Privacy Policy
This Privacy Policy explains how Blocks, operated by Aulasneo (“Blocks”, “we”, “us” or “our”), collects, uses, shares, retains and otherwise processes personal information when you use our website, learning tools and related services (collectively, the “Service”). We are committed to processing personal information lawfully, fairly and transparently in accordance with applicable data protection laws, including the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended (CCPA/CPRA), and, where we act as a school service provider, the U.S. Family Educational Rights and Privacy Act (FERPA).
1. Our role: controller and processor
Blocks is provided to educational institutions and organisations (each a “Customer”) that integrate our tools into their Learning Management System (LMS) using the LTI 1.3 standard. The role we play under data protection law depends on the context:
- As a processor (or “service provider”/“school official”): when we handle personal information about students and instructors that originates from a Customer’s LMS launch or that the Customer otherwise uploads, we process it on the Customer’s behalf and under their instructions. The Customer is the controller and is responsible for the lawful basis and notices provided to those individuals.
- As a controller: when we handle personal information for our own purposes — for example account registration, billing, website visitors, marketing enquiries and product support — we determine the purposes and means of processing.
2. Personal information we collect
Information you provide directly
- Account and profile data: name, email address, password (stored only in hashed form), organisation and language preference when you register for an authoring account.
- Billing data: billing contact details, plan and subscription information, and payment status. Card and bank details are collected and processed directly by our payment processor and are not stored on our servers.
- Authoring content: learning activities, prompts, instructions, grading criteria and knowledge-base materials that you create or upload, which may contain personal information if you choose to include it.
- Communications: the content of demo requests, contact forms, support messages and any correspondence you send us.
Information received from your institution’s LMS
- LTI launch data: when a student or instructor opens a Blocks activity from an LMS, the LMS sends us identifiers and attributes such as a user identifier, name, email address (where released by the LMS), roles, course/context identifiers and resource link identifiers.
- Submissions and interactions: answers, free-text responses, chat messages with AI tutors, attempts, scores and other activity data generated when a learner uses a tool.
- Grades: scores we return to the LMS gradebook through the Assignment and Grade Services (AGS).
Information collected automatically
- Technical and usage data: IP address, browser and device type, pages viewed, referring pages, timestamps and diagnostic logs collected to operate, secure and improve the Service.
- Cookies and session data: see the “Cookies and similar technologies” section below.
3. How and why we use personal information
We use personal information to:
- Authenticate users, validate LTI launches and deliver the learning tools and their core functionality;
- Generate, grade and analyse learning activities, including AI-assisted authoring, grading and submission analysis;
- Return grades and results to the institution’s LMS;
- Create and administer accounts, tenants and team memberships;
- Process subscriptions, credits and payments, and prevent fraud;
- Provide customer support and respond to your enquiries;
- Monitor, secure, troubleshoot and improve the Service, and develop new features;
- Send service-related communications and, where permitted, marketing about our products (which you may opt out of); and
- Comply with legal obligations and enforce our terms.
We do not sell personal information, and we do not “share” it for cross-context behavioural advertising as those terms are defined under U.S. state privacy laws. We do not use student personal information to build or improve products unrelated to the educational service requested by the institution, and we do not use it for targeted advertising.
4. Legal bases for processing
Where the GDPR applies and we act as a controller, we rely on the following legal bases:
- Performance of a contract — to provide accounts, billing and the Service you request;
- Legitimate interests — to secure, operate and improve the Service, and for limited direct marketing, balanced against your rights;
- Consent — where required, for example certain cookies or marketing; and
- Legal obligation — to meet accounting, tax and other statutory requirements.
Where we act as a processor for a Customer, the Customer is responsible for establishing the legal basis for the processing we perform on their behalf.
5. AI processing
Some features use large language models hosted on Amazon Web Services (AWS Bedrock) to generate content, assist authoring, grade submissions, analyse responses and power knowledge-base retrieval. When you use these features, the relevant inputs (such as prompts, submissions or knowledge-base content) are transmitted to the model provider solely to return a result to you. We use enterprise model-hosting services that do not use your inputs or outputs to train their foundation models. AI outputs may contain inaccuracies; automated grades and analyses are intended to assist instructors, who remain responsible for final academic decisions.
6. How we share personal information
We share personal information only as described below:
- With your institution: grades, submissions and activity data are shared with the Customer that operates the course, consistent with their role as controller.
- With service providers (sub-processors): we use vetted vendors who process personal information on our behalf under contract, including cloud hosting and AI inference (Amazon Web Services), payment processing (Stripe), and email delivery. They may only use the data to provide services to us.
- For legal reasons: to comply with law, respond to lawful requests, or protect the rights, safety and property of our users, the public or us.
- Business transfers: in connection with a merger, acquisition, financing or sale of assets, subject to this policy.
7. International data transfers
We and our service providers may process personal information in countries other than your own, including the United States. Where we transfer personal information out of the European Economic Area, the United Kingdom or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and equivalent mechanisms.
8. Data retention
We retain personal information only for as long as necessary for the purposes described in this policy, including to provide the Service, meet our legal, accounting and reporting obligations, and resolve disputes.
- Account and tenant data is retained for the life of the account and deleted or anonymised within a reasonable period after closure.
- Learner submissions, scores and AI interaction logs are retained for as long as the Customer’s configuration and applicable academic-records requirements dictate, and are deleted at the Customer’s instruction.
- Billing records are retained for the period required by tax and accounting law.
When acting as a processor, we delete or return personal information on termination of the Customer’s agreement, except where retention is required by law.
9. Security
We maintain technical and organisational measures appropriate to the risk, including encryption in transit, access controls, tenant isolation, hashed credentials and audit logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
10. Your rights and choices
Depending on where you live, you may have the right to access, correct, delete or port your personal information; to object to or restrict certain processing; to withdraw consent; and to lodge a complaint with a supervisory authority. California residents have rights to know, delete, correct and to limit the use of sensitive personal information, and the right not to be discriminated against for exercising them.
To exercise your rights, contact us at support@aulasneo.com. If your personal information is processed by us on behalf of an educational institution (for example student records from an LMS), please direct your request to that institution; we will assist them in responding. We will verify your request and respond within the timeframes required by applicable law.
11. Children and student data
Blocks is designed for use by educational institutions and is not directed to children for direct sign-up. Where students who are minors use the Service through their school, we act as a processor and school official under the institution’s direction, process the data only to provide the educational service, and do not use it for advertising or to build unrelated profiles. We rely on the institution to provide any notices and obtain any consents required by laws such as FERPA and COPPA.
12. Cookies and similar technologies
We use strictly necessary cookies to keep you signed in, secure sessions, support LTI launches and remember your language preference. We may use limited analytics to understand and improve the Service. You can control non-essential cookies through your browser settings; disabling necessary cookies may prevent the Service from functioning.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version with a new “Last updated” date and, where required, provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. How to contact us
If you have questions about this Privacy Policy or our handling of personal information, contact Aulasneo at support@aulasneo.com. Please also review our Terms of Use, which govern your use of the Service.