Status: DRAFT — pending legal review. See README.md for marker conventions.
Last updated: 20 May 2026
Effective from: 20 May 2026
Version: 1.0 (draft)
1. Introduction
This Privacy Policy explains how Fjordbyte AS (org. nr. 933 773 477), the company behind Lectora ("Lectora", "we", "us"), processes personal data when you or your institution use the Lectora platform — an AI-assisted grading and feedback tool for higher education that integrates with the Canvas learning management system (LMS).
We have written this policy to comply with the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act (Personopplysningsloven), and the guidance issued by the Norwegian Data Protection Authority (Datatilsynet) for the education sector.
This policy describes:
- What personal data we collect, and from whom
- Why we process it and on what legal basis
- Who we share it with, and where it is processed geographically
- How long we keep it
- The rights you have, and how to exercise them
- How to contact us, our Data Protection Officer, and the supervisory authority
If anything in this policy is unclear, write to lectora@fjordbyte.no.
2. Who is the data controller?
Lectora is used in three distinct ways. The controller and processor roles differ in each. Find the scenario that matches you:
2.1 You are an individual educator using Lectora with a personal Canvas access token
You signed up for Lectora yourself, generated a Personal Access Token in your Canvas account, and pasted it into Lectora. Your institution has not signed an enterprise agreement with us.
- For your own personal data (your name, email, login activity): Fjordbyte AS is the controller.
- For the student work you upload, the rubrics, the grades you generate: you, as the educator, are operating as the data controller (or as a representative of your institution's controllership, depending on your institution's policies). Lectora is the processor, processing this data on your instructions.
You confirm in our Terms of Service that you have authority from your institution to use Lectora to process student work. If you are uncertain whether you have this authority, do not upload student work and contact your institution's data protection officer first.
2.2 Your institution has signed an enterprise agreement with Lectora
Your institution installed Lectora as an LTI 1.3 application in Canvas. You access it through institutional single sign-on.
- For all student and educator data flowing through Lectora: your institution is the data controller. Lectora is the processor, governed by the Data Processing Agreement (DPA) signed between Lectora and your institution.
- For data Lectora collects independently to operate the service (account metadata, billing contacts, security logs): Fjordbyte AS is the controller.
2.3 You started in scenario 2.1, and your institution later signed an enterprise agreement
This is a controller transition. See Section 11.
3. What personal data we collect
The categories of data we collect depend on which mode you use.
3.1 Account & authentication data
| Data | Purpose | Source |
|---|---|---|
| Name | Identification, addressing in emails | You at signup, or your institution via LTI/SSO |
| Email address | Authentication, notifications | You at signup, or via SSO |
| Profile image (optional) | UI personalisation | Canvas (if available) |
| Password hash (PAT mode only) | Authentication | You at signup, hashed before storage |
| Canvas user ID | Linking your Lectora account to your Canvas identity | Canvas |
| Canvas access token (PAT or OAuth) | Authorised API access to Canvas on your behalf | You (PAT) or Canvas OAuth flow (LTI) |
Canvas access tokens are encrypted at rest using AES-256-GCM with key rotation support.
3.2 Course and assignment data
| Data | Purpose | Source |
|---|---|---|
| Course title, code, semester | Organising work within Lectora | Canvas |
| Assignment text, rubric, point values | Grading context for the AI | Canvas |
| Solution manuals, reference files (uploaded by you) | Grading context for the AI | You |
3.3 Student submission data
| Data | Purpose | Source |
|---|---|---|
| Submission text (body), URLs, attachments | Grading and feedback generation | Canvas |
| Extracted text from PDF/DOCX submissions | AI processing | Lectora extracts on your behalf |
| Submission metadata (attempt number, timestamps, file types) | Audit and grading workflow | Canvas |
| Student name and email | Linking grades back to Canvas users | Canvas |
Important: Lectora does not send direct student identifiers (name, email, student ID) to upstream AI providers. AI prompts use only pseudonymous internal identifiers; AI outputs are linked back to students within Lectora's own systems.
