ClassMap.io Privacy Policy
Effective Date: 11.02.2026
This Privacy Policy explains how SC PAIE PE FOC SRL ("ClassMap.io," "we," "us," or "our") processes personal data for our website and product. It separates website privacy from student and classroom data privacy.
1. GDPR Roles (Controller and Processor)
Our GDPR role depends on the processing context. The matrix below applies:
- School-led use (school contract in place): the school is the Controller and ClassMap.io acts as the Processor for student data.
- Teacher-led use (no school contract): the teacher and/or the school remain the Controller of student data, and ClassMap.io acts as the Processor for student data. ClassMap.io acts as Controller for account, billing, support, and security logs.
- Website analytics (marketing site): ClassMap.io is the Controller for cookies and website analytics.
2. Chapter A: Website Privacy and Cookies
This chapter covers data processed when you browse our website and marketing pages.
- Data categories: IP address, device/browser data, referral data, page visits, and cookie identifiers.
- Purposes: operate the website, analyze usage, improve marketing performance, and maintain service security.
- Tools currently used: Cookiebot, Google Analytics, Google Tag Manager, Hotjar, HubSpot, Amplitude (EU zone), Bugsnag, and Vercel analytics tooling.
- Legal basis: consent for non-essential cookies; legitimate interests and contract where strictly necessary for core website operation and security.
- Cookie controls: cookie preferences are managed via Cookiebot. See our Cookie Policy for full cookie categories and retention details.
Note: non-essential website analytics and marketing scripts are designed to run only after you provide consent via Cookiebot (where applicable). We also use Consent Mode defaults to restrict analytics and ads storage until consent is granted.
3. Chapter B: Product Privacy (Student and Teacher Data)
This chapter covers classroom and product data processed in the ClassMap.io app.
3.1 Purposes, Legal Basis, and Retention
| Purpose | Data Categories | Legal Basis | Retention |
|---|---|---|---|
| Account creation and authentication | Name, email, account metadata, login/security logs | Contract and legitimate interests (security) | Active account lifetime; deleted/anonymised within 30 days after account closure unless legal retention applies |
| Class and student management | Class metadata, student names, classroom events | Contract; for student data generally under Controller instructions | Active while class is in use; inactive classes are anonymised after 12 months of no class activity |
| Reports and analytics in product | Aggregated engagement signals, class/session metrics | Contract and legitimate interests (service improvement) | Follows class lifecycle; anonymised with inactive class policy |
| Billing and financial compliance | Billing contact details, transaction records, subscription data | Contract and legal obligation | As required by tax/accounting law |
| Support and incident handling | Support communications, technical logs, diagnostics | Legitimate interests and contract | Kept only as long as necessary to resolve requests/incidents |
3.2 Children's Data and Sensitive Data Restriction
- ClassMap.io is not intended to collect special category/sensitive personal data (for example health data, diagnoses, religion, political opinions, or similar protected categories).
- Teachers and users should not enter sensitive data in free-text fields (including notes).
- If sensitive data is entered by mistake, delete or edit the entry immediately and contact support@classmap.io or legal@classmap.io for removal assistance.
3.3 Retention and Deletion in Plain Terms
- Inactive classes: classes with no relevant classroom activity for 12 months may be anonymised to reduce risk. You can also archive or delete classes earlier via the product UI.
- Delete flows: class, student, and account deletion options are available in the product UI.
- Account closure: personal data is deleted or anonymised within 30 days after closure (typically sooner), except where legal or accounting retention requirements apply.
3.4 International Transfers and Safeguards
Where data is processed outside the EEA by service providers, we rely on appropriate safeguards, typically the EU Standard Contractual Clauses (SCCs), plus technical and organizational controls such as minimization, role-based access controls, encryption in transit, and encryption at rest where applicable.
3.5 Data Subject Requests (DSAR)
- Requests can be submitted to legal@classmap.io.
- We aim to respond within 30 days, subject to legal complexity and identity verification.
- Where ClassMap.io acts as Processor for student data, requests may be redirected to the relevant Controller (school or teacher) and we assist that Controller under applicable agreements.
- Supervisory authority for our main establishment: Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP).
3.6 Security and Incident Notification
- A security incident includes unauthorized access, disclosure, alteration, loss, or unavailability of customer data.
- We maintain baseline controls including access control, audit logging, backups, and encryption in transit and at rest where applicable.
- If a security incident affecting customer data is confirmed, we notify affected customers within 48 hours of becoming aware.
- Security concerns can be reported to support@classmap.io or legal@classmap.io.
4. Sub-processors List
We use vetted service providers to support our service delivery. This list is updated periodically.
| Vendor | Purpose | Country/Region | EEA Transfer | Privacy Documentation |
|---|---|---|---|---|
| Cookiebot | Cookie consent management | EU | No | Cookiebot Privacy Policy |
| Google (GA/GTM) | Website analytics and tag management | Global | Yes | Google Privacy Policy |
| Hotjar | Product and website behavior analytics | EU | Yes | Hotjar Privacy Policy |
| HubSpot | CRM, forms, and marketing communications | EU/Global | Yes | HubSpot Privacy Policy |
| Amplitude | Product analytics (EU server zone) | EU/Global | Yes | Amplitude Privacy Policy |
| Bugsnag | Error and performance monitoring | Global | Yes | Bugsnag Privacy Policy |
| Stripe | Billing and payment processing | Global | Yes | Stripe Privacy Policy |
| Resend | Transactional email delivery | Global | Yes | Resend Privacy Policy |
| Vercel | Hosting and analytics tooling | Global | Yes | Vercel Privacy Policy |
Last updated: 11.02.2026. Material updates are announced through legal document updates on this website.
5. School Privacy Pack (Inside This Policy)
To support school and DPO reviews, we maintain a school privacy pack available on request from legal@classmap.io. The pack includes:
- GDPR one-pager for school leadership and compliance teams.
- Data Processing Agreement (DPA) template under Article 28 GDPR.
- Technical and organizational measures (TOMs) summary document.
- Current sub-processors list.
6. Changes to This Privacy Policy
- We may update this Privacy Policy periodically.
- Material updates are reflected by changing the effective date and publishing the revised text on this page.
7. Contact Information
For privacy-related inquiries, DSAR requests, or compliance questions, contact us at legal@classmap.io.