Privacy Policy

1. Who we are

Proftor is an AI-assisted spaced-repetition learning platform designed for educational institutions. This Privacy Policy applies to the website at proftor.com and all related services operated by DABAX-INFORMATIKA Kft., registered at 2344 Dömsöd, Középső út 63., company number 13 09 207304 (hereinafter "Proftor", "we", "us" or "our").

We are committed to protecting the personal data of everyone who interacts with our platform — including visitors to our website, teachers, school administrators, and students. This policy explains what data we collect, why we collect it, and the rights you have over it, in compliance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable national data protection law.

2. Data we collect and why

2.1 Website visitors

When you visit proftor.com, we collect basic technical data necessary to serve the website: your IP address (anonymised after session), browser type, and pages visited. This is processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in operating a functioning and secure website. We do not use this data to build individual profiles.

2.2 Interest form submissions

When you submit the pilot interest form, we collect: your name, email address, school or institution name, and any message you include. This data is processed on the basis of your consent (Art. 6(1)(a) GDPR), given at the moment of submission. We use it solely to evaluate your interest, respond to your enquiry, and, if applicable, onboard you as a pilot partner. You may withdraw your consent at any time by contacting us.

2.3 Teacher and administrator accounts

When a school or institution activates a Proftor account, teachers and administrators provide: name, work email address, and school affiliation. This is processed on the basis of performance of a contract (Art. 6(1)(b) GDPR). This data is used to manage access, send session and platform notifications, and provide support.

2.4 Student data

Students interact with Proftor through sessions assigned by their teacher. We process: the student's display name or identifier (provided by the school), session responses (free-text answers to recall prompts), scores, completion timestamps, and same-day recall metrics. This data is processed on the basis of performance of a contract with the school (Art. 6(1)(b) GDPR) and, where the student is under 16 years of age, in accordance with Art. 8 GDPR — the school, acting in loco parentis or with verified parental consent, is responsible for ensuring lawful processing for minors in its care.

Student responses are processed by Proftor's AI engine ("Socrates") to evaluate recall quality against teacher-defined keywords and concepts. No student data is used to train external AI models or shared with third parties for advertising or profiling purposes.

3. Legal basis for processing

We rely on the following legal bases under Art. 6 GDPR:

• Consent (Art. 6(1)(a)): interest form submissions; optional cookies.
• Contract performance (Art. 6(1)(b)): teacher, administrator, and student accounts; session delivery and scoring.
• Legitimate interest (Art. 6(1)(f)): website security and analytics; fraud prevention; product improvement based on aggregated, anonymised usage patterns.
• Legal obligation (Art. 6(1)(c)): where we are required to retain or disclose data under applicable law.

Where we process special category data — which we generally do not — we would identify and document a separate legal basis under Art. 9 GDPR.

4. Data retention

We retain personal data only for as long as necessary for the purpose for which it was collected:

• Interest form data: up to 12 months from submission, or until you request deletion.
• Teacher and administrator accounts: for the duration of the active contract with the school, plus a 90-day grace period after termination.
• Student data: for the duration of the school's active contract with Proftor, plus a 30-day deletion window following contract end. Schools may request earlier deletion at any time.
• Server and access logs: up to 30 days, then automatically purged.

Anonymised, aggregated usage statistics (with no link to any individual) may be retained indefinitely for product improvement purposes.

5. Data sharing and processors

We do not sell personal data. We do not share personal data with third parties for marketing or advertising purposes. We may share data with the following categories of trusted service providers acting as data processors under a Data Processing Agreement (DPA):

• Cloud infrastructure: hosting, storage, and database services located within the European Economic Area (EEA).
• Email delivery: for transactional notifications (session reminders, account confirmations).
• Error monitoring: anonymised crash and error logging to maintain platform reliability.

If we engage any processor that involves a transfer of data outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V GDPR (e.g. Standard Contractual Clauses).

We may disclose personal data if required to do so by law, court order, or to protect the rights, property, or safety of Proftor, its users, or the public.

6. Your rights under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): you may request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): you may ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17): you may request deletion of your data where there is no longer a lawful basis to retain it.
• Right to restriction (Art. 18): you may ask us to restrict processing in certain circumstances.
• Right to data portability (Art. 20): where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
• Right to object (Art. 21): you may object to processing based on legitimate interest.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@proftor.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority. In Hungary, this is the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), at naih.hu.

7. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted data transmission (HTTPS/TLS), access controls, and regular security reviews. No method of transmission over the internet is entirely secure; we cannot guarantee absolute security, but we take our obligations seriously and act promptly in the event of any incident.

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, affected individuals without undue delay, in accordance with Art. 33–34 GDPR.

8. Children's data

Proftor is designed for use in educational settings and may process data relating to students under the age of 16. We do not knowingly collect data from children directly — student accounts are created and managed by schools, which bear responsibility for ensuring appropriate consent or authorisation under Art. 8 GDPR and applicable national law. Schools using Proftor should ensure that their data processing activities relating to students comply with their own obligations under GDPR and any applicable national education or child protection legislation.

9. Cookies

We use a limited number of cookies necessary for the functioning of the platform (session management) and, where you have consented, for analytics. Full details are set out in our Cookie Policy.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify active users by email. Continued use of the platform after changes are posted constitutes acceptance of the revised policy. We encourage you to review this page periodically.

Contact

For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact us: