Table of Contents
- Introduction
- About This Policy and Our Role
- Personal Information We Process
- How We Use Personal Information
- How and Why We Share Personal Information
- Data Security
- Data Retention
- International Data Transfers
- Your Data Protection Rights
- Children's Privacy
- Cookies
- Changes to This Privacy Policy
- Contact Us and Data Protection Officer
- Annex A: Definitions
1. Introduction
Welcome to DidactLabs. This Privacy Policy explains how DidactLabs BV, a Belgian private limited company with registered address at Tabakvest 87 / bus 4610, Antwerp 2000, Belgium, and company number 1026.185.467 ("DidactLabs", "we", "us", or "our") processes Personal Information in connection with our learning platform, associated services (collectively, the "Service"), and our marketing website (didactlabs.com).
Our core philosophy is built on transparency. We are committed to protecting the privacy and security of our Users, especially Students. To that end, we want to be explicit about our commitments:
- We do not sell Personal Information.
- We do not serve third-party advertisements within our Service.
- We do not build profiles of Users for any purpose other than to support the authorized educational objectives of their educators.
- We do not use your User Content or Writing Process Data to train or fine-tune any third-party or proprietary artificial intelligence models.
- We do not use or monetize your User Content for any purpose other than providing and improving the Service as described in this policy.
2. About This Policy and Our Role
This policy applies to Personal Information we process as both a Data Controller and a Data Processor under the GDPR. Understanding our role is key to understanding your rights.
- As a Data Processor (for Student Personal Information): When we process Student data, including their Submissions and Writing Process Data, accessed through assignment links created by Educators, we act as a Data Processor. Students do not create accounts on our Service. The Educator or their Institution is the Data Controller. The Data Controller determines the purposes and means of processing and is primarily responsible for the data under GDPR.
- As a Data Controller (for other data): We act as a Data Controller for the Personal Information of Educators and Administrators who sign up for and manage the Service (e.g., account and contact details). We also act as a Data Controller for the student nickname, as it is collected to distinguish submissions for the Educator. We are also the Data Controller for Personal Information collected from visitors to our marketing website and for our own business and administrative purposes.
3. Personal Information We Process
We collect information necessary to provide and improve our Service. This information falls into three categories:
A. Information You Provide
- Account Information (Educators only): We use Auth0, a secure third-party identity provider, to manage Educator accounts. Depending on your chosen sign-up method, we process the following information:
  - If you sign up with Email and Password: We collect your Email Address and a securely hashed password.
  - If you sign up using Single Sign-On (SSO) with Google or Microsoft: We receive your Name, Email Address and Profile Picture URL from the provider you authorize. We do not receive or store your password from these services.
- Student Information:
  - On Free and Teacher Plans: When a Student accesses an assignment via a shared link, they are prompted to provide a nickname. This is the only identifier we collect directly from the Student. Students do not create accounts.
  - On Institutional Plans with LMS Integration: For institutional accounts using Learning Management System (LMS) integration (e.g., Moodle, Canvas, Google Classroom), student identifiers (such as name, email, or an institutional ID) may be automatically passed from the LMS to our Service. This processing is necessary to associate work with a specific student in the educator's gradebook. In this scenario, the Institution is the Data Controller, and we process this identifier solely on their instruction.
- Educator Content: Assignment details (e.g., titles, descriptions, AI configuration).
- Communications: Your name, email address, and the content of your message when you contact us for support or other inquiries.
B. Information Generated Through Your Use of the Service
- Student User Content: The text, essays, and other documents Students create and submit within the Service ("Submissions").
- Writing Process Data: Detailed, real-time data about how a document is created, which includes:
  - The complete version history of a document.
  - Keystrokes, copy-paste events (including source), and deletions within the editor.
  - The full conversation history (prompts and responses) with the integrated AI assistant.
  - AI-generated analyses of Student prompts and writing patterns.
  - Interaction data, such as time spent actively writing.
C. Information We Collect Automatically
- Log and Usage Data: When you access our Service, our service providers automatically collect technical information, including your IP address, browser type, operating system, device information, and access timestamps. This is used for security, performance monitoring, and aggregated statistical analysis.
- Cookie Data: Information collected via cookies and similar technologies as described in Section 11.
