Privacy Policy
— ascENDIT Mobile Application

This Privacy Policy (the “Policy”) applies to all users of the ascENDIT mobile application and web-based administration portal (collectively, the “App”), including individual learners, employees of corporate clients, and any other persons whose personal data is processed through the App, regardless of their country of location.

End It is committed to the highest international standards of data protection. This Policy is governed by:

• Chilean Law No. 19.628 on the Protection of Private Life, as amended and as may be further amended;
• The EU General Data Protection Regulation (GDPR) 2016/679, voluntarily adopted by End It as its baseline global standard; and
• All applicable data processing agreements and data isolation confirmations executed between End It and its technology provider, governing the secure and isolated processing of personal data.

In the event of any conflict between these frameworks, the standard offering the greatest protection to the data subject shall prevail.

Data Controller: Centro Capacitaciones END.IT SPA (“End It”), incorporated under the laws of Chile. End It determines the purposes and means of processing personal data collected through the App and bears full legal responsibility for such processing.

Data Processor: End It engages a specialist AI technology provider (the “Technology Provider”) to deliver the AI-powered coaching functionality of the App. The Technology Provider acts exclusively as a data processor under End It’s documented instructions. It processes personal data solely to deliver the English coaching service on behalf of End It and has no independent right to use, retain, aggregate, or exploit such data for any purpose whatsoever, including AI model training. The identity of the Technology Provider is held on a confidential basis in End It’s internal records. It is available to competent regulatory authorities upon request and to corporate clients subject to execution of an appropriate confidentiality undertaking.

End It processes only the personal data strictly necessary for the provision of the English coaching service:

(a) Identity Data: Full name; email address; school or institution affiliation; and language proficiency levels.
(b) Technical Data: IP address; device identifier; operating system and version; application version; session timestamps.
(c) Educational and Performance Data: Text-based chat transcripts; pronunciation accuracy scores; intonation analysis metadata; and language performance or progress data. These data are classified by End It as heightened-sensitivity data and are subject to the enhanced protections described in Section 5.

Note: Where voice or audio data is processed for the purpose of generating speech-to-text transcripts, such processing occurs solely within End It’s private, logically isolated environment. Any resulting transcripts and metadata (but not raw audio recordings) are retained as set out in Section 6.

(d) Usage Metadata: Session duration; frequency of use; feature engagement data; error logs — collected solely for technical support and service improvement.
(e) Correspondence Data: Content of support requests submitted to ask@endit.school.

End It does not process personal data for marketing profiling, behavioural advertising, or sale to third parties.

Legal Basis

Performance of contract (Art. 6(1)(b) GDPR / Law 19.628)
Performance of contract (Art. 6(1)(b) GDPR)
Legitimate interest (Art. 6(1)(f) GDPR)
Legal obligation (Art. 6(1)(c) GDPR)
Legitimate interest (Art. 6(1)(f) GDPR)
Legitimate interest — subject to strict limits in Section 5.3

Purpose

Provision of AI-powered English coaching services
User account management and authentication
Technical support and incident resolution
Legal compliance and regulatory obligations
Security monitoring and fraud prevention
Aggregate, anonymised service improvement analytics

The following guarantees are contractually binding on End It’s Technology Provider and are incorporated into End It’s service agreements. They are set out here in full so that corporate clients — including cybersecurity companies, financial institutions, healthcare organisations, and other regulated-industry employers — can rely on them as enforceable commitments.

All data belonging to a specific corporate client is stored in a dedicated, logically segmented environment with strict multi-tenant isolation protocols applied at the architectural level:

• Client data is never co-mingled with data belonging to any other customer, partner, or third party under any circumstances.
• Cross-tenant data access is prohibited by both technical access controls and the underlying system architecture.
• Each client environment operates as a fully independent and isolated data silo with no shared data plane.

5.1 Multi-Tenant Logical Data Isolation

NEITHER END IT NOR ITS TECHNOLOGY PROVIDER SHALL, UNDER ANY CIRCUMSTANCES, USE ANY PERSONAL DATA, 
NEITHER END IT NOR ITS TECHNOLOGY PROVIDER SHALL, UNDER ANY CIRCUMSTANCES, USE ANY PERSONAL DATA, RECORDINGS, SPEECH DATA, TRANSCRIPTS, PRONUNCIATION ACCURACY SCORES, INTONATION ANALYSIS METADATA, OR ANY OTHER PERFORMANCE DATA TO TRAIN, FINE-TUNE, VALIDATE, EVALUATE, OR OTHERWISE IMPROVE ANY BASE AI MODEL, INCLUDING ANY LARGE LANGUAGE MODEL (LLM) OR SPEECH-TO-TEXT (STT) ENGINE.

All AI inferences are delivered using frozen models or dedicated client-specific instances. Session-specific processing is strictly confined to the client’s private data silo and cannot propagate to shared model weights or be accessed by any other client or third party. This commitment is absolute, contractually enforced, and does not admit exceptions.

5.2 Absolute Prohibition on AI Model Training

5.3 Data Sovereignty and Non-Aggregation

End It and its Technology Provider implement and maintain:

• Pseudonymisation and encryption of personal data at rest and in transit (AES-256 / TLS 1.3 or equivalent);
• Measures ensuring ongoing confidentiality, integrity, availability, and resilience of all processing systems;
• Capacity to restore availability of and access to personal data in a timely manner following any incident;
• Regular testing and evaluation of the effectiveness of all security measures;
• Role-based access controls ensuring only authorised and trained personnel access personal data;
• Mandatory data protection training for all personnel with access to personal data; and
• Contractual confidentiality obligations binding on all personnel.

