Under the GDPR, the controller is the chunkx entity that determines the purposes and means of the respective processing activity:
a) Website / Marketing / Communications / Recruiting: The controller is Chunkx B.V. (including, among other things, the operator of the website(s), including about.chunkx.io, and the controller for the provision of registration/login, insofar as chunkx acts as controller in this context).
b) Contract initiation, contract performance, billing (B2B): The controller is the chunkx entity named as the contractual party in the respective offer/order form/contract (Chunkx B.V. or Chunkx GmbH).
c) Use of the chunkx platform within a company account (e.g., via an employer/customer): In this case, the customer/employer is the controller. chunkx processes personal data as a processor solely on the customer’s instructions and in accordance with the data processing agreement (DPA) concluded between the customer and chunkx.
These notices explain which data we process in which roles and how you can exercise your rights.
The chunkx platform is provided for company accounts; content and configurations are the responsibility of the respective company account.
a) Use within a company account (standard case):
If you use chunkx via a company account (e.g., through your employer or an organization), the respective organization is the controller for the processing of personal data in connection with the use of the platform. chunkx processes personal data as a processor on behalf of that organization and solely in accordance with its instructions and pursuant to the data processing agreement (DPA) concluded between the organization and chunkx.
Where users are invited by the respective company account, contact details (e.g., name/email address) may be provided to chunkx by the controller (customer/employer). In this case, the controller is responsible for informing the data subjects pursuant to Art. 14 GDPR.
b) Registration / login on app.chunkx.io (technical onboarding):
For the provision of the registration and login process (e.g., email verification, security, abuse prevention, assignment/redirecting to the selected company account), chunkx processes certain data as a controller to the extent necessary for these purposes. Once you select a company account or join a company account, further processing within the platform generally takes place as a processor for the respective company account.
During this phase, chunkx does not process any learning or reporting data, but only the data required for registration/login and account assignment.
c) Selection of a company account:
After confirming your email address, you can—if available—choose from a list of publicly visible company accounts. For company accounts that are not publicly visible, an invitation or a company-specific registration page is required. The respective company account (controller) decides which company accounts are publicly visible and which registration pathways users may use to join. chunkx implements this configuration technically.
d) Website / Marketing / Communications:
For processing activities in connection with the use of our website(s), demo/contact requests, or other communications, the provisions in Section 3.B (Processing as Controller) and Sections 8/9 (Cookies), as applicable, apply.
In connection with providing the platform, chunkx processes personal data either as a controller or as a processor, depending on the specific context.
Where chunkx processes personal data as a controller, this is based on Art. 6(1) GDPR, in particular:
Consent (Art. 6(1)(a) GDPR),
Performance of a contract / steps prior to entering into a contract (Art. 6(1)(b) GDPR),
Compliance with a legal obligation (Art. 6(1)(c) GDPR),
Legitimate interests (Art. 6(1)(f) GDPR).
Our legitimate interests include, in particular: operating and securing the platform, preventing abuse, error analysis, improving the user experience, internal administration, and the assertion/defence of legal claims.
Important: Where chunkx processes personal data as a processor within a company account, the respective company account (customer/employer), as the controller, determines the legal basis. In that case, chunkx processes the data solely on the customer’s documented instructions and in accordance with the DPA concluded between the customer and chunkx.
chunkx processes certain personal data as a controller to the extent necessary to provide the registration and login process and to operate the website:
1) Registration, Email Verification and Login (app.chunkx.io)
Categories of data: email address; login credentials (e.g., password in hashed form or SSO identifiers, where used); verification status; technical log/security data (e.g., IP address, timestamps, device/browser information, event logs); where applicable, selection/assignment to the (publicly visible) company account.
Purposes: account creation and authentication, email confirmation, technical provision of access, security/abuse prevention, and assignment/redirecting to the selected company account.
Legal basis: Art. 6(1)(b) GDPR (provision of access / steps prior to entering into a contract) and Art. 6(1)(f) GDPR (security, abuse prevention).
Providing the email address and the data required for authentication is necessary to create a user account and provide access. Without this data, registration and use of app.chunkx.io are not possible.
2) Website Use (about.chunkx.io, etc.)
Categories of data: (temporary) IP address, referrer URL, browser type/version, operating system, access time, device type, and other technical data generated when the website is accessed; cookies/similar technologies in accordance with our Cookie Policy.
Purposes: technical provision, IT security, error analysis, and improving the usability/optimisation of the website.
Legal basis: Art. 6(1)(f) GDPR (operation, security, optimisation) and—where required—consent (Art. 6(1)(a) GDPR) for non-essential cookies/tracking.
