Appendix 1: Privacy Annex

Version v20240902 - last update 02-09-2024

NOTE

This Appendix is part of the Data Processing Agreement

• A. Contact Information
• B. Version Number & History
• C. General Information
• D. Description of Specific Products and/or Services
  • D1. Ziber Platform (generic)
  • D2. Ziber Team
  • D3. Ziber Kwieb
  • D4. Ziber Data Connections (import)
  • D5. Ziber Newsletter
  • D6. Ziber Pay
  • D7. Ziber SenseView
  • D8. Ziber Website
  • D9. Ziber API
• E. Purposes for Processing of Personal Data
• F. Categories of Personal Data including Retention Periods
  • F.a Categories of Personal Data
  • F.b. Retention Period of the Personal Data or the Criteria for Establishing It
• H. Sub-processors

A. Contact Information

For questions or comments regarding this Privacy Statement or the operation of this product and/or service, you can contact:

• Processor: General Director, Johan Alkemade, j.alkemade@ziber.eu, tel. +31(0)224290989
• Educational Institution: The information provided by the Customer as the contact person when entering into the Ziber Subscription for the Ziber Services

B. Version Number & History

See the top of this document.

C. General Information

Product and/or Service Name	Ziber Education
Name of Processor and Location Details	Ziber B.V., Zijperweg 4 J, 1742 NE Schagen, The Netherlands
Link to Supplier (website/URL)	www.ziber.eu
Link to Product Page (website/URL)	www.ziber.eu
Brief Description and Functionality of the Product and/or Service	Platform for parent communication for childcare and educational organizations (or related)
Target Audience	Primary Education, Childcare, Education
Users (Education Participants/Parents/Guardians/Staff)	Education participants, parents, guardians, staff, participation councils, parent councils, and users of other organizations related to education and/or childcare.

D. Description of Specific Products and/or Services

Below is a description of the associated Data Processing activities that are integral to each product/service offered. Each processing activity indicates whether it is mandatory or optional, the personal data being processed, the purpose, the category of personal data, and the retention period applied.

D1. Ziber Platform (generic)

When using one of the Ziber Services, or any part of it, you are at least utilizing the underlying processing activities described here.

Mandatory Processing Activities

Processing Activity	Personal Data	Purpose	Category	Retention Period
D1.1.1	Ziber ID (account) Email address Password	E12, E13, E14	F2.1, F3.1	Up to 90 days after the User has deleted or requested deletion of the account.
D1.1.2	Ziber ID (account) IP address	E12, E14, E15, E19	F2.3, F3.4	Up to 90 days after the User has deleted or requested deletion of the account. Up to 90 days after the time of logging

Optional Processing Activities

The User is not required to provide this data for the proper functioning of the Services.

The Educational Institution agrees to the following optional processing activities of personal data.

Processing Activity	Personal Data	Purpose	Category	Retention Period
D1.2.1	Ziber ID (account) Profile picture Phone number Address Job title Preferred language Gender Biography	E9, E12, E15	F2.1, F2.4, F3.1, F3.5	Until self-deletion of the data. Up to 90 days after Ziber ID deletion
D1.2.2	User Support Personal data shared by the User for the purpose of providing support, delivery, and development of Ziber Services.	E12, E15		No end date, except email correspondence to privacy@ziber.eu, which is automatically deleted after 60 days

D2. Ziber Team

The Educational Institution team uses Ziber Team to access and share information with and from relevant users of the Ziber Services. A comprehensive description of all features can be found on our support website support.ziber.eu.

Mandatory Processing Activities

Processing Activity	Personal Data	Purpose	Category	Retention Period
D2.1.1	Ziber ID Role of team member in relation to the Educational Institution	E9, E12, E15	F3.5	Immediately deleted if the Ziber ID is no longer connected to the Ziber Zone (Educational Institution or organization) Immediately deleted if role at the school is removed via import link/synchronization Up to 90 days after the Ziber ID is deleted Up to 2 years after the Customer Subscription ends

Optional Processing Activities

The Educational Institution agrees to the following optional processing activities of personal data.

