Privacy Policy | ISP Library

00 Overview

This Privacy Policy explains how ISP Library ("ISP Library", "we", "us", "our") processes personal data when you access or use isplibrary.com and related services (the "Platform" or "Services").

This Privacy Policy is intended to comply with Regulation (EU) 2016/679 (GDPR) and Latvian data protection legislation, including the Personal Data Processing Law (Fizisko personu datu apstrades likums).

01 Who We Are and How to Contact Us

Data Protection Officer (DPO) / Privacy Contact:

If you have appointed a DPO: [Name], [email], [phone]

If not: contact privacy@isplibrary.com and we will route your request to our responsible privacy team.

02 When This Policy Applies

This Policy applies when:

you visit our public website pages;
you register for or use the Platform as a teacher, student, School Admin, or other authorized user;
your School uses ISP Library and you are an authorized user under that School;
you subscribe to newsletters or updates;
you communicate with our support team.

03 Controller vs Processor

3.1 Typical School scenario

When a School uses ISP Library for teaching and learning, the School typically determines why student/teacher data is processed and how it is organized through roles, classes, and permissions.

In that case, the School is the "Controller" under GDPR, and ISP Library is the "Processor" processing personal data on the School's documented instructions. Where required, we provide or enter into a Data Processing Agreement (DPA) with the School.

3.2 Situations where ISP Library may be a Controller

Even in School scenarios, ISP Library may act as a Controller for limited processing that we determine ourselves, such as platform security and fraud prevention, maintaining technical logs necessary for safe operations, billing or contract administration, and handling inbound support requests as a service provider.

Your School may also have its own privacy notices that apply in parallel.

04 Categories of Personal Data We May Process

The exact data depends on how the Platform is configured by your School and which features you use, including analytics or AI quiz-generation features.

4.1 Identity and account data

name, surname;
email address, school or personal depending on setup;
username / account ID;
role, such as teacher, student, or admin;
school name and group/class membership;
password hash. We do not store plaintext passwords.

4.2 Usage and device data

login timestamps and session identifiers;
IP address, which may be stored in logs;
browser/device type and operating system;
pages, features, clicks, and actions depending on logs and analytics settings.

4.3 Content and files (School Content)

materials you upload or access, including documents, scans, PDFs, and images;
metadata of files, such as filename, upload time, and uploader account.

Important: Schools and Users must avoid uploading unnecessary personal data inside files. If a School uploads materials containing personal data, the School, as Controller, is responsible for ensuring a lawful basis and compliance.

4.4 Communications

messages to our support team, including email, chat, and contact forms;
technical support attachments and screenshots;
feedback and bug reports.

4.5 Subscription/marketing data

newsletter email address and consent records;
preferences, including opt-in and opt-out;
campaign interaction such as opens and clicks, if enabled.

4.6 Payment and billing, if applicable

billing contact details;
invoice data, including company details, VAT ID, and payment status;
partial payment identifiers from payment providers.

4.7 AI features, if enabled

If AI tools are used, prompts and inputs may be processed to generate outputs. We recommend Schools avoid using sensitive personal data as inputs unless strictly necessary and legally permitted.

05 Sources of Personal Data

We collect personal data from:

you directly, through registration, profile updates, and support messages;
your School Admin, when creating accounts and assigning roles/classes;
your device/browser automatically through technical logs and cookies;
third-party services enabled by the School, where applicable.

06 Purposes and Legal Bases

6.1 Provide the Services

Purpose: create accounts, authenticate users, provide storage/access to materials, and enable teacher/student workflows. Legal basis in Controller cases may include performance of a contract or legitimate interests. Processor cases are handled on School instructions under the School's lawful basis.

6.2 Security, abuse prevention, and incident response

Purpose: detect suspicious logins, prevent fraud, ensure system stability, and investigate misuse. Legal basis may include legitimate interests or legal obligation.

6.3 Analytics and service improvement

Purpose: improve performance, troubleshoot errors, and understand feature usage at an aggregated level. Legal basis may include legitimate interests and/or consent for non-essential tracking where required.

6.4 Customer support and communications

Purpose: respond to requests, resolve technical issues, and provide administrative communications. Legal basis may include contract, legitimate interests, or legal obligation.

6.5 Newsletter and marketing communications

Purpose: send updates, newsletters, and product announcements. Legal basis is consent for non-essential marketing, where applicable. You can unsubscribe at any time.