3) Contact Requests / Support Outside of a Company Account
Categories of data: contact and communication data (e.g., name, email address, content of the request), and communication metadata.
Purposes: handling inquiries, providing support, and documentation for quality assurance.
Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract/contract performance) or Art. 6(1)(f) GDPR (efficient handling/quality assurance).
Providing the data marked as mandatory fields is required in order to process your request; without this data, we may not be able to process your request, or may only be able to do so to a limited extent.
4) Marketing/Newsletter (if used)
Categories of data: contact/profile data (e.g., email address, if applicable name), opt-in/double opt-in records, usage data (e.g., opens/clicks), where applicable.
Purposes: sending information/updates and marketing communications.
Legal basis: generally consent (Art. 6(1)(a) GDPR); you may unsubscribe at any time.
5) Applications (Recruitment)
Categories of data: application and contact data, CV/resume, certificates/references, and communications.
Purposes: conducting the application process, review, and decision-making.
Legal basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract) and/or Art. 6(1)(f) GDPR; where applicable, consent if required.
Once you join a company account (e.g., via an invitation, a company-specific registration page, or by selecting a publicly visible account), chunkx processes personal data as a processor on behalf of the respective company account (controller).
1) User account and profile within the company account
Typical categories of data: name, email address, user ID, roles/permissions, and, where configured by the customer, profile details (e.g., department, location, job title).
Purposes: user administration, authentication within the account, role/permission management, and provision of the platform functionalities.
2) Learning and usage data
Typical categories of data: interactions with learning content, progress, results/responses, timestamps, activity data, and, where applicable, certificates/reports.
Purposes: delivering and documenting learning processes, and generating reports/certificates in accordance with the controller’s configuration.
3) Customer content (e.g., documents/materials) & AI-powered features
Typical categories of data: content uploaded to the platform by the customer (e.g., documents, learning materials, instructions); where applicable, personal data contained therein.
Purposes: providing the agreed services (e.g., content creation/optimisation, tagging, search/RAG functionalities), in each case on the controller’s instructions.
Note: The controller determines whether, and which, content contains personal data. chunkx processes such content solely within the scope of the engagement.
4) Operations, security, and error analysis (on behalf of the controller)
Typical categories of data: technical usage/log data, device/app information, crash/error data, security events.
Purposes: operating the platform, troubleshooting, maintenance, IT security, and abuse/fraud prevention—each to the extent necessary to provide the services and as commissioned by the controller.
Legal basis: The legal basis is determined by the respective company account as the controller. chunkx processes personal data as a processor pursuant to Art. 28 GDPR and in accordance with the DPA.
Automated decision-making: In the context of providing registration/login, we do not make decisions based solely on automated processing within the meaning of Art. 22 GDPR. To the extent that AI-powered personalisation or evaluations are used within company accounts, this is done under the responsibility of the respective company account (controller) and according to its configuration.
chunkx stores personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations. The specific retention periods depend on whether chunkx acts as a controller or as a processor.
1) Registration/Login (app.chunkx.io) – technical onboarding
We store data for registration and authentication (e.g., email address, login credentials in hashed form, verification status) for as long as a user account exists and/or until deletion is requested, or until the account is deactivated for security/abuse reasons and subsequently deleted.
We generally store technical log/security data (e.g., IP address, timestamps, event logs) only for as long as necessary to ensure security, prevent abuse, and perform error analysis.
2) Website logs
Server logs and comparable technical data are generally stored only for a limited period and then deleted or anonymised, unless longer storage is necessary to prevent or investigate security incidents.
3) Contact requests / pre-contractual communications
We store data from contact requests for as long as necessary to handle the request and any follow-up communication. Thereafter, we delete the data unless statutory retention obligations apply or longer storage is necessary for the assertion, exercise, or defence of legal claims.
4) Applications
As a rule, we delete application documents and communication data after the recruitment process has been completed, unless consent has been given for longer retention (e.g., a talent pool) or longer retention is necessary to defend against legal claims.
5) Statutory retention obligations
Where data is subject to commercial or tax law retention obligations (e.g., business correspondence, invoices), we store such data for the statutory retention periods and delete it thereafter.
Where chunkx processes personal data as a processor on behalf of a company account, the respective customer/employer, as the controller, determines the retention period and deletion. In such cases, chunkx deletes or returns personal data in accordance with the controller’s documented instructions and the provisions agreed in the DPA, or deletes it upon termination of the services, unless statutory obligations prevent deletion.
In individual cases, deletion may be restricted to the extent that further processing is necessary to comply with legal obligations or for the assertion, exercise, or defence of legal claims.
chunkx discloses personal data only where this is necessary to provide the services, where there is a legal obligation, or where another applicable legal basis exists. Which recipients may receive personal data depends on whether chunkx acts as a controller or as a processor.