3.4 Grading and feedback data
| Data | Purpose | Source |
|---|---|---|
| AI-drafted scores | Educator review and approval | Lectora generates |
| AI-drafted written feedback (strengths, suggestions, corrections) | Educator review and approval | Lectora generates |
| Educator edits, approvals, and publication actions | Workflow state | You |
| Reviewer identity, review timestamps | Audit trail | Lectora records on each review/publish action |
3.5 Chat and assistant data
| Data | Purpose | Source |
|---|---|---|
| Your messages to the Lectora teacher assistant | AI response generation, conversation history | You |
| Per-student daily feedback-chat usage counters | Rate limiting (deleted after 30 days) | Lectora records |
3.6 Technical and operational data
| Data | Purpose | Source |
|---|---|---|
| IP address | Security, rate limiting, abuse prevention | Network |
| Browser type / user-agent | Compatibility, debugging | Network |
| Session cookies, authentication tokens | Keeping you signed in | Lectora |
| Application logs, error reports | Diagnosing and fixing issues | Lectora |
| Anonymised usage events (feature interactions) | Product improvement (aggregate only) | Lectora |
3.7 Billing data (institutions only)
| Data | Purpose | Source |
|---|---|---|
| Institution name, billing contact | Invoicing | Your institution |
| Subscription details, invoice history | Account management | Lectora and Stripe |
Lectora does not store payment card data. Card details are processed exclusively by Stripe (PCI DSS Level 1 certified).
3.8 Prospect data (sales outreach)
This category applies if you are receiving outreach emails from Lectora before you have signed up — typically because you are a course leader, department head, or member of academic staff at a higher-education institution we believe Lectora is relevant to.
| Data | Purpose | Source |
|---|---|---|
| Name and work email | Initial professional contact | Publicly available professional listings (university web pages, LinkedIn, conference programmes) |
| Job title, institution, department | Targeting relevance | Same as above |
| Engagement metadata (email opens, link clicks, replies) | Adjusting outreach cadence; suppressing further contact when there is no interest | Lectora's outreach tooling (HubSpot Sales Hub) |
We do not buy, scrape at scale, or build behavioural profiles of prospects. The data is collected in the public professional context, processed under legitimate interest (see Section 4), and you can opt out at any time using the unsubscribe link in any email we send you or by writing to lectora@fjordbyte.no. On opt-out we suppress further contact and delete the prospect record within 30 days unless we have another lawful basis to retain it (e.g. an active sales conversation you initiated).
4. Legal bases for processing
Under GDPR Art. 6, each processing activity has a legal basis:
| Activity | Legal basis |
|---|---|
| Operating your Lectora account | Contract performance (Art. 6(1)(b)) — our agreement with you or your institution |
| Processing student work for grading | In institutional mode: our Data Processing Agreement on behalf of the institution. In PAT mode: your instructions as the operating controller, with your warranty of authority |
| Security monitoring, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) — operating a secure service |
| Transactional emails (account, security, billing) | Contract performance (Art. 6(1)(b)) |
| Aggregated, anonymised product analytics | Legitimate interest (Art. 6(1)(f)) — improving the service |
| Marketing emails to opted-in subscribers (Pipeline A — newsletter, product updates, case studies) | Consent (Art. 6(1)(a)) + Markedsføringsloven §15 |
| Sales outreach to prospects in their professional capacity (Pipeline B — 1:1 emails from a Lectora team member to a professionally-relevant contact) | Legitimate interest (Art. 6(1)(f)) — balanced against the prospect's professional context. A written Legitimate Interest Assessment (LIA) is kept on file. Every outreach email contains a one-click unsubscribe link and a link to this policy. [REVIEW — Norwegian counsel to confirm the LIA scope is appropriate; Datatilsynet has issued cautious guidance on B2B cold outreach.] |
| Compliance with legal obligations (e.g. accounting records) | Legal obligation (Art. 6(1)(c)) |
Student submission text may incidentally contain special-category personal data (GDPR Art. 9) — for example a health-related case study, or content revealing a student's beliefs. Lectora processes such content only as an incidental consequence of the educational task and never deliberately solicits it. The legal basis is Art. 9(2)(j) (archiving for scientific or educational purposes) combined with the safeguards in Section 8 of this policy. [REVIEW — Norwegian counsel to confirm Art. 9 basis is correct for higher-ed grading context.]
