Privacy Statement

Privacy policy

Last updated: 26th of November 2021

1. Introduction
   Dugga AB (”Dugga”, ”we”, ”our”, “us”) is a software company which has developed a web based application for knowledge assessment and to conduct exams, tests and assignments in classroom and remotely called the Dugga Learning Assessment (the “Service”). We at Dugga know that our users (“you”, “your”) care about how personal information (“Personal Data”) is used and shared, and we take your privacy seriously. Therefore, we will be transparent with you about the type of Personal Data we collect and how we use that Personal Data. Dugga has taken appropriate measures to ensure that we follow EU/GDPR data protection laws and regulations. We also continuously develop our work with data privacy to ensure that we always are in line with any legal requirements concerning the processing of Personal Data.

This policy (“Privacy Policy”) outlines: (i) general information on responsibility for processing of Personal Data and the allocation of roles as controller/processor for processing of Personal Data within the Service, (ii) processing of Personal Data within the Service and Dugga’s role as processor for such processing, (iii) processing of Personal Data that Dugga is the controller for, including which types of Personal Data we collect, why and how we use that Personal Data, how long we store it, and our legal basis for doing so; (iv) with whom we share Personal Data; and (v) what your rights are.

2. Responsibility for processing of Personal Data
   A party that processes Personal Data is either a controller of Personal Data or a processor of Personal Data. The controller is the party that determines the purposes and means of the processing of Personal Data while the processor is the party that processes Personal Data on behalf of a controller. The person whose Personal Data is being processed is referred to as a data subject.

It is the controller that has the overall responsibility for ensuring that the processing of Personal Data is carried out in accordance with applicable data protection legislation, while the actual handling of the Personal Data may be performed by processors of Personal Data on behalf of the controller.

It is possible to be the controller of certain processing activities while at the same time being the processor in relation to other processing activities. When Personal Data is processed within our operations, we are the controller for the processing (see section 4 below), while we are the processor when we act at the request of a school or other educational institution (“School”) and process Personal Data in the Service since, in this case, it is the School which decides on the processing we perform on their behalf in the system (see section 3 below). This Privacy Policy does not in full detail describe the collection or use of Personal Data by the School which has given you access to the Service. Please contact the School to understand its privacy practices as data controller.

3. Processing for which Dugga is a processor
   The Service
   When a School enters into an agreement to use the Service the School is acting as a controller for the processing of Personal Data described in this section.

Purpose
It is the controller (the School) that establishes the purposes of the processing of Personal Data in the Service, Dugga only processes the Personal Data for the purposes stated by the School.

How we obtain access to your Personal Data
We receive and store any Personal Data you or your School actively provide to us, and that is provided to us when your use one of the login services (for example through your use of login with a username and password at app.dugga.se, through Microsoft or Google, or through Single Sign On (SSO) starting from the portal that you use). The Personal Data received is described further below and will depend on your role. In the Service you can have different roles as Teacher, Student, Administrator, Study Administrator or Exam guard.

Which Personal Data we process
We process the data provided through the Service which can include your full name, email address, class and School. In some cases, you or the School can choose to share your personal number/social security number and a photography but that is not necessary in order to use the Service.

For students: we may process information related to answering questions in for instance a test, exam or assignment (including completed assessment and given grades). In some cases, you as a student may also opt to share id, audio, screenshots, keyboard input and video during an exam event to secure the integrity of an exam event and the environment. This tool is mainly used for remote examinations and for higher levels of education. 

For teachers: we process the name of the teacher that has carried out the assessment of a student, course and calendar information, course participants to synchronize students to our database so that teachers can see their students in the Service and are able to schedule exams with specific students/groups. We need access to your assignment information so that your students can create and update their course work in Google Classroom. When students submit their exams/assignment, it will be uploaded to Google Classroom in which they can see their results once it is graded.

In order to maintain your account we also process your user account information, logins, events (create, change, read, delete), change of roles/permissions, activation of users and data on last login. The data processed depends on which login provider your School has chosen for your user account:

• For Microsoft integrations

When a user uses the Service in Microsoft O365 or Teams we also collect; Office 365 user Id, Office 365 tenant details in order to be able to identify the user, for error reporting and to improve the Service.

