Privacy Policy

How EduGrade Handles Your Data

Last Updated: February 2026

Introduction

This Privacy Policy explains how EduGrade ("we", "us", or "our") collects, uses, and protects your personal information. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and Austrian data protection law (DSGVO).

Data Controller: Fabian Murauer, AvoCloud.net
Email: fabian.murauer@avocloud.net

GDPR Compliance Notice

EduGrade is designed with privacy in mind and complies with GDPR/DSGVO requirements. However, as a user entering student data, you act as a data controller and are responsible for:

  • Obtaining necessary consents from students/parents before entering their personal data
  • Informing data subjects about data processing activities
  • Ensuring compliance with your institution's data protection policies
  • Responding to data subject requests (access, rectification, deletion)

1 Data We Collect

Account Data (You provide this)

  • Email address: Used for account identification and login
  • Password hash: Stored securely using PBKDF2 with 200,000 iterations
  • Registration date: Timestamp of account creation

Student Data (You enter and control this)

  • Student names: Personal data you enter for grade tracking
  • Grades and assessments: Academic performance data you record
  • Class information: Class names, categories, and organizational data

⚠ You are responsible for this data under GDPR/DSGVO

Technical Data (Automatically collected)

  • Session tokens: Temporary authentication tokens (1-hour expiration)
  • Login timestamps: When you access your account
  • IP addresses: Stored temporarily in server logs for security purposes

2 How We Use Your Data

We process your data for the following purposes:

  1. Service Provision: To provide you with access to EduGrade's grade management features
  2. Authentication & Security: To verify your identity and protect your account from unauthorized access
  3. Data Storage: To store your grades, classes, and categories for your use
  4. Service Improvement: To maintain and improve the application (no analytics or tracking)

✓ We do NOT use your data for marketing, advertising, or any other purposes

3 Legal Basis for Processing

Under GDPR Article 6, we process your data based on:

  • Consent (Art. 6(1)(a)): You provide consent when registering for EduGrade
  • Contract Performance (Art. 6(1)(b)): Processing is necessary to provide the service
  • Legitimate Interest (Art. 6(1)(f)): Security measures and service improvement

4 Data Storage and Security

Where Your Data is Stored

All data is stored in encrypted JSON format on our server located at edugrade.avocloud.net. Data is stored in Austria and does not leave the EU.

End-to-End-like Encryption

Your data (classes, students, grades) is encrypted using AES-256-GCM with a key derived from your password. This means:

  • Only you can decrypt and read your data
  • Even server administrators cannot access your plaintext data
  • If the database is compromised, your data remains encrypted
  • Changing your password will re-encrypt all your data with a new key

Security Measures

  • Data Encryption: All user data is encrypted with AES-256-GCM using a key derived from your password
  • Password Security: PBKDF2 hashing with 200,000 iterations and 32-byte salt
  • Key Derivation: Encryption keys derived with PBKDF2 (100,000 iterations) - only you can decrypt your data
  • Session Security: 1-hour session expiration with secure, httpOnly cookies
  • Transport Security: HTTPS encryption for all data transmission
  • Application Security: CSRF protection, CSP headers, input validation
  • Access Control: Only you can access your data - even server admins cannot read your encrypted data
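
The scheme described under "End-to-End-like Encryption" and "Security Measures", sketched as an added example (this is not EduGrade's own code). The iteration counts, 32-byte salt and AES-256-GCM come from this page; the SHA-256 PRF, the separate key salt, the 12-byte nonce, the record layout and all function names are assumptions.

```javascript
// Added example: illustrative only, not EduGrade's implementation.
const crypto = require("crypto");

const HASH_ITER = 200000; // page: PBKDF2 iterations for the password hash
const KEY_ITER = 100000;  // page: PBKDF2 iterations for the encryption key
const DIGEST = "sha256";  // assumption: the page does not name the PRF

// The login verifier and the encryption key use separate salts, so the
// hash stored on the server is not the key and cannot decrypt anything.
function newAccount(password) {
  const hashSalt = crypto.randomBytes(32); // page: 32-byte salt
  const keySalt = crypto.randomBytes(32);  // assumption: same size for the key salt
  const pwHash = crypto.pbkdf2Sync(password, hashSalt, HASH_ITER, 32, DIGEST);
  return { hashSalt, keySalt, pwHash };
}

function deriveKey(password, account) {
  return crypto.pbkdf2Sync(password, account.keySalt, KEY_ITER, 32, DIGEST);
}

// AES-256-GCM with a fresh 96-bit nonce per record; the tag authenticates it.
function encrypt(key, obj) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(obj), "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if the key is wrong or the stored record was modified.
function decrypt(key, rec) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, rec.iv);
  d.setAuthTag(rec.tag);
  return JSON.parse(Buffer.concat([d.update(rec.ct), d.final()]).toString("utf8"));
}

// Password change: decrypt with the old key, re-encrypt under new salts and key.
function changePassword(oldPw, newPw, account, rec) {
  const data = decrypt(deriveKey(oldPw, account), rec);
  const next = newAccount(newPw);
  return { account: next, rec: encrypt(deriveKey(newPw, next), data) };
}
```

Because the key exists only while the password is available, a forgotten password leaves the stored records undecryptable in a design like this, which is why the export-based backup matters.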

Backup Responsibility

You are responsible for backing up your data regularly using the export functionality. We are not liable for data loss.

5 Data Retention

  • Active accounts: Data is retained as long as your account is active
  • Inactive accounts: May be deleted after 12 months of inactivity with prior notice
  • Deleted accounts: All data is permanently deleted immediately upon account deletion
  • Server logs: IP addresses and access logs are retained for up to 30 days for security purposes
  • Session tokens: Automatically expire after 1 hour and are cleaned up regularly

6 Data Sharing and Third Parties

Good News: We do NOT share, sell, or rent your personal data to third parties.

  • No analytics services (Google Analytics, etc.)
  • No advertising networks
  • No marketing companies
  • No data brokers
  • No social media tracking

Exception: We may disclose data if required by law or to protect our legal rights.

7 Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access (Art. 15):

Export your data anytime using the built-in export functionality

Right to Rectification (Art. 16):

Edit your data directly in the application at any time

Right to Erasure (Art. 17):

Delete your account and all data through the settings menu

Right to Data Portability (Art. 20):

Download your data in JSON format for use elsewhere

Right to Object (Art. 21):

Object to data processing by deleting your account

Right to Restriction (Art. 18):

Request processing restriction by contacting us

To exercise any of these rights, either use the built-in features or contact us at the address below.

8 Cookies and Tracking

EduGrade uses minimal cookies for essential functionality only:

Essential Cookies (Required)

  • session_token: Authentication cookie (expires after 1 hour)
  • These are necessary for the service to function

No Tracking Cookies

  • No analytics cookies
  • No advertising cookies
  • No social media cookies
  • No third-party tracking

9 Children's Privacy

EduGrade is intended for use by teachers and educational professionals who are 18 years or older. If you are under 18, you must have parental or guardian consent to use this service.

Teachers entering student data must ensure they have appropriate consent from parents/guardians for students under 16 (or the applicable age in your jurisdiction) in accordance with GDPR Article 8.

10 Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. We will notify you of significant changes through the application. Continued use after changes constitutes acceptance of the updated policy.

11 Contact & Data Protection Authority

Contact Us

For questions about this Privacy Policy or to exercise your rights:

Fabian Murauer
AvoCloud.net
Email: fabian.murauer@avocloud.net
GitHub: @rwolf2467

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien, Austria
Website: www.dsb.gv.at

Summary: Your Privacy Matters

  • We only collect data necessary to provide the service
  • We do NOT share, sell, or track your data
  • You have full control over your data (export, edit, delete)
  • Strong security measures protect your information
  • Full GDPR/DSGVO compliance
  • You are responsible for student data you enter