Privacy Policy

Edulyzer Ltd (hereinafter the ”Company”) is committed to following good privacy practices. The purpose of this document is to inform the user of this Application (hereinafter data subject) about the relevant privacy policies and practices. Personal data shall mean any information by which an individual can be identified.

Last updated: 02.10.2022

Company contact information:

Edulyzer Oy
Address: Mannerheiminaukio 1 / Spaces Postitalo, 00100 Helsinki, FINLAND
Telephone: +358 50 30 70 792

1. Data controller and processors

By offering the Edulyzer platform, we operate in the role of a data processor to an
organization or entity who uses our service for educational purposes. We advise you to
contact the applicable organization, if you have privacy-related questions regarding how they
use and handle personal data with the help of our Edulyzer Application.

The data controller is the party who is responsible for the handling of personal data. A processor, on the other hand, is the party who handles personal data on behalf of the controller based on a contract between the controller and the processor.

This privacy policy covers the applications where the Company receives and processes personal data and the handling of the received data, i.e. the following:

the web application

Personal data is not transferred to third parties. The Company does not use external data processors. Data is not transferred, processed or stored outside the EU/EEA area.

2. Categories of personal data and the legal basis for processing

Personal data will be processed in accordance with and in accordance with the provisions of the General EU Data Protection Regulation (hereinafter “GDPR”) and applicable national data protection law. Personal data will only be processed for the purposes mentioned below, and there is always a legal basis for such processing based on the data protection legislation mentioned above.

We collect, store and process personal data for predefined purposes. We also always make
sure that there is at least one legal basis for processing personal data. As a data processor,
our main purposes and the applicable legal basis for processing personal data are:

To provide our digital Edulyzer application
We collect and process personal data to provide our services and for fulfilling
contractual obligations. Edulyzer application can be used anonymously, however, a personal user account is required to be able to utilize personalized information provided by the Edulyzer application.
During the customer relationship, we also use personal data for handling complaints as well as for user support purposes.

The legal basis for this processing is a contract between Edulyzer and the Educational Organization, or preparations made for concluding a contract, as well as our legitimate interest.

Product and business development
We may also use anonymized data for developing our Edulyzer application as well as
developing our business relating to use of digital services platforms for learning and
educational purposes.
The legal basis for this processing is our legitimate interest.

Fulfilling legal obligations and other legal interests
We may use and process personal data also for fulfilling legal obligations (e.g.
bookkeeping, tax laws, companies act), responding to legal claims or preparing them,
fraud prevention and detection and also if required by a court or an authority.

The legal basis for this processing is fulfilling legal obligations, partly also our legitimate

The following categories of personal information will be processed in connection with the provision of the Edulyzer Application:​

School ID (most often via 3rd party system or API provided by Educational Organization)
information provided for the purpose of registering with the application (including name and email address, most often provided via 3rd party system or API provided by Educational Organization)
information about usage of Edulyzer Application;
if you prefer to login with your Facebook account (after registration), Edulyzer Application asks and uses your email address only
if you prefer to login with your Google account (after registration), Edulyzer Application asks and uses your Google basic profile only
standardized browser information, which includes internet protocol address, browser type and version, sites you visited (within Edulyzer Application), time, date, time used on each website, overall time used on website and other details and device information you are using to access the Edulyzer Application. These include device type, operating system, device identification information, device settings and location information. Our gathered information depends on device specific settings. We strongly advice you to check manufacturer’s and software provider policy.

3. Personal content

Edulyzer Application is a survey and content tool with authoring features to create surveys. This means that the Edulyzer Application can store data that users have created. It can be surveys, videos, texts, audios, images, pictures, tasks, stories that the teachers or pupils/students have created.

All the content created by pupil/student users is seen only by the homeroom teacher.

If a teacher user decides to share his/her survey into the Survey Library, he/she has
possibility to update or delete the survey in the user interface. If that survey is being used by another user (which the teacher must allow) and the teacher chooses to delete his/her
survey, the downloaded copies are not deleted.

4. Information security

The Company protects personal information related to the Company’s websites or services with reasonable, appropriate safeguards to prevent unintentional data leakage, unauthorized processing of personal information, and accidental or unauthorized destruction, use, alteration or disclosure of personal information. The company has implemented appropriate technical and organizational measures to secure personal information. The above measures, such as restricting the access of the Company’s personnel and processors to personal data and storing and processing personal data in encrypted form, have been decided taking into account the harmfulness and probability of possible data leaks, the sensitivity of processed personal data, the conditions under which they are stored and developments in security technology.

5. The data subject’s rights

The data subject under the GDPR has the following rights regarding personal data, as further explained in Articles 15-21 of the GDPR:

Right to access: the data subject has the right to request confirmation of the processing of his or her personal data in connection with the Company’s website or services and to have access to his or her data

Right to rectification: the data subject has the right to ask the data controller to correct their erroneous or incomplete personal data processed in connection with the Company’s website or services

Right to be forgotten: the data subject has the right to request that personal data concerning him or her be deleted if they are no longer needed for the purpose for which they were collected or processed, if the data subject opposes processing and there are no compelling legal grounds for processing, if personal data are processed unlawfully or if personal data are deleted in order to comply with a legal obligation

Right to restrict processing: the data subject has the right to request a restriction on the processing of personal data if the accuracy of the personal data is disputed, if the processing is illegal or the controller no longer needs such data, but the data subject has justified opposition to the deletion, or whether there is a legal basis for the processing

Right to object: the data subject has the right to object to the processing of his personal data insofar as the data is processed in connection with the Company’s website or services under Article 6 (1) (f) GDPR, in which case the controller must prove that there is a compelling legal basis for processing. processing of such personal data

Right to transfer: the data subject has the right to have personal data concerning him and the right to have the above data transferred to another controller in so far as the processing is based on Article 6 (1) (b) of the GDPR

In addition, the data subject always has the right to complain to the competent data protection authority about the processing of his or her personal data in connection with the Company’s website or services. The competent data protection authority in Finland is the Data Protection Commissioner:

6. Contact information for personal data matters

The Company strives to ensure that the personal information it processes is properly up-to-date, accurate and complete. If the data subject wishes to report inaccurate information, request the deletion of personal data relating to him or her or otherwise have questions, comments or other matters related to these security policies, or if the data subject wishes to complain about the processing of personal data of the Company or its customers, they can contact the Company at: In case of personal information processed by the Company on behalf of its customers, the data subject can contact the contact information provided by the customer (i.e., the data controller).

Upon contact, the data subject may be asked to provide proof of identity for data protection reasons.

7. Data retention period

We will not store personal data for a longer period than is necessary for its purpose or required by contract or law. The retention periods for personal data may vary based on its purpose and the situation as well as on the legal basis for processing personal data. The data may be deleted (1) when a person withdraws his/her consent or requests deletion of his/her data and we have no other grounds for processing personal data, (2) when a contractual relationship ends, (3) or when data becomes obsolete or is inaccurate. The retention period may also be based on laws (e.g. accounting, tax laws, employment contracts act, companies act). We may also update data from time to time.

8. Changes to the Privacy Policy

Changes to this Privacy Policy can be made from time to time by uploading an updated version of the document to the Company’s website, after which the updated version will apply. If material changes are made to the data protection policies, the Company will also endeavor to inform about them by other means, such as e-mail, notice in a service maintained by the Company or by notifying the website or social media pages within a reasonable time before the changes take effect.