Unihelper.io Privacy Policy


Effective Date: November 1, 2025

1. INTRODUCTION & SCOPE

Who We Are

UniHelper ApS (CVR: 39750007) is a Danish company that provides educational technology solutions. Our registered office is at Slotsgade 17B, 6200 Aabenraa, Denmark.


Key Definition

"Services" means Unihelper.io's cloud-based software-as-a-service (SaaS) platform for student group optimization and collaboration, including all related features, algorithms, and technical infrastructure.


Our Two Roles

We handle personal data in two distinct ways:

  1. As a Service Provider - When educational institutions hire us to provide our Services to their students and staff

  2. As a Business - When we collect information for our own purposes (marketing, website visitors, business contacts)


Note on Terminology: Throughout this policy, we use the terms "processor" and "controller" from EU law, but these apply equally to equivalent US terms:

  • "Processor" = "Service Provider" (CCPA/CPRA), "Processor" (CPA, VCDPA, CTDPA)

  • "Controller" = "Business" (CCPA/CPRA), "Controller" (CPA, VCDPA, CTDPA)


Geographic Coverage

This Privacy Policy applies globally, with specific provisions for:

  • European Union/EEA/UK (GDPR compliance)

  • United States (FERPA, COPPA, and state privacy laws)

  • Other jurisdictions as applicable


Which Sections Apply to You

| If you are... | Relevant sections |
| --- | --- |
| A student using the Services through your educational institution | Sections 2A, 3A, 4, 5, 6 |
| An educational institution’s administrator managing the Services | All sections |
| A website visitor (not using the Services) | Sections 2B, 3B, 4, 5, 6 |
| Someone we've contacted for marketing | Sections 2B, 3B, 4, 5, 6 |


2. HOW WE PROCESS YOUR DATA


2A. When Educational Institutions Hire Us (Service Provider Role)

When educational institutions use our Services, we act as their:

  • "Data Processor" under GDPR (EU/UK)

  • "Service Provider" under CCPA/CPRA (California)

  • "Processor" under CPA (Colorado), VCDPA (Virginia), and other US state laws

  • "School Official" under FERPA (US federal education law)


These terms all mean the same thing: we only process data according to the educational institution's instructions to provide our Services.


What this means:

  • Schools decide what data to upload to our Services

  • Schools determine how long we keep it

  • Schools remain responsible for getting necessary consents

  • We cannot use student data for purposes beyond operating the Services


Required Agreements

Before any student data can be processed through the Services, we require:

  • A signed Agreement with the institution

  • Clear written instructions for data handling within the Services

  • Authorization for any sub-processors supporting our Services infrastructure


Our Commitments

  • Never use Services data for marketing

  • Never sell or share student data from the Services with third parties (except authorized sub-processors)

  • Delete Services data when instructed or when agreements end

  • Maintain strict separation between Services data and our business data


How We Process Group Formation

The Services follow this documented process:

  1. Questionnaire Distribution: Schools receive a secure link to distribute to students

  2. Data Collection: Students provide responses about preferences and availability

  3. Algorithm Processing: Our proprietary algorithm creates optimized groups based on responses and educational institution criteria

  4. Results Delivery: Schools access group lists through our self-service portal or receive them via secure email

  5. Communication: Schools or UniHelper.io (if authorized) send relevant information for the group creation process

  6. Evaluation (Optional): Follow-up surveys to assess group formation success


Special Restrictions

  • We only process special categories of personal data (sensitive data under GDPR) if you’ve added customized institutional questions, which should only be added in accordance with your educational institution’s policies

  • We only process questions that would collect protected or confidential information if you’ve added customized institutional questions, which should only be added in accordance with your educational institution’s policies

  • All customized institutional questions must be relevant for purposes of determining group formation and added in accordance with your educational institution’s policies


2B. When We Interact with You Directly (Business Role)

For our own business purposes, we independently collect and process data as a:

  • "Data Controller" under GDPR (EU/UK)

  • "Business" under CCPA/CPRA (California)

