Last updated: April 22, 2026
TrainedOn OÜ (“TrainedOn,” “us,” or “we”), an Estonian private limited company (registry code 14077044) with registered office at Voolu tn 20a, 10918 Tallinn, Estonia, respects the privacy and personal information of the members of the SessionLab community. This Privacy Policy applies to information we receive when you use our website or the SessionLab software (collectively, the “Service”).
Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you. This policy is intended to help you understand:
This Privacy Policy describes how TrainedOn collects, uses, and shares your personal data when you use the Service. Please read our Privacy Policy carefully.
If you do not agree with this policy, do not access or use our Service or interact with any other aspect of our business.
Information related to the use of cookies is set out in our Cookie Policy.
If you have any feedback or suggestions on our Privacy Policy, please do not hesitate to share them with us at privacy@sessionlab.com.
Service: means the functionality of SessionLab that you can reach by visiting and using our website at www.sessionlab.com and any of its subdomains (e.g. app.sessionlab.com, www.sessionlab.com). It allows you to create and share session plans, organize your session content, and browse and create session resources.
Content: means any materials, such as session plans and resources, library blocks, presentations, handouts, exercises, links, pictures, comments or any other content that you enter or upload to SessionLab.
Personal Data: means any information relating to an identified or identifiable natural person, within the meaning of Article 4 (1) of Regulation (EU) 2016/679 (General Data Protection Regulation).
Data Controller and Processor Roles: SessionLab processes personal data in two distinct roles:
As Data Controller: For your account information (name, email, profile), billing data, service usage analytics, and communications we send you, TrainedOn acts as the data controller. This means we determine how and why this data is processed.
As Data Processor: For Content you create in SessionLab (sessions, blocks, files, comments), you act as the data controller and TrainedOn acts as your data processor. If your Content includes personal data of third parties (such as workshop participant names or contact details), you are responsible for:
Important: If a third party whose personal data appears in your Content wants to exercise their rights (e.g., request deletion), they should contact you directly as the data controller. You can then use SessionLab’s tools to fulfill their request.
Our Data Processing Agreement, which applies to all customers and forms part of our Terms of Service, is available at sessionlab.com/dpa
We collect and process different types of information from or through the Service. Some of this information qualifies as Personal Data. The legal bases for each processing purpose are described in Section 4 below and are further explained in the “How We Use the Information We Collect” section of this Policy. We do not knowingly collect special categories of personal data (such as health information, political opinions, or biometric data). We may also collect and process information upon your consent, asking for it as appropriate.
When you use the Service, as a User you may provide, and we may collect Personal Data. Examples of Personal Data include name, email address, billing address and credit card information. Personal Data also includes other information, such as geographic area or preferences, when any such information is linked to information that identifies a specific individual.
We collect Personal Data about you when you register for an account, modify your profile, set preferences or make purchases through the Service. For example, you provide your name, username and e-mail address when you register for the Service. You also have the option of adding a profile photo, bio, and other details to your profile information to be displayed in our Service. We keep track of your preferences when you select settings within the Service.
Your use of the Service will involve you uploading or inputting various Content (as defined in the Terms of Service) into the Service. You control how your Content is shared with other users.
This Content includes any information about you that you may choose to include. Content also includes the files and links you upload to the Service. Examples of Content we collect and store include sessions and session blocks you create, files you attach to blocks, the name of a team, and comments you enter in sessions.
By design, SessionLab is not intended to host Personal Data in the Content you create; however, you may still decide to upload or input data in your sessions that qualifies as Personal Data. For details on the respective responsibilities of you and TrainedOn regarding personal data in Content, see the “Data Controller and Processor Roles” definition in Section 2.
The Service also includes customer support, where you may choose to submit information regarding a problem you are experiencing with a Service. When you contact us via our support channels, open a support ticket or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation, screenshots or information that would be helpful in resolving the issue.
We collect payment and billing information when you subscribe for any of our paid Service Plans. For example, we ask you to designate a billing representative, including name and contact information. You might also provide payment information, such as payment card details, which we collect and securely share with the payment processing service we use. We do not store your payment card details. Billing records (invoices, billing contacts, transaction history) are retained as described in Section 9.