5.4 Technical and Organisational Security Measures

Corporate clients may, upon reasonable written notice to ask@endit.school, request:

• A written technical summary of the data separation and isolation architecture;
• A current third-party security attestation (including, where available, a SOC 2 Type II report); and
• Written confirmation that cross-tenant isolation measures and AI training exclusions are active and verified.

5.5 Right to Technical Audit

End It’s current Technology Provider is presently the sole sub-processor engaged for core AI functionality.Additional sub-processors may be engaged in accordance with applicable contractual and data protection requirements. Any future engagement of additional sub-processors requires: (i) prior written notification to the corporate client and to End It as Controller; (ii) execution of a sub-processing agreement imposing equivalent data protection obligations; and (iii) compliance with applicable international data transfer mechanisms described in Section 7.

5.6 Sub-Processor Management

Active service period: Personal data is retained for the duration of the applicable service or license agreement.

Post-termination: Upon written request, End It will provide the corporate client with a complete copy of all client data in a standard machine-readable format within 30 days of termination, then cause the secure deletion of all personal data from all production and backup systems within 90 days of the date on which the data copy was provided.

Note: The 30-day period following termination is the window for final data extraction by the corporate client. The subsequent 90-day period is the certified deletion window. These periods run consecutively, not concurrently.

Certificate of Deletion: Upon request, End It will issue a formal written Certificate of Deletion confirming permanent deletion of all personal data relating to specified data subjects from all systems, including backups. This is available to any data subject exercising their right of erasure, including the Derecho de Cancelación under Chilean Law 19.628 Article 12.

Legally mandated retention: Where law requires longer retention, End It will notify the corporate client in writing of the specific obligation and its duration before commencing such retention.

The App is available globally (excluding Afghanistan, Belarus, Mainland China, and Russia). Where personal data is transferred outside the EEA or Chile, End It ensures at least one of the following applies:

• An adequacy decision by the European Commission in respect of the destination country;
• Execution of the European Commission’s Standard Contractual Clauses (Decision 2021/914/EU, Module 2: Controller to Processor) or any successor instrument; or
• For transfers to the United States: compliance with the EU–U.S. Data Privacy Framework where applicable.

Transfer documentation is maintained by End It and available for inspection upon written request.

All users may exercise the following rights by contacting ask@endit.school. End It will respond within 30 calendar days, extendable by 60 days in complex cases with prior written notice.

• (a) Access — Obtain confirmation of processing and a copy of your personal data.
• (b) Rectification — Correct inaccurate or incomplete data.
• (c) Erasure / Right to be Forgotten — Request permanent deletion, with a Certificate of Deletion issued within 90 days.
• (d) Restriction — Request temporary restriction of processing pending resolution of a dispute.
• (e) Portability — Receive your data in a structured, machine-readable format.
• (f) Objection — Object to processing based on legitimate interests.
• (g) Withdrawal of Consent — Withdraw consent at any time without affecting the lawfulness of prior processing.

In the event of a personal data breach:

• Internal detection and escalation within 24 hours;
• Notification to the affected corporate client without undue delay and, where feasible, within 72 hours of becoming aware, per Article 33 GDPR;
• Notification to include: nature of the breach; categories and approximate number of data subjects affected; likely consequences; and measures taken or proposed;
• Documentation of all breaches in an internal register, available for audit upon request.

IMPORTANT: All AI-generated pronunciation scores, fluency assessments, and language proficiency metrics are for educational practice purposes only. They are approximate indicators and do not constitute official certification scores for any examination, including IELTS, TOEFL, TOEIC, Cambridge CAE/FCE, or the Duolingo English Test. They must not be used as the sole or primary basis for academic applications, employment decisions, immigration applications, or regulatory compliance assessments. Scores may vary between sessions due to environmental or technical factors.

The App uses only essential session cookies and device identifiers strictly necessary for authentication, session management, and technical performance monitoring. End It does not use third-party tracking cookies, advertising pixels, or cross-site tracking technologies.

Material changes will be communicated by email and/or in-app notification at least 30 calendar days before they take effect. Continued use after the effective date constitutes acceptance. The “Last Updated” date at the top of this document reflects the most recent revision.

This Policy is governed by the laws of the Republic of Chile. Disputes between End It and data subjects shall be submitted to the competent courts of Santiago, Chile. For data subjects in the EEA, End It acknowledges the competence of the relevant national data protection supervisory authority. For the avoidance of doubt, separate enterprise agreements, including any Data Processing Addendum, may contain different governing law and jurisdiction provisions applicable solely between End It and the relevant corporate client or processor. 

Note: This governing law clause applies to End It’s relationship with individual data subjects and corporate clients under this Policy only. It does not affect the governing law of separate B2B service agreements, which are governed by their own terms.

Data Protection Contact: ask@endit.school
Centro Capacitaciones END.IT SPA, Santiago, Chile
Website: endit.school

If unsatisfied with our response, you have the right to lodge a complaint with the competent data protection authority in your country of residence.

ascENDIT: