Privacy Policy

Version 1.0-2026-07-05 · Last updated 5 July 2026

1. Who we are (data controller)

THEPS (“we”, “us”) operates the Erasmus+ Partner Matching Platform at this website. For the personal data described in this policy, THEPS acts as the data controller within the meaning of the EU General Data Protection Regulation (GDPR). For any privacy matter, contact privacy@theps.eu.

2. What data we collect and why

  • Account data — name, email address, password (stored as a hash), and optionally your organisation's Erasmus OID. Purpose: creating and securing your account. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
  • Organisation profile (PIF) data — organisation details and the business contact details of the legal representative and contact person. Purpose: verification and partner matching, the core service of the platform. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Platform content — partner-search listings, applications, messages and reviews you create. Purpose: providing the collaboration features you use. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Billing data — subscription plan, billing status and payment records (card details are handled by Stripe and never stored by us). Purpose: charging for paid plans and accounting. Legal basis: contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for invoicing/tax records.
  • Newsletter data — name, email and optionally organisation, if you subscribe. Purpose: sending the THEPS newsletter. Legal basis: consent (Art. 6(1)(a)); you can withdraw at any time via the unsubscribe link in every email or in your account's Privacy & Data page.
  • Audit and security logs — records of significant account and platform actions. Purpose: security, abuse prevention and accountability. Legal basis: legitimate interest (Art. 6(1)(f)) in keeping the platform secure and trustworthy.

We practise data minimisation: we do not collect special categories of personal data (Art. 9 GDPR), we do not use your data for advertising, and we do not sell it.

3. Automated decision-making

THEPS does not subject you to decisions based solely on automated processing that produce legal or similarly significant effects (Art. 22 GDPR). Organisation verification is performed by human administrators.

4. Who receives your data

Your organisation profile, listings and reviews are visible to other verified organisations on the platform — that visibility is the purpose of the service. Messages are visible only to the participating organisations and to platform administrators for moderation. We share personal data with a small number of processors listed in our sub-processor register, each bound by a data processing agreement under Art. 28 GDPR.

5. International transfers

Production personal data is hosted in the EU (Ireland). Where a processor transfers data outside the EEA (for example Stripe's US parent), the transfer is protected by an adequacy decision, the EU-US Data Privacy Framework or Standard Contractual Clauses, as set out in the sub-processor register.

6. How long we keep data

  • Account and organisation data — for the life of the account, then erased or anonymised on deletion.
  • Billing and invoicing records — as long as tax law requires (typically 10 years).
  • Audit and security logs — up to 24 months, then purged automatically.
  • Newsletter data — until you unsubscribe; unsubscribed addresses are kept only as a suppression record.
  • Privacy-request records — 36 months after closure, as proof of compliance.

7. Your rights

Under Articles 15–22 GDPR you have the right to:

  • access the personal data we hold about you;
  • receive a machine-readable copy of your data (portability);
  • have inaccurate data corrected;
  • have your data erased (“right to be forgotten”);
  • restrict or object to specific processing;
  • withdraw any consent at any time, without affecting past processing.

Signed-in users can exercise these rights directly from Privacy & Data in their account — including a one-click data export and an account-deletion request. You can also email privacy@theps.eu. We respond within 30 days (one month), as required by Art. 12(3) GDPR. You additionally have the right to lodge a complaint with your national data protection authority.

8. Security

All traffic is encrypted in transit (TLS) and data is encrypted at rest. Access to personal data is restricted by role-based permissions and database row-level security that isolates each organisation's data. Administrative actions are recorded in an audit log. In the event of a personal data breach likely to result in a risk to your rights, we will notify the supervisory authority within 72 hours (Art. 33 GDPR) and affected users without undue delay (Art. 34 GDPR).

9. Cookies

THEPS uses only strictly necessary cookies (authentication and security). See the Cookie Policy for details.

10. Changes to this policy

When we change this policy materially, we bump the version shown at the top and, where the change affects how we use your data, notify you by email or in-app notice before it takes effect.