Preference settings
- Course progress
These cookies are necessary for Moodle operation.
9.4 Analytics
We use no Google Analytics or similar external tracking services on play.medu.game.
For internal analytics we use:
- Microsoft Power BI (data remains within our Azure environment)
- PlayFab analytics (for game performance and error reporting)
- Unity Analytics (for app stability and error reporting)
These tools collect no personal data for marketing purposes.
10. Your rights
Under privacy legislation (GDPR), you have various rights:
- Right of access – you may ask what personal data we process about you.
- Right to rectification – you may have inaccurate or incomplete data corrected.
- Right to erasure – in certain cases you may request your data be deleted ("right to be forgotten").
- Right to restrict processing – you may in some cases request (temporary) restriction of data use.
- Right to data portability – you may request your data in a structured, common and machine-readable format for transfer to another provider.
- Right to object – you may object to certain processing, for example direct marketing or processing based on legitimate interest.
- Right to withdraw consent – if we process your data based on your consent, you may always withdraw that consent. This has no retroactive effect.
Exercising your rights
You can exercise your rights by contacting us at: privacy@medu.game.
We will generally handle your request within one month. If a request is complex, we may extend this period by a maximum of two months; in that case we will inform you.
If you disagree with how we handle your personal data, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
11. Changes to this privacy statement
We may update this privacy statement, for example if our services change or legislation changes. The most current version is always available at: https://medu.game.
For important changes, we will inform you where possible, for example via the platform, app or email.
12. Contact
For questions about this privacy statement or your personal data:
Email: privacy@medu.game
Postal address:
Medu.game B.V.
Trompweg 35
7441 HP Nijverdal
The Netherlands
This privacy statement is drawn up in accordance with the General Data Protection Regulation (GDPR).