Privacy Policy
Last Updated: January 14, 2026
1. Introduction
Welcome to Intelligrade. This Privacy Policy explains how Intelligrade / Kevin Peters ("we", "us", "our") collects, uses, discloses, and protects personal data when you use our online exam management platform (the "Service").
We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
Contact Information:
- Email: kevin@intelligrade.de
- Address: Kevin Peters, Heidehofring 10, 22850 Norderstedt, Germany
2. Who We Are & Our Role
2.1 Data Controller vs. Processor
Intelligrade operates in different roles depending on the type of data:
-
For Student Data (data about students provisioned by teachers/schools): The teacher or educational institution is the data controller, and we act as a data processor on their behalf. Our data processing is governed by our Data Processing Agreement (DPA).
-
For Teacher Account Data (registration, billing, usage analytics): We act as an independent data controller.
-
For Communication Data (support requests, newsletters): We act as an independent data controller.
3. What Data We Collect
3.1 Teacher Account Data
When teachers create an account, we collect:
- Account Information: Name, email address, password (hashed)
- School/Institution Information: School name, subject areas (optional)
- Subscription & Billing Data: Payment information (processed by Creem), subscription plan, billing history
- Usage Data: Login times, exams created, features used, IP addresses, browser type
3.2 Student Data (Processed on Behalf of Teachers)
Teachers provision student accounts. We process:
- Identification Data: Student names (or pseudonyms chosen by the teacher), class/classroom affiliation
- Authentication Data: Student passwords (hashed), parent passwords (hashed)
- Exam Data: Exam submissions, answers (multiple choice, free text, image annotations, etc.), timestamps
- Grading Data: Scores, grades, teacher comments, AI-assisted grading results
- Correction Data: Student comments or corrections submitted after grading
Important: For Student Data, the teacher/institution determines the purposes and means of processing. We process this data solely on their instructions as outlined in our DPA.
3.3 Parent/Guardian Data
Teachers may enable parent/guardian access:
- Authentication Data: Parent passwords (hashed)
- Access Logs: When parents view results, confirmation timestamps
3.4 Communication Data
When you contact us or subscribe to updates:
- Support Requests: Email address, name, message content, attachments
- Marketing Communications: Email address (if you opt in)
3.5 Technical & Server Log Data
We automatically collect server-side technical data:
- Server Log Data: IP addresses, browser type and version, device information, operating system, timestamps
- Cookies: Session cookies for authentication, preference cookies only
- Server-Side Usage Data: Aggregated statistics about feature usage and performance based solely on server-side data
Important: We do not use client-side tracking scripts, cross-site tracking, or third-party analytics services (e.g., Google Analytics, Facebook Pixel). All data collection is server-side only.
4. How We Use Your Data
4.1 Teacher Account Data
We use teacher data to:
- Provide the Service: Create and manage your account, authenticate access
- Process Payments: Handle subscription billing via our payment processor (Creem)
- Communicate: Send transactional emails (account notifications, exam status updates)
- Improve the Service: Analyze server-side usage patterns, develop new features, fix bugs. We use only server-side data we collect directly—no third-party analytics tools or cross-site tracking.
- Comply with Legal Obligations: Tax reporting, fraud prevention, legal requests
Legal Basis: Performance of contract (GDPR Art. 6(1)(b)), legitimate interests (GDPR Art. 6(1)(f)), legal obligation (GDPR Art. 6(1)(c))
4.2 Student Data
We process student data solely on behalf of and according to the instructions of the teacher/institution:
- Exam Administration: Display exams to students, collect submissions
- Auto-Grading: Apply automated grading rules (multiple choice, exact matches)
- AI-Assisted Grading: Analyze free-text responses using Mistral AI (Premium feature only)
- Results Delivery: Display graded exams to students and parents
- Data Retention: Store data for the duration specified by the teacher/institution
Legal Basis: The teacher/institution is responsible for establishing a lawful basis (typically consent from parents/guardians for minors, or legitimate educational interest).
4.3 Marketing (Optional)
With your explicit consent, we may:
- Send newsletters about product updates and educational resources
- Notify you about new features
You can withdraw consent at any time by clicking "unsubscribe" in any marketing email.
5. AI-Assisted Grading
5.1 How It Works
For Premium subscribers, we offer AI-assisted grading of free-text responses:
- Student answers are sent to Mistral AI (EU-based AI provider)
- Mistral AI analyzes the text and suggests grades/feedback
- Results are returned to teachers for review and final decision
5.2 Data Sent to AI Provider
- Text Content: The student's written answer and the question/rubric
- No Personally Identifiable Information: We anonymize/pseudonymize data where possible (no names sent to AI)
5.3 AI Provider Details
- Provider: Mistral AI (France, EU)
- Purpose: Text analysis and grading suggestions
- Data Protection: GDPR-compliant, servers in EU
- Retention: Mistral AI does not retain data after processing (per their terms)
5.4 Teacher Responsibility
Teachers must:
- Review all AI-generated grades before finalizing
- Understand that AI outputs may contain errors
- Make independent grading decisions
6. Who We Share Data With
6.1 Sub-processors (for Student Data)
When processing Student Data on behalf of teachers, we use these sub-processors:
| Sub-processor | Location | Purpose | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Hosting, database, infrastructure | ISO 27001 certified, EU-based |
| Mistral AI | France (EU) | AI-assisted grading | GDPR-compliant, EU-based |
| Brevo | France (EU) | Transactional emails | GDPR-compliant, EU-based |
6.2 Payment Processor (for Teacher Data)
- Creem (Armitage Labs OÜ): Estonia (EU) – Handles payment processing and acts as merchant of record for Premium subscriptions. Creem has its own privacy policy.
