Loading Lectora…
Privacy Policy.
This Privacy Policy explains how Fjordbyte AS (org. nr. 933 773 477), the company behind Lectora ("Lectora", "we", "us"), processes personal data when you or your institution use the Lectora platform — an AI-assisted grading and feedback tool for higher education that integrates with the Canvas learning management system (LMS).
We have written this policy to comply with the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act (Personopplysningsloven), and the guidance issued by the Norwegian Data Protection Authority (Datatilsynet) for the education sector.
This policy describes:
If anything in this policy is unclear, write to lectora@fjordbyte.no.
Lectora is used in three distinct ways. The controller and processor roles differ in each. Find the scenario that matches you:
You signed up for Lectora yourself, generated a Personal Access Token in your Canvas account, and pasted it into Lectora. Your institution has not signed an enterprise agreement with us.
You confirm in our Terms of Service that you have authority from your institution to use Lectora to process student work. If you are uncertain whether you have this authority, do not upload student work and contact your institution's data protection officer first.
Your institution installed Lectora as an LTI 1.3 application in Canvas. You access it through institutional single sign-on.
This is a controller transition. See Section 11.
The categories of data we collect depend on which mode you use.
| Data | Purpose | Source |
|---|---|---|
| Name | Identification, addressing in emails | You at signup, or your institution via LTI/SSO |
| Email address | Authentication, notifications | You at signup, or via SSO |
| Profile image (optional) | UI personalisation | Canvas (if available) |
| Password hash (PAT mode only) | Authentication | You at signup, hashed before storage |
| Canvas user ID | Linking your Lectora account to your Canvas identity | Canvas |
| Canvas access token (PAT or OAuth) | Authorised API access to Canvas on your behalf | You (PAT) or Canvas OAuth flow (LTI) |
Canvas access tokens are encrypted at rest using AES-256-GCM with key rotation support.
| Data | Purpose | Source |
|---|---|---|
| Course title, code, semester | Organising work within Lectora | Canvas |
| Assignment text, rubric, point values | Grading context for the AI | Canvas |
| Solution manuals, reference files (uploaded by you) | Grading context for the AI | You |
| Data | Purpose | Source |
|---|---|---|
Submission text (body), URLs, attachments | Grading and feedback generation | Canvas |
| Extracted text from PDF/DOCX submissions | AI processing | Lectora extracts on your behalf |
| Submission metadata (attempt number, timestamps, file types) | Audit and grading workflow | Canvas |
| Student name and email | Linking grades back to Canvas users | Canvas |
Important: Lectora does not send direct student identifiers (name, email, student ID) to upstream AI providers. AI prompts use only pseudonymous internal identifiers; AI outputs are linked back to students within Lectora's own systems.
| Data | Purpose | Source |
|---|---|---|
| AI-drafted scores | Educator review and approval | Lectora generates |
| AI-drafted written feedback (strengths, suggestions, corrections) | Educator review and approval | Lectora generates |
| Educator edits, approvals, and publication actions | Workflow state | You |
| Reviewer identity, review timestamps | Audit trail | Lectora records on each review/publish action |
| Data | Purpose | Source |
|---|---|---|
| Your messages to the Lectora teacher assistant | AI response generation, conversation history | You |
| Per-student daily feedback-chat usage counters | Rate limiting (deleted after 30 days) | Lectora records |
| Data | Purpose | Source |
|---|---|---|
| IP address | Security, rate limiting, abuse prevention | Network |
| Browser type / user-agent | Compatibility, debugging | Network |
| Session cookies, authentication tokens | Keeping you signed in | Lectora |
| Application logs, error reports | Diagnosing and fixing issues | Lectora |
| Anonymised usage events (feature interactions) | Product improvement (aggregate only) | Lectora |
| Data | Purpose | Source |
|---|---|---|
| Institution name, billing contact | Invoicing | Your institution |
| Subscription details, invoice history | Account management | Lectora and Stripe |
Lectora does not store payment card data. Card details are processed exclusively by Stripe (PCI DSS Level 1 certified).
