Skolon Privacy Policy

1. Introduction

This privacy policy (this "Policy") describes how we, Skolon AB, Reg. No. 556958-4120 ("Skolon", "we", "us", "our"), with address Pirgatan 13, 374 35 Karlshamn, Process your Personal Data (both as defined below).

Skolon provides a platform that enables easy access to digital resources for students and teachers. The Skolon Platform also provides tools used by school and system administrators for managing and distributing licenses through the platform.

Skolon cares about privacy and protecting the Personal Data handled by us. All Personal Data is Processed in accordance with Applicable Law (as defined below). In this Policy we describe how, and the purposes for which, we use and Process your Personal Data as well as what lawful bases we use and what measures we take to protect your Personal Data. We also provide information on how you exercise the rights you have connected to our Processing of Personal Data.

This Policy provides information on how we handle Personal Data when you communicate with us, use our platform (available on app.skolon.com) and/or visit our website www.skolon.com (together named "Services").

The intended recipient(s) of the information provided in this Policy is:

Depending on the context of Personal Data you provide, Skolon may be the Controller or the Processor of your Personal Data under this Policy. Skolon is a Processor of Personal Data submitted to or collected through our Services on behalf of or at the direction of our customers. Skolon is a Controller of Personal Data which is collected for our own business purposes, such as marketing (including but not limited to our newsletter(s)), statistics, analytics, and similar.

This Policy may be amended from time to time as new legal requirements arise or new technical features are introduced. Before we make any major changes to the Policy, we will inform you in a timely and appropriate manner so you will be able to review the changes beforehand.

2. Definitions

"Applicable Law" refers to the legislation applicable to the processing of Personal Data, including the GDPR, supplementary national legislation, as well as practices, guidelines and recommendations issued by a national or EU supervisory authority.

"Controller" is the company/organisation that decides for what purposes and in what way Personal Data is to be processed and is responsible for the Processing of Personal Data in accordance with Applicable Law.

"Data Subject" is the living, natural person whose Personal Data is being Processed.

GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).

Policy” is defined in Section 1.

"Process" means any operations or set of operations which is performed on Personal Data, e.g. storage, modification, reading, handover or similar.

"Processor" is the company/organisation that processes Personal Data on behalf of the Controller and can therefore only process the Personal Data according to the instructions of the Controller and the Applicable Law.

Services” is defined in Section 1.

Skolon” is defined in Section 1.

Sub-Processor” shall have the meaning ascribed to it in the GDPR.

The definitions above shall apply in the Policy regardless of whether they are capitalised or not. Other terms, defined or not defined, shall have the meaning ascribed to them in the EU General Data Protection Regulation (GDPR).

3. Our Processing of Personal Data

We have a responsibility to describe and demonstrate how we fulfill the requirements that are imposed on us when we Process your Personal Data. This section aims to describe (i) the lawful bases for Processing your Personal Data, (ii) for how long we keep your Personal Data (storage), (iii) the type of Personal Data we collect, (iv) the methods used for collecting your Personal Data, and (v) the purposes for which we Process your Personal Data.

You are informed that Skolon may share or transfer your Personal Data to certain third parties (Processors or Sub-Processors), but never for other purposes than for which they were collected in the first place, and always in accordance with Skolon’s explicit instructions.

4. What are our lawful basis for Processing Personal Data?

We collect, use and share the Personal Data we have using the following legal bases.

Legitimate interest: Skolon may Process Personal Data if we have assessed that a legitimate interest overrides the interest of fundamental rights and freedoms of the Data Subject, and if the Processing is necessary for the purpose in question.

Performance of a contract: The Processing is necessary for the performance of a contract entered between us and the Data Subject.

Consent: Skolon may Process your Personal Data after you have given your consent to the Processing. Information regarding the Processing is always provided in connection to the request of consent. You may withdraw your consent at any time.

Legal obligation: Skolon will Process your Personal Data where we are required by laws and regulations to do so as a result of our business.

5. For how long do we store your Personal Data?

We will keep your Personal Data as long as it is necessary for the purpose(s) for which it was collected. Depending on the lawful basis on which the Processing is supported, this may (i) be regulated in a contract, (ii) be dependent on valid consent, (iii) be stated in legislation or (iv) follow by an internal assessment based on a legitimate interest assessment. We will automatically delete Personal Data if an automated sync contract is terminated or if it has been requested via our system or by e-mail.

