1. Who we are & what this covers
Institum (“Institum”, “we”, “us”) is an education-management platform delivered as a web application and a mobile app. You can reach us about privacy at privacy@institum.com.
This policy explains how personal data is handled when you use Institum. It applies to the data we control directly — your account and identity. Records created inside an education institute (such as grades or invoices) are controlled by that institute, not by us; the next section explains this split, which is central to how Institum works.
2. Who controls your data (controllers & processors)
Institum is a multi-tenant platform. Responsibility for personal data is split in two:
- Your account data (we are the controller) — the identity and login you create to use Institum (name, email, phone, password, profile photo, and similar). We decide how this is processed, and you can delete it yourself (see the Account Deletion page).
- Educational records (your institute is the controller, we are its processor) — everything an institute creates about you within the platform: enrollments, attendance, grades, invoices, submissions, posts. The institute decides why and how long these are kept, in line with the laws of its own country. We process them only on the institute’s instructions.
Why this matters for deletion
When you delete your account, we erase the account data we control. Educational records stay with your institute under the laws that bind it — we cannot unilaterally delete an institute’s records. To erase those, you contact the institute (or us, and we route the request). See Account Deletion.
3. Data we collect
- Identity & account — name, email address, phone number, date of birth, gender, postal address, a password (stored only as a salted hash), and a profile photo if you add one.
- Guardian relationships — links between a guardian account and the minor(s) they represent.
- Educational records (institute-controlled) — enrollments, attendance — including QR-code class check-ins — grades, invoices and payment records, assignment submissions and the files you upload, and feed posts or comments.
- Technical data — a push-notification token (to deliver notifications), device and session information, IP address, and basic diagnostic logs.
- Communications — messages you send us for support.
4. How we use data & our legal bases
We use personal data to:
- authenticate you and keep your account secure;
- provide the platform’s features and let your institute administer your enrollment;
- send service messages and the notifications you have not turned off;
- prevent fraud and abuse, and comply with legal obligations.
Our legal bases for processing are performance of a contract (providing the service), our legitimate interests (security and service improvement), your consent (e.g. optional notifications, which you can withdraw), and compliance with legal obligations. Which framework applies to you is explained under Your rights.
What we never do
We do not sell your personal data, and we do not use it for third-party advertising or cross-app tracking.
5. Children & minors
The minimum age to hold an Institum account is 13. Users under 18 require a guardian’s approval to enroll, which a guardian provides through a linked guardian account or via the institute.
Because rules differ by country, where the law of the user’s (or institute’s) jurisdiction sets a higher age for digital consent — for example up to 16 in parts of the EU — that higher age applies, and the required guardian consent is obtained accordingly. Institutes are responsible for obtaining any consents the law of their country requires before adding minors.
We do not knowingly collect personal data from children under 13. If we become aware that we have collected such data without the consent required by law, we delete it promptly.
7. International data transfers
Our primary hosting is in Germany (EU). Some providers, or a regional provider serving your institute’s country, may process data outside your own country. Where required by law, such transfers rely on appropriate safeguards — for example the European Commission’s Standard Contractual Clauses or an adequacy decision.
8. How long we keep data
- Account & identity data (we control) — kept until you delete your account; on deletion it is anonymized as described in Account Deletion.
- Educational records (institute controls) — retained by your institute for as long as the laws of its country require — accounting and education-record retention periods often run for several years.
- Backups — residual copies in our encrypted backups are purged on the normal rotation cycle (within 30 days) after data is deleted from the live system.
- Diagnostic logs — kept for a short period for security and troubleshooting.
9. How we protect data
We use encryption in transit (HTTPS/TLS), encrypted offsite backups, hashed passwords, access controls, and a private administrative network. No method of transmission or storage is ever completely secure, but we work to protect your data and to notify you and the relevant authority if a breach legally requires it.
10. Your rights
You may request access, correction, erasure, restriction, or portability of your personal data, and you may object to certain processing or withdraw consent at any time.
For the account data we control, email privacy@institum.com. For educational records, the request goes to your institute as the controller — contact them, or contact us and we will route it.
EU/EEA users & other regions
Institum is operated from within the EU and applies GDPR-level protection to all users, wherever they live. If you are in the EU/EEA, you also have the statutory GDPR rights listed above and may lodge a complaint with your data-protection supervisory authority; we respond within one month. If you are outside the EU/EEA, this policy and the same core rights still apply to you, and your local law — and, for educational records, your institute’s jurisdiction — may grant you further rights.
11. Changes to this policy
We may update this policy; the “Last updated” date will change. For material changes we will provide a clearer notice (for example in the app) before they take effect.
12. Contact
Questions or requests about privacy: privacy@institum.com.
