Privacy Policy

1. Introduction

Welcome to Digiklass! We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy describes what data we collect, how we use it, and how we protect it.

Digiklass is operated by Nutistu OÜ (registry code 14322776, Estonia). We are the data controller for this data within the meaning of GDPR Article 4(7).

2. Scope of Service and Our Role

Digiklass is a free web-based toolkit intended for the personal use of the registered user. The primary user group is teachers in their own teaching, but the tools are equally suitable for other private or small-scale events — for example, team activities at work, the programme of a party, a club's activities, or other similar situations. The user registers an account as a private individual using their email or Google/Microsoft account.

Session participants (e.g., players, respondents) do not create accounts in Digiklass and are not required to. A participant joins only via a link or session code shared by the user, predominantly anonymously or under a nickname of their own choice.

Digiklass is not intended as a service for any institution (school, company, association, NGO, etc.) to process the personal data of its employees, students, or other individuals. We do not enter into data processing agreements under GDPR Article 28 with any institution, nor do we act as an institution's data processor. If your institution wishes to systematically process personal data, please use a dedicated institutional platform.

The user is responsible for ensuring that the data they enter (e.g., the names of persons in a list) is permitted to be entered under the applicable rules and law.

3. Information We Collect

3.1 Authentication Data

When you sign in with Google or Microsoft, we collect:

  • Account ID (Google or Microsoft)
  • Email address
  • Name
  • Profile picture URL
  • Account creation and last login timestamps

When you register with email and password, we collect:

  • Email address
  • Name
  • Password (stored as a cryptographic hash, never in plain text)
  • Email verification status and token
  • Account creation and last login timestamps

3.2 Security-Related Data

To ensure account security, we collect:

  • Login attempt history (IP address, timestamp, success status)
  • Password reset tokens (temporary, expire automatically)
  • Account lockout status (activated after 5 failed login attempts)

3.3 Educational Data

To provide our services, we store content entered by the user or generated in their sessions:

  • Names of lists (e.g., class, team, group)
  • Names of list members (entered by the user — we recommend using first names, initials, or nicknames where entering the full real name is not necessary)
  • Responses and results from polls, votes, games, and quizzes
  • Event registrations

We do not ask session participants for, or store about them, email addresses, phone numbers, dates of birth, profile pictures, national identifiers, or other direct identifiers. For participants, we store only what the participant themselves enters when starting the game/poll (e.g., a nickname), plus a technical session ID. In most tools, asking for the participant's name is optional and the user can turn it off.

3.4 File Collection (Koguja)

When using the file collection feature with Google Drive or Microsoft OneDrive integration, we store:

  • Encrypted cloud service credentials (Google Drive or OneDrive)
  • Collection session data (title, description, folder ID)
  • File metadata (name, size, type)
  • Submitter name (if requested)

Note: File contents are stored in your Google Drive or OneDrive account, not on our servers.

3.5 Technical Data

We automatically collect:

  • Session cookies (for authentication, 30-day validity)
  • Browser and device information
  • IP address
  • Application usage statistics (server-side only, no cookies or third parties)

3.6 Browser Storage

We store on your device:

  • Application card order preferences
  • Newsletter subscription status

4. How We Use Your Data

  • Service provision: delivering educational tools and features
  • Authentication: user identification and account management
  • Personalization: remembering your preferences
  • Communications: sending important updates and newsletters
  • Analytics: collecting application usage statistics to improve our service (server-side, anonymous)
  • Security: detecting and preventing misuse

5. Data Security and Hosting

We implement the following security measures:

  • Secure database storage
  • Secure password hashing
  • Encryption of cloud service credentials (AES-256-CBC)
  • Secure cookies (HttpOnly, Secure flags)
  • HTTPS connection for data transmission
  • Login attempt rate limiting (brute-force protection)
  • Automatic account lockout after repeated failed attempts
  • Email address verification on registration
  • API request rate limiting
  • Regular security updates

Hosting: Digiklass servers are located in the Opalstack hosting provider's Frankfurt (Germany) data centre. Data remains within the European Union.

Security updates and vulnerability management: We monitor security advisories for the libraries and server software in use and apply updates within a reasonable timeframe. Vulnerability tracking relies on public CVE databases. We do not perform regular external penetration testing — Digiklass is a free service intended for personal use.

Internal access: Access to the Digiklass system and databases is limited to Nutistu OÜ representatives for the purpose of system administration. In addition, the hosting provider (Opalstack) has technical access to the server infrastructure.

While we follow best practices, no system can guarantee 100% security.

6. Personal Data Breaches

If we become aware of a personal data breach (e.g., data leak, unauthorised access, loss or alteration of data), we will act as follows:

  • We identify and document the nature, scope, and likely consequences of the breach.
  • We assess the likely impact of the breach on users' rights and freedoms.
  • If the breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach (GDPR Article 33).
  • If the breach is likely to result in a high risk, we will also notify the affected users without undue delay at their registered email address (GDPR Article 34).
  • We maintain a register of breaches in which all identified personal data breaches are recorded together with the circumstances, consequences, and measures taken.

If you suspect that a personal data breach has occurred affecting the Digiklass system, please notify us immediately at mikk@nutistu.ee.