  • "Controller" under CPA (Colorado), VCDPA (Virginia), and other US state laws


This means we determine why and how to process this data for:


Marketing & Sales

  • Contacting potential customers

  • Sending newsletters, product updates, offers, and other sales or marketing-related communications

  • Managing sales processes

  • Analyzing market trends


Website Operations (separate from Services)

  • Improving user experience on our marketing website

  • Analyzing traffic patterns on unihelper.io

  • Providing customer support outside the Services

  • Managing business accounts (not Services accounts)


Legal Basis for Our Processing

  • Consent: For direct sales communications and marketing to individuals

  • Legitimate Interest: For business-to-business marketing and website analytics

  • Contract: For customer account management


3. WHAT DATA WE COLLECT


3A. User Data (Processed Through Services)

Educational institution faculty/staff and student users may upload the following to our Services (either by faculty/staff directly accessing the platform, or by students submitting a response to a questionnaire requested by educational institution faculty/staff):

  • Identity Information: Names, enrollment data (e.g. course name, section, and year), user email address

  • Educational Information: Courses, programs, academic levels

  • Collaboration Data: Availability, preferences, skills assessments, expectations for group work, competencies related to group work

  • Technical Data: Login credentials, session information for Services access

  • Optional Information: Team numbers, responses to customized questions from institutions (excluding sensitive or special category data)


3B. Business & Website Data (Our Collection - Not Through Services)

We directly collect:

  • Contact Information: Name, user email, work or professional phone, organization, professional title, user’s country

  • Website Activity (via Wix Analytics and Google Search Console): Pages visited, features used, time spent on unihelper.io

  • Communication History: Sales emails, support tickets, feedback

  • Technical Information: IP address (anonymized), browser type, device info


3C. Service Improvement Data

After removing all personal identifiers from Services usage, we analyze patterns for:

  • Algorithm performance optimization

  • Services feature usage trends

  • System reliability metrics

  • User experience improvements within the Services

This anonymized data cannot identify individuals and is retained for Services improvement.


4. YOUR PRIVACY RIGHTS


Your Rights by Region

Right

EU/UK

California

Other US States

Access your data

Varies

Correct your data

Varies

Delete your data

Varies

Port your data

Some states

Object to processing

Some states

Opt out of marketing

How to Exercise Your Rights


If you're a student using the Services: Contact your educational institution first. They control your data in the Services and will coordinate with us.


If we contacted you directly (outside the Services): Email contact@unihelper.io with your request.


Marketing opt-out: Click "unsubscribe" in any marketing email or email contact@unihelper.io


Educational Institution Responsibilities (Complementary Controls)

For the Services to operate compliantly, educational institutions must:

  • Ensure data provided is relevant, necessary, and limited to group formation purposes

  • Verify customized questions don't request sensitive or special category data

  • Maintain current and accurate student information

  • Provide lawful instructions consistent with GDPR and applicable regulations

  • Keep contact information updated for breach notifications and compliance matters

  • Obtain appropriate consent or legal basis for data processing

  • Fulfill data subject information obligations


Response Timeline

  • We acknowledge requests within 48 hours

  • We complete most requests within 30 days

  • Complex requests may take up to 90 days (we'll explain why)


5. SECURITY & DATA RETENTION


How We Protect Your Data

Technical Safeguards

  • Encryption at rest (AES-256) and in transit (TLS 1.3) for all personal data

  • Multi-factor authentication and/or SSO integration for Services access

  • Antivirus software with continuous updates (or OS built-in security for updated systems)

  • Role-based access controls limiting data access to work-related needs

  • Regular security audits of infrastructure

  • Intrusion detection systems monitoring access

  • Full logging of data access and modifications (where technically possible)

  • Pseudonymization or anonymization for development/testing purposes


Organizational Safeguards

  • Employee confidentiality agreements and personal data policy compliance declarations

  • Background checks for new hires

  • Annual security awareness training covering IT security and GDPR compliance

  • Access controls with annual reviews to ensure work-related need

  • Documented incident response plan (GDPR Portal system)