5. Who we share your data with (subprocessors)
We use the third-party providers listed below to operate Lectora. Each is bound by a written Data Processing Agreement and contractual data-protection safeguards. The full operational details and contact information for each provider are in our DPA's Bilag B (annex of subprocessors); a public-facing summary lives at /subprocessors.
| Provider | Role | Data processed | Region |
|---|---|---|---|
| Vercel Inc. | Application hosting (Next.js, serverless compute, edge) | All application traffic in transit | EU (Frankfurt, eu-central-1) |
| Vercel Blob (operated by Vercel Inc.) | Object storage for uploaded files | Course files, student submissions, AI context files | EU (Stockholm, eu-north-1) |
| Supabase Inc. | PostgreSQL database (primary) | All application data | EU (Frankfurt, eu-central-1) |
| OpenAI Ireland Ltd. | AI inference (grading, feedback, assistant) | Pseudonymised text, submission content (no direct student identifiers) | EU (Europe region) — zero data retention, no training on customer data |
| Google Cloud EMEA Ltd. (Vertex AI / Gemini) | AI inference (alternate models) | Pseudonymised text (no direct student identifiers) | EU (europe-west4 Netherlands) — no training on customer data |
| Inngest, Inc. | Background job orchestration | Internal job identifiers only (no submission content) | USA — covered by SCCs |
| Plus Five Five, Inc. (Resend) | Transactional email delivery | Recipient address, message metadata | USA — covered by SCCs |
| Statsig, Inc. | Feature flags, usage analytics, error/log monitoring | Pseudonymised events, technical metadata, request logs | USA — covered by SCCs |
| Stripe Payments Europe Ltd. | Billing (institutions only) | Billing contacts, invoice data | EU/global — covered by Stripe DPA + SCCs |
The detailed Subprocessors page contains DPA links, sub-processor lists for each provider, and update notifications.
[CONFIRM — list reflects DPA Bilag B as of [date]. If sub-processor roster changes, both the DPA and this policy update; institutions are notified per the DPA's notification clause.]
6. International data transfers
Lectora is configured to keep all customer-content processing within the EU/EEA wherever possible:
- Application hosting: EU (Frankfurt)
- Database: EU (Frankfurt)
- File storage: EU (Stockholm)
- AI inference: EU (Europe region for OpenAI; europe-west4 for Vertex AI)
- Email: EU SCCs apply (Resend is US-based but covered by Standard Contractual Clauses)
- Analytics / monitoring (Statsig): USA with SCCs
- Background-job orchestration (Inngest): USA with SCCs — but receives only internal identifiers, never submission content
Where a transfer outside the EU/EEA occurs, it is governed by the EU Commission's Standard Contractual Clauses (Decision 2021/914) and the relevant provider's Transfer Impact Assessment. Where supplementary measures are needed (e.g. encryption in transit and at rest, contractual data-use restrictions), they are in place.
7. How long we keep your data
| Data category | Retention |
|---|---|
| Account data (name, email, profile) | While your account is active; deleted within [REVIEW — e.g. 30 days] of account closure |
| Canvas OAuth tokens | Refreshed proactively before expiry; revoked + purged 7 days after they go stale (institutional mode) |
| Canvas Personal Access Tokens | Until you replace or delete the token, or close your account |
| Course and assignment data | While the course exists in Lectora; deletable on request |
| Student submissions, AI-generated grades and feedback | [REVIEW — current code retains indefinitely. Recommended: align with the institution's grading-record retention policy via the DPA. Default proposal: deleted within 90 days of course archive, or sooner on instruction.] |
| Per-student feedback-chat usage counters | 30 days (automatic deletion) |
| Application logs and security telemetry | [REVIEW — typical 30-90 days] |
| Billing records | As required by Norwegian accounting law (5 years) |
| Audit-trail records (security events, governance transitions) | [REVIEW — typical 5 years to align with bokføringsloven] |
You can request deletion of data Lectora holds about you at any time (Section 9). Where Lectora is processor and the institution is controller, deletion requests should be addressed to your institution first; Lectora will act on the institution's instructions per the DPA.
[REVIEW — current platform code does not implement a self-service erasure endpoint for submissions/grading data. Build this before this policy is published.]