We collect information about you when you use our Service, including browsing our websites and taking certain actions within the Service.
We keep track of certain information about you when you visit and interact with our Service. This information includes, but is not limited to, the features you use; the actions you perform, for example clicking on a button or on a link; the type, size and filenames of attachments you upload to the Service; frequently used search terms; and how you interact with other users within the Service.
We log an array of specific events (such as ‘Block created’, ‘Page loaded’, ‘Session view changed’, ‘Error’, etc.) with their attributes to allow us to analyse site usage, improve the service and provide effective support in case of customer support requests.
We also may use these technologies to collect information regarding your interaction with email messages sent by us, such as whether you open, click on, or forward a message.
We collect information about your computer, phone, tablet, or other devices you use to access the Service. This device information includes your connection type and settings when you access or use our Service. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Service.
This is information we collect from everybody, whether they have an account or not, in order to better understand how our website visitors use the Service and to monitor and protect the security of the website.
TrainedOn and our third-party partners, such as our analytics partners (for example Google Analytics and Mixpanel), use cookies and other tracking technologies (e.g. web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices. For more information, please refer to our Cookie Policy, which includes information on how to control or opt out of these cookies and tracking technologies.
We receive information about you from other Service users, from third party services and from potential business and channel partners.
Other users of our Service may provide information about you when they submit Content through the Service. For example, you may be mentioned by someone in a comment, or a collaborator may upload content about you to a session. We also receive your email address from other Service users when they provide it in order to invite you to the Service. Similarly, a team administrator may provide your contact information when they designate you as a billing contact for a team account.
If you choose to use our invitation service to invite a colleague or friend to the Service, we will ask you for that person’s contact information, which may include their email address, and automatically send an invitation. We store the information you provide to send the invitation, to register the person if your invitation is accepted, and to track the success of your invitations.
We receive information about you when you integrate or link a third-party service with our Service. By authorizing us to connect with a third-party service, you authorize us to access and store your name, email address, profile picture, and other information that the third-party service makes available to us, and to use and disclose it in accordance with this Policy.
For example, if you create an account or log into the Service using your Google or LinkedIn credentials, we receive your name and email address as permitted by your Google or LinkedIn profile settings in order to authenticate you. We use this information only to log you into our Service with your Google or LinkedIn accounts; we do not use this information for any other purposes.
You may also integrate our Service with other services you use, such as to allow you to access, store, share and edit certain content from a third-party through our Service. For example, you may authorize our Service to access and display files from a third-party document-sharing service within the Service interface. The information we receive when you link or integrate our Service with a third-party service depends on the settings, permissions and privacy policy controlled by that third-party service. You should always check the privacy settings and notices in these third-party services to understand what data may be disclosed to us or shared with our Service.
We may obtain information, including Personal Data, from third parties and sources other than the Service. If we combine or associate information from other sources with Personal Data that we collect through the Service, we will treat the combined information as Personal Data in accordance with this Policy.
We use the information that we collect in a variety of ways in providing the Service and operating our business, including the following:
We use information about you to provide the Service to you, including to process transactions with you, authenticate you when you log in, and operate and maintain the Service.
Below you may find some of the most common examples of how we use your information:
We may access your Content only as necessary (i) to maintain, provide and improve the Service; (ii) to resolve a support request from you; (iii) if we have a good faith belief, or have received a complaint alleging, that such Content is in violation of our Terms of Service; (iv) as reasonably necessary to allow TrainedOn to comply with or avoid the violation of applicable law or regulation.
Legal basis: performance of our contract with you (GDPR Art. 6(1)(b)).
We are always looking for ways to make our Service smarter, faster, more secure, more integrated and more useful to you. We collect and analyse events (such as Page Loaded, View Changed or Errors) and preferences of users in an aggregate way together with feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and areas for improvement of the Service. We may also test certain new features with some users before rolling the feature out to all users.
Legal basis: our legitimate interests in improving the Service (GDPR Art. 6(1)(f)).
Note: aggregate and anonymised analytics derived from Content usage (such as feature usage counts) are processed under our controller role, as this data no longer constitutes personal data.
