Privacy Policy

Last updated: April 3, 2026

1. Who We Are (Data Controller)

Edpire ("Company", "we", "our", "us") is the Data Controller for personal data collected through this website and platform. You can reach us at: privacy@edpire.com.

When Edpire processes data on behalf of a school, language center, or e-learning company (our customers), we act as a Data Processor under our customers' instructions. In that case, the customer is the Data Controller responsible for lawfully collecting and submitting learner data to our platform.

2. What Data We Collect

Category | Data | Who it applies to
Account data | Name, email address, profile image | All registered users
Authentication data | Hashed passwords, session tokens, email verification tokens | All registered users
Session data | IP address, browser user agent, session expiry | All registered users
Assessment results | Submission scores, learner answers, grading results, timestamps | Learners
Learner identifiers | External learner reference ID (learnerRef) provided by integrated platforms | Learners via API integrations
Billing data | Subscription status, billing plan (payment details handled by Lemon Squeezy) | Organization administrators
Contact form data | Name, email, message content | Visitors who contact us

3. Lawful Basis for Processing (GDPR Art. 6)

We process personal data only where we have a lawful basis to do so:

  • Contract (Art. 6(1)(b)): Processing your name and email to create and manage your account, deliver the service you signed up for, and send transactional emails (password reset, account invitations, billing notifications).
  • Legitimate interest (Art. 6(1)(f)): Storing session information (IP address, user agent) to detect abuse, prevent unauthorized access, and maintain security. Our legitimate interest in securing the platform outweighs the minimal privacy impact of this limited technical data.
  • Consent (Art. 6(1)(a)): Loading the Cal.com scheduling widget for demo booking — only after you accept marketing cookies via our cookie banner.
  • Legitimate interest (Art. 6(1)(f)): Processing learner submission data on behalf of our customers (schools, e-learning platforms) to deliver assessment results. Our customers are responsible for ensuring their own lawful basis for collecting learner data.

4. How We Use Your Data

  • To create and manage user accounts and organization workspaces.
  • To deliver assessment creation, administration, and grading services.
  • To send transactional emails (invitations, password resets, billing alerts).
  • To process payments via our billing provider (Lemon Squeezy).
  • To maintain session security and prevent unauthorized access.
  • To respond to contact form inquiries submitted via our website.
  • We do not sell your personal data to third parties.
  • We do not use your data for automated decision-making that produces legal effects.

5. Data Retention

Data | Retention Period
Session tokens | 30 days from creation (automatic expiry)
Account data (name, email) | Until account deletion or within 30 days of a deletion request
Assessment submissions and answers | Retained while the organization account is active; deleted on org deletion
Webhook delivery logs | 90 days (automatically purged)
Email verification tokens | 1 hour (automatic expiry)
Contact form submissions | Retained by Web3Forms per their privacy policy; we do not store copies

6. Sub-Processors (Third Parties)

We share personal data with the following sub-processors to operate the platform. Each has been evaluated for GDPR compliance:

Provider | Purpose | Location
Neon (Neon Inc.) | PostgreSQL database hosting — stores all platform data | United States (SCCs apply)
Vercel Inc. | Application hosting and deployment | United States (SCCs apply)
Cloudflare R2 | Object storage for uploaded files (logos, images) | EU/US (Cloudflare DPA available)
Resend | Transactional email delivery | United States (SCCs apply)
Lemon Squeezy | Payment processing and subscription billing | United States (SCCs apply)
Cal.com (cal.eu) | Demo scheduling widget — only loaded with your consent | EU
Web3Forms | Contact form submission delivery | United States

International transfers to the United States are covered by Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework where applicable.

7. Cookies

We use cookies to maintain your session and (with your consent) to load the Cal.com demo scheduling widget. For full details on cookies we use, their purpose, and how to manage your preferences, see our Cookie Policy.

8. Your Rights Under GDPR (Art. 15–22)

If you are located in the European Economic Area (EEA) or the UK, you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you. You can also download your data directly from your account settings.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your personal data. You can delete your account directly from your account settings, which permanently erases your data within 30 days.
  • Right to data portability (Art. 20): Download your data in a machine-readable format (JSON) from your account settings.
  • Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent for marketing cookies at any time using the cookie banner ("Manage Preferences").

To exercise any of these rights, email us at privacy@edpire.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (e.g., the CNIL in France, ICO in the UK).

9. Data Security

We implement the following technical and organizational measures to protect your data:

  • Passwords are hashed using bcrypt and never stored in plaintext.
  • API keys are hashed using SHA-256 and never stored in plaintext.
  • All data in transit is encrypted using TLS.
  • Database access is restricted to the application layer; no direct public access.
  • Assessment answer keys are never included in any client-facing API response.
  • Webhook payloads are signed using HMAC-SHA256 to prevent tampering.
  • Sessions expire automatically after 30 days.

In the event of a personal data breach, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33–34.

10. Data Processing Agreement (B2B)

If you are a business customer (school, language center, e-learning platform), you may request a Data Processing Agreement (DPA) to formalize our obligations as your Data Processor. View our standard DPA at edpire.com/data-processing-agreement or email privacy@edpire.com to sign a countersigned copy.

11. Changes to This Policy

We will post any changes to this policy on this page with an updated "Last updated" date. For material changes affecting your rights, we will notify you by email or a notice on the platform.

12. Contact & DPO

For any questions about this policy or to exercise your data rights, contact us at: privacy@edpire.com.