6. The Personal Data we collect and Process

The types of Personal Data we collect depends on in what capacity you are using our Services. Skolon collects and Processes Personal Data on the behalf of our customers under a Data Processing Agreement (DPA). If you want a copy of the DPA that you are under, please consult your organizational administrator of the Skolon platform.

Generally we collect Personal Data through an automated synchronisation with the school administration system or a similar database. Note that we do not always collect and/or Process all of the Personal Data described below. We also collect your Personal Data when you register for one of our events or webinars.

The Personal Data we may collect include:

Contact information: Your name(s), e-mail address, residential address, personal identification number, telephone number and information regarding the organisation you represent as well as any agreements you have entered into with us on your or your organisation’s behalf.

User account information:  Username, password, photo (profile picture).

Usage data: How you set up your access rights, who has license to which educational tools, share your results and judgements to services set up by you.

Browser information: What type and version of browser, website from which you have been referred, pages you use on our website, your IP-address and a rough location estimate based on your IP-address, information about your web activity on our site or your interaction in e-mails we send to you, information on your use of our Services.

Calendar and event information: If you interact with a third-party service (such as G Suite or Microsoft Teams) when using our Services, the applicable third-party service will give us access to your calendar and events. We only store and Process information for events if it was created by our Services, in order to present this information to invited users. We also process calendar information to determine what types of video conferences are available.

Document information: If you interact with a third-party service (such as G Suite or Microsoft Teams) when using our Services, the applicable third-party service will give us access to your files. We only interact with files provided to our Services by the end user. Our Services interact with provided files by sharing and copying files to a Service Account. Files copied by our Service Account will be made available to other end users for export to Classroom or Teams. When exported, the files will be copied onto the end users account.

7. How do we collect your Personal Data?

We collect Personal Data directly from you, as well as automatically through your use of our Services and, in some cases, from third parties. Below is a list describing how we collect Personal Data.

Information that you give us: The information we collect directly from you is typically user contact details and user account information shared by you in connection with registering an account (and profile), and other information you may share with us when using our Services. This information also includes the personal data provided to Skolon by the Controller through integrations such as user roles, classes and teaching groups as well school, class and course placements for users.

Information collected automatically: When you use or interact with our Services, we receive and store information generated by your activity, like usage data and other information automatically collected from your browser or mobile device. This information may include information on what type and version of browser you are using, websites from which you have been referred, pages you use on our website, your IP address and a rough location estimate based on your IP address, information about your web activity on our site or your interaction with e-mails we send to you, and information about your use of our Services.

In most cases, this information is generated by various tracking technologies, which may include "cookies" and/or "web beacons". You can read about how we use cookies and other tracking technologies in our Cookie Policy (info.skolon.com/cookie-policy/) and also about the choices you can make to limit their use.

8. Processing purposes

#1 - Enable access to the Services

Purpose: Register a user account and profile to enable the user to access the Services.

Personal Data: Name, e-mail address, password, address (optional), phone number (optional), profile picture (optional).

Source: Directly from the Data Subject or from the school/organisation to which the Data Subject belongs.

Lawful basis: The legitimate interest of providing the Services.

Storage period: As long as the Data Subject holds an account on our platform.

#2 - Increase security and prevent abuse

Purpose: Verify user login credentials to increase security and prevent abuse.

Personal Data: Name, e-mail address.

Source: Directly from the Data Subject or a representative representing the Data Subject.

Lawful basis: The legitimate interest of verifying the user identity to increase security and prevent abuse.

Storage period: As long as the Data Subject holds an account on our platform.

#3 - Provide our Services

Purpose: Live up to the agreements agreed upon purchase for each customer

Personal Data: The personal data processed when using Skolon is determined by the customer when installing the Skolon environment. The personal data processed required to access the service are Name, Email, and roster information regarding class and groups. In some cases the customer may choose to let Skolon process profile pictures, birthdates and social security numbers.

Source: Each customer's Student information system or other sources provided by the customer.

Lawful basis: The legitimate interest of providing the Service.

Storage period: As long as the Data Subject holds an account on our platform.

#4 - Support and communication

Purpose: Communicate in order to efficiently help our customers with any problems and provide relevant information regarding the Service.

Personal Data: Name, e-mail address, phone number, organisation.

Source:  Directly from the Data Subject or a representative representing the Data Subject.

Lawful basis: The legitimate interest of providing the Service.

