Privacy Policy

Last Updated: 10 February 2026

1. Who We Are

GIOS (www.gioschool.com) is an AI-powered educational technology platform that delivers gamified, adaptive mathematics learning experiences for K–12 students. It combines short-form interactive lessons and personalized learning paths, empowering schools, teachers, and families to improve learning outcomes at scale.

We are committed to data privacy, transparency, and compliance with applicable laws, including:

  • General Data Protection Regulation (GDPR)
  • Children’s Online Privacy Protection Act (COPPA)
  • Family Educational Rights and Privacy Act (FERPA)
  • EU Artificial Intelligence Act (AI Act)

2. Scope of This Policy

This Privacy Policy applies to all personal and non-personal data collected through our platforms, products, apps, services, or interactions, including data processed by AI-driven features.

3. User Roles and Responsibilities

The GIOS platform may be accessed by different categories of users:

  • Students – End users who access educational content and complete learning activities.
  • Parents/Guardians – Individuals who may create or supervise student accounts and provide consent where required by applicable law.
  • Teachers – Educational professionals who manage classes, monitor student progress, and assign learning activities.
  • Institutions (Schools or Educational Authorities) – Contracting entities that may act as Data Controllers for student educational records under applicable agreements. In such cases, GIOS acts as a Data Processor on behalf of the institution. The specific allocation of controller and processor responsibilities is defined in contractual agreements between GIOS and the institution.

User access levels and responsibilities are defined within contractual agreements and platform permissions.

4. Legal Basis for Processing

We process your data based on the following legal grounds:

  • Consent – for marketing or optional features.
  • Contractual necessity – to provide services you’ve requested.
  • Legitimate interest – for quality improvement and analytics.
  • Compliance with laws – such as GDPR, COPPA, FERPA, and the AI Act.

5. AI Systems and Risk Classification (AI Act Compliance)

Under the EU AI Act, we have assessed our AI components and classified them as:

Within GIOS, limited-risk AI systems are used to enhance adaptive learning pathways, generate interactive educational content, and support intelligent feedback inside the platform.

These AI components power features such as:

  • Automated diagnostics based on learning progress
  • Personalized task recommendations
  • Content generation for practice and reinforcement

Minimal Risk Systems (e.g., recommendation algorithms for classroom content or gamified learning tools).

We do not deploy AI systems classified as unacceptable risk or high-risk (e.g., biometric surveillance, social scoring, automated grading, or recruitment AI).

GIOS does not engage in automated decision-making that produces legal or similarly significant effects on users within the meaning of Article 22 GDPR.

6. What Personal Data We Collect

We may collect:

  • User-provided data: Name, email, school details, feedback.
  • Usage data: Log files, device type, IP address, language, browser type.
  • Child data (where applicable under COPPA or similar regulations): processed only with verifiable parental or institutional consent.

We do not collect:

  • ❌ Biometric data
  • ❌ Location data for surveillance
  • ❌ Social scoring data

Personal Information

GIOS (Global Innovative Online School) relies on consent in connection with Personal Information collections or uses (if required to use GIOS services and/or receive information and/or communication from GIOS via email subscription) that are necessary to enhance the user experience, to enable optional services or features, or to communicate with you.

Withdrawal of consent

GIOS believes that we are only entitled to access or use your Personal Information if we have your consent to do so. Whenever we rely on your consent, you will always be able to withdraw that consent.

Deletion

If a user requests that their personal information held by GIOS be erased or deleted, we will comply with that request. Upon verified deletion requests, personal data will be permanently removed from active systems and scheduled backups in accordance with our data retention and backup policies.

Access to personal information

GIOS does not sell personal data and does not share personal data with advertisers or marketing networks. We may share personal data only with contracted service providers (such as cloud hosting, analytics, or technical infrastructure providers) strictly for the purpose of delivering our services and under binding data protection agreements.

The GIOS platform collects and stores personal data from registered clients so that their work can be stored on the website for users' further reference.

Type of personal data

Pupils: GIOS processes limited student data necessary to provide educational services. This may include pseudonymised learning progress, task completion data, and performance indicators. Students are not subject to biometric identification, social scoring, or behavioural advertising profiling. Data minimisation principles are applied at all times.