Processing Activity	Personal Data	Purpose	Category	Retention Period
D2.2.1	Content Messages Comments Registrations Photos Videos Files Music Software	E9, E12, E15	F1.11, F1.12, F1.13, F3.3	Until the User deletes the content Up to 2 years after the Customer Subscription ends
D2.2.2	Absence Notifications Reason for absence Description (optional)	E7, E9, E12, E15	F1.9	Until the absence is deleted by the Educational Institution Up to 2 years after the Education Participant leaves the Educational Institution Up to 2 years after the Customer Subscription ends
D2.2.3	Topics (private conversation feature) Messages and/or files shared directly between Parent(s)/Guardian(s) and staff of the Educational Institution	E9, E12, E15	F1.1, F1.9, F1.11, F1.12, F1.13, F1.15, F2.1, F3.1, F3.3	Until the relevant part of the Topic is deleted by the User Up to 2 years after the Customer Subscription ends

D3. Ziber Kwieb

Parents/Guardians use the Ziber Kwieb parent app (school app), which the Educational Institution has made available to facilitate parent communication. A detailed description of all the features can be found on our support website support.ziber.eu.

Mandatory Processing Activities

Processing Activity	Personal Data	Purpose	Category	Retention Period
D3.1.1	Ziber ID (Parent/Guardian) Role in relation to Education Participant	E9, E12, E15	F2.4	Immediately deleted if Ziber ID is no longer linked to the Education Participant Up to 90 days after the Ziber ID is deleted Up to 2 years after the Customer Subscription ends
D3.1.2	Education Participant Name Date of Birth Role in relation to Parent/Guardian Group and academic year Administration number	E9, E12, E14, E15	F1.1, F1.6, F1.11, F1.15	Up to 2 years after the Education Participant leaves the Educational Institution Up to 2 years after the Customer Subscription ends

Optional Processing Activities

The Educational Institution agrees to the following optional processing activities of personal data.

Processing Activity	Personal Data	Purpose	Category	Retention Period
D3.2.1	Content (potentially of a personal nature) Messages Comments Registrations Photos Videos Files Music Software	E9, E12, E15	F1.11, F1.12, F1.13, F3.3	Until the User deletes the content Up to 2 years after the Customer Subscription ends
D3.2.2	Absence Notifications Reason for absence Description (optional)	E7, E9, E12, E15	F1.9	Until the absence is deleted by the Educational Institution Up to 2 years after the Education Participant leaves the Educational Institution Up to 2 years after the Customer Subscription ends
D3.2.3	Topics (private conversation feature) Messages and/or files directly shared between Parent(s)/Guardian(s) and staff of the Educational Institution	E9, E12, E15	F1.1, F1.9, F1.11, F1.12, F1.13, F1.15, F2.1, F3.1, F3.3	Until the relevant part of the Topic is deleted by the User Up to 2 years after the Customer Subscription ends

D4. Ziber Data Connections (import)

The Educational Institution can use various Data Connections to easily import and keep up-to-date the basic details of Education Participants, employees of the Educational Institution, and Parents/Guardians from other systems into the Ziber platform.

Mandatory Processing Activities

Processing Activity	Personal Data	Purpose	Category	Retention Period
D4.1.1	Education Participant Name Date of Birth Role in relation to Parent/Guardian Group and academic year Unique administration number Email addresses of Parent(s)/Guardian(s)	E9, E12, E15	F1.1, F1.3, F1.6, F1.11, F2.1, F2.4	Up to 2 years after the Education Participant leaves the Educational Institution Up to 2 years after the end of the Customer Subscription
D4.1.2	Employee of the Educational Institution Name Role in relation to the Organization Group and academic year Unique administration number Email address	E9, E12, E15	F3.1, F3.5	Up to 2 years after the Education Participant leaves the Educational Institution Up to 2 years after the end of the Customer Subscription

Optional Processing Activities

There are no optional processing activities.