8. Security
We protect your data with industry-standard technical and organisational measures, including:
- Encryption in transit: TLS 1.2+ for all connections to Lectora and to upstream providers
- Encryption at rest: AES-256 for database storage; AES-256-GCM with key rotation for stored Canvas tokens
- Access control: role-based access within Lectora; principle of least privilege for engineering access; multi-factor authentication required for administrative accounts
- Network security: Vercel Firewall (WAF) and rate limiting protect against abuse
- Subprocessor controls: every subprocessor is reviewed for security posture; SOC 2 / ISO 27001 certifications preferred
- Audit logging: security-relevant actions are logged with timestamps and actor identity
- AI provider isolation: customer content sent to AI providers contains no direct personal identifiers; outputs are linked back internally
- Backups: database backups with retention per Supabase's backup policy
Full technical and organisational measures (TOMs) are documented in the DPA's security annex for institutional customers.
9. Your rights
Under GDPR Art. 13–22, you have the following rights:
- Right of access (Art. 15) — get a copy of the personal data we hold about you
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion ("right to be forgotten")
- Right to restriction (Art. 18) — limit how we process your data
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — for any processing based on consent
- Right to lodge a complaint with the supervisory authority (Section 14)
If your institution is the data controller (LTI mode), you should direct rights requests to your institution first. Lectora will support the institution in fulfilling such requests per the DPA.
To exercise these rights with Lectora, write to lectora@fjordbyte.no. We respond within 30 days (extendable by 60 days for complex requests, with notice).
10. Cookies and tracking
10.1 In the product (app.lectora.io)
Lectora uses the minimum cookies necessary to operate the service:
- Strictly necessary cookies: authentication, session management, security
- Functional cookies: remembering your preferences (e.g. language)
- Product analytics (Statsig): pseudonymous usage analytics to improve the product
Inside the product, we do not use advertising cookies and we do not allow third-party tracking for marketing purposes.
10.2 On the marketing site (lectora.io)
The marketing site uses cookies for traffic analytics and — with your opt-in — for advertising attribution and optimisation. The full cookie inventory and consent controls live at /cookies. Subprocessors involved in the marketing site:
- Vercel Web Analytics + Speed Insights (cookieless, always on)
- HubSpot tracker (analytics; opt-in)
- Google Analytics 4, Meta Pixel + Conversions API, LinkedIn Insight Tag, Google Ads (marketing; opt-in, loaded only when paid ad campaigns are active)
11. Transitioning from individual to institutional use
If you signed up for Lectora individually with a Personal Access Token and your institution later signs an enterprise agreement, the following applies:
- We notify you in-app and by email that your institution has signed a Data Processing Agreement with Lectora.
- From that point onward, your use of Lectora is governed by your institution's contract and DPA, not by your individual ToS. Your account is migrated under institutional governance.
- Any data you had processed under your individual usage continues to be held by Lectora; [REVIEW — decide policy: (a) carry forward under the new DPA, with notice to the institution; or (b) quarantine pre-transition data pending institutional review.]
- You are encouraged to re-authenticate via institutional SSO. Your Personal Access Token can be revoked and removed from Lectora at your request.
- We log the transition as an auditable event.
If you object to your data being placed under your institution's control after such a transition, you may request deletion of your account and data (Section 9).
12. Children
Lectora is designed for higher-education students and educators. We do not knowingly process personal data of children under 16. If you believe a child's data has been processed, contact us at lectora@fjordbyte.no and we will delete it.
13. Changes to this policy
We may update this policy from time to time. Material changes are notified to:
- Active institutional customers by direct email to the contact on file (GDPR Art. 13(2)(a) requirement for changes affecting processing)
- Individual users by in-app notification on next sign-in
Non-material changes (typos, formatting) may be made without notice. The "Last updated" date at the top of this policy always reflects the latest revision.
14. Contact
Data controller (for data we control):
Fjordbyte AS
Org. nr. 933 773 477
Address: c/o DNB Bank ASA, Solheimsgaten 7C, 5058 Bergen
Postal address: c/o DNB Bank ASA, Postboks 7100, 5020 Bergen
Email: lectora@fjordbyte.no
Data Protection Officer: [FILL — if appointed. Note: not strictly required under GDPR Art. 37 unless triggered, but recommended for an EdTech processor at this scale.]
EU representative: [REVIEW — Fjordbyte is established in Norway/EEA, so no separate EU representative is required.]
Supervisory authority:
Datatilsynet (the Norwegian Data Protection Authority)
Postboks 458 Sentrum, 0105 Oslo
Phone: +47 22 39 69 00
Web: https://www.datatilsynet.no
You have the right to lodge a complaint with Datatilsynet, or with the supervisory authority in your country of residence, if you believe our processing of your personal data violates the GDPR.