6.3 Other Disclosures
We may disclose data when:
- Legal Requirement: To comply with court orders, subpoenas, or legal obligations
- Safety & Security: To protect against fraud, abuse, or security threats
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to affected users)
6.4 No Sale of Data
We never sell personal data to third parties.
7. International Data Transfers
Our primary infrastructure is located in Germany (EU) via Hetzner. All sub-processors are EU-based, so data generally remains within the European Economic Area (EEA).
If we engage non-EU sub-processors in the future, we will:
- Use EU Standard Contractual Clauses (SCCs) or equivalent safeguards
- Notify controllers (teachers) in advance
- Update this policy and our DPA
8. Data Retention
8.1 Student Data
We retain Student Data as long as the teacher's account is active or as instructed by the teacher/institution.
Upon account deletion or teacher request:
- Data is deleted from active systems within 30 days
- Backups are overwritten in the ordinary course within 90 days
8.2 Teacher Account Data
We retain teacher account data for:
- Active Accounts: Duration of subscription plus 30 days after cancellation
- Billing Records: Up to 10 years for tax/legal compliance
- Marketing Consents: Until withdrawn
8.3 Communication Data
- Support Tickets: Retained for 3 years for quality assurance
- Marketing Emails: Until you unsubscribe
9. Your Rights (GDPR)
9.1 Rights for Teachers
If we are the controller of your data (e.g., teacher account data), you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Restriction: Limit how we process your data
- Data Portability: Receive your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: For marketing communications
9.2 Rights for Students/Parents
For Student Data, the teacher or school is the controller. To exercise rights regarding student data, contact your teacher or school directly.
We will assist teachers in responding to data subject requests as outlined in our DPA.
9.3 How to Exercise Rights
To exercise your rights, contact us at kevin@intelligrade.de. We will respond within 30 days (or as required by law).
9.4 Right to Complain
You have the right to lodge a complaint with your local data protection authority if you believe we have violated your rights.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption: TLS/SSL for data in transit, encryption at rest for sensitive data
- Authentication: Secure password hashing (Argon2/Bcrypt)
- Access Controls: Role-based access, principle of least privilege
- Infrastructure Security: ISO 27001-certified hosting provider (Hetzner)
- Regular Backups: Automated backups stored securely on Hetzner Object Storage
- Monitoring: Security logging and monitoring for suspicious activity
Despite these measures, no system is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any incidents.
10.1 Data Breach Notification
In the event of a personal data breach:
- We will notify affected teachers/schools without undue delay (within 72 hours where feasible)
- For Student Data, we will assist teachers in notifying data subjects as required by law
- We will document and investigate all breaches
11. Cookies & Tracking
11.1 Cookies We Use
- Essential Cookies: Required for authentication and core functionality (cannot be disabled)
- Preference Cookies: Remember your settings (language, theme)
We do not use analytics cookies or tracking cookies. All usage statistics are derived from server-side logs only.
11.2 Third-Party Tracking
We do not use any third-party tracking services, analytics tools (such as Google Analytics), advertising pixels, or cross-site tracking mechanisms. All data analysis is performed using our own server-side logs.
11.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may impair functionality.
12. Children's Privacy
12.1 Age Restrictions
Intelligrade is designed for use in educational settings under teacher/school supervision. We do not knowingly collect personal data directly from children.
12.2 Parental Consent
Teachers/schools are responsible for:
- Obtaining parental consent where required by law (e.g., for children under 16 in the EU)
- Providing privacy notices to students and parents
- Ensuring they have authority to provision student accounts
12.3 Parent Access
Parents can view their child's exam results using credentials provided by the teacher. To request deletion of student data, parents should contact the teacher/school directly.
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements.
Material changes will be communicated via:
- Email notification to registered teachers
- Prominent notice on our website
Continued use of the Service after changes take effect constitutes acceptance. We recommend reviewing this policy periodically.
14. Data Protection Officer
As a small organization, we are not currently required to appoint a Data Protection Officer (DPO). For all privacy inquiries, contact:
Email: kevin@intelligrade.de
15. Additional Information for EEA/UK/Swiss Users
15.1 Legal Bases for Processing
We process personal data based on:
- Contract Performance: To provide the Service you signed up for
- Legitimate Interests: To improve our Service, prevent fraud, ensure security
- Consent: For marketing communications (explicit opt-in)
- Legal Obligation: For tax, accounting, and legal compliance
15.2 Your Rights Under GDPR
All rights listed in Section 9 apply to users in the EEA, UK, and Switzerland.
15.3 Supervisory Authority
For EEA users, you can contact your national data protection authority. A list is available at: https://edpb.europa.eu/about-edpb/board/members_en
16. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: What personal information we collect and how we use it
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact kevin@intelligrade.de.
17. Contact Us
For questions about this Privacy Policy or our data practices:
Email: kevin@intelligrade.de Website: www.intelligrade.de
Related Documents:
By using Intelligrade, you acknowledge that you have read and understood this Privacy Policy.