D5. Ziber Newsletter

Parents/guardians and other Users can subscribe to a newsletter from the Educational Institution so that the Educational Institution can send email newsletters to the subscribed users. A detailed description of all features can be found on our support website support.ziber.eu.

Mandatory Processing Activities

Processing Activity	Personal Data	Purpose	Category	Retention Period
D5.1.1	Newsletter Subscriber Email address	E9, E12, E15	F2.1	Until unsubscribed from the newsletter Up to 2 years after Customer Subscription ends

Optional Processing Activities

The Educational Institution agrees to the following optional processing activities of personal data.

Processing Activity	Personal Data	Purpose	Category	Retention Period
D5.2.1	Newsletter Subscriber Name Title Phone number	E9, E12, E15	F2.1	Until User unsubscribes Up to 2 years after Customer Subscription ends

D6. Ziber Pay

The Educational Institution can create payment requests for Parents/guardians and other Users to collect payments. A detailed description of all features can be found on our support website support.ziber.eu.

Mandatory Processing Activities

Processing Activity	Personal Data	Purpose	Category	Retention Period
D6.1.1	Payer Email address Name Transaction details	E9, E12, E15, E20	F2.1, F2.2	Up to 2 years after Customer Subscription ends

Optional Processing Activities

The Educational Institution agrees to the following optional processing activities of personal data.

Processing Activity	Personal Data	Purpose	Category	Retention Period
D6.2.1	Payer Phone number Date of birth Comment Address (billing/shipping)	E9, E12, E15, E20	F2.1	Up to 2 years after Customer Subscription ends

D7. Ziber SenseView

The Educational Institution can publish information to its own TV channel (Ziber SenseView). A detailed description of all features can be found on our support website support.ziber.eu.

Mandatory Processing Activities

There are no mandatory processing activities.

Optional Processing Activities

The Educational Institution agrees to the following optional processing activities of personal data.

Processing Activity	Personal Data	Purpose	Category	Retention Period
D7.2.1	Education Participant Name Date of birth (age related to birthday)	E9, E12, E15	F1.1, F1.6	Up to 2 years after Education Participant leaves the Educational Institution Up to 2 years after Customer Subscription ends

D8. Ziber Website

The Educational Institution can publish information to a Ziber Website created on the Ziber Platform. A detailed description of all features can be found on our support website support.ziber.eu.

Mandatory Processing Activities

There are no mandatory processing activities.

Optional Processing Activities

The Educational Institution agrees to the following optional processing activities of personal data.

Processing Activity	Personal Data	Purpose	Category	Retention Period
D8.2.1	Response Form Name Phone Email IP Address Phone	E12, E15	F2.1, F2.3	Up to 90 days after form submission Up to 2 years after Customer Subscription ends
D8.2.2	Web Forms IP Address & email address of a visitor to the Educational Institution's website who submits a web form (using Ziber technology)	E12, E15	F2.1, F2.3	Up to 90 days after form submission Up to 2 years after Customer Subscription ends
D8.2.3	Visitor downloading a file from the Educational Institution website IP Address	E12, E14, E15	F2.3	Up to 90 days after form submission Up to 2 years after Customer Subscription ends
D8.2.4	Logging into a secured section of the Educational Institution website IP Address Email Password	E12, E14, E15	F2.1, F2.3	Up to 90 days after form submission Up to 2 years after Customer Subscription ends

D9. Ziber API

The Educational Institution can publish information to a generic applicable (API) channel, for example, to supply a website hosted elsewhere with up-to-date information from the Ziber Platform, such as news and activities. A detailed description of all features can be found on our support website support.ziber.eu.

Mandatory Processing Activities

There are no mandatory processing activities.

Optional Processing Activities

There are no optional processing activities.

E. Purposes for Processing of Personal Data

The Processing of Personal Data using Digital Educational Tools by Educational Institutions takes place to provide education, including preparing, executing, evaluating, and supporting the education process, and to guide and monitor Education Participants in their learning process. Below is an indication of more specific purposes that apply to the product or service.

