Security and data privacy

In accordance with Organic Law 15/1999, dated 13 December, on Personal Data Protection, and Regulation (EU) 2016/679 of European Parliament and Council, dated 27 April 2016, (GDPR), we offer the following information on the processing of your personal data:

Data controller	DIDACTIC LABS S.L.
Data processing purpose	Managing the Edvoice application to improve the communication between school centers, teachers, students and families.
Legitimacy of the processing	The processing is necessary to use the Edvoice application, and that’s why we request the consent of the users. They are are entitled to withdraw their consent it at any moment.
Data origin	Data will be provided by the users, school centers or teachers that use Edvoice.
Data communication	Your data will be passed on to the public administrations, as long as it is required by the current legislation, and to all those institutions whenever it is necessary to fulfill the purpose of the processing.
Data processor	The third parties that provide services for the maintenance of the application are based in the UE or are under the Privacy Shield agreement.
Rights	The individuals concerned are entitled to exercise the rights of access, rectification, processing limitation, elimination, portability and opposition against the data controller. Moreover, they can turn to the competent supervisory authority to assert any claim they deem appropriate.
Additional Information	Additional and detailed information on the data processing are available below under section “Frequently asked questions about privacy”.

Who is your data controller?

Identity: DIDACTIC LABS S.L. (hereafter referred as Additio App)

Tax identification code: B55240162

Address: 10 Bescanó, 17007 Girona (Spain)

Phone number: +34 972 18 32 14

Email: [email protected]

Privacy manager:

Contact: http://www.additioapp.com/contactar

For what purpose do we process your personal data?

In Additio App we process the data that the individuals concerned provide us in order to offer and manage our services and products for the education sector.

How long are we going to keep your data?

The provided personal data will be kept as long as the individuals concerned use Additio App.

As Additio App is aimed at school management, not using the application for a long time is seen as having lost its purpose. Therefore, in the event that a user registered in Additio App keeps their account inactive for more than 12 months in a row, we will proceed to delete the account and all data associated with it.

What is the legitimacy of processing your data?

The legal basis for processing your data is the consent Additio App’s users give the school center or teacher to use the application, and the one they give at the moment of signing up for it.

What recipients is your data going to be transmitted to?

Additio App contracts its virtual infrastructure following a cloud computing model. To that end we use the services of Hetzner Online GmbH, based in Germany, which is compliant with the Federal Data Protection Act (BDSG) and the Tele Media Act (TMG), its privacy policy being available at: Data privacy. We also use Amazon Web Services and Google’s Firebase, both under the provisions of the EU-US Privacy Shield framework. Information available at: Amazon.com, Inc, and Google LLC.

What rights are you entitled to when you provide us with your data?

• Anyone is entitled to obtain confirmation related to whether in Additio App we are processing personal data that concerns them or not.

• The individuals concerned shall have the right to access to their personal data, as well as to request the rectification of any inexact data or the deletion of such when, among other reasons, that data is not needed anymore for the purpose it was collected.

• In certain circumstances, the individuals concerned might request limitation of processing of their data, in which case we will only keep it for the exercise or defence of claims.

• In certain circumstances and for reasons relating to their particular situation, the individuals concerned might be able to object to the processing of their data. Additio App will then stop processing such data, except for compelling legitimate grounds or the exercise or defence of potential claims.

• The individuals concerned are entitled to the portability of their data.

• Finally, the individuals concerned can turn to the competent supervisory authority to assert any claim they deem appropriate.

How do we collect your data?

• Some of the personal data we process in Additio App is provided by the individual concerned at the moment of signing up for the application, but most of the collected data refers to the one the school centers and/or teachers process through Additio App with their consent.

• The categories of the processed data are the following:
  1. Identification data
  2. Identification keys or codes
  3. Postal and email addresses
  4. Academic information

• Data is limited, as we only process that needed for the effective use of Edvoice.

• Data specially protected is not processed, although it being minors’ data we are aware of the fact that it is sensitive data. Therefore, we have put a particular emphasis on that data being processed with the required legal consent, as well as on applying the security measures needed to safeguard it.

What security measures do we apply?

After carefully analyzing the data processing that is to be performed, we have taken the required security measures to make sure that the security level against the risk of such processing is appropriate, through mechanisms that allow us to guarantee the confidentiality, integrity, availability and permanent resilience of the systems and services of processing.

Edvoice implements the security measures provided under article 32 of the GDPR and those required by Royal Decree 1720/2007, of 21 December, which approves the Regulation implementing Organic Law 15/1999, of 13 December, on the Protection of Personal Data.

How do we process data on behalf of third parties?

The data controller is the school center or the teacher that uses the services of Additio App, so we will process that data for the appropriate provision of our services, doing it as data processor, as established in article 28 of the Regulation (EU)  2016/679 of the European Parliament and the Council, dated 27 April 2016 (GDPR). Thus Additio App will:

1. Process the personal data only following documented instructions from the controller, including with respect to personal data transfers to a third country or international organization, unless it is obliged to it in accordance with the Member States or Union law that applies to Additio App. In that case, Additio App will inform the controller of that legal requirement prior to the processing, unless that law forbids it for important reasons of public interest.
2. Guarantee that the authorized individuals to process personal data have committed to respect confidentiality or are subject to an obligation of confidentiality of statutory nature.
3. Take all necessary security measures in accordance with article 32 (GDPR).
4. Respect the specified conditions indicated in the GDPR to turn to another data processor.
5. Assist the controller, taking into account the nature of the processing through appropriate technical and organizational measures, as long as it is possible, so that they can fulfill their obligation to respond to requests with the aim of exercising the rights of the individuals concerned established in chapter III of the GDPR.
6. Help the controller ensure compliance with the obligations established in articles 32-36 of the GDPR, in consideration of the processing nature and the information available to the processor.
7. Delete or return, at the discretion of the controller, all personal data once the provision of processing services has finished, and will delete the existing copies unless the keeping of personal data is required by the Member States or Union law.
8. Provide the data controller with all required information to prove compliance with the established obligations in article 28 of the GDPR, as well as to allow and contribute to carrying out audits, including inspections, by the controller or another auditor authorized by such individual.

Additio App informs the data controllar that subcontracts its virtual infrastructure of cloud computing with Hetzner Online GmbH, based in Germany, which is compliant with the Federal Data Protection Act (BDSG) and the Tele Media Act (TMG), its privacy policy being available at Data privacy, and with Amazon Web Services and Google’s Firebase, both under the provisions of the EU-US Privacy Shield framework. Information available at Amazon.com, Inc and Google LLC.

 

Exclusion of liability

The school center and/or teacher is under obligation to obtain the data that is going to process in Edvoice following the legal prescriptions established in the regulations relating to the personal data protection. And specially has to obtain the consent of the parents or legal guardians of the students under the age of 16, or, as the case may be, the minimum age for children to give their consent established by the legislation of the State in which they are located, as provided in article 8.1 of the GDPR.

Edvoice accepts no responsibility for any failure by the school center and/or teacher to comply with the obligations derivative of the GDPR, and/or any other current regulation in the part in which its activity corresponds and which is related to the execution of the contracted services or any other relationship it has with Edvoice.