top of page

ISP
Library

Privacy Policy

Last updated: 28 January 2021

This Privacy Policy explains how ISP Library (“ISP Library”, “we”, “us”, “our”) processes personal data when you access or use isplibrary.com and related services (the “Platform” or “Services”).

This Privacy Policy is intended to comply with Regulation (EU) 2016/679 (GDPR) and Latvian data protection legislation, including the Personal Data Processing Law (Fizisko personu datu apstrādes likums). (eur-lex.europa.eu)

 

1) Who We Are and How to Contact Us

Data Protection Officer (DPO) / Privacy Contact:

  • If you have appointed a DPO: [Name], [email], [phone]

  • If not: contact privacy@isplibrary.com and we will route your request to our responsible privacy team.

 

2) When This Policy Applies

This Policy applies when:

  • you visit our public website pages;

  • you register for or use the Platform (as a teacher, student, School Admin, or other authorized user);

  • your School uses ISP Library and you are an authorized user under that School;

  • you subscribe to newsletters/updates;

  • you communicate with our support team.

 

3) Controller vs Processor (School Use Is Usually Different)

3.1 Typical School scenario (most common)

When a School uses ISP Library for teaching/learning, the School typically determines:

  • why student/teacher data is processed (education, access management, learning workflows), and

  • how it is organized (roles, classes, permissions).

In that case:

  • the School is the “Controller” (GDPR), and

  • ISP Library is the “Processor” processing personal data on the School’s documented instructions.

Where required, we provide/enter into a Data Processing Agreement (DPA) with the School.

3.2 Situations where ISP Library may be a Controller

Even in School scenarios, ISP Library may act as a Controller for limited processing that we determine ourselves, such as:

  • platform security and fraud prevention;

  • maintaining technical logs necessary for safe operations;

  • billing/contract administration (for Schools or direct subscribers);

  • handling inbound support requests as a service provider.

Your School may also have its own privacy notices that apply in parallel.

 

4) Categories of Personal Data We May Process

The exact data depends on how the Platform is configured by your School and which features you use (e.g., analytics, AI quiz generator mentioned on the site). (ISP Library)

4.1 Identity and account data

  • name, surname;

  • email address (school or personal, depending on setup);

  • username / account ID;

  • role (teacher, student, admin);

  • school name and group/class membership;

  • password hash (we do not store plaintext passwords).

4.2 Usage and device data

  • login timestamps, session identifiers;

  • IP address (may be stored in logs);

  • browser/device type, operating system (basic technical telemetry);

  • pages/features used, clicks/actions within the Platform (depending on logs/analytics settings).

4.3 Content and files (School Content)

  • materials you upload or access (documents, scans, PDFs, images, etc.);

  • metadata of files (filename, upload time, uploader account).

Important: Schools and Users must avoid uploading unnecessary personal data inside files. If a School uploads materials containing personal data (e.g., student names inside scanned worksheets), the School (as Controller) is responsible for ensuring a lawful basis and compliance.

4.4 Communications

  • messages to our support team (email, chat, contact forms);

  • technical support attachments/screenshots;

  • feedback, bug reports.

4.5 Subscription/marketing data

  • newsletter email address and consent records;

  • preferences (opt-in/opt-out);

  • campaign interaction (opens/clicks), if enabled.

4.6 Payment and billing (if applicable)

  • billing contact details (name, email);

  • invoice data (company details, VAT ID, payment status);

  • partial payment identifiers from payment providers (we do not aim to store full card data; payment processing is typically handled by specialized providers).

4.7 AI features (if enabled)

If AI tools are used (e.g., quiz generation):

  • prompts and inputs you provide may be processed to generate outputs;

  • we recommend Schools avoid using sensitive personal data as inputs unless strictly necessary and legally permitted.

 

5) Sources of Personal Data

We collect personal data from:

  • you directly (registration, profile updates, support messages);

  • your School Admin (creating accounts, assigning roles/classes);

  • your device/browser automatically (technical logs, cookies);

  • third-party services enabled by the School (e.g., integrations), where applicable.

 

6) Purposes and Legal Bases (GDPR)

Below are common purposes and typical legal bases. Exact legal bases may vary depending on whether we are acting as Controller or Processor and the School’s configuration. The GDPR provides the legal framework for these bases. (eur-lex.europa.eu)

6.1 Provide the Services (Platform functionality)

Purpose: create accounts, authenticate users, provide storage/access to materials, enable teacher/student workflows.
Legal basis (Controller cases): performance of a contract (GDPR Art. 6(1)(b)) or legitimate interests (Art. 6(1)(f)).
Processor cases: processing on School instructions under the School’s lawful basis.

6.2 Security, abuse prevention, and incident response

Purpose: detect suspicious logins, prevent fraud, ensure system stability, investigate misuse.
Legal basis: legitimate interests (Art. 6(1)(f)); and/or legal obligation (Art. 6(1)(c)) where relevant.

6.3 Analytics and service improvement (platform-level)

Purpose: improve performance, troubleshoot errors, understand feature usage at an aggregated level.
Legal basis: legitimate interests (Art. 6(1)(f)) and/or consent for non-essential tracking where required (see Cookies).
Schools may be able to disable certain analytics depending on plan/settings.

6.4 Customer support and communications

Purpose: respond to requests, resolve technical issues, provide administrative communications.
Legal basis: contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), or legal obligation (Art. 6(1)(c)).

6.5 Newsletter and marketing communications

Purpose: send updates, newsletters, product announcements.
Legal basis: consent (Art. 6(1)(a)) for non-essential marketing, where applicable.
You can unsubscribe at any time (see Section 13).