We use your contact information to send transactional communications via email and within the Service, including confirming your purchases, reminding you of subscription expirations, responding to your comments, questions and requests, providing customer support, and sending you technical notices, updates, security alerts, and administrative messages.
Depending on your settings, we send you email notifications when you or others interact on the Service, for example, when you are invited to a session or a collaborator comments on a session to which you are invited.
We also provide tailored communications based on your activity and interaction with the Service. For example, certain actions you take in the Service may automatically trigger a message with a suggestion that would make that task easier. We also send you communications as you onboard to the Service to help you become more proficient in using it.
These communications are part of the Service, and in a few cases, where regulations bind us, you cannot opt out of them. For example, we are mandated to send you a reminder for the renewal of an annual paid subscription. If an opt-out is available, you will find that option within the communication itself or in your account settings, as described below in “Opt out of communications.”
Legal basis: performance of our contract with you for transactional messages (GDPR Art. 6(1)(b)); our legitimate interests for service-related notifications (GDPR Art. 6(1)(f)).
We use your contact information and information about how you use the Service to send promotional communications that may be of specific interest to you. These communications are aimed at driving engagement and maximizing what you get out of the Service, including information about new features, survey requests, newsletters, and events we think may be of interest to you. We also communicate with you about new product offers, promotions and contests. You can control whether you receive these communications as described below in “Opt out of communications.”
Legal basis: where you are an existing customer and the communication relates to similar services, we rely on the “soft opt-in” under applicable ePrivacy laws and our legitimate interests in growing the Service (GDPR Art. 6(1)(f)). In all other cases, we rely on your consent (GDPR Art. 6(1)(a)). You can opt out of marketing communications at any time as described in Section 6.5.
We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Service. In order to provide effective support, we may need data about the technical setup with which you are using the application (such as device and browser information) and contextual information about your usage of the application (such as usage history of the application and navigational data).
Legal basis: performance of our contract with you (GDPR Art. 6(1)(b)).
We may use information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies.
Legal basis: our legitimate interests in protecting the Service and its users (GDPR Art. 6(1)(f)).
Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
Legal basis: compliance with legal obligations (GDPR Art. 6(1)(c)) and our legitimate interests (GDPR Art. 6(1)(f)).
We use information about you where you have given us consent to do so for a specific purpose not listed above. For example, we may publish testimonials or featured customer stories to promote the Service, with your permission, or we may send you additional content digest emails or newsletters with your consent. If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.
Legal basis: your consent (GDPR Art. 6(1)(a)).
Except as described in this Policy, we will not intentionally disclose your information, including your Personal Data or other Content that we collect or store on the Service to third parties without your consent.
We do not share, sell, rent, or trade Personal Data with third parties for their commercial purposes.
We may disclose information to third parties if you consent to us doing so, as well as in the following circumstances:
When you use the Service, we share certain information about you with other Service users.
You can create content, which may contain information about you, and grant permission to others to see, share, edit, copy and download that content based on settings you or your workspace administrator (if applicable) select.
Some of the collaboration features of the Service display some or all of your profile information to other Service users when you share or interact with specific content. For example, when you comment on a library block, we display your profile picture and name next to your comments so that other users with access to the block understand who made the comment. Similarly, when you join a team, your name and contact information will be displayed in a list for other team members so they can find and interact with you.
Please be aware that some content in the application can be made publicly available by its creator, for example, a block in the library, meaning any content posted on that block, including information about you, can be publicly viewed and indexed by and returned in search results of search engines. You can check both the session and library block settings at any time to confirm whether a particular piece of content is public or private.
Our Service offers publicly accessible content in certain areas of our website. You should be aware that any information you voluntarily choose to make public in the Service – including profile information associated with the account you use to post the information – may be read, collected, and used by any member of the public who accesses the website. Your posts may remain without personally identifiable profile information even after you terminate your account. We urge you to consider the sensitivity of any information you input into these areas of the Service.
We work with third party service providers who provide hosting, maintenance, backup, storage, analytics, help desk, payment processing and other services for us. These third parties may have access to, or process, Personal Data as part of providing those services for us. We limit the information provided to these service providers to that which is reasonably necessary for them to perform their functions, and our data protection agreements with them require them to maintain the confidentiality of such information. You may find more information about the measures we take for International Data transfer in Chapter 8.
