Edena Logo - School Management Software

Privacy Policy

Last updated: April 17, 2026

1. INTRODUCTION AND PURPOSE

At Edena, we are committed to protecting the privacy of all users of our platform and to being fully transparent about how we process personal data. This Privacy Policy describes the data processing practices of Edena Software S.L. in connection with the use of the Edena platform and this website, in compliance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI).

Edena is a comprehensive educational management platform designed for educational institutions (schools, nurseries, academies, and school groups). As a platform that handles data of minors, students, and families, we apply the highest standards of privacy and security.

2. DATA CONTROLLER

Company name: Edena Software S.L.

Address: Barcelona, Spain

Email: [email protected]

Website: www.edena.es

3. DATA PROTECTION OFFICER (DPO)

Edena has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with data protection regulations. You may contact our DPO at any time at: [email protected]

4. PLATFORM USERS AND DATA PROCESSED

Edena provides services to different categories of users, each with specific data processing:

4.1 Administrators and school staff

Data: full name, national ID, role/position, corporate email, phone number, login credentials, and activity logs on the platform.

Purpose: management of the contractual relationship with the institution, platform access and administration, operational communication, and technical support.

4.2 Teachers and academic tutors

Data: full name, email address, login credentials, assigned subjects or groups, grades entered, and communications with families.

Purpose: delivery of educational services, communication with families, grade management, and attendance tracking.

4.3 Families and legal guardians

Data: full name, email address, phone number, relationship to the student, payment data (handled by PCI DSS-certified providers), communication history, and attached documentation.

Purpose: school-family communication, payment and billing management, access to student records, and educational follow-up.

4.4 Students

Data: full name, date of birth, photograph (optional, with explicit consent), academic data (grades, attendance, progress), and relevant health data (allergies, special educational needs) when explicitly provided by the school or family.

Purpose: academic and student record management, educational communication, and monitoring of school progress.

4.5 Website visitors

Data: browsing data, IP address (anonymised), pages visited, session duration, and data from contact or demo request forms (name, email, school name, message).

Purpose: website usage analysis, improvement of user experience, and handling of information requests.

5. PURPOSES OF PROCESSING AND LEGAL BASIS

a) Contract management and service delivery — Basis: performance of a contract (Art. 6.1.b GDPR).

b) Academic management and student records — Basis: performance of a contract / legitimate interest (Art. 6.1.b and 6.1.f GDPR).

c) Communication between school and families — Basis: performance of a contract / legitimate interest (Art. 6.1.b and 6.1.f GDPR).

d) Billing and payment management — Basis: performance of a contract / legal obligation (Art. 6.1.b and 6.1.c GDPR).

e) Sending commercial communications about Edena — Basis: consent (Art. 6.1.a GDPR). Consent may be withdrawn at any time.

f) Compliance with tax, employment, and commercial legal obligations — Basis: legal obligation (Art. 6.1.c GDPR).

g) Platform improvement and anonymised statistical analysis — Basis: legitimate interest (Art. 6.1.f GDPR).

6. SPECIAL PROCESSING: DATA OF MINORS

Edena is fully aware of the particular sensitivity involved in processing personal data of minors. In accordance with Article 8 of the GDPR and Article 7 of the LOPDGDD:

- Educational institutions, as data controllers for their students' data, are responsible for obtaining the consent of parents or legal guardians for the processing of data of children under 14.

- Edena acts as data processor with respect to student data entered by the educational institution, following its instructions.

- Health data and other special categories of student data (Art. 9 GDPR) are only processed when the institution explicitly enters them and a specific legal basis exists (explicit consent or necessity for the educational service).

- Edena does not use minors' data for any purpose other than strictly educational and school management purposes.

7. DATA RETENTION

Data will be kept for the time strictly necessary for the purpose for which it was collected and, in any case, for the periods required by law:

- Contract and billing data: 6 years (tax and commercial obligations).

- Commercial communication data: until consent is withdrawn.

- Student records: for the duration of the relationship with the institution and, after leaving, for the limitation period for potential liability (up to 5 years).

- Platform access and activity logs: maximum 12 months.

- Website visitor data: in accordance with the applicable cookie policy.

After these periods, data will be deleted or irreversibly anonymised.

8. RECIPIENTS AND DATA PROCESSORS

Edena does not sell or transfer personal data to third parties for commercial purposes. Data may only be disclosed to:

- Technology and cloud infrastructure providers (hosting, databases) acting as data processors under GDPR-compliant agreements.

- Certified payment service providers (PCI DSS) for billing and payment management.

- Service analysis and monitoring providers, always on an anonymised or aggregated basis.

- Public authorities and bodies, exclusively to fulfil legal obligations.

All our providers are subject to confidentiality agreements and data processing contracts that ensure GDPR compliance.

9. INTERNATIONAL DATA TRANSFERS

As a general rule, data is hosted on servers located in the European Economic Area (EEA). In the exceptional cases where an international transfer outside the EEA is necessary, Edena ensures that appropriate safeguards under the GDPR are in place, such as standard contractual clauses approved by the European Commission or the existence of an adequacy decision.

10. DATA SUBJECTS' RIGHTS

In accordance with the GDPR and LOPDGDD, users may exercise the following rights:

- Right of access: to know what personal data we process about you.

- Right of rectification: to correct inaccurate or incomplete data.

- Right of erasure ("right to be forgotten"): to request deletion of your data when it is no longer necessary for the purpose for which it was collected.

- Right to object: to object to the processing of your data in certain circumstances.

- Right to restriction of processing: to request that processing be limited in certain cases provided for by law.

- Right to data portability: to receive your data in a structured, commonly used, and machine-readable format.

- Right to withdraw consent: at any time, without affecting the lawfulness of processing prior to withdrawal.

- Right not to be subject to automated decisions with significant legal effects.

To exercise any of these rights, send a request to [email protected] stating your name, surname, and a copy of your identity document. We will respond within a maximum of one month.

If you consider that your rights have not been properly addressed, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) — www.aepd.es.

11. SECURITY MEASURES

Edena implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

- Encryption of data in transit (TLS/HTTPS) and at rest.

- Role-based access control and least-privilege principle.

- Secure authentication and session management.

- Continuous monitoring and security incident detection.

- Regular backups and disaster recovery plans.

- Regular staff training on data protection and cybersecurity.

- Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

In the event of a security breach affecting the rights and freedoms of data subjects, Edena will notify the supervisory authority within 72 hours and, where necessary, will inform the affected individuals.

12. ACCURACY AND TRUTHFULNESS OF DATA

Users undertake to provide truthful, accurate, and up-to-date data. Edena shall not be liable for any harm arising from the use of inaccurate or false data provided by the user. If the data changes, the user must notify us as soon as possible at [email protected].

13. CHANGES TO THIS POLICY

Edena may update this Privacy Policy to reflect legislative changes, supervisory authority decisions, or platform updates. When changes are substantial, users will be notified by email or through a prominent notice on the platform. The "last updated" date at the top of this document always reflects the current version.

14. CONTACT AND COMPLAINTS

For any queries, requests, or complaints related to the processing of your personal data, please contact our Data Protection Officer:

Email: [email protected]

To lodge a complaint with the competent supervisory authority:

Spanish Data Protection Agency (AEPD)

C/ Jorge Juan, 6, 28001 Madrid

www.aepd.es