Privacy Policy

Last Updated: December 2024

This Privacy Policy describes how LMS Lab collects, uses, and protects your personal information when you use our services. This policy complies with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Data Controller: LMS Lab, [email protected]

1. Information We Collect

Personal Information

We collect information you provide directly to us, such as:

  • Account information (name, email address, password)
  • Payment information (processed securely through third-party payment processors)
  • Profile information and preferences
  • Communications with our support team

Integration Data

When you connect LMS Lab to your Skilljar account, we may collect:

  • Skilljar API credentials (stored securely)
  • Course and lesson information from your Skilljar account
  • Content you create or modify through our platform

Usage Information

We automatically collect information about your use of our services:

  • Log data (IP address, browser type, operating system)
  • Usage patterns and feature interactions
  • Device information and identifiers
  • Cookies and similar tracking technologies

2. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to perform our services contract with you (account creation, service delivery, payment processing)
  • Legitimate Interests: Processing necessary for our legitimate business interests (service improvement, security, fraud prevention, analytics)
  • Consent: Processing based on your explicit consent (optional cookies, marketing communications)
  • Legal Obligation: Processing required to comply with legal requirements (tax records, regulatory compliance)

You have the right to object to processing based on legitimate interests. Contact us to exercise this right.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send technical notices, updates, and support messages
  • Respond to your comments and questions
  • Analyze usage patterns to improve user experience
  • Comply with legal obligations and protect our rights

4. Information Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

  • Service Providers: With trusted third-party vendors who assist in providing our services (hosting, payment processing, authentication)
  • Legal Requirements: When required by law or to protect our rights and safety
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you explicitly agree to share your information

Our main third-party service providers include:

  • Outseta: Authentication and user management service
  • Skilljar: LMS integration (your API credentials are securely stored)
  • OpenAI: AI processing for text-to-quiz functionality

4. Data Security

We implement appropriate security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. This includes:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Limited access to personal information by employees
  • Secure storage of API credentials and sensitive data

5. Data Retention

We retain your personal data for different periods depending on the purpose:

  • Account Data: Retained for the duration of your account plus 90 days after account deletion
  • Transaction Records: Retained for 7 years for tax and accounting purposes
  • Support Communications: Retained for 3 years after resolution
  • Usage Analytics: Anonymized and retained for 2 years
  • Marketing Communications: Retained until consent is withdrawn
  • Legal Compliance: Retained as long as required by applicable laws

When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law or legitimate business interests.

Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay if there is a high risk to their rights and freedoms
  • Provide clear information about the breach and steps taken to address it

6. Your Rights Under GDPR

Under GDPR and other applicable privacy laws, you have the following rights regarding your personal data:

Individual Rights

  • Right of Access: Request access to your personal data and information about how we process it
  • Right to Rectification: Request correction of inaccurate or incomplete personal data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data under certain circumstances
  • Right to Restrict Processing: Request that we limit the processing of your personal data
  • Right to Data Portability: Request a copy of your data in a structured, commonly used format
  • Right to Object: Object to processing of your personal data for direct marketing or based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for processing where consent is the legal basis
  • Right to Complain: Lodge a complaint with a supervisory authority

Exercising Your Rights

To exercise these rights, please contact us at [email protected]. We will respond to your request within one month.

EU Representative

If you are located in the European Union and have questions about your data protection rights, you can contact our EU representative at [email protected].

7. Cookies and Tracking

We use cookies and similar technologies to enhance your experience and analyze usage. We have implemented a cookie consent system that allows you to manage your preferences.

Types of Cookies We Use

  • Necessary Cookies: Essential for the website to function properly, including user authentication via Outseta. These cannot be disabled.
  • Functional Cookies: Enable enhanced functionality and personalization features.
  • Analytics Cookies: Help us understand how visitors interact with our website (currently not in use).

Cookie Management

You can:

  • Accept or reject non-essential cookies through our consent banner
  • Change your cookie preferences at any time via the "Cookie Preferences" link in our footer
  • Control cookies through your browser settings

Third-Party Cookies

We use the following third-party services that may set cookies:

  • Outseta: Essential authentication and user management cookies (necessary)
  • Google Fonts: May set cookies for font delivery optimization (functional)

8. Third-Party Services

Our service integrates with third-party platforms. Your use of these platforms is subject to their respective privacy policies. We are not responsible for the privacy practices of third-party services.

Data Processing Agreements

We have appropriate data processing agreements in place with our key service providers:

  • Outseta: GDPR-compliant authentication and user management
  • Skilljar: LMS integration (your credentials are processed securely)
  • OpenAI: AI processing with appropriate privacy safeguards

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your information in accordance with GDPR and other applicable laws.

Transfer Mechanisms

For transfers outside the EU/EEA, we use the following safeguards:

  • EU-U.S. Privacy Shield framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding corporate rules for intra-group transfers

10. Children's Privacy

Our services are not intended for children under 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children under the applicable age of consent. If you believe we have collected information from a child under the applicable age, please contact us immediately and we will take steps to remove the information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new policy on our website
  • Updating the "Last Updated" date
  • Sending you an email notification for significant changes
  • Requesting new consent where required by law

Your continued use of our services after the effective date constitutes acceptance of the updated policy.

12. Contact Us & Data Protection

If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your data protection rights, please contact us at:

LMS Lab - Data Controller

Email: [email protected]

Website: https://lmslab.ai

Supervisory Authority

If you are located in the EU and have concerns about our data processing that you feel we have not adequately addressed, you have the right to lodge a complaint with your local data protection supervisory authority.