You may find here the list of third party service providers we work with.
SessionLab offers AI-powered features (AI Assistant). When you use AI features, you are interacting with an artificial intelligence system. AI-generated content may contain inaccuracies, biases, or errors. You control whether and how you use AI features. Certain AI features may be disabled at the account level where applicable. SessionLab does not use AI to make automated decisions that produce legal effects or similarly significantly affect you. We do not engage in profiling that produces legal or similarly significant effects. You remain in full control of all decisions. When used, your session content is processed by our AI service providers. We select providers whose data handling practices align with our privacy commitments. For complete details, please refer to our AI Usage, Privacy, and Controls article.
Legal basis: your consent (GDPR Art. 6(1)(a)), given when you use AI features. Where AI features are available by default, your continued use of those features constitutes consent. You can disable AI features at the account level.
We may disclose Personal Data or other information if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable laws, in response to a facially valid court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.
We also reserve the right to disclose Personal Data or other information that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of the Service and any facilities or equipment used to make the Service available, or (v) protect our property or other legal rights, enforce our contracts, or protect the rights, property, or safety of others.
Information about you, including Personal Data, may be disclosed and otherwise transferred to an acquirer, successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets and only if the recipient of the Personal Data commits to a Privacy Policy that has terms substantially consistent with this Privacy Policy.
Content you created in the Service may be transferred to an acquirer, or successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets, for the sole purpose of continuing the operation of the Service, and only if the recipient of the Content commits to a Privacy Policy that has terms substantially consistent with this Privacy Policy.
You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations. We will respond to requests about this within a reasonable timeframe.
You have the following rights regarding your personal data:
You can exercise some of these rights by logging into the Service and using settings available within the Service or your account. For all other requests, you may contact us at privacy@sessionlab.com.
Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information which we are permitted by law or have compelling legitimate interests to keep. If you have unresolved concerns, or if you believe your right to privacy granted by applicable data protection laws has been infringed upon, please contact us at privacy@sessionlab.com. You also have a right to lodge a complaint with the supervisory authority in your Member State of residence, place of work, or place of the alleged infringement.
Our Service gives you the ability to access and update certain information about you from within the Service. For example, you can access your profile information from your account and update your profile information within your profile settings.
If a session is shared with you and you no longer want to have that session available to you, you can deactivate your own access to it within the Service.
If you want to leave a team you were added to, you may ask the administrator of the team to remove you.
Please be aware that deactivating your access to a session or to a team does not delete the information (for example, comments you created within that session or team); your information remains visible to other Service users. For more information on how to delete your information, see below.
Our Service gives you the ability to delete certain information about you from within the Service. For example, you can remove or modify Content that contains information about you using the keyword search and editing tools associated with that content and you can remove certain profile information from your profile settings. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.
If you wish to terminate your account, all your information, including your Personal Data and Content you created in the Service, will be permanently deleted, subject to the retention periods described in Section 9. Termination can be initiated by sending an email to account-removal@sessionlab.com.
Please bear in mind that your information might not be removed from our servers immediately at the time of termination. Residual copies of your deleted Personal Data and Content might be kept for backup purposes; however, we do make sure not to keep them for longer than 30 days after terminating your account.
Note on shared Content: If you delete your account, all Content you created will be deleted from the Service, and other users you shared it with will lose access. If collaborators wish to retain access to shared Content, they must make copies to their own workspaces before your account is removed.
You may opt out of receiving promotional and service-related communications from us by using the unsubscribe link within each email, updating your email preferences within your Service account settings menu, or by contacting us at privacy@sessionlab.com to have your contact information removed from our promotional email list or registration database.
Please be aware that if you opt out of receiving commercial email from us or otherwise modify the nature or frequency of promotional communications you receive from us, it may take up to ten (10) business days for us to process your request. Additionally, even after you opt out from receiving promotional messages from us, you will continue to receive certain transactional and essential administrative messages from us regarding our Service.