GIOS does not perform device-level tracking to identify how many individuals use a single device. Student identification is based solely on account-level credentials where applicable.

Teacher/school staff: Name, email, registration group/classes only via GIOS platform.

Parent/guardian: Name, email, registration group/classes only via GIOS platform.

Who can access personal data?

Where it is necessary to access client data (for example, to investigate a support case), only approved GIOS support and technical staff can access it.

GIOS staff are vetted and are subject to contractual data access policies and confidentiality clauses.

How are errors in data corrected?

User data is obtained from the user who registers to use the software from GIOS (i.e., registers as account administrator). Account administrators can correct user data generated within the GIOS platform.

Support and assistance is available from our support team: hello@gioschool.com

How do I make a Subject Access Request or implement the Right to be Forgotten?

Where Subject Access Requests and/or Right to be Forgotten are applicable to client data in a GIOS product, we provide means for authorised client users to carry out activities directly.

Support and assistance is available from our support team: hello@gioschool.com

How does GIOS protect personal data and where is it processed?

GIOS stores platform and client data on secure, compliant cloud infrastructure located within the European Economic Area (EEA). This ensures that personal data is processed and retained in accordance with applicable European data protection regulations.

Where personal data is transferred outside the EEA, such transfers are protected through appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent legal mechanisms in accordance with GDPR requirements.

We apply multiple technical and organisational safeguards to protect personal data, including:

  • Encrypted communication (HTTPS / TLS) for all data transmitted between users and the platform
  • Encryption of data at rest to prevent unauthorised access
  • Role-based access control (RBAC) ensuring that users and staff can only access data necessary for their function
  • Restricted personnel access, limited to authorised team members bound by confidentiality and data protection obligations

These layered security measures are designed to maintain the confidentiality, integrity, and availability of personal data at all times.

Rights of the person concerned

Pursuant to Section III of the GDPR, the person concerned shall be entitled to exercise their right to:

  • access personal data (free information about the personal data held by the Data Controller, and a copy thereof in an accessible format);
  • amend incorrect, inaccurate or old data;
  • withdraw consent at any time (where consent is the legal basis);
  • cancel personal data – right to be forgotten;
  • restrict data processing in certain cases;
  • object to processing due to legitimate reasons, including direct marketing;
  • data portability;
  • lodge a complaint with a Supervisory Authority.

Exercise of users’ data protection rights

You may contact us via email at hello@gioschool.com to assert your rights, including confirmation of the existence and origin of data, purposes of processing, rectification, deletion, anonymisation, or blocking of unlawful processing, and updates or integrations of data. You may also object at any time to the possible profiling of your personal data.

7. Children’s Privacy – COPPA & FERPA Compliance

We strictly follow COPPA and FERPA:

  • For users under 13, verifiable parental or school consent is required before data collection.
  • Parents, guardians, or schools can review, delete, or restrict a child’s data at any time.
  • Educational records are only accessible to authorized school representatives.

Because some of our users may be interested in it, we have included some information below related to COPPA and FERPA.

Data collected by GIOS may include personally identifiable information from education records that are subject to FERPA (“FERPA Records”). When processing FERPA-covered educational records under institutional agreements, GIOS acts as a “School Official” under the direct control of the educational institution.

COPPA requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children under 13. Therefore, GIOS only collects personal information through the Services from a student under 13 where their school, district, and/or teacher has agreed to obtain parental consent to use the Services and to disclose personal information to us for the use and benefit of the learning environment. Such consent shall not be deemed as consent pursuant to Art. 6(1)(a) GDPR.

If we become aware that personal data has been collected from a child without appropriate consent, such data will be deleted without undue delay.

Schools acting as Data Controllers are responsible for obtaining and documenting parental consent where required by applicable law.

If you believe that a student under 13 may have provided us personal information in violation of this paragraph, please contact us at hello@gioschool.com.

8. How We Use Data

We use data to:

  • Operate and maintain our platforms.
  • Improve user experience through analytics and AI.
  • Provide customer support.
  • Comply with legal obligations.

We do not sell personal data or use it for profiling beyond platform improvements.

