Privacy Policy
Last updated: October 13, 2025
At a glance
We will:
- Protect educational data and maintain Data Processing Agreements with all AI and infrastructure providers.
- Prohibit model training and data sharing for marketing.
- Limit data retention by providers to a maximum of 30 days for incident analysis only.
- Enable institutions to bring their own API keys and control provider routing and billing.
We will not:
- Sell or share student data for advertising.
- Target students directly.
- Store data longer than necessary.
Introduction
LearnLoop ("LearnLoop," "we," "us," or "our") is committed to protecting the privacy of educational institutions, educators, and students. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI-powered grading assistant platform ("Eval" or the "Service").
We recognize the sensitive nature of educational data and are committed to compliance with applicable data protection regulations including the General Data Protection Regulation (GDPR), the Family Educational Rights and Privacy Act (FERPA), and the EU AI Act.
We process educational data strictly under Data Processing Agreements with our AI and infrastructure providers, which guarantee no model training, no data sharing, and limited retention up to 30 days for incident analysis. LearnLoop acts as a data processor on behalf of the educational institution for assessment activities, and as a controller for account and service operations data.
1. Information We Collect
1.1 Educational Records and Student Work
When educators use Eval, we process:
- Student submissions (essays, reports, assignments) uploaded for evaluation
- Assessment rubrics and grading criteria
- Grades and feedback generated through the platform
- Chat messages and interactions with the AI assistant
Important: Student submissions may contain personally identifiable information, such as student names, as provided by educators or an LMS. LearnLoop does not independently collect or enrich personal data, and processes this content solely for assessment purposes on behalf of the institution.
1.2 Account Information
We collect:
- Institutional email address (required for registration)
- Password (encrypted and hashed using bcrypt with 10 salt rounds)
- Educational institution domain
- Account verification status
- Login timestamps and authentication history
1.3 Usage Data and Analytics
We automatically collect:
- Session identifiers (stored locally in browser)
- Page visits (landing page, upload page, dashboard)
- Feature usage (evaluation requests, chat interactions)
- LLM API call counts (for rate limiting and usage monitoring)
- IP addresses and user agent information
- Source attribution (how users discovered our service)
1.4 Technical Data
We collect technical information including:
- Browser type and version
- Device type and operating system
- Error logs and diagnostic data
- Performance metrics
1.5 Data Minimisation and Institutional Control
We rely on educators and integrated LMS platforms to determine what student information is shared. We apply data minimisation and only store what is required for assessment. Where feasible, data is pseudonymised within the platform, and access is limited to authorised institutional accounts.
2. How We Use Your Information
We use collected information for the following purposes:
2.1 Providing the Service
- Processing student submissions through AI models to generate grades and feedback
- Enabling communication between educators and our AI assistant
- Storing evaluation history and rubric configurations
- Supporting multi-modal assessment (text, images, PDFs)
2.2 Account Management
- Creating and maintaining user accounts
- Authenticating users and managing sessions
- Sending verification emails and security notifications
- Providing customer support
2.3 Service Improvement
- Analyzing usage patterns to improve platform functionality
- Monitoring system performance and reliability
- Detecting and preventing technical issues
- Understanding conversion rates and user engagement
2.4 Compliance and Security
- Enforcing usage limits and preventing abuse
- Maintaining audit trails for security purposes
- Complying with legal obligations
- Protecting against fraud and unauthorized access
We maintain Data Processing Agreements with all AI and infrastructure providers that prohibit model training and data sharing, and limit retention to a maximum of 30 days for incident analysis. Student data is never used for marketing or advertising. In the event of a personal data breach, LearnLoop will notify affected parties within 72 hours of becoming aware, consistent with GDPR and applicable state laws.
2.5 Legal Basis under GDPR
For assessment activities, LearnLoop acts as a processor on behalf of the institution, under contract as the legal basis. For account administration, security, auditing and product analytics, LearnLoop acts as controller based on contract and legitimate interests, limited to what is necessary to operate and secure the Service.
3. AI Processing and Data Processing Agreements
3.1 AI Model Providers
We use leading AI model providers to process educational content under DPAs that prohibit model training and data sharing, and limit retention to a maximum of 30 days for incident analysis. Depending on configuration, student submissions may be sent to one or more of:
- OpenAI — US or EU processing
- Azure OpenAI — EU or US processing
- Anthropic — US processing
- Google Gemini — EU or US processing
- OpenRouter — Global routing to configured upstream providers
Limited Retention: Providers may retain input and generated metadata for up to 30 days solely for abuse detection and incident analysis, after which data is deleted. Providers are contractually barred from using data for model training or marketing.
Institution Control: Enterprise customers may exclude specific providers or supply their own API keys, which gives the institution full control of routing and billing and allows them to enforce their own DPAs directly.