Where chunkx processes personal data as a controller, the following categories of recipients may in particular have access to such data:
1) IT/hosting and infrastructure service providers
for the provision, maintenance, and safeguarding of the website, registration/login, and internal systems.
2) Communication and support service providers
for handling inquiries and support cases outside of a company account.
3) Sales and CRM service providers (if used)
for handling demo/contact requests and maintaining business relationships.
4) Payment and financial service providers / banks / tax advisors (where applicable)
for processing payments, accounting, and fulfilling statutory obligations.
5) Public authorities / courts / legal advisors
where we are legally required to do so or where this is necessary for the assertion, exercise, or defence of legal claims.
Where recipients process personal data on our behalf, we engage them as processors pursuant to Art. 28 GDPR and contractually oblige them accordingly.
Where chunkx processes personal data as a processor on behalf of a company account, the respective customer/employer is the controller and decides on recipients and access permissions within the scope of the platform configuration.
1) Company account controller (customer/employer)
The customer/employer and any administrators and users authorised by it may access, within the platform, the data processed in the respective company account, in accordance with the roles and permissions configured by the customer.
2) Sub-processors
To provide the services, chunkx may engage sub-processors (e.g., for hosting/infrastructure, monitoring/security, support/communications, and, where applicable, providers of AI functionalities). The engagement of sub-processors is governed by the DPA; in particular, sub-processors are contractually bound and may process personal data only in accordance with the instructions and contractual requirements.
3) Public authorities / courts / legal advisors
Where chunkx is required in an individual case to disclose data (e.g., due to official orders), this will be done in compliance with applicable legal requirements. Where legally permissible, we will inform the controller (customer) about such requests.
chunkx does not sell personal data and does not disclose personal data to third parties for its own advertising purposes.
Personal data is generally processed within the European Union (EU) or the European Economic Area (EEA). Where we use service providers, processing in, or access from, so-called third countries (countries outside the EU/EEA) may occur in individual cases.
Which transfer mechanisms we apply depends on whether chunkx acts as a controller or as a processor.
Where chunkx processes personal data as a controller and engages recipients in third countries, or where access from third countries cannot be ruled out, a transfer will take place only if one of the following requirements is met:
an adequacy decision of the European Commission (Art. 45 GDPR), or
appropriate safeguards (Art. 46 GDPR), in particular the conclusion of the EU Standard Contractual Clauses (SCCs), where applicable supplemented by additional measures, or
derogations under Art. 49 GDPR, where applicable in the individual case.
Upon request, we will provide you—where legally permissible—with further information about the safeguards applied in the individual case.
Where chunkx processes personal data as a processor on behalf of a company account, any transfers to third countries and the engagement of recipients/sub-processors are governed by the data processing agreement (DPA) and the documented instructions of the respective controller (customer/employer). chunkx engages sub-processors only within the framework of the DPA and ensures that appropriate safeguards (e.g., SCCs and, where applicable, additional measures) are in place for any third-country transfers.
Transfers to third countries do not take place on the basis of “consent by use”, but solely on the basis of the applicable transfer mechanisms under the GDPR.
chunkx implements appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, unauthorised disclosure, alteration, or destruction. These measures are based on Art. 32 GDPR and take into account, in particular, the state of the art, implementation costs, the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks to the rights and freedoms of natural persons.
Which measures apply in detail depends on whether chunkx acts as a controller or as a processor.
Where chunkx processes personal data as a controller (in particular in connection with the website and registration/login), we implement, among other things, measures that typically cover the following areas:
Access controls and authorisation concepts (need-to-know/least privilege),
Authentication and account security (e.g., protection of credentials, secure password handling),
Encryption in transit and, where applicable, encryption at rest in line with the state of the art,
Logging/monitoring to detect disruptions and security events,
Security and patch management as well as protection against typical attacks,
Backup, recovery, and availability concepts, where required.
Where chunkx processes personal data as a processor on behalf of a company account, the security measures agreed between the customer/employer (controller) and chunkx pursuant to Art. 32 GDPR apply, as set out in the data processing agreement (DPA) and the technical and organisational measures (TOMs) referenced therein.
chunkx ensures in particular that:
persons who process personal data are bound by confidentiality obligations,
appropriate access and authorisation concepts are implemented,
measures are in place to ensure the integrity, availability, and resilience of systems,
processes are in place to restore availability and access to data after incidents, and
a process exists for the regular review, assessment, and evaluation of the effectiveness of the measures, as appropriate.
In the event of security incidents, chunkx has processes in place to investigate, contain, and remediate them.