GIOS does not:

  • sell student data
  • use student data for advertising
  • conduct behavioural profiling for commercial purposes
  • monetise user data

Student data is used strictly to provide and improve educational services.

9. Data Sharing & Third Parties

We only share data with:

  • Service providers (hosting, analytics) under strict data protection agreements.
  • Educational institutions, upon request and with consent.
  • Authorities, if legally required.

We do not share data with advertisers or third-party marketing platforms without explicit consent.

A list of subprocessors may be provided to institutional partners upon request.

All subprocessors are subject to data processing agreements (DPAs) and confidentiality obligations in accordance with GDPR requirements.

10. AI Transparency & Oversight

In accordance with the AI Act:

  • We disclose any interaction with AI systems within our apps and platforms.
  • Human oversight is built into all AI interactions — teachers remain in control of classroom content and outputs.
  • Users are informed when interacting with AI-powered features within the platform.
  • Model reuse is restricted to minimize unintended consequences (e.g., algorithmic bias).

GIOS does not use identifiable student data to train, retrain, or fine-tune external foundation models. Any internal model optimisation relies on anonymised or synthetic datasets.

Where AI service providers are engaged, only pseudonymised or minimal necessary data is processed under strict contractual safeguards. Where student responses or learning data are processed by third-party AI providers, such processing is based on contractual necessity (Art. 6(1)(b) GDPR) or legitimate interest (Art. 6(1)(f) GDPR), depending on the service context.

We ensure that training datasets used for internal model optimisation do not contain directly identifiable personal data.

Data protection methods:

  • Where anonymisation is applied, personal identifiers are irreversibly removed.
  • Where pseudonymisation is used, identifiers are stored separately under strict access control and technical safeguards.
  • Where student responses are processed by third-party AI providers, only pseudonymised or minimal task-related data is transmitted. No direct identifiers (such as name, email, or account ID) are shared.

Third-party AI providers are contractually prohibited from using submitted data to train or improve their foundation models.

Internal AI optimisation relies exclusively on:

  • anonymised educational datasets,
  • synthetic training data,
  • or curriculum-based content developed by GIOS and its educational partners.

No publicly scraped personal data or student-generated identifiable content is used for model training.

11. Your Rights

You have the right to:

  • Access, correct, or delete your personal data.
  • Withdraw consent at any time.
  • Request data portability.
  • Object to certain processing or automated decisions.
  • File a complaint with a supervisory authority (for EU residents).

12. Data Retention

  • Account data: retained until account deletion or contract termination.
  • Learning progress data: retained during the active service period and up to 12 months after termination.
  • System logs: retained for up to 12 months.
  • Support communications: retained for up to 24 months.
  • Marketing data: retained until consent withdrawal.

Accounts inactive for more than 24 months may be anonymised or deleted, unless contractual or legal obligations require continued retention.

13. Data Security

  • Data encryption
  • Secure HTTPS / TLS connections for all data transmission
  • Data is stored within the European Economic Area (EEA)
  • Restricted staff access — only authorized personnel, bound by confidentiality and data protection obligations, may access data

We conduct periodic security reviews and vendor risk assessments to ensure compliance with contractual and regulatory requirements. Where appropriate, external security testing or vulnerability assessments may be performed.

14. Incident Response and Breach Notification

GIOS maintains internal procedures for detecting, investigating, and responding to potential security incidents.

In the event of a personal data breach, we will assess the level of risk and notify affected institutions and relevant supervisory authorities in accordance with applicable data protection laws, including GDPR requirements where applicable (such as the 72-hour notification rule).

We maintain logging, monitoring, access controls, and internal escalation procedures to ensure timely detection, containment, and remediation of incidents.

15. International Users

If you are outside the EU, we process your data in compliance with applicable local laws. The AI Act’s provisions may apply if you are interacting from the EU, regardless of our country of origin (extraterritorial scope).

16. Updates to This Policy

We update this policy to comply with new legal requirements, such as the AI Act, and reflect changes in our services. Users will be notified of major changes via email or platform notification.

17. How can I contact GIOS?

If your school would like further information on GDPR compliance in GIOS products, please contact our support team at hello@gioschool.com.