Your data, treated with respect.

Who we are

Class2Class ApS ("Class2Class", "we", "our", "us") operates the Class2Class.org platform. We are a Danish company. The data controller for personal data processed on the platform is:

For data processed by Class2Class on behalf of a partner school (controller–processor relationship for student data under a signed Data Processing Agreement), the school is the controller and Class2Class is the processor. See §9.

What this statement covers

This statement covers personal data processing for:

• The Class2Class web platform(s) (under the domain class2class.org) and any associated mobile experience, including subdomain web and mobile platforms.
• The Teacher Resources area, including the AI Literacy and Responsible Use guide.
• Customer-support communications via [email protected], [email protected], and the in-platform support chatbot.
• AI-assisted features described in §6.

It does not cover personal data processed by your own school's systems or by external sites we link to. Those are governed by their own privacy notices.

What personal data we collect

We aim to collect only what we need to run the platform. The categories below are exhaustive as of this statement date.

3.1 What you provide directly

We do not intentionally collect special categories of personal data (GDPR Art. 9) — health, religion, ethnicity, political opinions, sexual orientation, genetic data, biometric data for unique identification, trade-union membership. Where such information is incidentally shared in a project (for example, a student's reflection that mentions their religion or family background), it is handled with the same protections as other personal data and the teacher may remove it.

Photos and videos shared inside a project are educational content. They are not processed for biometric identification, not analysed by facial-recognition systems, and not used to uniquely identify any person. They are not biometric data within the meaning of GDPR Art. 9.

3.2 What we collect automatically

Why we use personal data, and the legal basis

Where the legal basis is consent, you can withdraw consent at any time. Where the legal basis is legitimate interest, you can object — see §11.

Visual retention schedule

We keep personal data only as long as we need it. Below is the consolidated retention schedule, derived from the Records of Processing Activities (ROPA) and the Data Processing Agreement with partner organisations.

Where Class2Class is the processor (for partner-school student data under a signed DPA), the retention period in the DPA governs. The retention windows above are the controller-side retention for data Class2Class controls directly.

AI features and how they handle your data

Class2Class operates AI features under the principle "You Decide. AI Helps." — humans remain the decision-makers; AI is assistive only.

6.1 The AI systems we use

We document the basis of these classifications in our standalone Article 6(3) AI Risk Classification Assessment v.1.0, available on request to supervisory authorities and partner schools.

6.2 Our commitments on AI

• No automated decisions about students. We do not use AI to make automated decisions about a student — not about grades, placements, or behaviour. Any decision that materially affects a student is taken by a human.
• No use of your data for AI training. We do not use your work, messages, images, or session recordings to train AI models — neither our own nor any third party's. This is contractually required of every AI sub-processor.
• AI identifies itself. Where you interact directly with an AI system on Class2Class — at present, the customer-support chatbot — the system identifies itself as AI before the conversation starts, in accordance with EU AI Act Article 50(1). The Project Creation Assistant and the Project Image Generation feature do not "interact directly" within the meaning of Article 50 — they are tools the teacher invokes and reviews; outputs reach the teacher as draft suggestions, not as conversation.
• Human oversight on flags. No content is removed, suspended, or escalated based on an AI flag alone — a human moderator reviews every flag.
• AI literacy for staff and teachers. Our staff complete annual training on AI literacy, the Ethical Guidelines, safeguarding, and reports handling. Teachers using AI features attest, when accepting our Terms & Conditions, that they will read and apply our public AI Literacy and Responsible Use guide before using AI features with students.

You can read the full AI Literacy and Responsible Use guide in our Teacher Resources.

6.3 If you do not want AI to process your data

The customer-support chatbot is one entry point to support — you can email [email protected] directly to reach human support without engaging the chatbot. The Project Creation Assistant (text generation and image generation for project covers) is activated only when a teacher chooses to invoke it on a draft project.

Children and minors — what we do differently

Class2Class welcomes students of all ages, including students under 13 with parental consent. Because most of our students are minors, child protection is built into the platform rather than added at the edges.

