Log in

Privacy Policy - Data Processor Version

Last updated: March 31, 2025.

SchoolHub.ai is an AI-based service provided by Midgard AI AS. This privacy statement applies in cases where the end user has not entered into a direct customer relationship with us, but where we act as a data processor on behalf of a responsible third party – for example, a municipality, school, or organization (hereinafter “Customer”). The statement explains how Midgard AI AS (hereinafter “we”, “us”, or “Midgard AI”) processes personal data in the service SchoolHub.ai (hereinafter “The Service”), and how the responsibility is divided between us and the Customer.

For information on how we process personal data if you have registered and are using the Service as a private individual without a school, municipality, or other organization being the customer, see Privacy Policy – When Midgard AI is the Data Controller.

1. Details on Data Controller, Data Processor, and Processing Responsibility

1.1 The Customer

The customer is the data controller for personal data processed in the Service related to its users (for example, students, teachers, staff). This means that the customer determines the purpose of using the Service (e.g., educational purposes), and how personal data about the users should be processed.

1.2 Midgard AI AS

Midgard AI AS acts as a data processor for the Customer when processing personal data on behalf of the Customer, in accordance with the data processing agreement. For further details, please refer to the data processing agreement that has been entered into between Midgard AI AS and the Customer, where the specific instructions, security requirements, and allocation of responsibilities are more closely regulated.

This includes, among other things:

  1. Processing of text, audio, images, and other user content (for example, AI-generated images, chatbots) that users upload to the Service.
  2. Administration of user access for students/teachers (for example, Feide information, class affiliation).
  3. Storage of usage data related to the Customer's need for user support, security, availability, and possibly statistics about their own business.

Midgard AI AS is also the data controller for:

  1. Contact information for the customer's points of contact (e.g., for sales, billing, and contract administration).
  2. Technical logs or other data that we are legally or contractually obligated to retain in order to fulfill our own responsibilities as a provider (e.g., financial and accounting requirements).

2. Definitions

  • Personal Data: Any information that can be directly or indirectly linked to an individual.
  • Processing of personal data: Any use of personal data, including collection, recording, storage, compilation, disclosure, or deletion.
  • Data Controller: The entity that determines the purposes for which and the means by which personal data is processed.
  • Data Processor: The entity that processes personal data on behalf of the data controller.
  • Customer: Municipality/school/organization that has entered into an agreement with Midgard AI AS to use the Service. The customer is the data controller for student/employee data processed in the Service.
  • User: You who use the Service (for example, student, teacher, employee).

3. When Midgard AI acts as a data processor on behalf of the Customer

When users (such as students or teachers) log in to the Service or create, upload, or enter information into the Service, the following processing occurs where the Customer is the data controller, and we (Midgard AI) are the data processor.

3.1 Login and identity data (Feide, Google, Microsoft, etc.)

  • What is processed: Name, username, email address, organizational affiliation, classes/groups.
  • Purpose: Secure login, correct access, and differentiation of functionality (e.g., student or teacher).
  • Legal basis: The customer must assess this themselves, but typically GDPR Art. 6 (1) (e) or (f), based on educational purposes or legitimate interest.

3.2 Common conversation content (text, audio, files)

  • What is processed: Text messages, uploaded files, or voice function. We do not permanently store this content on our servers.
  • Microsoft Storage: Microsoft (Azure) as a subcontractor may cache content for up to 30 days to detect misuse (such as in log systems). We do not have access to these data after the conversation has ended, and neither we nor Microsoft use them for any other purposes.
  • Purpose: Provide the core functionality of the Service, maintain security, and prevent misuse.
  • Legal basis: The customer must assess this themselves, but typically GDPR Art. 6 (1) (e) or (f), based on educational purposes or legitimate interest.

3.3 Persistent user-generated content (chatbots, AI-generated images, etc.)

  • What is processed: If users create their own conversation bots ('chatbots'), upload files, or generate AI-based images, this content is stored with us and associated with the respective user.
  • Storage duration: Stored until the user deletes it themselves, or until 1 year after the last activity. After this, it will be deleted from our systems (but may be found in backups for up to 30 days). The customer can request a shorter storage period for certain types of data by agreement, if this is compatible with the technical and legal requirements of the service.
  • Purpose: To enable the user to preserve and manage self-created content (e.g., AI-generated images, custom chatbots).
  • Legal basis: The customer must assess this themselves, but typically GDPR Art. 6 (1) (e) or (f), based on educational purposes or legitimate interest.

3.4 Administration of Access Control

  • What is processed: Information about which classes/groups the users belong to, what rights/access they have, and who has administered these rights.
  • Purpose: To provide teachers or others with administrative rights the ability to control which features are available to a group of students.
  • Legal basis: The customer must assess this themselves, but typically GDPR Art. 6 (1) (e) or (f), based on educational purposes or legitimate interest.

3.5 Usage logs, system logs, and metadata (on behalf of the Customer)

We will need to maintain certain technical logs of traffic and events in the Service that are necessary to prevent and detect misuse and to ensure the Service's reliability, performance, and security on behalf of the Customer.

  • What is processed: Time and type of function used, IP address, user identifiers, user role (student/teacher), system events, and system information that are necessary for the purpose.
  • Purpose: Operation and troubleshooting, security (detect unusual activity), availability (detect operational issues and peak loads).
  • Legal basis: Determined by the Customer (typically GDPR Article 6(1)(f) for legitimate interest, or Article 6(1)(e) for public schools).