• For Google integrations

Students: we use your profile information, email information and your open ID for single sign on into our application. If you are a G-Suite user, you will be able to login with your google account to our application.

For complete information regarding which data is processed via the teaching platform used by your School, please contact your School or our support department.

Legal basis
In order for it to be permissible to process Personal Data, there must always be support in the GDPR, referred to as the legal basis. It is the controller (the School) which establishes the legal basis for the processing which we perform on its behalf and which shall provide you with the information on the legal basis used.

As a general information, most Schools base the processing of Personal Data in the Service on it being necessary to perform a task of public interest or as a part of the exercise of public authority by the controller to be able to grade and assess the work submitted. The legal basis used by your School is often set out in the School’s own privacy policy.

How long we keep Personal Data
It is the controller (the School) which decides the how long we keep the Personal Data (the retention period) and which shall provide you with the information of the retention period. For most Schools, your Personal Data will be kept for as long as your account is active and the Service is provided, or for as long as your School needs the examination result saved on the Service.

4. Processing for which Dugga is the controller
   Website and the Service
   Whenever you interact with our Service, we automatically receive and log certain data (“Log data”). Log data may include data such as your computer’s IP address, type and version of operating system, the screen resolution of your computer etc. Client hash is also collected by us in order to identify a student’s computer. We process Log Data for the purpose of ensuring the technical functioning of the Service and to prevent use of the Service in breach of the terms of use. This is based on our legitimate interest of being able to maintain sufficient IT-security, prevent fraud and to protect our website and Service from cyber threats.

When you sign up for our newsletter, we will process the Personal Data you provide to us, such as your school/organization, name, email address and phone number. This is based on our legitimate interest in being able to keep you up to date about us and the services you are using. You can always unsubscribe by clicking the unsubscribe link in our newsletters.

Whenever you interact with our website or Service, certain information is also provided to us from your browser through cookies. Cookies are identifiers, files or pieces of information, that allow us to recognize the browser or device and tell us how and when pages in our website/Service are visited by you. Cookies may provide information on your browser type, how you navigate, and other data. Some of this may constitute Personal Data meaning that it can be traced back to an individual. We use this information to analyze how our website is being used with the purpose to improve our website’s functionality and provide you with a better user-experience.

Our website also includes social media features. These features may collect your IP address, visited pages and may set a cookie to enable the features to function properly. Social Media features are either hosted by a third party or directly on our website. These features are governed by the privacy statements of the company providing it. We use these features to analyze how our users use our website. The Service uses cookies to collect data such as user interaction, errors, device identifiers, how often users visit the site and pages they visit.

Please see our cookie policy for details regarding the types of cookies and social media features used at https://dugga.com/data

Improving our products and services
We use the name and email we receive from you in order to improve our products and services. Our main purpose of collecting data is to improve your experience on our platform and Service by understanding how you use it. We base our processing on our legitimate interest to be able to improve and develop current and new services and products.

Testimonials
We may post user testimonials and reviews on our website which may contain Personal Data such as your name and School. Prior to posting the testimonial including Personal Data we always obtain the user’s consent via email or another suitable channels. Such consent may be withdrawn at any time. To request removal of your Personal Data from Testimonials or comments please contact us at privacy@dugga.com.

Communication
When you communicate with us over phone, email, our website or through other channels we may process your contact details such as phone number, email, name, and your School for the purpose of communicating with you. This is based on our legitimate interest to handle communication with you and answering and supporting you or your School.

How long we keep Personal Data
Personal Data will never be stored longer than necessary for the purpose and is dependent upon which Personal Data is being processed for which purpose. The retention period of Personal Data processed on our website and Service for which Dugga is a controller is two years. The retention period of Personal Data processed for Communication purposes is however long your question or query is being handled or however long there is a need to be able to communicate with you, and for a period thereafter. Your contact details for newsletters are processed for as long as you are signed up for the newsletter.

