Privacy policy

This privacy policy explains how Design Excellent Group SL (“we”, “us”) collects and processes personal data when you use the ClassWolf public website, sign up for an account or operate a school on the platform. We follow the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and — for users based in Italy — Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.

1. Who is the data controller

The controller for personal data processed through ClassWolf is:

For privacy-specific requests, write to info@classwolf.com with the subject line “Privacy request”.

2. Controller vs processor in a multi-tenant platform

ClassWolf hosts independent schools (“Customer Schools”) on shared infrastructure. The roles change depending on whose data we are talking about:

• Account and billing data of Customer Schools — we are the controller;
• Public-site visitor data (cookies, contact forms, sign-ups) — we are the controller;
• Student, teacher, attendance, bono and payment data uploaded by a Customer School about its own staff and members — the Customer School is the controller and Design Excellent Group SL acts as a processor under Article 28 GDPR. The corresponding data processing agreement (DPA) is part of our Terms of Service.

3. What data we collect

3.1 Information you give us

• Sign-up data: school name, your email address, country and the primary activity you teach.
• Authentication: we use passwordless magic-link sign-in; we store the short-lived sign-in tokens and the timestamp of each session.
• Profile data: any optional information you add to your school profile (logo, public address, contact details).
• Billing data: business name, tax identifier, billing address, and a payment-method identifier kept by our payment processor.
• Content you upload: rooms, teachers, students, courses, sessions, bonos, attendance, communications and any other records created through the app. For data about individuals other than yourself, you are the controller and you must have a lawful basis to upload it.
• Support correspondence: when you write to us we keep the email and any attachments to handle and follow up the request.

3.2 Information we collect automatically

• Technical logs: IP address, user-agent, request timestamps, status codes — captured to operate the service securely and prevent abuse.
• Cookies and similar technologies: see our Cookie Policy for details and choices.

4. Why we process your data and on what legal basis

• To provide the service (Art. 6.1.b GDPR — contract): create your account, host your school, generate sessions, take attendance, process payments, issue invoices.
• To comply with legal obligations (Art. 6.1.c GDPR): tax and accounting records, e-invoicing through SDI in Italy and Verifactu in Spain, responses to legitimate requests from authorities.
• To pursue our legitimate interests (Art. 6.1.f GDPR): keeping the service secure, preventing fraud and abuse, improving the product through aggregated usage analysis, and handling support.
• With your consent (Art. 6.1.a GDPR): non-essential cookies, marketing communications, optional newsletters. You may withdraw consent at any time.

5. Who we share data with

We do not sell your personal data. We share it with a limited set of service providers acting as processors on our behalf, including:

• cloud hosting and database providers (EU regions where available);
• transactional email providers (sign-in links, receipts, notifications);
• payment processors and acquiring banks (for paid plans);
• e-invoicing intermediaries for SDI (Italy) and Verifactu (Spain);
• analytics, monitoring and error-tracking tools (privacy-respecting where available);
• professional advisors (accountants, lawyers) bound by confidentiality.

Where any processor is located outside the European Economic Area, we rely on Standard Contractual Clauses approved by the European Commission and on additional safeguards as required by Article 46 GDPR.

6. How long we keep your data

• Active accounts: for as long as the account is open and the related services are provided.
• Closed accounts: account profile and operational records are deleted or anonymised within 90 days of termination, except for data we are required to keep by law.
• Invoices and tax records: retained for six years under the Spanish Commercial Code; ten years where Italian rules apply.
• Authentication tokens: magic-link tokens expire within one hour; session records are kept for up to 12 months for security investigations.
• Server logs: retained for up to 12 months.
• Student records uploaded by a Customer School: kept according to the instructions of that school. By default ClassWolf preserves them indefinitely so historical attendance and billing can be reconstructed; a school can request deletion at any time.

7. Your rights

Under the GDPR you have the right to access your personal data, to ask for correction or erasure, to restrict or object to processing, to data portability and to withdraw any consent you have given. To exercise any of these rights, contact us at info@classwolf.com; we will reply within one month.

If a Customer School has uploaded data about you, please send the request to that school first — they are the controller. We will support them in handling the request and we will act directly if the school does not respond within a reasonable period.

You can lodge a complaint with the Spanish Data Protection Agency (AEPD), the Italian Garante per la protezione dei dati personali or the supervisory authority of the EU/EEA country where you live.

8. Security

We apply technical and organisational measures appropriate to the risk: encryption in transit (TLS) and at rest where the underlying platform supports it, role-based access control inside each tenant, network isolation between tenants, regular backups, audit logging and least-privilege access for our staff. No system is perfectly secure: if we detect a personal-data breach that is likely to result in a risk to your rights and freedoms we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay.

9. Children

ClassWolf is sold to schools and other professional users; the public site is not directed at children. In Spain a minor must be at least 14 years old to consent to processing of their personal data (Article 7 LOPDGDD); in Italy the threshold is also 14 years (Article 2-quinquies of Legislative Decree 196/2003). Where a school manages records about minors below this age, the school is responsible for collecting the necessary consents from the holders of parental responsibility.

10. Changes to this policy

We update this policy whenever our processing changes. The “last updated” date at the top of the page reflects the most recent revision. Material changes will be announced by email to account administrators at least 30 days before they take effect.

11. Contact

For any privacy-related question, write to info@classwolf.com or by post to the registered office at Calle Blanquerna 53 1C, 07003 Palma de Mallorca, Spain.