  • Formal procedures for granting and revoking access upon hiring/termination

  • Risk assessments performed annually with documented mitigation measures

  • Access limited to need-to-know basis with management oversight


How Long We Keep Data

| Data Type | Retention Period |
| --- | --- |
| Student data in Services | Processing period + 8 months after last group formation |
| Contact person data | Maximum 2 years |
| Email communications | Maximum 2 years |
| Active customer account data | Duration of relationship + 3 years |
| Marketing prospects | 24 months from last interaction |
| Website analytics | 90 days (then anonymized) |
| Backup data | Not actively restored but may persist in backup systems |
| Legal records | As required by law |

Data Breach Response

If a security incident affects the Services:

  1. We investigate immediately using our documented incident response plan

  2. We notify affected educational institutions without undue delay (maximum 24 hours from awareness)

  3. We assist educational institutions with regulatory notifications to supervisory authorities

  4. We notify individuals if required by law

  5. We document all incidents, measures taken, and provide breach certificates as needed


6. LEGAL COMPLIANCE FRAMEWORK


Education-Specific Laws


FERPA (US Federal Law)

  • We qualify as a "School Official" with legitimate educational interests when providing the Services

  • We don't disclose education records from the Services without educational institution authorization

  • Parents maintain rights through their student’s educational institution


General Privacy Laws


GDPR (EU/UK)

  • Full compliance with processor obligations (Article 28) for the Services

  • Support for data subject rights related to Services data

  • Appropriate international transfer safeguards for Services operations


US State Laws

  • California (CCPA/CPRA): California Privacy Rights Act compliance

  • Colorado, Virginia, Connecticut, Utah: Respective state law compliance

  • Additional states as laws are enacted


International Data Transfers

When authorized by educational institutions:

  • We use Standard Contractual Clauses for Services data transfers

  • Services data is primarily stored on Amazon Web Services’ GDPR-compliant data center services in Sweden and in the US (sub-processing via Typeform)

  • Limited transfers to USA only with appropriate safeguards and educational institution approval

  • No Services data transfers without appropriate safeguards and valid transfer basis

  • All transfers documented in risk assessments and DPAs


7. KEY INFORMATION


Contact Us

| Purpose | Email | Response Time |
| --- | --- | --- |
| General privacy questions | | 2 business days |
| Data subject requests | | 48 hours acknowledgment |
| Security incidents | | 24/7 monitored |
| Marketing opt-out | | 48 hours |
| DPA execution (for Services access) | | 3 business days |

Our Sub-Processors

Current sub-processors supporting the Services are listed at: www.unihelper.io/sub-processors


Primary Infrastructure: Amazon Web Services’ GDPR-compliant data center services in Sweden and in the US (sub-processing via Typeform)


Sub-Processor Controls:

  • Written data processing agreements with all sub-processors

  • 30 days advance notice before adding new sub-processors for the Services

  • Schools may object, in accordance with the GDPR, to the introduction of new sub-processors through the process outlined in the DPA

  • Annual risk assessments and follow-up audits of sub-processor compliance

  • Same data protection obligations imposed as in educational institution agreements

  • EU-approved Standard Contractual Clauses

  • AWS Data Processing Agreement and Supplementary Addendum (addressing Schrems II ruling and invalidation of the EU-US Privacy Shield)


Supervisory Authorities

Our Lead Authority: Danish Data Protection Agency (Datatilsynet)

Your Local Authority: Depends on your location - contact us for assistance


Updates to This Policy

  • Material changes announced 30 days in advance

  • Updates posted at www.unihelper.io/privacy

  • Schools using the Services notified directly of significant changes


APPENDICES

Available at www.unihelper.io/privacy-resources:

Appendix A: Technical Security Specifications for Services

Appendix B: Complete Sub-Processor List for Services Operations

Appendix C: Data Processing Agreement Template for Services Access

Appendix D: Services Anonymization Methodology

Appendix E: Website Cookie Policy (Non-Services)

Appendix F: Jurisdiction-Specific Provisions