5. Where we store Personal Data
   Your Personal Data is stored on a cloud platform, Azure, provided by Microsoft Corporation. Dugga’s data is stored in Amsterdam (the Netherlands), Dublin (Ireland) and Gävle/Sandviken (Sweden). If you are located outside the European Union, the Personal Data that we collect from you will be transferred to and stored and processed within the European Union. We will take all steps necessary to ensure that you information is treated securely and in accordance with this Privacy Policy.

Dugga may use subprocessors who receive and process certain Personal Data on our behalf. See https://dugga.com/data for a complete list of all our subprocessors. Dugga always signs legally adequate Data Processing Agreements with our external service providers.

6. Recipients of Personal Data
   Dugga will not sell or lease any of your Personal Data in personally identifiable form. We only share such Personal Data in personally identifiable form with parties as described below.

• Trusted Third Parties: We sometimes use third party companies to facilitate and improve our services, such as sub-processors for storage and processing of Personal Data and sub-processors for IT-operations, analysis and resolution of technical issues, as listed in section 5. Such parties do not have the right to use the Personal Data beyond what is necessary to assist us. We have Data Processing Agreements with all Third Parties where needed.
• Employees: We employ people to perform work on our behalf and we need to share Personal Data with some of them to be able to facilitate and improve our services. We have NDA contracts with all our employees.  
• Educational institution or other course providers: As your School is acting as controller for some processing of Personal Data as described under section 3, we and your School may naturally share your Personal Data with each other linked to your use of the Service as described above.
• Business Transfers: If Dugga is acquired, if we enter into bankruptcy or if we go through some other change of control, Personal Data would be one of the assets transferred to, or acquired by, a third party. You will then be notified via email of any change in ownership or uses of your Personal Data.
• Protection of Dugga and Others: We reserve the right to access, read, preserve, and disclose any data that we reasonably believe is necessary to comply with law or a court order or apply our conditions of use and other agreements. We also may be required to disclose an individual’s Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

7. General Practices Related to Data Security
   We take the security of your Personal Data seriously and use appropriate measures to protect it against unauthorized or unlawful processing and against accidental loss, destruction or damage. Dugga’s security measures are constantly being revised in accordance with technological developments. Which actions that are necessary will depend on the type of Personal Data and the specific risks associated with that processing.  To be able to protect your Personal Data it is important that you take appropriate measures to prevent unauthorized access to your account by protecting your credentials appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account. If you share your computer or use a computer that is accessed by the general public, remember to sign off and close your browser window when you have finished your session.

Dugga is committed to secure our user’s Personal Data. Therefore we have taken several actions: (a) limiting employee access to Personal Data based on roles in the company; (b) conducting data privacy training for all employees; (c) technical security safeguards in order to protect it from unauthorized access, release or use; and (d) contractual measures to limited the access and use. When you enter Personal Data on our site we encrypt the transmission of that Personal Data.

8. Data breach
   If Dugga is notified about a security breach or that any user’s Personal Data was used for an unauthorized purpose, we will comply with applicable data protection legislation regarding data breaches and use appropriate measures to mitigate the breach.

9. Your rights
   As a data subject you have many rights regarding your Personal Data which is collected and stored. These include: (1) the right to transparency and access to the Personal Data that is stored and processed; (2) the right to corrections of any mistakes in the Personal Data and deletion in certain situations; (3) the right to restriction of processing in certain circumstances; (4) the right to object to processing of Personal Data concerning you when such processing is based on our legitimate interest, for example direct marketing and in certain other situations; (5) the right to lodge a complaint with a data protection supervisory authority (read more here: https://edpb.europa.eu/about-edpb/about-edpb/members_en); (6) the right to data portability, i.e. to receive Personal Data collected about you; and (7) the right to claim compensation for damages caused by our breach of any data protection legislation. You may access, and, in some cases, update or delete Personal Data, but keep in mind that the Personal Data may be needed to use our services.

10. Contact information
    To exercise your rights set out in section 9  in relation to Personal Data for which your School is the controller as described under section 3, please contact your School. If you have any questions about our processing of Personal Data or wish to exercise any of your rights for the processing where Dugga is acting as a controller as described under section 4, please contact us privacy@dugga.com. We have also appointed a Data Protection Officer, which can be contacted at dpo@dugga.com.