4. How We Use Personal Information
We only use your Personal Information for specific, legitimate purposes, and we always have a lawful basis for doing so under GDPR.
| Purpose of Processing | Legal Basis (under GDPR) | Categories of Personal Information Processed |
|---|---|---|
| To Provide and Operate the Service: Delivering core features, creating, managing and authenticating Educator accounts, and fulfilling our contractual obligations to the Educator. | Performance of a Contract (with the Educator, which covers our processing as a Processor). Legitimate Interest (for Educator accounts and distinguishing student submissions via nicknames). | Account Data, Educator Content, Student User Content, Writing Process Data, Student Nickname |
| To Communicate with You: Responding to support requests, sending service-related announcements (e.g., updates, security alerts), and gathering feedback. | Legitimate Interest (to provide effective support and manage our service). | Account Data, Communications |
| For Security, Compliance, and Fraud Prevention: Monitoring for malicious activity, enforcing our terms, and complying with legal obligations. | Legal Obligation; Legitimate Interest (to protect our service, users, and legal rights). | Account Data, Log and Usage Data, Writing Process Data |
| To Improve and Enhance the Service: Analysing usage patterns to understand what works, fix issues, and develop new features. | Legitimate Interest (to improve our service for users). | Anonymised and aggregated Log and Usage Data, Writing Process Data, and User Content. |
| To Manage our Business Operations: Including billing, account management, and maintaining business records. | Legitimate Interest (to operate our business efficiently) | Account Information (Educators/Admins), Communications. |
Our Commitment on AI Model Training: We state unequivocally: We do not use your User Content or Writing Process Data to train or fine-tune any third-party or proprietary artificial intelligence models. The AI features within our Service, provided through Google Vertex AI, use your data only "in-context" to provide an immediate response, and your data is not retained for future model training by us or our AI provider.
5. How and Why We Share Personal Information
We do not sell Personal Information. We only disclose it in the following limited circumstances:
- To Educators: Educators who create assignments can view the User Content and Writing Process Data of Students who submit work through their assignment links. Educators can only access data from assignments they created.
- With Our Service Providers (Sub-processors): We use a limited number of third-party providers to operate our Service. They are contractually bound to protect your data and are only permitted to use it to provide services to us. We maintain a complete and up-to-date list of these providers, their purpose, and their location on our dedicated DidactLabs Subprocessors page.
- For Legal Reasons: We may disclose information if required by law or in the good-faith belief that such action is necessary to comply with a legal obligation, protect our rights, prevent fraud, or protect the safety of our users.
- In Connection with a Business Transfer: If DidactLabs is involved in a merger, acquisition, or sale of assets, your Personal Information may be transferred as part of that transaction. We will notify you of any such change in control or use of your Personal Information.
6. Data Security
We implement appropriate technical and organisational measures to protect your Personal Information against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access Controls: Access to Personal Information is strictly limited to authorised personnel on a need-to-know basis, governed by the principle of least privilege.
- Infrastructure Security: We leverage the security infrastructure of our enterprise-grade cloud providers (Google Cloud).
- Secure Authentication: We use a specialized third-party identity provider (Auth0) to manage secure Educator authentication, including support for SSO.
- Internal Policies: We enforce strong password policies, mandate multi-factor authentication (MFA) for internal systems, and provide regular security training to our team.
While we take security seriously, no system is impenetrable. We cannot guarantee the absolute security of your information.
7. Data Retention
We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
- Student Data: All Student data, including nicknames, User Content, and Writing Process Data, is linked to an Educator's assignment. It is retained as long as the Educator's account is active and is deleted according to the policies for Educator account deletion or subscription termination.
- Active Educator Accounts: We retain data for the duration of the active subscription.
- Educator Account Deletion: Upon an Educator requesting account deletion, the account enters a 60-day grace period during which data can be exported. After this period, the data is permanently deleted from our production systems. It is then fully erased from all backups within an additional 30 days.
- Subscription Termination: Upon an Educator’s subscription ending, we will contact you to determine whether their data should be deleted immediately or retained for a specified period (60 days) to facilitate re-subscription. After this period, it will be permanently deleted.
8. International Data Transfers
Our primary data processing and storage for the Service occurs within the European Union. All core Service data, including all Student data and Educator account information, is processed and stored exclusively within the European Union.
- Service Data: Our backend infrastructure (GCP) is hosted in europe-west1-d (Belgium).
- AI Processing: Our AI provider is Google Vertex AI, and all processing occurs within the europe-west1 region (Belgium).
- Educator Authentication: We use Auth0 for educator authentication. Our Auth0 tenant is hosted in the EU-2 region (Germany).
- Marketing & Support Data: For our public marketing website (didactlabs.com), we use services from providers based in the United States. This means that certain data may be transferred to the US:
  - Contact Form Submissions: Information you submit through our website contact forms is managed by HubSpot.