Abbreviation	Purpose
E1	Storage of learning and test results
E2	Receiving learning and test results back by the Educational Institution
E3	Assessment of learning and test results to obtain study materials and test materials tailored to the specific learning needs of an Education Participant
E4	Analysis and interpretation of learning and test results
E5	Exchange of learning and test results between Digital Educational Tools
E6	Scheduling and adjustment of timetables
E7	Keeping track of personal (including medical) circumstances of an Education Participant and the consequences for following education
E8	Guidance and support of teachers and other staff within the Educational Institution
E9	Communication with Education Participants and parents, and with staff of the Educational Institution
E10	Monitoring and accountability, particularly for: performance measurements of the Educational Institution, quality assurance, satisfaction surveys, effectiveness research of education or support provided to Education Participants in inclusive education
E11	Exchanging Personal Data with Third Parties, where necessary and legally permitted, including: supervisory authorities and care institutions in the course of their (legal) duties; collaborative partnerships for inclusive education and regional collaborations; parties involved in internships or work-study placements; providing Personal Data to Educational Institutions when transferring between schools or for further education; providing Personal Data to a third party as instructed by the Educational Institution.
E12	Receiving and using Digital Educational Tools as per the agreement between the Educational Institution and the Supplier
E13	Access to offered Digital Educational Tools, and external information systems, including identification, authentication, and authorization
E14	Security, control, prevention of misuse and improper use, and prevention of inconsistency and unreliability in Personal Data processed using the Digital Educational Tool
E15	Continuity, improvement, and proper functioning of the Digital Educational Tool as agreed between the Educational Institution and the Supplier, including maintenance, backup, error correction, and support
E16	Providing (anonymized or pseudonymized) Personal Data for scientific research or statistical purposes to improve the learning process or the Educational Institution’s policies, conducted under strict conditions similar to existing research and statistical codes of conduct
E17	Providing anonymized Personal Data for research and analysis purposes to improve the quality of education
E18	Providing Personal Data to meet legal requirements imposed on Digital Educational Tools
E19	Handling disputes
E20	Financial management
E21	Enforcement or application of a Union or Member State legal requirement
E22	Other purposes related to providing education, including preparing, executing, evaluating, and supporting the educational process, and guiding and monitoring Education Participants in their learning

F. Categories of Personal Data including Retention Periods

F.a Categories of Personal Data

This section describes the categories of Data Subjects, the categories of Personal Data that are processed, and their possible specifications.

Data Subject: Education Participant (F1)

Abbreviation	Category of Personal Data	Specification
F1.1	Contact Details	First Name(s) Initials Last Name Gender Home Address Postal Code City of Residence Phone Number Private Email Address School Email Address
F1.2	Personal Identification Number of the Government
F1.3	Education Participant Number	An administrative number that identifies Education Participants
F1.4	ECK-iD
F1.5	Nationality
F1.6	Date of Birth
F1.7	Place of Birth
F1.8	Financial Data for calculating, recording, and collecting funds and contributions	Bank Account Number Invoice Administration
F1.9	Health Data	Data necessary for the health or well-being of the Data Subject or processed at the request of the Education Participant, as far as necessary for education
F1.10	Religion	Data regarding the religion or beliefs of the Data Subject, as far as necessary for education or processed at the request of the Education Participant
F1.11	Study Progress	Class / Grade / Group Examination Study progress and/or study path Guidance for Education Participants, including action plans Attendance registration
F1.12	Educational Organization	Data for the organization of education (such as a schedule) and the provision or availability of educational materials
F1.13	Visual Material	Photos and video recordings (visual material) of the Data Subject with or without sound from activities at the Educational Institution
F1.14	User Data	Diagnostic data, log data, metadata, such as: IP address
F1.15	Other Personal Data, namely	Role in relation to Parent/Guardian/Caretaker Profile Picture

Data Subject: Parent/Guardian/Caretaker (F2)

