Privacy Policy

Last updated: March 22, 2026

1. Controller

The controller within the meaning of Article 4(7) GDPR for data processing through the Diagnote web application is:

Kander Akinci
Ehrenfeldgürtel 174
50823 Köln, Germany
Email: [email protected]

For Student Data entered by Users (teachers), the User is the data controller and Diagnote acts as the data processor (see Section 7).

2. Overview

This Privacy Policy explains how Diagnote ("we", "us", "our") collects, uses, stores, and protects personal data when you use the Diagnote web application ("Service") at diagnote.io.

3. Data We Collect

3.1 Account Data

Provided by you during registration and use:

  • Username, email address, name, and surname
  • Password (stored as a cryptographic hash; never stored in plain text)
  • Google ID (if using Google sign-in)
  • Profile image (optional)
  • System language preference (DE/EN)

Legal basis: Article 6(1)(b) GDPR — necessary for the performance of the contract (providing the Service).

3.2 Student Data

Entered by the User (teacher):

  • Student names, surnames, or aliases
  • Student email addresses (optional)
  • Student responses (free text, multiple choice, fill-in-the-blank)
  • AI scoring results (fulfillment percentage, rationale, feedback)
  • Language analysis results (grammar, spelling, punctuation errors)
  • Class and subject assignments

Legal basis: Article 6(1)(b) GDPR — necessary for providing the Service to the User. The User (teacher) is the data controller for Student Data; see Section 7.

3.3 Billing Data

  • Wallet balance and transaction history
  • Stripe customer ID
  • Payment method type (card brand/last 4 digits, or PayPal email)
  • Invoice records

Legal basis: Article 6(1)(b) GDPR — necessary for billing and contract performance. Article 6(1)(c) GDPR — necessary for compliance with tax record-keeping obligations.

Full payment card numbers are never stored by Diagnote. All payment processing is handled by Stripe.

3.4 Task and Content Data

  • Task structures, instructions, and materials
  • Grading keys and scoring criteria
  • Uploaded images

Legal basis: Article 6(1)(b) GDPR — necessary for providing the Service.

3.5 Technical and Usage Data

  • AI model used and token consumption per scoring operation
  • Timestamps of actions
  • Error logs (via Sentry, may include IP addresses and request metadata)

Legal basis: Article 6(1)(f) GDPR — legitimate interest in maintaining, securing, and improving the Service.

3.6 Training Data

  • Anonymized AI input/output data (task descriptions, student responses, and scoring results with direct personal identifiers removed)

Legal basis: Article 6(1)(f) GDPR — legitimate interest in improving the Service and developing machine learning models. See Section 8.

4. Cookies and Authentication Tokens

4.1 The Service uses the following cookies:

Cookie                      | Purpose               | Type       | Duration
access                      | JWT authentication    | HttpOnly   | 15 minutes
refresh                     | JWT token refresh     | HttpOnly   | 7 days
csrftoken                   | CSRF protection       | Functional | Session
diagnote_cookie_preferences | Cookie consent choice | Functional | 1 year

4.2 All cookies used by the Service are strictly necessary for its technical operation (authentication and security). No marketing, analytics, or third-party tracking cookies are used.

4.3 Legal basis: Article 6(1)(b) and (f) GDPR; § 25(2) TDDDG — cookies that are strictly necessary for the provision of the Service.

5. Third-Party Processors and Data Transfers

5.1 We share personal data with the following third-party service providers who act as data processors on our behalf:

Provider            | Purpose                               | Location                  | Safeguard
DigitalOcean        | Hosting, database, file storage       | Frankfurt, Germany (FRA1) | DPA
OpenAI              | AI scoring of student responses       | USA                       | DPA + SCCs
LanguageTooler GmbH | Grammar, spelling, punctuation checks | Germany / EU              | DPA
Stripe              | Payment processing                    | USA                       | DPA + SCCs + DPF
Google              | OAuth sign-in                         | USA                       | DPA + SCCs + DPF
Sentry              | Error monitoring                      | USA                       | DPA + SCCs

5.2 Data transfers to the United States are protected by Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR and, where applicable, by the EU-U.S. Data Privacy Framework (DPF).

5.3 Copies of the applicable Data Processing Agreements are available upon request at [email protected].

5.4 When a User submits student responses for AI Scoring, the text of the response and the task/grading key are transmitted to OpenAI's API for processing. OpenAI processes this data as a data processor and, under its current API data usage policy, does not use API input/output for training its models.

6. How We Use Your Data

6.1 We use personal data for the following purposes:

  • Providing and operating the Service (account management, task creation, scoring, report generation);
  • Processing payments and maintaining billing records;
  • Sending transactional emails (account verification, password reset, billing notifications, result delivery);
  • Maintaining security and preventing abuse;
  • Monitoring and resolving technical errors;
  • Improving and developing the Service, including training machine learning models using anonymized data (see Section 8).