Important: We do not use personal data (e.g., student data, text, or files) to train AI models or for further development of the Service in violation of the guidelines set by the Ministry of Education.

Where possible, we anonymize or aggregate the data. Where anonymization or aggregation is not technically or practically feasible, the processing of personal data is always limited to the purpose for which the data was collected, and the information is deleted once the purpose is achieved, unless otherwise required by law.

4. When Midgard AI is the data controller

4.1 Contact information for the customer's representatives

When we enter into an agreement with a municipality or another organization, we process personal data about the relevant contact persons. This usually includes:

  • What is processed: Name, position, email address, phone number, billing address, and possibly personal identification number (for e-signature).
  • Purpose: Administration of customer relationships, follow-up, invoicing, signing of agreements, and operations.
  • Legal basis: GDPR Art. 6(1)(b) (necessary for the performance of a contract) and/or Art. 6(1)(f) (legitimate interest).

4.2 Compliance with Legal Requirements

  • What is processed: We store contracts, invoice documentation, and similar records in accordance with accounting and archiving regulations.
  • Purpose: To comply with legal and archival requirements, such as accounting rules related to invoicing and bookkeeping, as well as any archival law requirements applicable to our business.
  • Legal basis: GDPR Art. 6(1)(c) (legal obligation).

5. Overview of Our Sub-processors

To provide the Service, we use reputable subcontractors (data processors) where data is stored within the EU/EEA, in accordance with legal requirements and data processing agreements:

NameDescriptionRegion
Hetzner Online GmbHTechnical infrastructure.EU
Scaleway SASTechnical infrastructure.EU
MicrosoftTechnical infrastructure and Underlying artificial intelligence service (Azure OpenAI).EU
PosthogSystem and usage logs.EU
HubspotContract and customer management. Support.EU

6. Storage and Deletion

6.1 User-Generated Content (When We Are the Data Processor)

We store content solely on behalf of the Customer and in accordance with their instructions. Users can delete AI-generated images or chatbots themselves, and the deletion of content is reflected in our systems continuously, but may remain in backups for up to 30 days.

6.2 Contact Person Information (when we are the data controller)

Retained as long as the customer relationship lasts, and in accordance with accounting and archiving legislation.

6.3 Technical logs

If logs are kept for the Customer's purposes, they will be retained according to the Customer's instructions in the data processing agreement, unless there is a need to store them longer, such as in cases where there is a legal requirement or an ongoing case.

6.4 Anonymized Data

Data that is truly anonymized (with no possibility of re-identification) is not subject to GDPR by default, but we still limit the retention period in accordance with internal procedures.

7. Cookies

SchoolHub.ai uses the following cookies in the browser:

7.1 User's session ID

  • Purpose: Enable the Service to recognize the user so that login and conversation flow can be maintained.
  • Why necessary: Without this, the Service would not remember the user's state between page views (e.g., whether the user is logged in).

7.2 Cookies related to user preferences

  • Purpose: Used to remember if the user has closed the message about safe use of the service, so that the message does not reappear in the same session or on future visits.
  • Why necessary: Provides a better user experience by remembering active choices made by the user.

7.3 Cookies related to Posthog

Posthog is an analytics platform that allows us to collect usage data (such as technical errors that have occurred and the performance related to the pages or features being used) in a pseudonymized, anonymous, or aggregated manner.

  • Purpose: As described in section 3.5.
  • Why necessary: As described in section 3.5.

8. Security Measures

We use recognized security solutions to protect data from unauthorized access, alteration, or deletion. Measures include:

  • Encrypted transmission (HTTPS/TLS)
  • Strict access control (authorized personnel only)
  • Firewalls, intrusion detection
  • Regular security audits and routine tests

9. Your Rights

9.1 When the Customer is the Data Controller

If you are a student, teacher, or staff member using the Service on behalf of a school or other organization, it is the Customer who is primarily responsible for your personal data. If you wish to exercise rights (access, correction, deletion, etc.), please contact the Customer. We will assist the Customer as needed in accordance with the data processing agreement.

9.2 When Midgard AI is the Data Controller

If we process your information for our own purposes (e.g., you are the contact person for the Customer or have reached out to us directly), you have the following rights according to GDPR:

  • Right to withdraw your consent in accordance with Art. 7(3) GDPR
  • Right to access your data in accordance with Art. 15 GDPR
  • Right to rectification of your data in accordance with Art. 16 GDPR
  • Right to have your data erased in accordance with Art. 17 GDPR
  • Right to restrict processing of data pursuant to Art. 18 GDPR
  • Right to data portability in accordance with Art. 20 GDPR
  • Right to object to how your data is processed in accordance with Art. 21 GDPR
  • Right to lodge complaints with the supervisory authority pursuant to Art. 77 para. 1 of the GDPR

Inquiries can be directed to kontakt@skolebot.no.

10. Contact Information

Midgard AI AS

Business ID: 932739798

Email: contact@schoolhub.ai

If you have any questions about this privacy policy or our handling of personal data, please feel free to contact us.

11. Changes to the Privacy Policy

We may update this privacy policy as needed, for example, due to changes in legislation or the Service. The latest version will always be available on our website.