6.6 Billing and accounting

Purpose: invoicing, payment administration, and tax compliance. Legal basis may include contract and legal obligation.

6.7 Compliance with legal requests

Purpose: respond to lawful authority requests, enforce Terms, and protect rights and safety. Legal basis may include legal obligation and/or legitimate interests.

07 Cookies and Similar Technologies

We use cookies and similar technologies for:

essential site operation, including security and session management;
preferences, such as language and basic settings;
analytics, where optional and consent-based where required;
marketing, where optional and consent-based.

Under the ePrivacy Directive, storing or accessing information on a user's device generally requires prior consent unless it is strictly necessary for the service.

7.1 Cookie categories

Strictly necessary - required for login/session security and core functionality.
Preferences - remember user settings.
Analytics - understand usage and improve service.
Marketing - track effectiveness of campaigns.

7.2 Cookie control

We provide a cookie banner or controls where required. You can also manage cookies via browser settings, but disabling essential cookies may break login or core functions.

7.3 Cookie Policy

We provide additional details in a separate Cookie Policy: [insert link].

08 How We Share Personal Data

We do not sell personal data. We may share personal data with:

8.1 Your School

School Admins may view account status, roles, class membership, and certain usage info depending on permissions. Teachers may see student activity and learning materials depending on course configuration.

8.2 Service providers

We may use vetted providers for hosting/cloud infrastructure, email delivery, support tools, security monitoring, and analytics tools if enabled. We require appropriate contractual safeguards and limit processing to what is necessary.

Sub-processor list: [insert link to live list] or available upon request.

8.3 Professional advisors

Legal, accounting, or audit providers under confidentiality obligations.

8.4 Legal and safety disclosures

We may disclose data if required by law or to protect rights, safety, and security.

09 International Data Transfers

If personal data is transferred outside the European Economic Area (EEA), we will use lawful transfer mechanisms under GDPR, such as an EU adequacy decision or Standard Contractual Clauses and supplementary measures where necessary.

10 Data Retention

We keep personal data only as long as necessary for the purposes described, unless longer retention is required by law.

Account data: kept while the account is active; deleted or anonymized after removal or contract termination, subject to backups.
Platform logs: retained for [30/90/180] days unless needed longer for security investigations.
Support tickets: retained for [12-24] months for quality and dispute handling.
Billing records: retained as required by applicable tax/accounting law.
Backups: may retain deleted data for a limited rolling period before overwrite.

Schools may have their own retention policies and may instruct us as Processor.

11 Security Measures

We implement organizational and technical measures appropriate to risk, for example:

access controls and role-based permissions;
encryption in transit and where feasible at rest;
vulnerability management and monitoring;
least-privilege internal access;
secure development and change management;
incident response procedures.

No system is 100% secure; if you suspect an issue, contact security@isplibrary.com.

12 Children and Student Data

ISP Library is designed for educational use and may be used by students, including minors, under School supervision.

12.1 Age of consent

Latvia has set the age at which a child can provide valid consent, where consent is the legal basis for online services offered directly to children, at 13; under that age, parental authorization is required.

12.2 School responsibility

In typical deployments, Schools rely on their lawful bases for education and act as Controllers. Schools are responsible for providing privacy information, ensuring a lawful basis, and enabling safeguarding and access controls.

13 Your Rights Under GDPR

Under GDPR, individuals have rights including:

access to personal data;
rectification or correction;
erasure in certain cases;
restriction of processing;
data portability in certain cases;
objection to processing based on legitimate interests;
withdrawal of consent where processing is based on consent.

Email privacy@isplibrary.com with enough information to verify your identity.

13.1 If your account is managed by a School

If the School is the Controller, you should usually submit your request to your School Admin first. We will support the School in fulfilling the request as Processor.

13.2 Response times

We aim to respond within the GDPR timeframe, generally one month.

14 Automated Decision-Making

We do not intend to make decisions that produce legal or similarly significant effects solely by automated means, unless explicitly stated for a specific feature. If this changes, we will update this Policy and provide required information.

15 Third-Party Links and Integrations

The Platform may link to third-party sites or allow School-enabled integrations. Their privacy practices are governed by their own policies. Schools should evaluate third-party compliance before enabling integrations.

16 Changes to This Privacy Policy

We may update this Policy to reflect changes in law, our Services, or our processing practices. The "Last updated" date shows when it was most recently revised. Material changes may be communicated via the Platform or email, especially for Schools/Admins.