3.2 Infrastructure Providers
- Vercel - Application hosting (SOC 2 Type II certified, global edge network)
- MongoDB Atlas - Database hosting (EU regions available)
- GitHub - Code repository and version control (US)
For EU customers, all primary data storage and processing occurs within the European Union. An up-to-date list of subprocessors, including AI providers and infrastructure vendors, is available in our Trust Center.
3.3 AI Transparency Note
Our AI Transparency Note explains how prompts, submissions and model outputs are processed, retained for up to 30 days by providers for incident analysis, and deleted, and how institutions can configure provider choices or bring their own keys. See our Trust Center.
4. Data Location and International Transfers
LearnLoop is based in the Netherlands, and we store all primary data within the European Union:
- Application: Vercel Edge Network (global, with EU nodes)
- Database: MongoDB Atlas (configurable, EU regions available)
- File storage: Vercel Blob Storage (global infrastructure)
When student submissions are processed by AI providers located outside the EU, LearnLoop relies on Standard Contractual Clauses, DPAs that prohibit training and sharing, and a limited provider retention window of up to 30 days for incident analysis. We apply additional measures such as encryption in transit, access controls and data minimisation. No EU student data is permanently stored outside the EU.
5. Data Security
We implement industry-standard security measures:
5.1 Encryption
- Data at rest: AES-256 encryption (provided by MongoDB Atlas)
- Data in transit: TLS 1.2/1.3 (provided by hosting platform)
- Password storage: Bcrypt hashing with salt rounds
- Secure key storage via environment variables
5.2 Access Controls
- Email-based authentication with verification
- Institutional email requirement for registration
- Session management with secure HTTP-only cookies
- Advanced authentication features on roadmap (SSO, MFA)
5.3 Monitoring and Incident Response
- Error monitoring and automated alerting
- Activity logging for user interactions
- Incident response procedures
- Vulnerability reporting program: luc@learnloop.org
We commit to notifying affected parties within 72 hours of becoming aware of a personal data breach. Our incident response team operates 24/7 with a target initial response time under 4 hours.
5.4 Compliance
- SOC 2 Type I certification (in progress)
- GDPR alignment documentation
- FERPA compliance statement
- Regular security audits and assessments
Current audit status and reports are published in the Trust Center.
6. Data Retention
We retain different types of data for varying periods:
- Student submissions and evaluations: Retained while your account is active and for 90 days after account deletion, unless you request immediate deletion
- Account information: Retained while your account is active and for 30 days after account deletion to allow for account recovery
- Usage analytics: Aggregated and anonymized data may be retained indefinitely for statistical purposes
- Audit logs: Retained for 12 months for security and compliance purposes
- AI provider processing: Limited retention. AI providers may retain data for up to 30 days solely for abuse detection and incident analysis, after which automatic deletion occurs.
- Deletion triggers: Triggers for deletion include account closure, institution request, or expiry of the defined retention period. Institutions may request immediate deletion of all associated data by contacting luc@learnloop.org.
7. Your Rights Under GDPR and FERPA
7.1 GDPR Rights (EU Users)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time (where processing is based on consent)
7.2 FERPA Rights (US Educational Institutions)
LearnLoop acts as a "school official" with "legitimate educational interests" as defined by FERPA. We:
- Do not sell or share student educational records
- Restrict access to authorized educational personnel only
- Maintain strict confidentiality of student records
- Do not use student data for purposes outside the educational context
7.3 Exercising Your Rights
To exercise any of these rights, please contact us at luc@learnloop.org. We will respond to verified requests within 30 days.
We verify the identity and authority of the requester and may coordinate with the institution as controller before fulfilling a request related to student records.
8. Cookies and Tracking
We use the following types of cookies:
8.1 Essential Cookies
- Session cookie: Maintains your login state (HTTP-only, secure)
- User ID: Stored locally in browser for session management
8.2 Analytics Cookies
- Source tracking: Records how users discovered our service
- Usage tracking: Monitors feature usage and conversion rates
We do not use third-party advertising cookies or social media trackers. All analytics are processed internally.
We use only essential and first-party analytics cookies. Where required by law, we present a consent banner that allows you to manage non-essential cookies.
9. Children's Privacy
Eval is designed for use by educators in higher education settings. We do not knowingly collect personal information directly from students under 16 years of age. Student work is uploaded by educators, and we process this data solely on behalf of the educational institution.
If you believe we have inadvertently collected information from a child under 16, please contact us immediately at luc@learnloop.org.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify users of material changes by:
- Posting the updated policy on this page with a new "Last Updated" date
- Sending email notifications to registered users for significant changes
- Publishing updates in our Trust Center
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
LearnLoop
Data Protection Officer
Email: luc@learnloop.org
Address: Netherlands
EU Representative:
LearnLoop
Netherlands
Supervisory Authority:
Autoriteit Persoonsgegevens (Dutch DPA)
autoriteitpersoonsgegevens.nl