This category applies if you are receiving outreach emails from Lectora before you have signed up — typically because you are a course leader, department head, or member of academic staff at a higher-education institution we believe Lectora is relevant to.
| Data | Purpose | Source |
|---|---|---|
| Name and work email | Initial professional contact | Publicly available professional listings (university web pages, LinkedIn, conference programmes) |
| Job title, institution, department | Targeting relevance | Same as above |
| Engagement metadata (email opens, link clicks, replies) | Adjusting outreach cadence; suppressing further contact when there is no interest | Lectora's outreach tooling (HubSpot Sales Hub) |
We do not buy, scrape at scale, or build behavioural profiles of prospects. The data is collected in the public professional context, processed under legitimate interest (see Section 4), and you can opt out at any time using the unsubscribe link in any email we send you or by writing to lectora@fjordbyte.no. On opt-out we suppress further contact and delete the prospect record within 30 days unless we have another lawful basis to retain it (e.g. an active sales conversation you initiated).
Under GDPR Art. 6, each processing activity has a legal basis:
| Activity | Legal basis |
|---|---|
| Operating your Lectora account | Contract performance (Art. 6(1)(b)) — our agreement with you or your institution |
| Processing student work for grading | In institutional mode: our Data Processing Agreement on behalf of the institution. In PAT mode: your instructions as the operating controller, with your warranty of authority |
| Security monitoring, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) — operating a secure service |
| Transactional emails (account, security, billing) | Contract performance (Art. 6(1)(b)) |
| Aggregated, anonymised product analytics | Legitimate interest (Art. 6(1)(f)) — improving the service |
| Marketing emails to opted-in subscribers (Pipeline A — newsletter, product updates, case studies) | Consent (Art. 6(1)(a)) + Markedsføringsloven §15 |
| Sales outreach to prospects in their professional capacity (Pipeline B — 1:1 emails from a Lectora team member to a professionally-relevant contact) | Legitimate interest (Art. 6(1)(f)) — balanced against the prospect's professional context. A written Legitimate Interest Assessment (LIA) is kept on file. Every outreach email contains a one-click unsubscribe link and a link to this policy. [REVIEW — Norwegian counsel to confirm the LIA scope is appropriate; Datatilsynet has issued cautious guidance on B2B cold outreach.] |
| Compliance with legal obligations (e.g. accounting records) | Legal obligation (Art. 6(1)(c)) |
Student submission text may incidentally contain special-category personal data (GDPR Art. 9) — for example a health-related case study, or content revealing a student's beliefs. Lectora processes such content only as an incidental consequence of the educational task and never deliberately solicits it. The legal basis is Art. 9(2)(j) (archiving for scientific or educational purposes) combined with the safeguards in Section 8 of this policy. [REVIEW — Norwegian counsel to confirm Art. 9 basis is correct for higher-ed grading context.]
We use the third-party providers listed below to operate Lectora. Each is bound by a written Data Processing Agreement and contractual data-protection safeguards. The full operational details and contact information for each provider are in our DPA's Bilag B (annex of subprocessors); a public-facing summary lives at /subprocessors.
| Provider | Role | Data processed | Region |
|---|---|---|---|
| Vercel Inc. | Application hosting (Next.js, serverless compute, edge) | All application traffic in transit | EU (Frankfurt, eu-central-1) |
| Vercel Blob (operated by Vercel Inc.) | Object storage for uploaded files | Course files, student submissions, AI context files | EU (Stockholm, eu-north-1) |
| Supabase Inc. | PostgreSQL database (primary) | All application data | EU (Frankfurt, eu-central-1) |
| OpenAI Ireland Ltd. | AI inference (grading, feedback, assistant) | Pseudonymised text, submission content (no direct student identifiers) | EU (Europe region) — zero data retention, no training on customer data |
| Google Cloud EMEA Ltd. (Vertex AI / Gemini) | AI inference (alternate models) | Pseudonymised text (no direct student identifiers) | EU (europe-west4 Netherlands) — no training on customer data |
| Inngest, Inc. | Background job orchestration | Internal job identifiers only (no submission content) | USA — covered by SCCs |
| Plus Five Five, Inc. (Resend) | Transactional email delivery | Recipient address, message metadata | USA — covered by SCCs |
| Statsig, Inc. | Feature flags, usage analytics, error/log monitoring | Pseudonymised events, technical metadata, request logs | USA — covered by SCCs |
| Stripe Payments Europe Ltd. | Billing (institutions only) | Billing contacts, invoice data | EU/global — covered by Stripe DPA + SCCs |
The detailed Subprocessors page contains DPA links, sub-processor lists for each provider, and update notifications.
[CONFIRM — list reflects DPA Bilag B as of [date]. If sub-processor roster changes, both the DPA and this policy update; institutions are notified per the DPA's notification clause.]