  - Analytics & Advertising Data: If you provide your consent via our cookie banner, data collected by trackers from Google (for Google Analytics), Meta (for the Meta Pixel), and LinkedIn (for the Insight Tag) is processed by these companies.
HubSpot, Google, Meta, and LinkedIn are all US-based companies and are certified under the EU-U.S. Data Privacy Framework. We rely on this framework, supplemented where necessary by the European Commission's Standard Contractual Clauses (SCCs), to ensure that any such data transfers are lawful and that your information is adequately protected.
9. Your Data Protection Rights
Under GDPR, you have specific rights regarding your Personal Information. We have created a dedicated page on your Data Protection Rights under GDPR that explains these rights in plain language and how they apply to different types of users. A summary of these rights is provided below.
- Your Rights: You have the right to access, rectify (correct), erase, restrict processing of, and request data portability of your Personal Information. You also have the right to object to processing based on our legitimate interests and the right to withdraw consent at any time (though this will not affect the lawfulness of processing based on consent before its withdrawal). You have the right to lodge a complaint with a data protection authority (a "Supervisory Authority") if you believe our processing of your Personal Information infringes GDPR. For UK residents, this is the Information Commissioner's Office (ICO). For EU residents, it is the authority in your country of residence.
- How to Exercise Your Rights:
  - For Educators and Administrators: As we are the Data Controller for your account information, you may exercise your rights by contacting our Data Protection Officer at dpo@didactlabs.com.
  - For Students: As your educator is the Data Controller, you must direct any requests to exercise your rights to your teacher. We will cooperate fully with the Educator to facilitate your request in accordance with our legal obligations as a Data Processor.
10. Children's Privacy
The Service is intended for use by educational institution educators. We do not knowingly collect Personal Information from children under the age of digital consent (which may be up to 16 in some EU countries) without the consent of their school. Our platform is designed to minimize the collection of student Personal Information; students do not create accounts and are only asked for a nickname to identify their work for their teacher. It is the responsibility of the educator to comply with all applicable laws, such as the Children's Online Privacy Protection Act (COPPA) and GDPR-K, and to obtain any necessary verifiable parental or guardian consent before allowing students to use our Service.
11. Cookies
We use cookies, which are small text files placed on your device, for essential functionality and to understand how you use our services.
- Strictly Necessary Cookies (The Service): These are essential for the operation of the DidactLabs platform, such as maintaining an Educator's login session and ensuring security. You cannot opt out of these cookies as the Service will not function without them. Our Service does not use any analytics or marketing cookies.
- Analytics and Marketing Cookies (Marketing Website Only): On our marketing website, we use cookies and tags from third-party providers like Google, Meta (Facebook), and LinkedIn to analyse visitor traffic, measure the effectiveness of our advertising campaigns, and deliver targeted marketing content. These are non-essential and will only be activated with your explicit consent, which you can manage via the cookie banner that appears when you first visit our site.
You can control and manage your cookie preferences for our marketing site at any time through your browser settings.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the new policy on this page and, where appropriate (e.g., for Educators and Administrators), by email, providing a reasonable period of notice before the changes take effect.
13. Contact Us & Data Protection Officer
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us.
DidactLabs BV
Tabakvest 87 / bus 4610
Antwerp 2000
Belgium
General Privacy Inquiries: Email: privacy@didactlabs.com
Data Protection Officer (DPO): You can contact our DPO by email or by post at the address above, marked "For the attention of the Data Protection Officer". Email: dpo@didactlabs.com
14. Annex A: Definitions
- "Data Controller": The entity that determines the purposes and means of the processing of Personal Information.
- "Data Processor": The entity that processes Personal Information on behalf of the Data Controller.
- "Educator" / "Administrator": An individual, such as a teacher or tutor, who creates an account with the Service to create and manage assignments.
- "GDPR": The General Data Protection Regulation (EU) 2016/679 and, where applicable, the UK GDPR.
- "Institution": The educational organisation (e.g., school, college, university) that subscribes to the Service.
- "Personal Information": Any information relating to an identified or identifiable natural person.
- "Service": The DidactLabs learning platform, associated services, and our marketing website.
- "Student": An individual who accesses an assignment on the Service via a link provided by an Educator. Students do not create accounts on the Service.
- "User": Any individual using the Service, including Students, Educators, and Administrators.
- "User Content" / "Submissions": The text, essays, and documents that Students write and submit within the Service.