6.2 We do not use your data for advertising, sell your data to third parties, or create user profiles for marketing purposes.

7. Student Data — Processor Relationship

7.1 When a User (teacher) enters Student Data into the Service, the User is the data controller for that Student Data within the meaning of Article 4(7) GDPR. The User determines the purpose and means of processing Student Data.

7.2 Diagnote acts as a data processor within the meaning of Article 28 GDPR, processing Student Data solely on behalf of the User and in accordance with these Terms and the User's instructions.

7.3 The User is responsible for:

  • Having a lawful basis for processing Student Data (e.g., consent, legitimate interest, or legal obligation);
  • Informing students (and their parents/guardians, where applicable) about the data processing, including the involvement of third-party AI providers;
  • Responding to data subject access requests from students;
  • Using aliases instead of real names if they wish to avoid storing personal data on the platform.

7.4 A Data Processing Agreement (Auftragsverarbeitungsvertrag / AVV) pursuant to Article 28 GDPR is available upon request at [email protected].

7.5 Upon account deletion by the User, all Student Data is permanently deleted from our systems, subject to Section 10.

8. Data Usage for Model Training

8.1 Diagnote stores AI scoring input (task content, student responses, grading keys) and output (scoring results, rationale, feedback) to improve the Service and develop machine learning models.

8.2 Before use for training purposes, this data is anonymized by removing direct personal identifiers (names, email addresses, account associations).

8.3 The User acknowledges that free-text content in tasks and student responses may inherently contain personal or confidential information that cannot be automatically detected and removed.

8.4 Users who wish to opt out of data usage for model training may contact [email protected]. We will use commercially reasonable efforts to honor such requests prospectively.

8.5 Anonymized training data may be retained indefinitely, including after account deletion, as it is no longer considered personal data within the meaning of GDPR.

9. Data Retention

9.1 Account data, Content, and Student Data: Retained for the duration of the User's account. Permanently deleted upon account deletion by the User.

9.2 Billing records (invoices, transactions): Retained for up to 10 years after the end of the calendar year in which the transaction occurred, as required by German tax law (§ 147 AO, § 257 HGB).

9.3 Anonymized training data: Retained indefinitely (see Section 8.5).

9.4 Error logs (Sentry): Retained according to Sentry's data retention policies (typically 30–90 days).

9.5 We do not implement automatic data purging for active accounts. Users may delete individual students, tasks, classes, or their entire account at any time through the Service.

10. Account Deletion

10.1 Users may delete their account at any time via the account settings.

10.2 Upon account deletion, the following data is permanently deleted:

  • Account data (profile, credentials)
  • All tasks, classes, subjects, and assignments
  • All Student Data (names, responses, scores)
  • Wallet balance and payment method references

10.3 The following data may be retained after deletion:

  • Billing records as required by tax law (see Section 9.2)
  • Anonymized training data (see Section 8.5)
  • Data already contained in encrypted backups (deleted when backups rotate, typically within 30 days)

11. Your Rights (GDPR Articles 15–21)

11.1 Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — obtain confirmation and a copy of your personal data;
  • Right to rectification (Art. 16) — correct inaccurate data;
  • Right to erasure (Art. 17) — request deletion of your data;
  • Right to restriction of processing (Art. 18);
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used format;
  • Right to object (Art. 21) — object to processing based on legitimate interest, including data usage for model training;
  • Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

11.2 To exercise any of these rights, contact [email protected]. We will respond within 30 days.

11.3 For Student Data: Since the User (teacher) is the data controller, data subject requests from students should be directed to the respective teacher. Diagnote will assist the User in fulfilling such requests upon instruction.

11.4 Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2-4
40213 Düsseldorf
https://www.ldi.nrw.de

12. Data Security

12.1 We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS/HTTPS for all connections);
  • Encrypted cloud storage (DigitalOcean Spaces with server-side encryption);
  • Cryptographic password hashing (never stored in plain text);
  • Short-lived JWT authentication tokens (15-minute access tokens);
  • HttpOnly cookies to prevent client-side token access;
  • CSRF protection on state-changing requests;
  • Per-user data isolation (users can only access their own data);
  • Webhook signature verification (Stripe).

12.2 Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

13. Children's Data

13.1 The Service is intended for Users aged 18 and older. We do not knowingly collect personal data from children.

13.2 Student Data may relate to minors. The User (teacher) is solely responsible for ensuring that they have appropriate legal authority to process the data of minor students, including parental or guardian consent where required.

13.3 If we become aware that we have directly collected personal data from a child under 16 without appropriate authorization, we will take steps to delete that data.

14. Changes to This Privacy Policy

14.1 We may update this Privacy Policy from time to time.

14.2 Users will be notified of material changes via email. The updated policy will indicate the "Last updated" date at the top.

14.3 Continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

15. Contact

For any questions or requests regarding this Privacy Policy or your personal data:

Kander Akinci
Ehrenfeldgürtel 174
50823 Köln, Germany
Email: [email protected]