Last updated May 2026

Your data in Edaptic

This page tells you, in plain language, exactly what data Edaptic collects when you use it, why it's collected, where it goes, how long it's kept, and what you can do about it. No legal jargon. No vague promises.

Edaptic is intended for users aged 16 and older. Do not register if you are under 16. We confirm your age at sign-up and the platform will refuse to create an account if you tell us you are younger.

We never sell your data

Not to advertisers, not to data brokers, not to anyone. Ever.

You can see everything

Every data point we store about you is visible in your profile.

You can take it or delete it

Export your data or delete your account at any time. No hoops.

What we collect and why

Here's the complete list. If it's not in this table, we don't collect it.

DataWhy we need itKept for
Username, full name, email Account identity and login. Your email is verified once during registration and used for password resets. Until you delete your account
Password Authentication only. Stored as a one-way bcrypt hash — we can never see your actual password. Until you delete your account
Chat messages with the AI tutor To provide tutoring and maintain conversation context within your session, and to improve your mastery profile. Your course instructor can review conversations to see where students get stuck and improve the course material. 90 days after your last session, then auto-deleted
Voice recording (only if your course turns on voice input) When your instructor enables voice input, you can speak instead of type. Your short recording is sent to OpenAI's Whisper service to convert it to text; only the resulting text is kept — the audio recording itself is never stored. Voice input is optional, processed solely to capture your coursework answer, and is off unless your course turns it on; the platform operator can also disable it across the whole deployment. The recording is not stored by Edaptic — it is transcribed and discarded
Quiz and assignment answers To grade your work, track your mastery per concept, and show you where to focus. Duration of your enrollment + 1 year
Mastery profile (per topic) The core of adaptive learning. A 0–100 mastery score per topic — the weighted ratio of your correct evidence over total evidence — paired with a band (needs support / developing / almost secure / secure) and a confidence level. Tells the system where to focus next. Duration of your enrollment + 1 year
Study domain preference So the AI tutor uses examples from your field (e.g. medicine, engineering) instead of generic ones. Until you change it or delete your account
Practice XP, streaks Gamification features to encourage consistent study — your XP and streaks are visible only to you. (Your practice answers, like your other coursework, also contribute to your per-topic mastery score, which your instructor can see.) Until you delete your account
Feedback ratings Your 1–5 star ratings and thumbs up/down on AI responses. Helps us improve the tutor quality. Anonymised after 6 months
Session timestamps and slide views To show you where you left off and to calculate engagement metrics for your instructor. Duration of enrollment
Login metadata (IP address, device / browser) Recorded on each login for account security and to detect suspicious access. The network and device identifiers are redacted after 6 months; the record that you logged in (and when) is kept for security audit. IP and device redacted after 6 months
Age confirmation and date of birth Collected once at sign-up to confirm you meet the minimum age for the service (GDPR Art. 8) and to record your consent. Used only for the age check. Until you delete your account
Assignment file uploads (report-type submissions) Only for assignments where your instructor asks you to upload a PDF (e.g. a report). The file is stored so it can be graded and reviewed alongside your other submissions. Duration of enrollment + 1 year
AI grading decision records A record of each automated grade — which AI model graded you, when, the score and feedback it produced, and whether your instructor overrode it. The EU AI Act requires us to keep this so you can later ask for an explanation of any automated decision that affected you. After 1 year the record is pseudonymised (your identity is detached from it). 7 years, then permanently deleted

How the AI systems use your data

Edaptic uses AI in several places. Here's exactly what happens at each point — no hidden processing.

AI tutor When you chat with the tutor

Your message, the current slide content, your study domain, and your recent conversation history are sent to the AI model. The model generates a response and sends it back. Your conversation is not used to train the AI model — we use API agreements that explicitly prohibit training on user data.

AI grading When your written answer is graded

Your answer, the question, and the grading rubric are sent to the AI model. It returns a score and explanation. Your instructor can review any AI-graded answer, and you can request a human review if you disagree with the AI's assessment.