7.1 Minimum age and verification

The minimum age to use Class2Class is 13. Students under 13 may use the platform only where their teacher has obtained parental or guardian consent and has confirmed that consent in our platform consent flow. Teachers are responsible for verifying that the student is at least 13 (or for obtaining parental consent for students under 13). Adults may not use Class2Class as students.

7.2 Teacher gatekeeping

Students cannot register directly. Every student account is created and managed by a teacher. This gatekeeping model:

• Reduces the risk of a child sharing personal data with us without an adult in the loop
• Ensures every student on the platform is connected to a teacher who is responsible for them
• Allows teachers to delete inappropriate content immediately and to remove students from projects when needed

7.3 Under-13 and under-16 messaging restrictions

7.4 Parental consent for students under 13

For students under 13:

• The teacher attests, via the platform consent flow, that the parent or guardian has been informed about Class2Class, has understood what data the student will share and how the student will use the platform, and has agreed.
• This attestation is recorded with the teacher's identity, the student's identity, the version of the attestation text shown, and the timestamp — these records are retained for 5 years after the student's account closes (see §5).
• The recognised legal frameworks are the COPPA "school authorisation" model in the United States and GDPR Article 8 elsewhere (which permits the controller to make reasonable efforts to verify parental authority).
• Teachers must not confirm consent unless parents or guardians have actually been informed and have agreed.

If you are a parent or guardian and want to:

• Withdraw consent: write to [email protected]. We will block the student's access immediately. The student's project work and learning records are retained while consent is withdrawn (see §7.5). You can also ask your child's teacher to withdraw consent on the platform — they have features to do so.
• Have the student's account fully deleted: write to [email protected]. This is stronger than consent withdrawal — we will delete the account and the data, with the legally-required retention exceptions (see §5), and confirm in writing what has been deleted.
• Ask what data we hold about your child (access right): write to [email protected].
• Correct or update something: write to [email protected], or ask the student's teacher to update the record where they hold the relevant information.

We respond to parental data-rights requests within 30 calendar days as required by GDPR Article 12(3).

7.5 Withdrawal of consent and the block screen

When a parent or guardian withdraws consent, the student cannot navigate or use the platform — a block screen prevents access. The account itself is not deleted while the block is in place; the student's project work and learning records are retained, so that consent can be restored without loss of the educational record. The block remains in place until the teacher confirms in the consent flow that consent has been re-obtained.

7.6 Child-friendly summary

A short, plain-language summary of how we handle children's data — written for students aged 13–18 themselves — is published at class2class.org/privacy-for-students. We encourage teachers to introduce it in class.

International transfers — where your data goes

Class2Class is a Danish company. Our primary data storage is in the European Union (Xano EU). Some of our sub-processors are established outside the European Economic Area (EEA), so a portion of your personal data is transferred to the United States or other third countries to deliver specific services (analytics, the customer-support chatbot, marketing tools where you have given consent).

For each US-based sub-processor we rely on the European Commission's Standard Contractual Clauses (SCCs) supplemented by a Transfer Impact Assessment (TIA) that we maintain internally per the Schrems II judgment and EDPB Recommendations 01/2020. The TIA is reviewed annually and on every change to a sub-processor's data location or contractual terms.

Where a sub-processor is certified under the EU–U.S. Data Privacy Framework (DPF) — for example, Google LLC, which covers Google Analytics, Google Cloud / BigQuery, and Google's Gemini API — we additionally rely on the European Commission's Adequacy Decision (EU) 2023/1795 of 10 July 2023 as a primary transfer basis. SCCs are retained as a fallback mechanism; the TIA is still maintained.

The current sub-processors and their transfer mechanisms are listed in our public Sub-processor List. Highlights:

• Bubble (US — SCCs + TIA)
• Mixpanel (US — SCCs + TIA)
• Google Analytics (US — Google LLC DPF-certified + SCCs as fallback + TIA + IP anonymisation)
• Meta (US — SCCs + TIA, marketing only with consent)
• Chatbase (US — SCCs + TIA + contractual no-AI-training-on-user-data commitment)
• OpenAI (US — SCCs + TIA; standard API with no-training-by-default and 30-day retention for abuse monitoring; powers the Project Creation Assistant text generation, teacher-only)
• Google (Gemini API) (US — Google LLC DPF-certified + SCCs as fallback + TIA + contractual no-AI-training-on-user-data commitment; powers Project Image Generation, teacher-only)
• Anthropic (Claude AI) (US — SCCs + TIA + contractual no-AI-training-on-user-data commitment; staff-only internal analytics over the BigQuery data warehouse)

EU-based sub-processors (no transfer outside EEA): Xano (EU residency confirmed), Brevo, WordPress, Vercel (EU regions configured for the Project Creation Assistant frontend), Google Cloud — BigQuery (EU regions for the centralised data warehouse), Airbyte (EU deployment for the ETL pipelines that load BigQuery).