7. Third-Party Services

7.1 Google Services

  • Google OAuth: for authentication, only if you choose to sign in with Google (Google Privacy Policy)
  • Google Drive: for file storage, only if you choose this option

7.2 Microsoft Services

  • Microsoft Azure AD / Entra ID: for authentication, only if you choose to sign in with Microsoft (Microsoft Privacy Statement)
  • Microsoft OneDrive: for file storage, only if you choose this option

7.3 Content Delivery Networks (CDN)

When loading pages, fonts and web frameworks are fetched from the following networks. They do not set cookies or collect personal data, but the service providers can see your IP address.

  • jsDelivr, cdnjs (Bulma, Font Awesome and other libraries)
  • Google Fonts (Inter typeface)

7.4 YouTube

Some applications (Kuldvillak, Viktoriin, Kiirviktoriin) allow users to add YouTube videos. We use the youtube-nocookie.com domain, which does not set tracking cookies until the user actually plays a video.

7.5 Hosting Provider

Opalstack (a US-based company, with servers in Frankfurt, Germany) provides server hosting. Opalstack has technical access to Digiklass database files as part of the hosting service, but is not entitled to use the data for any other purpose.

8. Data Sharing

We do not sell or rent your data. We only share data:

  • With your consent
  • With service providers: who help operate the application (e.g., Google)
  • For legal reasons: when required by court or authorities
  • To protect rights: our or users' rights, safety, and security

9. Your Rights

Under the EU General Data Protection Regulation (GDPR), you have the right to:

  • Access: obtain a copy of your personal data
  • Rectification: request correction of inaccurate data
  • Erasure: request deletion of your data
  • Restrict processing: limit certain data processing
  • Data portability: receive data in machine-readable format
  • Object: prohibit data processing for certain purposes
  • Withdraw consent: at any time

To exercise your rights, please contact us (see §15). You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee/en).

10. Data Retention

  • User account: retained while the account is active. We delete it within 30 days of a deletion request.
  • List data and member names: retained until the user deletes them or closes the account.
  • Poll, game, and session data: deleted according to application-specific logic — mostly per-session (e.g., Foor, Klassitahvel widgets, Lumememm), some until the user deletes them.
  • Images, audio recordings, shared text: 30 days, then automatically deleted.
  • Session data: 30 days after last activity.
  • Password reset and email verification tokens: expire automatically within 1 hour.
  • Login attempt logs: up to 90 days.
  • Collection sessions: until the user deletes them or they expire.
  • Anonymous application usage statistics: up to 24 months, then anonymous summaries.

Backups: backups of databases and files are performed by Opalstack as part of the hosting service (see Opalstack documentation). Digiklass itself does not create additional backups. When an account is deleted, we remove the data from the production system; data in the host's backups expires according to their rotation schedule.

You may request deletion of your account and data at any time.

11. Children's Privacy

An account can only be created by users who are at least 13 years old, and by accepting the terms of service the user confirms their age.

Minors do not create accounts in Digiklass. When you use Digiklass together with minors (e.g., in class with students, in training, at a children's event, or in club activities) such that they take part in games or polls:

  • participation is anonymous or under a nickname chosen by the participant;
  • the data collected is minimal (session-based responses, optional nickname);
  • data is typically deleted after the session ends, depending on the tool.

The user is responsible for ensuring that the use of the tools with minors complies with the applicable rules (e.g., the school's internal rules, instructions from the event organiser, notice to parents). If a user enters minors' real names into a list, we recommend first consulting with the responsible party and considering the use of nicknames or initials.

If your child's data has been entered into Digiklass and you wish to have it deleted, please contact us — we will delete the data without undue delay.

12. Cookies

Digiklass only uses cookies strictly necessary for the service to function — we do not use tracking or advertising cookies:

  • Session cookie (PHPSESSID): to remember your login (30-day validity)
  • CSRF cookie: to securely process form submissions
  • Login redirect cookie (login_redirect): temporary cookie that expires after sign-in

Local storage (localStorage) is used on your device only to remember theme preferences (light/dark) and application card order — this data never leaves your device.

Because we only use strictly necessary cookies, we do not need prior consent for cookie use (EU ePrivacy Directive art. 5(3) exemption). You can manage cookies through your browser settings, but this may affect application functionality.

13. International Data Transfers

The primary Digiklass data (user account data, class lists, game and poll results) is hosted in Opalstack's Frankfurt (Germany) data centre — data remains within the European Union.

For third-party services that the user optionally chooses to use (Google OAuth, Google Drive, Microsoft Entra ID, OneDrive, jsDelivr/cdnjs/Google Fonts, YouTube), data may travel outside the EU (e.g., to the United States). Such transfers take place under the respective providers' standard contractual clauses and data protection frameworks. The user can decide whether to use these third parties — authentication is also available with email and password.

14. Changes

We may update this policy from time to time. We will notify you of changes by:

  • Updating this page and the date
  • Sending an email for significant changes

15. Contact and Data Controller

Data controller: Nutistu OÜ

Registry code: 14322776

Email: mikk@nutistu.ee

Website: digiklass.ee

For questions or requests, please contact us at the email address above.

16. Governing Law and Supervisory Authority

This Privacy Policy is governed by Estonian law and the EU General Data Protection Regulation (GDPR). The supervisory authority is the Estonian Data Protection Inspectorate (www.aki.ee/en), with which you have the right to lodge a complaint.