Privacy Policy
1. Who we are and how to contact us
Graasp is developed and maintained by the Graasp Association and supported by the École Polytechnique Fédérale de Lausanne (EPFL), a public university of science and technology in Switzerland. Graasp complies with the privacy policies of EPFL, the Swiss Federal Act on Data Protection (FADP), and with the European GDPR.
You can contact Graasp at the following email address: contact@graasp.org
2. Responsibilities
2.1 User’s obligations
As user, you agree:
- that you bear all responsibility for the Uploaded Data (see Section 4.4) in Graasp. Graasp does not check users’ uploaded/created content for appropriateness, violations of privacy rights or Intellectual Property Rights. You are responsible for the content that you upload, because you are the data manager over your Uploaded Data;
- that you will comply at all times with relevant professional and business secrecy obligations if applicable;
- that Graasp only acts as a data manager regarding the storage and use of your Uploaded Data. Graasp only provides storage spaces and central processing units;
- that you are aware of the technical and organizational security measures implemented in Graasp;
- that you will promptly notify Graasp about:
- any legally binding request for disclosure of the Personal data by a law enforcement authority unless otherwise prohibited;
- any accidental or unauthorized access to proprietary, Personal or Uploaded Data, if technical assistance is required.
- to deal promptly and properly with all inquiries relating to the processing of the Personal Data as requested by applicable laws.
2.2 Obligations of Graasp
Graasp agrees and warrants to provide the services according to the Terms of Use. Graasp is acting as a data manager and warrants:
- that Graasp keeps detailed and updated records of all management activities carried out on the Personal and Uploaded Data;
- to guarantee the confidentiality of your Personal and Uploaded Data if they are configured as private;
- promptly comply with any request from users requiring Graasp to amend, transfer, delete, or otherwise dispose of the Personal and Uploaded Data, or to cease, mitigate, or remedy any authorized processing;
- that Graasp will not process Personal or Uploaded Data for Graasp‘s own commercial benefit or that of any third party;
- notify the users without undue delay of any suspected or actual data breach involving their Personal or Uploaded Data;
- to notify the user immediately if Graasp receives any complaint, request, or other communication concerning the processing of the Personal or Uploaded Data.
- to assist users with appropriate measures and by providing information for the fulfillment of your obligations under the applicable law.
3. How Graasp uses your Personal and Uploaded Data
3.1 Manage your account
Graasp processes your Account Data (see Section 4.1) for the purposes of operating the Graasp platform and software, providing the Graasp services, and communicating with you about Graasp. The legal basis for the Account Data processing is the contract between users and Graasp as stated in the Terms of Use.
3.2 Provide our services
Graasp processes your Meta-data (see Section 4.2) to provide the Graasp services. For instance, it is used to describe the source of the Personal and Uploaded Data, the lineage, and to display activities performed on the Personal and Uploaded Data. The legal basis for the Meta-data management is the contract between users and Graasp as stated in the Terms of Use.
3.3 Ensure the functionalities and understand the use of Graasp
Graasp processes Operational Data (see Section 4.3) for the purpose of analyzing the use of Graasp, but also to ensure the functionalities of Graasp and the comfort of use. The legal basis for the Operational Data processing is the contract between users and Graasp as stated in the Terms of Use.
3.4 Compliance with the law
Graasp may process Personal and Uploaded Data, in case of suspected or actual criminal or administrative proceedings led by competent authorities (see Section 4.4). The legal basis for this processing is necessary to carry out a legal obligation.
3.5 Research purposes
Graasp may collect and use your Personal and Upload Data for research purposes. Published scientific results only contain anonymized data.
4. Data collected
Graasp may collect all the following Personal data (referred to as the « Personal Data »).
4.1 Account Data
In order to manage the account of a user, Graasp needs to process the following Personal Data (« Account Data »):
- email address
- full name
- User ID
- password
- Other log information
- IP address
- timestamps of access to Graasp
- logs of consents
4.2 Meta-data
In order to provide Graasp services, the information that is collected from your activities in Graasp is required. For instance, collecting provenance of the data (where this data comes from, how it was created) and its lineage (who is using the data and how). Provenance information is not collected automatically without the user’s knowledge, its creation and subsequent collection is subject to a User’s deliberate action using Graasp.
4.3 Operational Data
In order to ensure the operational functioning of Graasp and to understand its use, Graasp needs to process the following Personal Data (« Operational Data »):
- User IP addresses
- User ID
- Telemetry data, i.e. system data, used to get a pulse of the system, how hardware resources are used, by whom and understand why things fail, so that the Graasp team can troubleshoot them, or provide user support
- Logs from the firewall service
- Other logs required to ensure the functionalities of Graasp
- The number and duration of your visits
- Information about what parts of Graasp you visited
4.4 Uploaded Data
You can create content (“Uploaded Data”) which may include Personal Data (e.g. educational data, digital documents, etc). You have the control over this data, as explained in the Terms of Use. As mentioned in the Terms of Use, users can decide to make public the Uploaded Data. In this case, other users may use your Uploaded Data for their own purpose, and Graasp cannot be liable for their further-use. Graasp hereby declines all responsibility for the further-use of your Uploaded Data by third-parties.
