Dodona Learning Technologies BV - Privacy Policy

Last updated: 12 September 2025

IMPORTANT - PLEASE READ CAREFULLY. This privacy statement (the “Privacy Policy”) describes how Dodona Learning Technologies BV processes your personal data. This Privacy Policy concerns the personal data you provide us via our Services. We can change this Privacy Policy from time to time. Capitalized terms that are not otherwise defined in this Privacy Policy shall have the meaning given thereto in our Terms (which can be found here).

1. General

We distinguish between two types of Users: Institutional Users and Private Users. If you log on to the Platform using an account that belongs to an educational institution (including a school, college or university) (the “Institution”), you are an Institutional User. In every other case you are a Private User. Institutional Users that are studying at their respective Institution are referred to as “Students”. Institutional Users that are not studying at their respective Institution, such as faculty staff and administrative staff, are referred to as “Teachers”.

2. Who is the data controller, and how can you contact us?

a) Institutional Users

If you are an Institutional User, the data controller is the Institution to which you belong. We process any of your personal data that is provided to us via our Services on behalf of these Institutions. Any questions, comments or suggestions about the processing of your personal data should be addressed to the Institution to which you belong.

b) Private Users

If you are a Private User, the data controller is:

Dodona Learning Technologies BV
Ottergemsesteenweg-Zuid 808, box B226
9000 Ghent
Belgium

Any questions, comments or suggestions about the processing of your personal data can be addressed to the Dodona team at: [email protected].

3. What personal data is processed?

“Personal data” means information about an identified or identifiable person. The categories we process depend on how you use the Platform and whether you are an Institutional User (your Institution is controller; we are processor) or a Private User (we are controller).

3.1. Account and identity data (all users)

  • Identity & login data obtained via your chosen identity provider (e.g., Microsoft, Google, Smartschool, SAML): name, email address and (where provided) username/unique ID. We do not receive your password.
  • Profile & preferences: preferred language, time zone, Institution (when applicable).
  • Visibility: your name may be visible to teachers where the course setup requires it; teachers in a course can view participants enrolled in that course.

3.2. Course participation & content data (all users)

  • Courses & enrollments you join or are added to.
  • Exercises, submissions and results: your submitted code, submission timestamps, automated feedback and grading outcomes, and teacher feedback where applicable.
  • Progress data: completion state, attempts and scores/points awarded within a course.
  • Visibility: teachers for a course can view submissions and results for that course. Some teacher-only feedback artifacts may be hidden from students by design.

3.3. Device, log, and security data (all users)

  • Technical logs generated by our systems and security providers (e.g., IP address, timestamps, request identifiers, user-agent, error diagnostics).
  • Session data: cookies that keep you signed in and protect your session.
  • Retention: application/server logs are kept for 7 days for troubleshooting and security, then deleted.

3.4. Support and communications (all users)

  • Messages you send to our support team, including attachments and metadata (dates, times).
  • Your preferences for service announcements and operational emails.

3.5. Billing data (Private Users and self-pay scenarios only)

  • If you purchase a License directly from us: billing name, billing address, VAT/tax info, purchase history.
  • Payments are processed by Stripe; we do not store full card numbers. Stripe processes your payment data under its own privacy terms which can be found here.

3.6. Research and product improvement (all users)

  • We analyze Platform usage to improve pedagogy and features (e.g., recommending exercises, difficulty calibration). We use pseudonymization and, where possible, aggregation. We do not make decisions with legal or similarly significant effects based solely on automated processing.

We do not process special categories of personal data (“sensitive data”) that reveal race or ethnic origin, political views, religious or philosophical beliefs, or membership of a union, nor do we process genetic data, biometric data for the unique identification of persons, health data, or data relating to a person's sexual behavior or sexual orientation.

We do not knowingly allow Private Users under the age of 13 to create an account without verifiable parental or guardian consent. If we learn we collected personal data from a child under 13 without such consent, we will delete it promptly. If you believe that your child has provided us with personal data without your consent, please contact us immediately at [email protected]. For Institutional Users, your Institution is the controller and is responsible for ensuring a valid legal basis for Students' use of the Platform (including any necessary consents).

4. Purposes and legal bases for processing personal data

Institutional Users (we act as processor). Your Institution is the data controller. We process your personal data on the Institution's documented instructions under the agreement with the Institution to operate the Platform for educational purposes defined by the Institution. The Institution determines the lawful basis (e.g., public task or legitimate interests) and handles your privacy requests as controller.

Private Users (we act as controller). We process personal data for the following purposes and on the following legal bases:

  • Providing the Services (e.g., create and maintain your Account, enroll you in courses, store and grade submissions, provide support): performance of a contract.
  • Security, abuse prevention, service reliability and improvement (e.g., logs, anti-abuse, quality): legitimate interests.
  • Billing and tax compliance: legal obligation.
  • Optional communications or non-essential cookies: consent. You can withdraw consent at any time; this does not affect the lawfulness of processing before withdrawal.