Mastery tracking After every answer you give

This is not an AI model — it's a transparent weighted ratio of your correct evidence over total evidence per topic (the Evidence-Based Mastery Score). Recent work counts more than older work, and stronger forms of assessment (exam, written) count more than lighter ones (practice). Each score comes with a band and a confidence level, so a high score on three questions is correctly flagged as low-confidence. The full specification is documented in the platform's technical reference.

Adaptive recommendations When the system adjusts to you

Your mastery scores, session behaviour (like how many questions you ask), and feedback ratings are weighted to suggest a difficulty level and teaching style. These are suggestions — you can override them any time in your Preferences page.

Where your data is processed

Your data is stored on Microsoft Azure servers in Europe. When the AI tutor or grader processes your input, it's sent to one of these providers depending on which model your course uses:

OpenAI
Servers in the United States
Tutoring, grading, quiz generation
Anthropic (Claude)
Servers in the United States
Tutoring, grading, quiz generation
Google (Gemini)
Servers in the EU and US
Tutoring, grading, quiz generation
Mistral
Servers in France (EU)
Tutoring, grading, quiz generation
NTNU HPC
Servers in Norway
Tutoring (on-premises, no data leaves Norway)

All providers operate under Data Processing Agreements that prohibit using your data for training their models. For US-based providers, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses as legal safeguards for international transfers. Your instructor's Settings page shows which provider is active for your course. Before any of these providers receives user-typed text, the platform replaces categorical personal data (email addresses, phone numbers, Nordic national identifiers, credit-card-shaped strings) with typed placeholders.

If your course turns on voice input, your short audio recording is additionally sent to OpenAI's Whisper service (United States) to convert speech to text. Audio cannot be cleaned by the placeholder step above the way typed text can, so this transfer is controlled at two levels: your instructor must turn voice input on for your course, and the platform operator must allow it for the whole deployment. An operator that must keep all data inside the EU/EEA can switch voice input off across the entire platform, in which case it is unavailable no matter what any individual course sets. Only the transcribed text is retained — it becomes your submitted answer; the audio recording is not stored by the platform or kept after transcription.

Operational sub-processors

In addition to the AI providers above, the following service providers handle parts of how the platform runs day-to-day:

Sentry
Error tracking. Servers in the EU (Frankfurt) when configured for EU-residency, otherwise the United States
Receives stack traces and request context when the platform throws an unhandled exception. Configured to NOT receive cookies, Authorization headers, IP addresses, or fields whose name suggests a credential. Errors raised on data-subject-rights endpoints (export / erasure) are dropped entirely before transmission.
Azure Communication Services (or configured SMTP)
Email delivery. Servers in the EU (West Europe) for the Azure tenant
Receives the recipient address and message body when we send a verification code, password reset, or pacing nudge.
TrustLayer (AI governance — only when your institution enables it)
AI-governance and audit layer, operated by an affiliated company under common control with the Edaptic group. It is inactive by default and processes data only if your institution explicitly enables AI-governance mode; when enabled, processing stays within the Edaptic group under an intra-group data processing agreement.
When your institution switches AI governance on, a copy of the tutor prompt and the tutor's response — with the same personal-data placeholders already applied — plus a pseudonymous account reference and your course is sent to TrustLayer so it can run policy checks and keep an audit record. It does not change what the tutor says to you. This is off by default.

Each of these operates under a Data Processing Agreement with the platform operator. If you want a copy of any DPA, contact your data protection officer.

