Privacy

Galactic Automation BV, registered office at Wijnhuizestraat 44, 9620 Zottegem, Belgium, registered in the Belgian Crossroads Bank for Enterprises. We are the data processor when a school uses EduVlaanderen. The school itself is the data controller.

For students: name, date of birth, class, attendance, assignment submissions, report grades, photos (if uploaded by the school). No sensitive health data beyond what the school records as part of pastoral care.

For parents: name, email, phone (optional), relationship to child. No financial data — invoicing is to the school, not individual parents.

For teachers and management: name, email, professional phone, role within the school, audit logs of platform actions.

Performance of the contract with the school (student follow-up, communication with parents, reporting).

Legal obligations: attendance registration and forwarding to AgODi (Flemish Decree on Primary/Secondary Education).

Legitimate interest: platform security, fraud detection, capacity planning.

Student data: while the student is active at the school + 5 years (administrative retention period).

Parent data: while at least one of their children is active + 5 years.

Attendance records: 10 years (Flemish education regulations).

Audit logs: 2 years.

Messages and communication: 3 years.

After these periods data is automatically anonymised or deleted.

The school itself: obviously.

AgODi (Flemish education administration): attendance exports at the school's request.

Our infrastructure providers: Hetzner Online GmbH (Germany) for hosting; no access to personal data.

We share no data with third parties for marketing or analytics. No Google Analytics, no Facebook Pixel, no ad networks.

All personal data is stored in Hetzner Online GmbH data centres in Falkenstein, Germany (primary) and Helsinki, Finland (backup). No data leaves the European Economic Area. No transfers to the United States or other third countries.

AI models for the assistant features (Ollama, LibreTranslate) run on the same servers. No calls to OpenAI, Anthropic, Google or similar providers.

You have the right to access, rectification, erasure, restriction of processing, and data portability (GDPR Articles 15-20).

For parents: all rights are exercised via the parent portal or by contacting the school. We technically execute what the school as controller decides.

For teachers: requests via your school principal or directly to dpo@galacticautomation.com.

You have the right to lodge a complaint with the Belgian Data Protection Authority (gegevensbeschermingsautoriteit.be).

TLS 1.3 enforced everywhere. Argon2id for passwords. Postgres Row-Level-Security with FORCE mode on all tenant tables. Audit log of every access to sensitive data. Antivirus scan on all uploaded files (ClamAV). Daily off-site backups with 30-day retention.

In case of a breach with risk to data subjects, we notify the school within 24 hours and the Belgian Data Protection Authority within 72 hours. Data subjects are informed via the school, or directly if that is not reasonably possible via the school.

Questions about this privacy statement? Email dpo@galacticautomation.com or write to Galactic Automation BV, attn. DPO, Wijnhuizestraat 44, 9620 Zottegem, Belgium.