GDPR Compliance

Last updated: April 12, 2026

Summary

EMStudio is built with GDPR compliance from the ground up. We process teacher data under contract and student data as a processor on behalf of the teacher or school. We support all eight data subject rights, use Standard Contractual Clauses for international transfers, and commit to 72-hour breach notification.

1. What Is the GDPR?

The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law. It applies to any organization that processes personal data of individuals in the EU or UK — regardless of where the organization is based. Since EMStudio serves teachers across Europe, the GDPR applies to us.

The GDPR gives individuals strong rights over their personal data and requires organizations to be transparent about how data is collected, used, and protected. This page explains how EMStudio meets those requirements. For the full legal notice required by Articles 13 and 14, see our Privacy Policy.

The UK operates under its own version (UK GDPR) with the Information Commissioner's Office (ICO) as the supervisory authority. Our practices apply equally to EU and UK users.

2. Our Role: Controller & Processor

The GDPR distinguishes between “controllers” (who decide what data to collect and why) and “processors” (who handle data on someone else's behalf). EMStudio operates in both roles:

| Data Type | Our Role | Who Is the Controller? |
|---|---|---|
| Teacher account data (name, email, payment) | Controller | EMStudio |
| Teacher-created content (lessons, notes, files) | Controller | EMStudio |
| Student education records (names, grades, attendance) | Processor | The teacher or school (see FERPA page) |
| Analytics data (usage events, page views) | Controller | EMStudio (consent required) |

For student data, the teacher (or their school) is the controller. EMStudio processes student data solely on their behalf, under their instructions, and for educational purposes only. We formalize this relationship through our Data Processing Addendum.

The GDPR requires a lawful basis for every processing activity. Here are ours:

| Processing Activity | Legal Basis (Art. 6) | Why This Basis |
|---|---|---|
| Providing EMStudio to teachers | Contract (Art. 6(1)(b)) | Necessary to deliver the service you signed up for |
| Processing student data | Contract + school authorization | We act as processor under the teacher/school's instructions |
| Processing payments | Contract (Art. 6(1)(b)) | Necessary to fulfill your subscription |
| Analytics (PostHog, GA) | Consent (Art. 6(1)(a)) | Only activated when you opt in via the cookie consent banner |
| Marketing emails | Consent (Art. 6(1)(a)) | Only with explicit opt-in |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) | Protecting the service and our users from threats |
| Legal compliance | Legal obligation (Art. 6(1)(c)) | Tax records, law enforcement requests |

4. Children's Data Under the GDPR

The GDPR provides additional protections for children's data. Article 8 sets the age of digital consent between 13 and 16 (varying by EU member state), and Article 6(1)(f) explicitly restricts the use of “legitimate interest” as a legal basis when processing children's personal data.

EMStudio handles children's data with extra care:

  • We do not rely on “legitimate interest” for children's data. Student data is processed under contract and school authorization — the teacher or school is the controller, and we are the processor acting on their instructions.
  • No profiling or behavioral targeting. We never build profiles about students or use their data for any purpose beyond education.
  • No AI training. Student data is never used to train, fine-tune, or improve any AI model. See our AI features & data section for details on what data reaches our AI provider.
  • Data minimization. We only store what the teacher enters. We never request additional information about students. See our Transparency page for a complete data inventory.

For complete details on children's data protections, see our COPPA compliance page (which applies to children under 13, complementing GDPR protections).

5. Your Rights

Under the GDPR, you have eight fundamental rights regarding your personal data. EMStudio supports every one:

| Right | Article | How to Exercise |
|---|---|---|
| Access | Art. 15 | Settings > Export Data — download all your data as CSV files |
| Rectification | Art. 16 | Edit your profile, students, lessons, and all content directly in the app |
| Erasure (“Right to be forgotten”) | Art. 17 | Settings > Delete Account — permanently erases all data within 30 days |
| Restriction of processing | Art. 18 | Email info@emstudio.pro |
| Data portability | Art. 20 | Settings > Export Data — structured CSV format in a ZIP file |
| Objection | Art. 21 | Email info@emstudio.pro or opt out of analytics via cookie settings |
| No automated decision-making | Art. 22 | We do not make automated decisions about you or your students. AI features assist teachers — they do not make decisions. |
| Lodge a complaint | Art. 77 | Contact your local supervisory authority (see Section 11) |

We respond to all rights requests within one month, as required by Article 12(3). We never charge a fee for exercising your rights.

6. How to Exercise Your Rights

Most rights can be exercised directly in the app — no email or waiting required:

  • Access & portability: Settings > Export Data (instant download)
  • Rectification: Edit any record directly in the app
  • Erasure: Settings > Delete Account
  • Analytics opt-out: Cookie consent banner or clear your browser's local storage
  • Marketing opt-out: Unsubscribe link in any email

For rights that require manual processing (restriction, objection), email us at info@emstudio.pro. We may verify your identity before processing the request.

7. International Data Transfers

EMStudio is operated from the United States. For EU and UK users, this means your data is transferred outside the European Economic Area (EEA).

We protect these transfers through:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (Module 2: Controller-to-Processor) as the legal mechanism for EU-to-US transfers, incorporated into our Data Processing Addendum
  • UK International Data Transfer Addendum: For UK users, we include the UK addendum to the SCCs as approved by the ICO
  • Sub-processor safeguards: Each of our sub-processors maintains their own data transfer mechanisms (most participate in the EU-US Data Privacy Framework or use SCCs)

All data is encrypted in transit (TLS 1.3) and at rest (AES-256), regardless of where it is stored. See our Security page for technical details.

8. Data Breach Notification

In the event of a personal data breach:

  • Supervisory authority: We will notify the relevant authority within 72 hours of becoming aware, where the breach is likely to result in a risk to rights and freedoms (Art. 33)
  • Affected individuals: We will notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34)
  • Schools: If we have a DPA with a school, we will notify the school within 24 hours

Our notification will include: what happened, what data was affected, what we are doing about it, and what steps you can take to protect yourself. For details on our incident response procedures and technical safeguards, see our Security page.

9. Data Protection Officer

For all data protection inquiries, including questions about this page, requests to exercise your rights, or concerns about how we handle your data, contact us at:

Data Protection Contact
Email: info@emstudio.pro

We treat all data protection inquiries with priority and aim to respond within 5 business days, with formal rights requests completed within one month as required by the GDPR. See how to exercise your rights for self-serve options.

10. EU & UK Representative

Article 27 of the GDPR requires organizations without an EU or UK establishment to appoint a local representative. As our EU user base grows, we will appoint representatives in both the EU and UK and publish their contact details here.

In the meantime, all data protection inquiries from EU and UK users can be directed to info@emstudio.pro. We respond to all inquiries regardless of jurisdiction. You can also review our 12 privacy commitments to understand how we protect your data.

11. Your Right to Complain

If you believe we are not handling your data correctly, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first at info@emstudio.pro so we can try to resolve the issue directly.

Relevant supervisory authorities include:

12. Contact

For questions about GDPR compliance or to exercise your data rights:

Education Management Studio
d/b/a EMStudio
Email: info@emstudio.pro

