(English) Security and Data Privacy

Under Regulation (EU) 2016/679 of the European Parliament and Council, dated 27 April 2016, (GDPR), relating to the protection of physical individuals concerning the processing and free movement of personal data and Organic law 3/2018, December 5, of personal data protection and the guarantee of digital rights (LOPDGDD):

Who is your data controller?

Responsible: DIDACTIC LABS S.L. (hereafter referred as Additio)
Tax identification code: B55240162
Address: 10 Bescanó, 17007 Girona (Spain)
Phone number: +34 972 18 32 14
Email: info@additioapp.com
Privacy manager contact: privacy@additioapp.com
Data protection delegate contact: dpd@additioapp.com

When a Center or an individual Teacher contracts licenses for our products, Additio will be responsible for the treatment of the data of the School Center representative and the contact persons designated by him, or of the referred teacher. On the other hand, regarding the data of the teachers, students or legal representatives of the students that are processed by the School Center or by the Teacher, through Additio, those responsible will be the School Center or the Teacher, since in Additio this data will be processed on behalf of the School Center or the Teacher, who has hired us.

Additio will also be responsible for the people’s data who contact us through our website or other communication channels to ask us questions, as well as the data of the people who have asked us to keep them informed about our activities, products or services.

For what purpose do we process your data?

We process the data that our costumers provide us to offer and manage our services and products of the education sector.

If you contact us through the contact form of our web page, we are going to treat your data to manage your enquiry.

If you give us your consent, we can also process your data to send information about our activities, products or services, but the customer has the right to oppose to the treatment of his/her data with promotional purpose at any time.

What is the legitimacy of processing your data?

The legal bases for processing the personal data of the designed contacts of a School or teacher that hires our services individually is based on the contractual relationship that we establish with them.

On the case of the people that contact us via our web page or have requested us to send them information of our activity, products or services, will be the consent of the requestor what will legalize the treatment of his/her data.

How do we collect your data?

Some personal data we process in Additio is provided by the individual at the moment of signing up for the application, but most of the collected data refer to the one that school centres and/or teachers process through Additio.

Which data is processed on Additio?

The categories of the processed data are the following:

1. Identification data
2. Identification keys or codes
3. Postal and email addresses
4. Academic information

● Data is limited, as we only process that needed for the effective use of Additio.
● Data specially protected is not processed, as it’s being minors’ data we are aware of the fact that it is sensitive data. Therefore, we put a particular emphasis on that data being processed with the required legal consent, as well as on applying the security measures needed to safeguard it.

The data requested for the sing up of Additio user is mandatory because without it the user can not have access to the service.

How long are we going to keep your data?

The personal data provided in the contracting of our services will be kept as long as the contractual relationship with our clients is maintained and during the periods established to comply with our legal obligations, which in the case of accounting and tax documentation for commercial purposes will be 6 years, per Article 30 of the Commercial Code, and for tax purposes will be 4 years, under articles 66 to 70 of the General Tax Law.

The data of those interested in receiving information about our activity, products or services will be kept as long as they inform us that they want to stop receiving promotional information.

The data of the students or the families of the students that we treat on behalf of the School Center or the Teacher who has hired us will be kept as long as the service contract is maintained.

As a security measure against data loss, when a registered user unsubscribes or decides not to renew their license, their data will remain in the Additio database for fifteen months, however, the user can request at any time that the data from your account contacted with info@additioapp.com is completely deleted.

What recipients is your data going to be transmitted to?

The data will not be communicated to third parties unless required by law or is necessary to fulfil the purpose of the treatment.

Regarding auxiliary services that we use, we inform you that Additio contracts its virtual infrastructure according to a « cloud computing » model. For this, we use the services of Hetzner Online GmbH, based in Germany, and its privacy policy is available at Data privacy. We also use the services of Amazon Web Services, having the data hosted in data centres located in the European Union. You can get more information at the following link: AWS. Finally, we also use the Firebase service contracted with Google Ireland Limited.

What rights are you entitled to when you provide us with your data?

• Anyone is entitled to obtain confirmation related to whether in Additio we are processing personal data that concerns them or not.
• The individuals concerned shall have the right to access to their data, as well as to request the rectification of any inexact data or the deletion of such when, among other reasons, that data is not needed anymore for the purpose it was collected.
• In certain circumstances, the individuals concerned might request the limitation of the processing of their data, in which case we will only keep it for the exercise or defence of claims.
• In certain circumstances and for reasons relating to their particular situation, the individuals concerned might be able to object to the processing of their data. Additio will then stop processing such data, except for compelling legitimate grounds or the exercise or defence of potential claims.
• The individuals concerned are entitled to the portability of their data.
• Finally, the individuals concerned can turn to the competent supervisory authority to assert any claim they deem appropriate.
  .