The usage of browser-based cookies and your choices to control them are described in our Cookie Policy.
According to Article 20 of Regulation (EU) 2016/679, you have the right to receive the Personal Data concerning you, which you have provided to us. Should you request it, we will provide you with an electronic file of your account information from the Service.
We work with data hosting service providers in the territory of the European Union to host the information we collect, and we use technical measures to secure your data. We use generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. We maintain appropriate administrative, managerial and technical safeguards to protect Personal Data and Content against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Data and Content in our possession.
We maintain industry-recognized security certifications and undergo regular independent audits. We conduct regular penetration testing and maintain comprehensive security practices. For current information about our security certifications, compliance status, and detailed security practices, please visit our Trust Center.
This includes, for example, firewalls, password protection and other access and authentication controls. We continuously and regularly back up your data to help prevent data loss and aid in data recovery. We use SSL technology to encrypt data during transmission over the public internet to better protect your information, and we also employ application-layer security features to further anonymize Personal Data.
If you have additional questions about security on our Service, you may find more technical details at our Security support page or contact us as set forth in the “How to Contact Us” section.
However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us or store on the Service, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. If you believe your Personal Data or Content has been compromised, please contact us as set forth in the “How to Contact Us” section.
If we learn of a security systems breach, we will inform you and the authorities of the occurrence of the breach in accordance with applicable law.
We collect information globally and we work with data hosting service providers in the territory of the European Union to store the information we collect. This means that the Content you create in the application, for example, sessions you create and files you upload to the sessions are stored at data centers within the territory of the European Union.
We also use the services of further third party service providers to operate certain aspects of the service, for example emailing and analytics services. These service providers are located either in the European Union or in the United States. Some of the information we forward to them falls into the category of Personal Data, such as your name, email address and IP address. We also forward device and browser information and usage data (events such as Blocks created, View Changed, Page Loaded, etc.).
When we share information about you with third party service providers, we use standard contractual data protection clauses approved by the European Commission to ensure that your Personal Data receives an adequate level of protection. When we select US-based third party service providers, we make sure that they have executed Standard Contractual Clauses (as approved by the European Commission) or hold certification under the EU-US Data Privacy Framework (DPF), that both provide legal grounds for assuring that your Personal Data will receive an adequate level of protection within the meaning of Article 46 of Regulation (EU) 2016/679 (General Data Protection Regulation). The EU-US Data Privacy Framework is recognized by the European Commission as providing an adequate level of protection under its adequacy decision of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795), in accordance with GDPR Art. 45.
We only retain the information collected from you until you delete your account or otherwise for a limited period of time as long as we need it to fulfil the purposes for which we have initially collected it, unless otherwise required by law. We will retain and use information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements as follows:
Protecting the privacy of young children is especially important. Our Service is not directed to children under the age of 16, and we do not knowingly collect Personal Data from children under the age of 16 without obtaining parental consent. If you are under 16 years of age, then please do not use or access the Service at any time or in any manner. If we learn that Personal Data has been collected on the Service from persons under 16 years of age and without verifiable parental consent, then we will take the appropriate steps to delete this information. If you are a parent or guardian and discover that your child under 16 years of age has obtained an Account on the Service, then you may alert us at privacy@sessionlab.com and request that we delete that child’s Personal Data from our systems.
The Service is not intended to be used by minors and is not intended to be used to post content to share publicly or with friends. To the extent that a minor has posted such content on the Service, the minor has the right to have this content deleted or removed using the deletion or removal options detailed in this Privacy Policy. If you have any questions regarding this topic, please contact us as indicated in the “How to Contact Us” section. Please be aware that, although we offer this deletion capability, the removal of content may not ensure complete or comprehensive removal of that content or information.
TrainedOn reserves the right to make changes to this Policy. If we make material changes, we will notify you, either through the user interface, in an email notification, or through other reasonable means. We encourage you to review the updated Policy. If you do not agree with the changes, you may stop using the Service. If any provision of this Policy is found to be unenforceable, the remaining provisions will continue in full force and effect.
Please contact us with any questions or comments about this Policy, your Personal Data, our use and disclosure practices, or your consent choices by email at privacy@sessionlab.com.