Where chunkx acts as a processor, chunkx supports the controller within the framework of the DPA in fulfilling any notification and communication obligations pursuant to Arts. 33 and 34 GDPR.
We use cookies and similar technologies (e.g., local storage, pixels, SDKs) on our websites and web apps (e.g., about.chunkx.io and app.chunkx.io) to technically provide and protect our services and—where you consent—to analyse and improve them.
What are cookies?
Cookies are small text files that are stored on your device and can recognise our services for a certain period of time (e.g., session status, language settings).
We use strictly necessary cookies and comparable technologies to the extent that they are essential to provide a function you have expressly requested (e.g., login/session management, security features, load balancing). Under German law, consent is generally not required for such technologies where they are strictly necessary to provide the service.
Any processing of personal data that may occur in this context (e.g., IP address, technical identifiers) is based on our legitimate interests in operating a secure and functional service (Art. 6(1)(f) GDPR) or—where necessary—for taking steps prior to entering into a contract/performance of a contract (Art. 6(1)(b) GDPR).
We use optional cookies (e.g., analytics/statistics or marketing/tracking technologies) only after you have given your consent via our consent/cookie banner. The legal bases are your consent pursuant to Art. 6(1)(a) GDPR and your consent to the storage of, or access to, information on your device under German cookie law (TDDDG).
You can withdraw or change your consent at any time with effect for the future via the cookie settings.
Depending on the features used, cookies/similar technologies may also be set by third-party providers (e.g., embedded content). Information on categories, providers, storage periods, and the respective purposes can be found in our Cookie Policy and in the cookie settings.
To the extent that transfers to third countries may occur in connection with third-party providers, the provisions in the section “Transfers to Third Countries” apply.
For cookies and similar technologies that are required for the technical provision of the website/registration/login, chunkx acts as a controller to the extent necessary for that purpose.
Where cookies/similar technologies are used in the context of usage within a company account and usage/learning data is processed in this context, further processing generally takes place as a processor for the respective company account (customer/employer) in accordance with the DPA.
Details on the cookies/similar technologies used (categories, purposes, providers, storage periods) as well as the option to give, refuse, or withdraw your consent can be found in our Cookie Policy and in the cookie settings (consent banner/consent manager). The cookie settings are available at any time via a corresponding link on our website.
In addition, you can delete or block cookies via your browser settings. Please note that this may restrict functions of the website or web app.
As a data subject, you generally have the following rights under the GDPR, provided that the respective legal requirements are met:
Right of access (Art. 15 GDPR),
Right to rectification (Art. 16 GDPR),
Right to erasure (Art. 17 GDPR),
Right to restriction of processing (Art. 18 GDPR),
Right to data portability (Art. 20 GDPR),
Right to object to processing based on legitimate interests (Art. 21 GDPR),
Right to withdraw consent at any time with effect for the future (Art. 7(3) GDPR), where processing is based on consent,
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
Where chunkx processes personal data as a controller (e.g., when you use our website, during registration/login, for contact requests, marketing/newsletters, or applications), you can exercise your rights directly against us. You can find our contact details in the section “Contact”.
If you use chunkx within a company account (e.g., via your employer or an organisation), the respective customer/employer is the controller for the processing of your personal data in connection with the use of the platform. In this case, please contact the controller (customer/employer) first in order to exercise your rights.
In these cases, chunkx processes your data as a processor and supports the controller in fulfilling data subject rights within the framework of the data processing agreement (DPA). Please note that, as a processor, chunkx is generally not authorised to fulfil data subject requests independently without involving the controller (customer/employer).
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
If you have questions or complaints regarding the processing of your personal data, you can contact us at any time using the contact details provided below.
Notwithstanding the above, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
In Germany, this is typically the competent state data protection supervisory authority (e.g., in North Rhine-Westphalia, the supervisory authority of that federal state); in the Netherlands, the Autoriteit Persoonsgegevens.
We may update this Privacy Policy where this is necessary due to changes in applicable law, technical developments, or changes to our processing activities. The current version is available on our website. We will give appropriate notice of material changes.
You can find the date of the most recent update in Section 15.
For general data protection inquiries, please contact us at privacy@chunkx.io. Which chunkx entity acts as the controller depends on Section 1 (“Who is the Controller?”) and/or the respective offer/order form/contract.
Chunkx GmbH
Birkenstr. 23
40233 Düsseldorf
Germany
Commercial register: HRB 83246
E-mail address: privacy@chunkx.io
Chunkx B.V.
High Tech Campus 6 Unit A
5656AE Eindhoven
Netherlands
Chamber of Commerce number: 84701358
E-mail address: privacy@chunkx.io
This Privacy Policy was last updated on 12 January 2026.