Storage period: As long as the Data Subject has an account on our Services, or when the user requests to withdraw consent.

#5 - Conducting business

Purpose: Activities to increase awareness of the Service for sales purposes.

Personal Data: Name, e-mail address, phone number.

Source: Directly from the Data Subject and sourcing.

Lawful basis: The legitimate interest of conducting business and networking.

Storage period: 2 years or until the Data Subject unsubscribes.

9. Your rights under the GDPR

You are the one in control of your Personal Data and we always strive to ensure that you can exercise your rights as efficiently and smoothly as possible.

Access: You always have the right to receive information about the Processing of Personal Data that concerns you. We only provide information if we have been able to fully verify that it is you that are requesting the information.

Rectification: If you find that the Personal Data we process about you is incorrect, you have the right to have it rectified.

Erasure: You have the right to be forgotten and request deletion of your Personal Data when the Processing is no longer necessary for the purpose for which it was collected.

Objections: If you disagree with any of our assessments, such as that a legitimate interest for Processing your Personal Data overrides your interest in protecting your privacy, you have the right to object and demand we review our assessment. When making the new assessment, we add your objection to the balance when considering whether Processing your Personal Data can still be justified. If you object to direct marketing, we will immediately delete your Personal Data without making an assessment.

Restriction: You can also ask us to restrict our Processing of your Personal Data (i) while we are processing a request from you for any of your other rights, (ii) if, instead of requesting erasure, you want us to limit the Processing of Personal Data for a specific purpose, such as if you do not want us to send advertising to you in the future, for which we would still need to save your name in order to know that we should not contact you in the future, or (iii) in cases where we no longer need the information in relation to the purpose for which it was collected, provided that you do not have an interest in retaining it to make a legal claim.

Data portability: We may provide you with the data you have submitted to us or that we have received from you in any other way. You will receive your information in a commonly used and machine-readable format that you can transfer to another personal data manager.

Withdraw consent: If you have given consent to one or several specific Processing(s) of your Personal Data, you have the right to withdraw your consent at any time and ask us to terminate the Processing immediately. Please note that you can only withdraw your consent for future processing of Personal Data and not for Processing that has already taken place.

How to exercise your rights

Send us an e-mail at privacy@skolon.eu and tell us what right(s) you wish to exercise, and we will make sure you can exercise them.

10. Transfers of personal data

In order to provide our platform and run our business, we may need help from others who will Process Personal Data on our behalf. Our Processors does not transfer Personal Data outside the EU/EEA.

We have entered into Data Processing Agreements (DPAs) with all our Sub-Processors. The DPAs set out, among other things, how the Sub-Processor may process the Personal Data and what security measures are required for the Processing.

We may also need to disclose your Personal Data to certain designated authorities in order to fulfill obligations under Applicable Law or legally binding judgments.

11. Our sub-processors

Processor: GleSys AB.

Personal data being processed: All the data provided to us by you, and some of the data collected by us (contact details, user account details, financial information, passport details, browser information).

Details: Our servers are hosted with GleSys at their premises in Sweden and/or Finland. All Personal Data collected by us are stored on their services.

Processor: Ungapped AB

Personal data being processed: Some of the user data provided to us by you (contact details, user account details, browser information)

Details: Ungapped’s services are used by us for user support and communication.

12. Security measures

Skolon has employed technical and organisational measures to ensure that your Personal Data is processed securely and protected from loss, abuse and unauthorised access.

Organisational security measures: We have multiple routines and policies documented for the following areas:

Technical security measures: Measures implemented through technical solutions, such as:

13. Cookies

Skolon uses cookies and similar tracking technologies to analyse the use of our Services so that we can improve them and give you a superior user experience. For more information on how we use cookies, please see our Cookie Policy at info.skolon.com/cookie-policy/.

14. Complaints to a supervisory authority

If you think that we are not Processing your Personal Data correctly, even after you have notified us of this, you are always entitled to submit your complaint to the Swedish Data Protection Authority.

More information about our obligations and your rights can be found at www.imy.se.

You may contact the authority via e-mail at: imy@imy.se.

15. Changes to this policy

We reserve the right to make changes to this Policy. In the event that the change affects our obligations or your rights, we will inform you about the changes in a timely and appropriate manner so that you are able to review the changes beforehand.

16. Contact

Please contact us if you have any questions about your rights or if you have any other questions about how we process your Personal Data at privacy@skolon.eu.