eDoer

Privacy Policy

Official Notice: The German version of this document is the official document. This translation is provided for convenience only and is not official.

Effective Date: 02.06.2026

1. Controllers

Where eDoer acts as controller (see Section 4), the controller is:

Education4All GmbH
Angoulemeplatz 2
31134 Hildesheim, Germany
Email: [email protected]

For educational data processed on behalf of organizations, the respective organization is the controller.

2. Structure of Data Processing Roles

eDoer is operated as a multi-tenant learning platform.

Depending on the processing activity:

  • Educational data is processed on behalf of organizations (Art. 28 GDPR).
  • Certain technical, security-related, and analytics data is processed by eDoer as an independent controller.

3. Processing on Behalf of Organizations

Organizations using eDoer act as independent controllers for:

  • Learner registration and enrollment
  • Learning progress and assessment results
  • Certificates and grading
  • Educational communication
  • Course and content management
  • AI configuration and reference materials, including organization-related knowledge base files and, where enabled, learner background documents
  • Optional document-source integrations initiated by authorized users (where enabled)

eDoer processes this data only on documented instructions under Data Processing Agreements.

3.1. Categories of Data

  • Account data (name, email, role, organization)
  • Learning progress and assessment results
  • Submitted answers and uploaded files
  • Organization-related knowledge base files and associated reference materials (where enabled)
  • Learner background documents (where enabled)
  • Optional connection and import data for third-party document sources for authorized users (e.g. Roxtra username, encrypted credential material, imported files) (where enabled)
  • Certificates (name, grade, issue date)
  • Forum posts and attachments

3.2. Legal Basis

The legal basis for this processing is determined by the respective organization (typically Art. 6(1)(b) GDPR - contract).

4. Processing as Independent Controller

eDoer processes certain data as an independent controller for the following purposes:

4.1. Platform Security and Stability

  • System logs
  • Error reports
  • Access metadata (IP address, timestamp)
  • Fraud prevention

Legal basis: Art. 6(1)(f) GDPR - legitimate interest.

4.2. Behavioral Analytics (Consent-Based)

If users consent, eDoer collects usage behavior data on the platform to:

  • Improve product features
  • Analyze usability
  • Ensure performance and reliability

Legal basis: Art. 6(1)(a) GDPR - consent.
Consent may be withdrawn at any time.

Analytics processing:

  • is optional
  • does not impair educational functionality
  • is stopped without undue delay after withdrawal.

4.3. Consent Management

Consent records are stored to meet compliance requirements.
Legal basis: Art. 6(1)(c) GDPR - legal obligation.

5. AI-Based Processing and Optional Document-Source Integrations

Certain features may use AI services (e.g. large language models) to support:

  • Educational assistance
  • Creation of educational content and metadata
  • Retrieval and grounding based on organization-related knowledge base files and, where enabled, learner background documents

When AI features are enabled, data transmitted to AI services may include:

  • Educational content and learning path metadata
  • Knowledge base files specified by the organization
  • Learner background documents uploaded by users, where learner AI is enabled
  • User-submitted prompts and attachments

When AI processes organization-related educational data:

  • eDoer acts as processor
  • AI providers act as sub-processors under contractual safeguards
  • data is minimized and pseudonymized where possible
  • eDoer does not intentionally add unrelated learner performance data or platform account identifiers as separate AI input fields unless that information is contained in content, files, prompts, or attachments intentionally submitted for AI processing

AI providers are contractually prevented from using submitted data for their own purposes where enterprise agreements apply.

If recognized document-source integrations such as Roxtra are enabled by platform-level administration and the organization, eDoer may process the integration credentials of the connecting user to authenticate with the third-party provider, search documents, and import files selected by the user into eDoer. Imported files are then processed like other platform files on the organization's instructions.

6. Administrative Access

In limited cases, authorized eDoer employees may access organization data for:

  • Technical troubleshooting
  • Security investigations
  • Support requests

Such access:

  • is restricted to authorized personnel
  • is logged
  • is limited in time
  • requires a documented purpose
  • is subject to confidentiality obligations

7. International Data Transfers

Where third-party providers are located outside the European Union, transfers are based on:

  • Standard Contractual Clauses (SCCs), and
  • EU-US Data Privacy Framework

8. Retention Period

Educational data:

  • is stored in accordance with the organization's instructions
  • is deleted upon account or organization termination unless statutory retention obligations apply

Analytics data:

  • is stored only for as long as necessary for the stated purposes
  • is regularly deleted or anonymized

Security logs:

  • are retained for a limited period (e.g. 90 days)

Consent logs:

  • are retained for evidence and compliance purposes

Optional integration credentials:

  • are stored only as long as the integration remains connected or as required for security and troubleshooting
  • are deleted or overwritten after disconnection or replacement, subject to backup retention periods

9. Rights of Data Subjects

Users may exercise the following rights:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21)
  • Withdrawal of consent (Art. 7)

For educational data, requests should generally be addressed to the respective organization. For analytics or platform-related processing, requests may be addressed to eDoer.
Requests are handled within one month.

10. Security Measures

eDoer implements appropriate technical and organizational measures, including:

  • Encrypted transmission (TLS)
  • Password hashing
  • Encrypted storage of third-party integration credentials
  • Role-based access control
  • Organization-related data isolation
  • Logged administrative access
  • Security incident response procedures

11. Complaints

Users may lodge a complaint with the competent supervisory authority. In Germany, this is typically the data protection authority of the federal state of residence.

12. Updates to This Policy

This Privacy Policy may be updated to reflect legal or technical changes.