Privacy Policy
Last updated 20 June 2026. This page is information, not legal advice.
1. Who we are
Graidable is operated by Lukas Thrane (sole proprietorship), reg. no. 936 043 925, Vegamot 1N, 7049 Trondheim, Norway ("we"). For questions about privacy, contact [email protected]. We have not appointed a Data Protection Officer (not required for this business).
2. Our role
When an educational institution uses Graidable, the institution is the data controller and Graidable is the data processor, acting on the institution's documented instructions under a Data Processing Agreement (GDPR Art. 28). For visitors to our website and account holders, we act as controller for basic account and usage data.
3. What we process
- Account data: name, email, role, institution.
- Submission content: essays, code and handwritten answers uploaded for assessment, which may contain personal data.
- Assessment data: scores, draft grades and feedback.
- Technical data: logs, device/usage data for security and operation.
4. Purposes and legal basis
We process data to deliver the Service (assessment drafting, OCR, feedback), to secure and operate the platform, and to communicate with users. For processing on behalf of an institution, the legal basis is set by the institution (typically GDPR Art. 6(1)(e) or (f), or (a)). For our own account/usage data, the basis is contract performance and our legitimate interest in operating the Service.
5. AI processing and no training
Submission content is processed by AI to generate draft assessments. A human reviews and decides. We do not use customer or student content to train AI models, and we contractually require the same of our sub-processors.
6. Sub-processors
| Sub-processor | Function | Location (configured) | Safeguards |
|---|---|---|---|
| Railway | App hosting, database (Postgres), queue (Redis/RabbitMQ) | EU – EU West (Amsterdam) | DPA + SCC (Railway is a US company; data stored in the EU) |
| Amazon Web Services (S3) | File storage | EU – eu-west-1 (Ireland) | DPA, EU region, encryption |
| Amazon Textract | OCR | EU – eu-west-1 (Ireland) | DPA, EU region |
| LandingAI (ADE) | OCR / document analysis | EU (eu-west-1) or US – on demand | Zero Data Retention available in both regions; local/on-prem hosting for full data ownership (enterprise); SOC 2 Type II |
| LLM provider (via OpenRouter) | AI assessment | Configurable: EU / self-hosted / Norway-hosted | Zero retention, no training; SCC for any US transfer |
| Amazon SES | Transactional email | EU – eu-west-1 (Ireland) | DPA |
| Stripe | Billing | EU (Ireland) | Does not receive student content |
We keep an up-to-date list and notify the controller of material changes.
7. International transfers
Where agreed, the storage and OCR pipeline runs entirely within the EU/EEA. For any transfer outside the EEA (e.g. certain LLM providers), we rely on Standard Contractual Clauses or an adequacy mechanism.
8. Retention and deletion
We retain data for as long as the account and its classes are active — this is necessary for the purpose (assessment throughout the course). Data is deleted when you delete a submission, assignment, class or your entire account; deleting the account also removes the underlying files from storage (S3). For pilots, pilot data is deleted after the pilot ends. You or the controller may request deletion at any time.
9. Security
We apply encryption in transit and at rest, access controls, logging and EU-based hosting. We notify the controller without undue delay on becoming aware of a personal-data breach.
10. Your rights
Data subjects have rights of access, rectification, erasure, restriction, objection and portability under the GDPR. Where the institution is the controller, requests are directed to it; we assist the controller in fulfilling them. You may also complain to the Norwegian Data Protection Authority (Datatilsynet).
Cookies and analytics
The website uses strictly necessary cookies only for login, session and language. We currently use no marketing or tracking tools (such as Meta Pixel). If we introduce such analytics later, tracking cookies will be set only with your consent, which you can withdraw at any time. We use no tracking inside the assessment tool or on student submissions.
11. Changes and contact
We may update this policy; material changes will be notified. Contact: Lukas Thrane (Graidable), [email protected].