Abbreviation	Category of Personal Data	Specification
F2.1	Contact Details	First Name(s) Initials Last Name Gender Home Address Postal Code City of Residence Phone Number Private Email Address
F2.2	Financial Data for calculating, recording, and collecting funds and contributions	Bank Account Number Invoice Administration
F2.3	User Data	Diagnostic data, log data, metadata IP Address
F2.4	Other Personal Data, namely	Role in relation to Education Participant (e.g., "Parent of..." or "Guardian of ...") Profile Picture Preferred Language

Data Subject: Employee of the Educational Institution (F3)

Abbreviation	Category of Personal Data	Specification
F3.1	Contact Details	First Name(s) Initials Last Name Gender School Email Address
F3.2	Educational Organization	Schedule Guidance Data
F3.3	Visual Material	Photos and video recordings (visual material) of the Data Subject with or without sound from activities at the Educational Institution
F3.4	User Data	Diagnostic data, log data, metadata, such as: IP Address
F3.5	Other Personal Data, namely	Role at the Educational Institution (e.g., "Teacher of Class 3" or "IT Specialist at the Educational Institution") Profile Picture Phone Number Bio (description by the employee about themselves) Preferred Language

F.b. Retention Period of the Personal Data or the Criteria for Establishing It

This section provides the (legal) retention periods of Personal Data (or the criteria to determine them) that apply to the Processing of Personal Data by the Processor. The specific retention periods are determined by the Educational Institution as the Data Controller, possibly based on a proposal from the Processor.

H. Sub-processors

By agreeing to this Data Processing Agreement, the Educational Institution provides the Processor with general written consent to engage a Sub-processor. At the time of the agreement, the Processor utilizes the following Sub-processors:

Sub-processor Name	Type of Processing (brief description of task/service outlining the data processed)	(Category of) Personal Data processed by the Sub-processor	Sub-processor's Country of Establishment	Country of Personal Data Storage/Processing by Sub-processor
Microsoft (Azure)	Translation function	Texts are translated to the set preferred language if the source language differs	USA	NL
Microsoft (Azure)	Sharing attachments via the Topics function in Ziber Team and/or Kwieb app	Attachments, photos, videos	USA	NL
Microsoft (Azure)	Error logging	User data and the related actions performed in the Ziber software	USA	NL
Microsoft (Azure)	Sending push notifications to users	Potentially personally identifiable information such as name and notification title/description	USA	NL
Google	Translation function (for languages not supported by Microsoft Azure)	All processed texts requiring translation	USA	EU
Google	Sending push notifications to users (apps on Android platform)	Potentially personally identifiable information such as name and notification title/description	USA	EU
Apple Inc	Sending push notifications to users (apps on iOS platform)	Potentially personally identifiable information such as name and notification title/description	USA	Outside EU
Stripe, USA	Processing financial transactions as part of the Ziber Pay service	Personal data related to Ziber Pay transactions, such as bank account number and name	USA	Outside EU
Zendesk, Amsterdam	Providing support (via email support@ziber.eu and chat function) to Ziber platform users	Name, email address, and user-shared information that may contain personal data	USA	Outside EU
Whatsapp (business), USA	Providing support (via WhatsApp) to Ziber platform users	Mobile phone number and user-shared information that may contain personal data	USA	Outside EU
Atlassian (Trello)	Handling Ziber processes related to acquisition, delivery, and service development	Name, email address, and potentially other personal data	USA	Outside EU
Microsoft 365, Europe	Communication for support, delivery, and development of Ziber Services to Customers and users	User-shared personal data for support, delivery, and development of the Services	USA	EU
Customer IO	Providing email support	Name, email address, and potentially other personal data	USA	EU
Linear	Handling Ziber processes related to acquisition, delivery, and service development	Name, email address, and potentially other personal data	USA	Outside EU
Airtable	Marketing purposes	Potentially name + email address	USA	Outside EU
Bunny.net	Serving attachments, photos, and videos	Attachments, photos, videos	Slovenia	EU