Sub-processors

We engage sub-processors to deliver parts of the platform — for example, the database, the email service, the customer-support chatbot. Every sub-processor:

• Has been reviewed before engagement and at least annually thereafter
• Is listed publicly at class2class.org/data-processing-agreement

We notify partners and schools at least 30 calendar days in advance of any addition, replacement, or material change to the sub-processor list, via the contact on file under their signed DPA. Partners and schools may object on reasonable data-protection grounds within 15 calendar days. Individual users (teachers, parents) who want to be notified of material changes can write to [email protected].

Cookies

Cookies and similar technologies are governed by our separate Cookie Policy. The Cookie Policy describes the four categories of cookies we use (Necessary, Functional, Statistical, Marketing), the cookies in each category, our consent banner, and how to change your preferences at any time.

We do not use cookie walls. You can use the essential platform features without consenting to non-essential cookies.

Your rights

Under the GDPR, you have the following rights in respect of your personal data. We honour all of them, with the limited exceptions described in the GDPR itself (for example, where a deletion request would conflict with our legal obligations).

We respond to data-rights requests within 30 calendar days of receipt (GDPR Art. 12(3)). Where a request is unusually complex, we may extend by up to 60 additional days, with written notice to you and the reason for the extension. There is no fee for these requests, except where the request is manifestly unfounded or excessive.

If your request relates to a child's data, see §7.4.

Security

We implement appropriate technical and organisational measures to protect your personal data, in line with GDPR Article 32. Highlights:

• Encryption in transit — TLS 1.2+ across all connections to the platform.
• Encryption at rest — provided by Xano in the EU storage layer.
• Password storage — passwords are stored using bcrypt, the modern adaptive hashing algorithm recommended by OWASP and NIST SP 800-63B. Hashing is performed in our backend layer (Xano).
• Role-based access control — Class2Class staff access to personal data is restricted by role and logged.
• Multi-factor authentication — required for administrative access to platform infrastructure.
• Sub-processor due diligence — every sub-processor has been reviewed and has a signed DPA.
• Regular security audits — annual security reviews, supplemented by ad-hoc reviews on incident or material change.
• Incident response — a documented Data Breach Response Procedure covers detection, classification, regulatory notification within 72 hours under GDPR Art. 33, and notification to affected individuals under Art. 34 where required.

We have completed a Data Protection Impact Assessment (DPIA) for the platform that identifies and mitigates 10 core risks, with overall residual risk assessed as Low to Moderate (acceptable). The DPIA is reviewed annually.

Changes to this statement

We may update this statement to reflect changes in our services, applicable law, or our compliance commitments.

Continued use of the platform after the notice period constitutes acceptance of the revised statement. If you do not agree, you can close your account during the notice period — see Terms & Conditions §9.5.

Accessibility

Our standalone Accessibility Statement describes our commitment to WCAG 2.1 Level AA and the European Accessibility Act.

If a feature of this Privacy & Accessibility statement (or any other document we publish) is not accessible to you in its current form, write to [email protected] (subject "Accessibility") and we will provide it in an alternative format.

Contact

The full reporting framework is described in the Ethical Guidelines §10 and in the Reports Handling and Whistleblower Procedure.

Related documents

• Terms & Conditions v.2.0
• Cookie Policy
• Sub-processor List
• Accessibility Statement
• Ethical Guidelines
• Code of Conduct
• Child-friendly Privacy Summary
• AI Literacy and Responsible Use guide

If any of these documents conflicts with this statement on a matter of substance, we apply the most protective interpretation for the data subject and resolve the conflict at the next document review. Tell us at [email protected] and we will fix it.