5. Cookies
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. When you access the Graasp platform, the installation of cookies on your devices is possible according to your settings, which will allow Graasp to recognize your browser, during the validity time of the cookies. The cookies that Graasp generates allows:
- to prepare statistics including frequency of access, the use and performances of websites;
- to store preferences and parameters (authentification)
- to enable you to access reserved or personal content on the Graasp platform
- to improve our communication and services.
Most web browsers automatically accept cookies but provide controls that allow you to block or delete them. Please refer to your browser’s privacy or help documentation to find instructions for blocking or deleting cookies. For examples: Edge, Safari, Chrome, Firefox
If you choose to refuse cookies, you may not have access to certain functionalities of Graasp, which we cannot be held responsible for. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies or similar technologies can be useful in many ways to make your visit in Graasp simpler, more pleasant and more pertinent. Various types of cookies are present in Graasp:
- Cookies that are strictly necessary, which are necessary for navigation, along with your authentication token after logging in, and to secure Graasp;
- Functionality cookies, which are collecting some of your surfing preferences such as language preferences;
- Graasp does not use advertising cookies
6. How Graasp retain your data
Graasp stores your Personal and Uploaded Data as long as your account exists. In order to fulfill our legal obligations or to fulfill our purpose described in Section 4.3, the Operational Data may be anonymized and/or may be kept for a longer period.
Your Personal Data is stored on secure servers at our Service Provider’s premises in continental Europe (Germany and Switzerland).
7. Data Sharing
Graasp is sharing your Personal Data with the following recipients exclusively:
- Authorized employees and Graasp managers
- Our Service Providers
8. Service Providers and Transfers
8.1 Amazon Web Services (Main service provider)
Graasp uses the services of AWS (Amazon Web Services). No international transfers are foreseen, but their privacy framework can be consulted here.
8.2 Other service providers
Graasp uses anonymised Google Analytics services and Google ReCaptcha services to secure and understand usage of the platform.
Anonymised data is also shared with Sentry.io for debugging and troubleshooting purposes in order to ensure a smooth and stable experience to our users.
Graasp may use the services of Google Fonts and other javascript libraries hosted on third-party servers. In those cases, only IP addresses would be communicated to those service providers.
8.3 Transfers
All your Personal and Uploaded Data is hosted by AWS, in Continental Europe (Germany and Switzerland). Copy of the data might be temporarily stored in the Graasp premises for quality insurance purposes.
9. Security
Graasp has put in place appropriate security measures pursuant to the acknowledged state of the art. Please note however that Graasp cannot guarantee an absolute security for your Personal and Uploaded Data, to the extent that the data retention and electronic transmission involves certain risks.
10. Your Rights
The user has a number of rights according to the data protection legislation. These rights can be limited in particular when they affect rights and freedom of others. Graasp will inform you of applicable exceptions in our answer to your potential request.
These rights include:
- right of access: You have the right to know what Personal Data Graasp hold about you and to ask, in writing, to see your Personal Data. You can directly have this information by contacting the data controllers: contact@graasp.org
- right to be informed: You have the right to be informed how your Personal and Uploaded Data will be used. This Privacy Policy as well as any additional information or notice that is provided to you either at the time you provided your details, or otherwise, is intended to provide you with this information.
- right to withdraw consent: Graasp processes your Personal Data and Uploaded Data on the basis of your consent; you can withdraw that consent at any time.
- right of erasure: In some cases, you have the right to have your Personal and Uploaded Data to be deleted.
- right of rectification: If you believe your Personal Data is inaccurate you have the right to ask for their update.
- right to file a complaint: If you are unhappy with the way in which Graasp have handled your Personal or Uploaded Data, you have the right to file a complaint with the Federal Data Protection and Information Commissioner (FDPIC) or with the supervisory authority of your country or residency.
Graasp reserve the right to refuse any abusive request or one which is contrary to applicable laws.
11. Changes to this Privacy Policy
We may revise this Privacy Policy from time to time. The most current version of the policy will govern our processing of your Personal and Uploaded Data and will always be at https://graasp.org/privacy. In case of modifications, they will be published on https://graasp.org/. If you disagree with any of the changes to the Privacy Policy, you must stop using Graasp and ask for the deletion of your account.
12. Final provisions
12.1 Applicable law and jurisdiction
Swiss material laws are applicable. The place of execution and of jurisdiction is in Valais.