What we never do

Hard commitments — not policies, promises

  • Never sell, licence, or share your personal data with third parties for any commercial purpose
  • Never use your data to train AI models — on the API tiers we use, providers do not train their models on your inputs or outputs
  • Never show your individual scores, mastery levels, or chat history to other students
  • Never use your data for advertising, profiling for marketing, or any purpose beyond your education
  • Never make automated decisions about your academic standing — AI outputs are always advisory to your instructor, never determinative
  • Never retain your data beyond the stated periods — deletion is automated, not at our discretion

What your instructor sees

Your instructor has access to your learning data for the courses they teach — just as they would with any university learning system. Specifically, they see:

Visible to your instructor

Your name, your mastery scores per concept, your assignment scores and AI-graded feedback, your engagement metrics (time spent, sessions, messages), your conversations with the AI tutor (your instructor for that course can review these to see where students get stuck and improve the course material), your risk indicator (a formula-based advisory label — not an AI judgment), and aggregated feedback you leave about the platform.

Not visible to your instructor

Your password is private. Your study domain preference is private. Your feedback star ratings on individual AI responses are anonymised before your instructor sees aggregate trends.

Instructors from other courses cannot see your data. Administrators can access your account information for platform support but do not have routine access to your learning data.

Your rights — and how to use them

Under GDPR, you have specific rights over your data. Here's what each one means in practice and how to exercise it in Edaptic.

👁

See your data

View everything we store about you — mastery scores, session history, feedback, preferences — in your Analytics and Preferences pages.

Privacy & Data → Export my data

Export your data

Download a complete copy of your data in a machine-readable format (JSON). This includes your mastery history, answers, and session records.

Privacy & Data → Export my data

Delete your account

Permanently delete your account and all associated data. There is a 30-day grace window during which you can cancel; after that the deletion is irreversible. Anonymised aggregate statistics may be retained.

Privacy & Data → Delete my account

Correct your data

Update your name, email, study domain, or any personal information directly in your profile. If your mastery data seems wrong, contact your instructor.

Profile → Edit

Contest AI decisions

If you disagree with an AI-graded score, you can request a human review. Your instructor will re-evaluate the answer personally, and the override deletes the affected evidence and replays the corrected verdict through the mastery pipeline.

Assignment → Request review

Override adaptive suggestions

The platform's adaptive suggestions (audience level, persona) are suggestions, not decisions — you can override any of them in your Preferences page and your manual choices take precedence. The risk indicator is rule-based and advisory; it never triggers an automated academic consequence.

Preferences → Override suggestions

How you'll always know when AI is involved

Under the EU AI Act, you have the right to know when you're interacting with an AI system and when AI-generated content is presented to you. Here's how Edaptic makes this visible:

Always visible Chat interface

A persistent notice on the chat panel states that responses are generated by AI. The specific model being used (e.g. "Claude Sonnet 4") is shown in the interface so you know which system you're talking to.

Labelled Slide explanations

Each slide explanation carries a badge showing whether it was written by your instructor or generated by AI. AI-generated explanations show "AI draft" until your instructor reviews and approves them.

Flagged Graded assignments

AI-graded written answers show "Scored by AI" next to the score. You can request instructor review on any AI-graded response.

Explained Mastery tracking

Your mastery isn't calculated by AI — it's a weighted ratio of your correct evidence over total evidence per topic (Evidence-Based Mastery). You can see your current scores, bands, and confidence levels on your Analytics page.

Questions or concerns?

If anything on this page is unclear, or if you want to exercise a right that isn't available through the interface yet, contact us directly.

Data controller

During the current pilot phase the responsible person is Prof. Adil Rasheed, NTNU Department of Engineering Cybernetics, Trondheim, Norway. When an institution adopts the platform, that institution becomes the data controller for its students' data and designates its own contact.

adil.rasheed@ntnu.no

Data protection officer

A dedicated Data Protection Officer will be designated as part of an institution's adoption. In the meantime, for GDPR-specific concerns you can contact the responsible person above or NTNU's Data Protection Officer, and you may file a complaint with the Norwegian Data Protection Authority (Datatilsynet) at any time.

datatilsynet.no

This page describes data practices for Edaptic version 2.6 (May 2026). We will update this page when practices change and note the date of each update. Material changes will be communicated via in-app notification before they take effect. The full legal privacy policy is available at edaptic.no/privacy.