Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") governs the processing of personal data when schools, teachers, or educational institutions ("Data Controller") use Langnite's educational materials and services managed through the Langnite AI Hub ("Data Processor": Langnite / Kacper Michalec).

2. Definitions

• Personal Data — any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
• Processing — any operation performed on personal data, as defined by GDPR Article 4(2).
• Data Subject — an identified or identifiable natural person whose personal data is being processed.
• Data Controller — the school, teacher, or institution that determines the purposes and means of processing.
• Data Processor — Langnite / Kacper Michalec, processing data on behalf of the Data Controller.

3. Scope and Purpose

Data processing under this DPA is limited to:

• Providing access to Langnite educational materials (worksheets, lesson plans, exercises, flashcard sets)
• Managing teacher and school accounts on the Langnite platform
• Tracking material usage for content quality improvement
• Providing learning analytics to teachers and schools

4. Data Processed

Teacher / School Admin Data

• Name, email address, school name, role
• Login activity and material access logs

Usage Data

• Which materials were accessed, when, and how frequently

Student Data

Langnite does NOT directly collect or process student personal data. Teachers independently access and distribute materials to their students. Langnite has no direct relationship with students and does not receive student names, grades, or personal information through the Hub.

5. Obligations of the Data Processor

Langnite, as Data Processor, shall:

• Process personal data only on documented instructions from the Data Controller
• Ensure that team members with access to data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures (see Section 6)
• Assist the Data Controller in fulfilling data subject rights requests (access, rectification, erasure, portability)
• Notify the Data Controller of any personal data breach without undue delay, and within 72 hours of becoming aware
• Delete or return all personal data upon termination of the service agreement, at the Data Controller's choice
• Make available all information necessary to demonstrate compliance with GDPR obligations

6. Security Measures

• Data encrypted in transit (HTTPS/TLS) and at rest
• Password-protected access with role-based permissions
• EU-based hosting (Hetzner, Germany)
• Automated daily backups with 30-day retention
• Access restricted to authorized Langnite team members only
• Automated security monitoring (CyberGuard) scanning every 3 minutes
• Network verification for new login locations

7. Sub-Processors

Current sub-processors are listed in our Privacy Policy (Section 8). The Data Controller will be notified of any changes to sub-processors with reasonable advance notice.

8. International Transfers

Primary data storage is in the EU (Hetzner, Germany). Any transfers outside the EU are protected by Standard Contractual Clauses as detailed in our Privacy Policy (Section 9).

9. Duration and Termination

• This DPA remains in effect for the duration of the service agreement between the Data Controller and Langnite.
• Upon termination, Langnite will delete all Data Controller's personal data within 30 days, unless retention is required by applicable law.
• The Data Controller may request immediate deletion at any time by contacting us.

10. Governing Law

This DPA is governed by Polish law and the General Data Protection Regulation (GDPR). The competent supervisory authority is Urzad Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl

11. Contact

Data protection inquiries: kacpermichalec@langnite.pl

Langnite / Kacper Michalec, ul. Lazy 106, 21-400 Lukow, Poland