Privacy Policy - AcademyOS

1. Introduction

AcademyOS ("we", "us", "our") is committed to protecting the privacy and personal data of our students, parents, teachers, and staff. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national legislation.

This platform (AcademyOS) is used to manage educational activities, student enrollment, attendance, grades, invoicing, and communication.

2. Data Controller

The data controller is AcademyOS. For any inquiries regarding your personal data, please contact us at: .

3. What Personal Data We Collect

Category	Data Types	Purpose
Identity Data	Full name, date of birth, gender, national ID (CNP)	Enrollment, legal identification
Contact Data	Email, phone number, address	Communication, notifications
Educational Data	Grades, attendance, homework, feedback	Academic tracking, reporting
Financial Data	Invoices, payments, IBAN	Billing, accounting
Health Data	Allergies, medical conditions, vaccinations (kindergarten only)	Child safety, medical emergencies
Photos / Media	Student photos, activity photos	Identification, daily reports
Technical Data	IP address, browser, login times	Security, audit trail

4. Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds (GDPR Art. 6):

Contract — Processing necessary for the performance of the enrollment/service contract.
Consent — Where you have given explicit consent (e.g., photo consent, AI assistant usage, marketing emails).
Legal obligation — Where processing is required by law (e.g., fiscal records, educational reporting).
Legitimate interest — Where processing is necessary for the legitimate interests of the institution (e.g., security monitoring, platform improvement).

Children's Data (GDPR Art. 8): For students under 16, we require verifiable parental consent before processing personal data.

5. Data Retention

We retain personal data only for as long as necessary:

Active student data: duration of enrollment + 2 years
Invoices and financial records: 7 years (fiscal obligation)
Contracts: 5 years after termination
Security logs: 60 days
Activity logs: configurable, default 180 days

6. Your Rights

Under GDPR, you have the following rights:

Right of Access (Art. 15) — Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16) — Request correction of inaccurate data.
Right to Erasure (Art. 17) — Request deletion of your data (subject to legal retention requirements).
Right to Restrict Processing (Art. 18) — Request limitation of data processing.
Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format.
Right to Object (Art. 21) — Object to processing based on legitimate interest.
Right to Withdraw Consent (Art. 7) — Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at: .

7. Third-Party Data Processors

We use the following third-party services that may process personal data on our behalf:

Service	Purpose	Location
Anthropic (Claude AI)	AI Assistant for school management	USA *
Stripe	Online payment processing	USA / EU *
Hetzner / AWS	Server hosting, data storage	EU (Germany / Ireland)

* Transfers to the USA are governed by Standard Contractual Clauses (SCC) and/or Data Processing Agreements (DPA).

8. Data Security Measures

We implement appropriate technical and organizational measures to protect your data:

HTTPS/TLS encryption for all data in transit
Encryption of sensitive fields at rest
Role-based access control (RBAC)
Two-factor authentication (2FA)
Automated security monitoring and intrusion detection
Regular automated backups
Comprehensive audit trail of all data access

9. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the national supervisory authority:

ANSPDCP — National Supervisory Authority for Personal Data Processing
Website: www.dataprotection.ro

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the platform. The date of the last update is indicated at the top of this page.