To exercise your rights, you can send your request to our physical or electronic address.

What security measures do we apply?

By article 32 of the RGPD, we have adopted the necessary security measures to guarantee a level of security appropriate to the risk of the data processing that we carry out, with mechanisms that allow us to guarantee the confidentiality, integrity, availability and permanent resilience of the systems. and treatment services. These measures include but are not limited to, those already mentioned so far, as well as:

• Information on data processing policies for staff.
• Making daily backups.
• Data access control.
• Regular verification, evaluation and valuation processes.

How do we process data on behalf of third parties?

As explained in the section dedicated to the Data Controller, the School Center or the individual Teacher who hires our services will be the Data Controller for the teachers, students and legal representatives of the students. / as they deal with through the Additio application, so in these cases, Additio will process this data on behalf of the School Center or the Teacher, who has hired us, doing so as the person in charge of the treatment, following the provisions of article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016 (RGPD). Therefore, in Additio:

1. We will process personal data only based on documented instructions from the Controller, including concerning transfers of personal data to a third country or an international organization unless we are obliged under Union or Member State law to which we are subject… In this case, we will inform the Responsible for this legal requirement before treatment, unless this right prohibits it for important reasons of public interest.
2. We guarantee that the persons authorized to process personal data have undertaken to respect its confidentiality or are subject to a confidentiality obligation of a statutory nature.
3. We apply the appropriate technical and organizational measures to guarantee the level of security appropriate to the risk of the treatments we carry out, following article 32 of the RGPD.
4. We will respect the conditions indicated in sections 2 and 4 of article 28 of the RGPD to resort to another person in charge of the treatment, so we will not subcontract any of the services that are part of the object of this contract that involve the processing of personal data, except those auxiliary services necessary for the normal operation of our services, as explained in the section of this privacy policy regarding the recipients of the data.
   If it were necessary to subcontract any other treatment, this would only be contracted with entities that give guarantees of compliance with the RGPD and this contracting will be communicated to the Responsible, indicating the treatments that are intended to be subcontracted and clearly and unequivocally identifying the subcontractor company and its data of Contact. The subcontracting may be carried out if the person in charge does not express his opposition within 10 days of that communication.
   
5. When the affected persons exercise their rights of access, rectification, deletion and opposition, limitation of treatment, portability of data and no longer be the subject of automated individualized decisions before Additio , taking into account our condition of the data controller, we will communicate it by email to the Responsible at the email address that he has indicated. The communication will be done immediately and in no case beyond the day after the business day on which we have received the request, together with other information that may be relevant to resolve the request.
6. f. We will help the Responsible to guarantee compliance with the obligations on data security established by articles 32 to 36 of the RGPD, taking into account the nature of the treatment and the information made available to us, therefore, in case of knowing If there has been any data security violation that constitutes a risk to people’s rights, we will notify the Responsible without delay together with all the relevant information for the documentation and communication of the incident. If available, the following information will be provided at least:
   • • Description of the nature of the violation of the security of personal data, including, when possible, the categories and the approximate number of affected interested parties and the categories and the approximate number of affected personal data records.
     • The name and contact details of the Data Protection Officer or other contact points where more information can be obtained.
     • Description of the possible consequences of the violation of the security of personal data.
     • Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, where appropriate, the measures adopted to mitigate the possible negative effects.

   If it is not possible to provide the information simultaneously, it will be provided gradually without undue delay.

7. At the choice of the Controller, we will delete or return all personal data once the provision of the treatment services has ended, and we will delete existing copies unless the conservation of personal data is required under Union or State law members.
8. We will make all the information necessary to demonstrate compliance with the obligations established in art. 28 of the RGPD, as well as to allow and contribute to the performance of audits, including inspections, by the Controller or another auditor authorized by this Controller.

As those in charge of the treatment, the type of data that we can process on behalf of the Controllers will be identifying data, data of personal characteristics and academic and professional data, of teachers, students and legal representatives of the students. Regarding the treatments that we can carry out, they will be those necessary for the operation of Additio, among which are, but not limited to, the collection, organization, structuring, storage, conservation, consultation, visualization and communication by transmission.

The School Center and / or the Teacher have the obligation to obtain the data that will be processed in Additio, observing the legal prescriptions established in the regulations regarding the protection of personal data, therefore Additio will not assume any responsibility for the breach, by the School Center and / or the Teacher, of the obligations derived from the RGPD, the LOPDGDD, or any other current regulations, in the part in which their activity corresponds and that is related to the execution of the contracted services or with any other relationship that it maintains with Additio.