LearnLoop

Privacy Policy

Last updated: October 3, 2025

Introduction

LearnLoop B.V. ("LearnLoop," "we," "us," or "our") is committed to protecting the privacy of educational institutions, educators, and students. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI-powered grading assistant platform ("Eval" or the "Service").

We recognize the sensitive nature of educational data and are committed to compliance with applicable data protection regulations including the General Data Protection Regulation (GDPR), the Family Educational Rights and Privacy Act (FERPA), and the EU AI Act.

1. Information We Collect

1.1 Educational Records and Student Work

When educators use Eval, we process:

  • Student submissions (essays, reports, assignments) uploaded for evaluation
  • Assessment rubrics and grading criteria
  • Grades and feedback generated through the platform
  • Chat messages and interactions with the AI assistant

Important: Student submissions may contain personally identifiable information (PII) such as student names. We process this data solely for the purpose of providing grading assistance.

1.2 Account Information

We collect:

  • Institutional email address (required for registration)
  • Password (encrypted and hashed using bcrypt with 10 salt rounds)
  • Educational institution domain
  • Account verification status
  • Login timestamps and authentication history

1.3 Usage Data and Analytics

We automatically collect:

  • Session identifiers (stored locally in browser)
  • Page visits (landing page, upload page, dashboard)
  • Feature usage (evaluation requests, chat interactions)
  • LLM API call counts (for rate limiting and usage monitoring)
  • IP addresses and user agent information
  • Source attribution (how users discovered our service)

1.4 Technical Data

We collect technical information including:

  • Browser type and version
  • Device type and operating system
  • Error logs and diagnostic data
  • Performance metrics

2. How We Use Your Information

We use collected information for the following purposes:

2.1 Providing the Service

  • Processing student submissions through AI models to generate grades and feedback
  • Enabling communication between educators and our AI assistant
  • Storing evaluation history and rubric configurations
  • Supporting multi-modal assessment (text, images, PDFs)

2.2 Account Management

  • Creating and maintaining user accounts
  • Authenticating users and managing sessions
  • Sending verification emails and security notifications
  • Providing customer support

2.3 Service Improvement

  • Analyzing usage patterns to improve platform functionality
  • Monitoring system performance and reliability
  • Detecting and preventing technical issues
  • Understanding conversion rates and user engagement

2.4 Compliance and Security

  • Enforcing usage limits and preventing abuse
  • Maintaining audit trails for security purposes
  • Complying with legal obligations
  • Protecting against fraud and unauthorized access

3. AI Processing and Third-Party Services

3.1 AI Model Providers

We use industry-leading AI model providers to process educational content. Student submissions may be sent to one or more of the following providers:

  • OpenAI (GPT-4 and other models) - US/EU processing
  • Anthropic (Claude models) - US processing
  • Google (Gemini models) - US/EU processing
  • OpenRouter (Multi-model access) - US processing

Zero Data Retention Commitment

All our AI provider contracts include zero data retention clauses. Student submissions sent to these providers are not stored, logged, or used for model training purposes. Data is processed in real-time and immediately discarded after evaluation.

Institution Control

Enterprise customers can choose to use their own API keys for AI providers, giving complete control over data processing, routing, and provider selection. This allows institutions to enforce their own data processing agreements directly with AI providers.

3.2 Infrastructure Providers

  • Vercel - Application hosting (SOC 2 Type II certified, global edge network)
  • MongoDB Atlas - Database hosting (EU regions available)
  • GitHub - Code repository and version control (US)

For EU customers, all primary data storage and processing occurs within the European Union. A complete and up-to-date list of subprocessors is available in our Trust center.

4. Data Location and International Transfers

LearnLoop is based in the Netherlands, and we store all primary data within the European Union:

  • Application: Vercel Edge Network (global, with EU nodes)
  • Database: MongoDB Atlas (configurable, EU regions available)
  • File storage: Vercel Blob Storage (global infrastructure)

When student submissions are processed by AI providers located outside the EU (such as OpenAI or Anthropic in the US), we rely on Standard Contractual Clauses (SCCs) and ensure zero data retention to protect data during processing. No EU student data is permanently stored outside the EU.

5. Data Security

We implement industry-standard security measures:

5.1 Encryption

  • Data at rest: AES-256 encryption (provided by MongoDB Atlas)
  • Data in transit: TLS 1.2/1.3 (provided by hosting platform)
  • Password storage: Bcrypt hashing with salt rounds
  • Secure key storage via environment variables

5.2 Access Controls

  • Email-based authentication with verification
  • Institutional email requirement for registration
  • Session management with secure HTTP-only cookies
  • Advanced authentication features on roadmap (SSO, MFA)

5.3 Monitoring and Incident Response

  • Error monitoring and automated alerting
  • Activity logging for user interactions
  • Incident response procedures
  • Vulnerability reporting program: luc@learnloop.nl

5.4 Compliance

  • SOC 2 Type I certification (in progress)
  • GDPR alignment documentation
  • FERPA compliance statement
  • Regular security audits and assessments

6. Data Retention

We retain different types of data for varying periods:

  • Student submissions and evaluations: Retained while your account is active and for 90 days after account deletion, unless you request immediate deletion
  • Account information: Retained while your account is active and for 30 days after account deletion to allow for account recovery
  • Usage analytics: Aggregated and anonymized data may be retained indefinitely for statistical purposes
  • Audit logs: Retained for 12 months for security and compliance purposes
  • AI provider processing: Zero retention - data is not stored by AI providers

Institutions can request immediate deletion of all associated data by contacting us at luc@learnloop.nl.

7. Your Rights Under GDPR and FERPA

7.1 GDPR Rights (EU Users)

You have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time (where processing is based on consent)

7.2 FERPA Rights (US Educational Institutions)

LearnLoop acts as a "school official" with "legitimate educational interests" as defined by FERPA. We:

  • Do not sell or share student educational records
  • Restrict access to authorized educational personnel only
  • Maintain strict confidentiality of student records
  • Do not use student data for purposes outside the educational context

7.3 Exercising Your Rights

To exercise any of these rights, please contact us at luc@learnloop.nl. We will respond to verified requests within 30 days.

8. Cookies and Tracking

We use the following types of cookies:

8.1 Essential Cookies

  • Session cookie: Maintains your login state (HTTP-only, secure)
  • User ID: Stored locally in browser for session management

8.2 Analytics Cookies

  • Source tracking: Records how users discovered our service
  • Usage tracking: Monitors feature usage and conversion rates

We do not use third-party advertising cookies or social media trackers. All analytics are processed internally.

9. Children's Privacy

Eval is designed for use by educators in higher education settings. We do not knowingly collect personal information directly from students under 16 years of age. Student work is uploaded by educators, and we process this data solely on behalf of the educational institution.

If you believe we have inadvertently collected information from a child under 16, please contact us immediately at luc@learnloop.nl.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify users of material changes by:

  • Posting the updated policy on this page with a new "Last Updated" date
  • Sending email notifications to registered users for significant changes
  • Publishing updates in our Trust center

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

LearnLoop B.V.
Data Protection Officer
Email: luc@learnloop.nl
Address: Netherlands

EU Representative:
LearnLoop B.V.
Netherlands

Supervisory Authority:
Autoriteit Persoonsgegevens (Dutch DPA)
autoriteitpersoonsgegevens.nl

Additional Resources

Terms of Service

Trust center

Security FAQ