Last updated: March 2026
This Privacy Policy explains how Etalia collects, uses, and protects your personal data when you use our services. If you have any questions, contact us at info@etalia.nl.
1. Who We Are
Etalia ("EtAlia", "we", "our", "us") is registered in the Netherlands (KvK: 89654722). We provide educational services that utilise AI-driven technology to deliver personalised feedback and enhance student learning experiences. We are committed to protecting your personal data in compliance with GDPR.
For GDPR purposes, we act as the Data Controller for the personal data we collect directly. Where Etalia is accessed via an institution's LMS (e.g. Canvas via LTI), we act as a Data Processor on behalf of that institution, governed by a Data Processing Agreement (DPA).
2. What Personal Data We Collect
We collect the following types of personal data:
- Emails, name & passwords
- Account information & settings
- Educational content you create and submit — questions, exams, answers, responses, feedback, assignments, etc.
2.1 Data You Provide to Us
- Account Information: Name, email, password.
- Account Settings: Preferences such as AI feature toggles, data usage consent, email contact permissions, and content management settings.
- User Content: Any data you submit or use to create content on the platform.
2.2 Data We Collect Automatically
- Usage Data: IP address, browser type, operating system.
- Cookies: Etalia uses only essential cookies for authentication and session management. See our Cookies Policy.
2.3 Data from Third Parties
- Basic profile information if you log in via SURFconext or Microsoft Entra ID (institution SSO).
- Data provided by a university or school, processed under our Data Processing Agreement (DPA).
- If you opt in, your academic submissions may be processed by Azure OpenAI — no personal data (name, email, etc.) is sent. Institutional hosting may vary.
If you access Etalia via Canvas or another LMS through LTI, we receive your LMS display name, email address, platform user ID, and course enrollment context. This data is used to identify you across LTI sessions and to sync grades back to your institution's LMS. In this context, Etalia acts as a data processor on behalf of your institution, governed by a Data Processing Agreement (DPA).
3. Why We Collect Your Data
Under GDPR, we must have a legal basis for processing your data:
| Purpose | Legal Basis |
|---|---|
| Providing & improving our services | Contractual necessity |
| Customer support & communication | Legitimate interest |
| Security & fraud prevention | Legitimate interest |
| Sending emails (optional) | Consent |
| AI processing via Azure OpenAI | Consent |
4. How We Use Your Data
- Create and manage your account
- Provide our educational services
- Send you important updates
- Analyze usage to improve our platform
- If opted in — process responses via Azure OpenAI or our own secure internal models
- If explicitly opted in to model improvement — use anonymised data to improve Etalia's own internal models only. This data is never shared with or used to train any third-party or external AI model. Opting out prevents future submissions from being used; earlier anonymised contributions are retained in anonymised form.
5. How We Share Your Data
If you opt in, Etalia may send academic submissions to Azure OpenAI for processing. No personally identifiable information is shared. All processing takes place within Etalia's secure Azure environment. You can opt out at any time in your account settings.
6. How We Protect Your Data
- Data encryption — AES-256, TLS 1.3
- Role-Based Access Control (RBAC)
- Regular security audits
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Payment data (via Stripe) | Not stored by Etalia |
| Logs & security data | 12 months |
| Azure OpenAI processed data | As necessary; deletable on request |
8. Your GDPR Rights
Right to Access
Request a copy of your data
Right to Rectification
Correct inaccurate data
Right to Erasure
Request deletion of your data
Right to Portability
Export in CSV/JSON format
Right to Object
Opt out of email communications
Right to Restriction
Restrict processing under certain conditions
Email us at info@etalia.nl with your request. We will respond within 30 days.
9. Third-Party Services
- Azure — Cloud Hosting
- Azure OpenAI — AI Processing (if opted in)
These providers are GDPR-compliant. If your data is transferred outside the EU/EEA, we ensure adequate protection via EU Standard Contractual Clauses (SCCs).
10. Cookies
Etalia uses only essential cookies for authentication, security, and sessions. See our Cookies Policy.
11. Data Breach Notification
- We notify affected users within 72 hours if the risk is high.
- We take immediate steps to secure data and prevent further breaches.
12. Policy Updates
We may update this policy periodically. We will notify you via email or app notifications if changes impact your rights.
13. Contact
For privacy-related questions or to exercise your GDPR rights: info@etalia.nl.