Lectora is configured to keep all customer-content processing within the EU/EEA wherever possible:
Where a transfer outside the EU/EEA occurs, it is governed by the EU Commission's Standard Contractual Clauses (Decision 2021/914) and the relevant provider's Transfer Impact Assessment. Where supplementary measures are needed (e.g. encryption in transit and at rest, contractual data-use restrictions), they are in place.
| Data category | Retention |
|---|---|
| Account data (name, email, profile) | While your account is active; deleted within [REVIEW — e.g. 30 days] of account closure |
| Canvas OAuth tokens | Refreshed proactively before expiry; revoked + purged 7 days after they go stale (institutional mode) |
| Canvas Personal Access Tokens | Until you replace or delete the token, or close your account |
| Course and assignment data | While the course exists in Lectora; deletable on request |
| Student submissions, AI-generated grades and feedback | [REVIEW — current code retains indefinitely. Recommended: align with the institution's grading-record retention policy via the DPA. Default proposal: deleted within 90 days of course archive, or sooner on instruction.] |
| Per-student feedback-chat usage counters | 30 days (automatic deletion) |
| Application logs and security telemetry | [REVIEW — typical 30-90 days] |
| Billing records | As required by Norwegian accounting law (5 years) |
| Audit-trail records (security events, governance transitions) | [REVIEW — typical 5 years to align with bokføringsloven] |
You can request deletion of data Lectora holds about you at any time (Section 9). Where Lectora is processor and the institution is controller, deletion requests should be addressed to your institution first; Lectora will act on the institution's instructions per the DPA.
[REVIEW — current platform code does not implement a self-service erasure endpoint for submissions/grading data. Build this before this policy is published.]
We protect your data with industry-standard technical and organisational measures, including:
Full technical and organisational measures (TOMs) are documented in the DPA's security annex for institutional customers.
Under GDPR Art. 13–22, you have the following rights:
If your institution is the data controller (LTI mode), you should direct rights requests to your institution first. Lectora will support the institution in fulfilling such requests per the DPA.
To exercise these rights with Lectora, write to lectora@fjordbyte.no. We respond within 30 days (extendable by 60 days for complex requests, with notice).
app.lectora.io)Lectora uses the minimum cookies necessary to operate the service:
Inside the product, we do not use advertising cookies and we do not allow third-party tracking for marketing purposes.
lectora.io)The marketing site uses cookies for traffic analytics and — with your opt-in — for advertising attribution and optimisation. The full cookie inventory and consent controls live at /cookies. Subprocessors involved in the marketing site:
If you signed up for Lectora individually with a Personal Access Token and your institution later signs an enterprise agreement, the following applies:
[REVIEW — decide policy: (a) carry forward under the new DPA, with notice to the institution; or (b) quarantine pre-transition data pending institutional review.]If you object to your data being placed under your institution's control after such a transition, you may request deletion of your account and data (Section 9).
Lectora is designed for higher-education students and educators. We do not knowingly process personal data of children under 16. If you believe a child's data has been processed, contact us at lectora@fjordbyte.no and we will delete it.
We may update this policy from time to time. Material changes are notified to:
Non-material changes (typos, formatting) may be made without notice. The version and effective date shown on this page always reflect the latest revision.
Data controller (for data we control): Fjordbyte AS Org. nr. 933 773 477 Address: c/o DNB Bank ASA, Solheimsgaten 7C, 5058 Bergen Postal address: c/o DNB Bank ASA, Postboks 7100, 5020 Bergen Email: lectora@fjordbyte.no
Data Protection Officer: [FILL — if appointed. Note: not strictly required under GDPR Art. 37 unless triggered, but recommended for an EdTech processor at this scale.]
EU representative: [REVIEW — Fjordbyte is established in Norway/EEA, so no separate EU representative is required.]
Supervisory authority: Datatilsynet (the Norwegian Data Protection Authority) Postboks 458 Sentrum, 0105 Oslo Phone: +47 22 39 69 00 Web: https://www.datatilsynet.no
You have the right to lodge a complaint with Datatilsynet, or with the supervisory authority in your country of residence, if you believe our processing of your personal data violates the GDPR.
When your Lectora access is covered by an institution's enterprise agreement, your institution is the controller for student work and subscription administration covered by that agreement. Lectora acts as processor for that institutional data.
Lectora relies on a set of third-party subprocessors to deliver the service. The current list — including each recipient's purpose and international-transfer mechanism — is published on our subprocessors page.