Product analytics and research. We analyze pseudonymized and, where possible, aggregated Platform usage to improve pedagogy and features. We do not make decisions with legal or similarly significant effects based solely on automated processing.

5. Who has access to your personal data?

Only authorized Dodona administrators can access personal data, and only on a strict need-to-know basis for the purposes described in this Privacy Policy.

When we act as a processor for Institutions, your Institution is the data controller. We may engage sub-processors under a general authorization model as described in our agreement with Institutions. We maintain a current list of sub-processors here. Institution administrators may opt in to receive notifications of changes to this list by emailing us at [email protected]. We will send an e-mail to such registered administrators at least seven days before we add or replace a sub-processor; during this seven-day objection window an Institution may object on reasonable, documented privacy or security grounds. We will work with the Institution to disable the affected feature or, if that is not feasible, provide an appropriate remedy. To address urgent security, availability or continuity issues, we may onboard a sub-processor without prior notice and will inform subscribed Institutions promptly thereafter; the same seven-day objection right applies from the time of notice. We impose data-protection terms on sub-processors that provide at least the same level of protection required by this Privacy Policy, and we remain responsible for their performance.

When we act as controller, we rely on providers appropriate to deliver and secure the Service. Our current providers can be found here. Any material changes will also be reflected on that page. Private Users may request e-mail updates via [email protected].

We do not otherwise share personal data with third parties except where you have given prior consent or where access, use, preservation or disclosure is reasonably necessary, including to comply with law, to detect or prevent security incidents or abuse, or to protect the rights, property or safety of Dodona, our users or the public.

6. Location of data processing

We host the Platform and store account, course, and submission data in the European Economic Area (“EEA”) using Microsoft Azure data centers and servers located in the Sweden Central region.

To protect the Platform from abuse and ensure availability, we use Cloudflare (content delivery network, DDoS/WAF). Cloudflare may process network-level data (e.g., IP addresses, request headers, limited request content necessary for security features) in data centers outside the EEA. Cloudflare's privacy terms can be found here.

Where personal data is transferred outside the EEA, we use the European Commission's Standard Contractual Clauses (SCCs) and/or additional technical and organizational measures. We also minimize what Cloudflare can cache and process by (i) enforcing origin TLS (HTTPS end-to-end), (ii) avoiding caching of pages that contain personal data (e.g., using Cache-Control: private, no-store where appropriate), and (iii) limiting Cloudflare features to those strictly necessary for security and performance.

7. How long are your personal data processed?

We do not store your personal data any longer than necessary for the objectives for which we use your personal data (including to enable continuous monitoring of Users' progress throughout their learning process, provide improved User experiences, and detect and remedy technical issues). We shall automatically delete your personal data when your Account is terminated.

At the request of an Individual User, the processing of your data can be stopped if this is in accordance with the provisions in “What rights do you have with regard to the processing of your personal data?” For an Institutional User we will first coordinate your request with your Institution.

Log files are only stored by us for 7 days, after which they are automatically deleted. These log files are only consulted to detect and remedy technical issues.

8. Security of your personal data

We implement technical and organizational measures appropriate to risk, including encryption in transit and at rest, access controls and MFA, least privilege and periodic access reviews, logging and monitoring, regular patching and vulnerability management, backups and disaster recovery, and employee confidentiality undertakings. We maintain a written incident response plan. Where required by law, we notify the competent data protection authority within 72 hours of becoming aware of a personal data breach and, where applicable, affected users. Where we act as processor, we notify the controller without undue delay.

9. What rights do you have regarding the processing of your personal data?

Depending on your situation, you may have the right to access your personal data, rectify inaccuracies, erase data, restrict or object to processing, and receive your data in a portable format. Where we rely on consent, you may withdraw it at any time. We respond at the latest within one month of verifying your identity.

Institutional Users should contact their Institution first as controller; we will support them as processor. Private Users can contact us at [email protected].

If you believe that your requests have not been adequately handled, you can contact the Belgian Data Protection Authority:

Address: Drukpersstraat 35, 1000 Brussels
Telephone number: +32 (0)2 274 48 00
Website: https://www.dataprotectionauthority.be/
Complaint form: complaint
Email: [email protected]

10. Cookies

When you visit the Site, we use strictly necessary session cookies containing encrypted information to allow us to uniquely identify you. Each time you log into the Platform, a session cookie containing an encrypted, unique identifier that is tied to your account is placed in your browser. These session cookies allow us to uniquely identify you when you are logged into the Platform and to process your online transactions and requests. Session cookies exist only during one session. We do not use analytics or advertising cookies without consent.

11. Changes to the Privacy Policy

This Privacy Policy can be amended to continue to comply with applicable regulations. If this Privacy Policy is amended, this will be reported on the Site, with a reference to the amended privacy policy in the relevant news item. A reference to the most recent version of the privacy statement can always be found in the Site's footer.