6.6 Billing and accounting (if paid plans)

Purpose: invoicing, payment administration, tax compliance.
Legal basis: contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)).

6.7 Compliance with legal requests

Purpose: respond to lawful requests by authorities, enforce Terms, protect rights and safety.
Legal basis: legal obligation (Art. 6(1)(c)) and/or legitimate interests (Art. 6(1)(f)).

 

7) Cookies and Similar Technologies (ePrivacy + GDPR)

We use cookies and similar technologies for:

  • essential site operation (security, session management);

  • preferences (language, basic settings);

  • analytics (optional);

  • marketing (optional).

Under the ePrivacy Directive (Directive 2002/58/EC), storing or accessing information on a user’s device generally requires prior consent unless it is strictly necessary for the service (Article 5(3)). This obligation is technology-neutral and also applies beyond classic “cookies”. (eur-lex.europa.eu)

7.1 Cookie categories (typical)

  1. Strictly necessary – required for login/session security and core functionality.

  2. Preferences – remember user settings.

  3. Analytics – understand usage and improve service (consent-based where required).

  4. Marketing – track effectiveness of campaigns (consent-based).

7.2 Cookie control

  • We provide a cookie banner/controls where required.

  • You can also manage cookies via browser settings, but disabling essential cookies may break login or core functions.

7.3 Cookie Policy

We provide additional details (cookie names, providers, lifetimes) in a separate Cookie Policy: [insert link].

 

8) How We Share Personal Data

We do not sell personal data.

We may share personal data with:

8.1 Your School (School-administered environment)

  • School Admins may view account status, roles, class membership, and certain usage info depending on permissions.

  • Teachers may see student activity/learning materials depending on course configuration.

8.2 Service providers (sub-processors)

We may use vetted providers to operate the Platform, such as:

  • hosting/cloud infrastructure;

  • email delivery (transactional emails, password resets);

  • customer support tools;

  • security monitoring;

  • analytics tools (if enabled).

We require appropriate contractual safeguards (including DPAs where needed) and limit processing to what is necessary.

Sub-processor list: [insert link to live list] or available upon request.

8.3 Professional advisors

Legal, accounting, or audit providers under confidentiality obligations.

8.4 Legal and safety disclosures

We may disclose data if required by law or to protect rights, safety, and security.

 

9) International Data Transfers (Outside the EEA)

If personal data is transferred outside the European Economic Area (EEA), we will use lawful transfer mechanisms under GDPR, such as:

  • an EU adequacy decision (where applicable), or

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (including Commission Implementing Decision (EU) 2021/914) and supplementary measures where necessary. (eur-lex.europa.eu)

 

10) Data Retention (How Long We Keep Data)

We keep personal data only as long as necessary for the purposes described, unless longer retention is required by law.

Typical retention logic (customize to your reality):

  • Account data: kept while the account is active; deleted or anonymized after the School removes the user or after contract termination, subject to backups.

  • Platform logs: retained for [30/90/180] days unless needed longer for security investigations.

  • Support tickets: retained for [12–24] months for quality and dispute handling.

  • Billing records: retained as required by applicable tax/accounting law.

  • Backups: may retain deleted data for a limited rolling period (e.g., [30–90] days) before overwrite.

Schools may have their own retention policies and may instruct us as Processor.

 

11) Security Measures

We implement organizational and technical measures appropriate to risk, for example:

  • access controls and role-based permissions;

  • encryption in transit (and where feasible at rest);

  • vulnerability management and monitoring;

  • least-privilege internal access;

  • secure development and change management;

  • incident response procedures.

No system is 100% secure; if you suspect an issue, contact security@isplibrary.com [or insert channel].

 

12) Children and Student Data

ISP Library is designed for educational use and may be used by students, including minors, under School supervision.

12.1 Age of consent (information society services)

Latvia has set the age at which a child can provide valid consent (where consent is the legal basis for online services offered directly to children) at 13; under that age, parental authorization is required. (dlapiperdataprotection.com)

12.2 School responsibility

In typical deployments, Schools rely on their lawful bases for education and act as Controllers. Schools are responsible for:

  • providing privacy information to students/parents where required;

  • ensuring appropriate lawful basis for processing student data;

  • enabling safeguarding and access controls.

 

13) Your Rights Under GDPR (and How to Exercise Them)

Under GDPR, individuals have rights including:

  • access to personal data;

  • rectification (correction);

  • erasure (“right to be forgotten”) in certain cases;

  • restriction of processing;

  • data portability (in certain cases);

  • objection to processing based on legitimate interests;

  • withdraw consent at any time where processing is based on consent (does not affect prior processing).

How to submit a request: email privacy@isplibrary.com with enough information to verify your identity.

13.1 If your account is managed by a School

If the School is the Controller, you should usually submit your request to your School Admin first. We will support the School in fulfilling the request as Processor.

13.2 Response times

We aim to respond within the GDPR timeframe (generally one month, extendable in complex cases).

 

14) Automated Decision-Making

We do not intend to make decisions that produce legal or similarly significant effects solely by automated means (GDPR Art. 22), unless explicitly stated for a specific feature. If this changes, we will update this Policy and provide required information.

 

15) Third-Party Links and Integrations

The Platform may link to third-party sites or allow School-enabled integrations. Their privacy practices are governed by their own policies. Schools should evaluate third-party compliance before enabling integrations.

 

16) Changes to This Privacy Policy

We may update this Policy to reflect changes in law, our Services, or our processing practices. The “Last updated” date shows when it was most recently revised. Material changes may be communicated via the Platform or email (especially for Schools/Admins).

bottom of page