Privacy notice

The privacy notice is valid from 1 June 2021.

Please also read the terms and conditions of use.

1. Introduction

The Opiq service is an information society service based on the explanation provided in the Information Society Services Act.

The Opiq service is provided by Star Cloud OÜ (hereinafter Star Cloud), registry code 12731921, e-mail info@starcloud.ee, tel. 5323 7793.

This document provides an overview of how your personal data are processed when you use the Star Cloud environment www.opiq.ee and the related services (hereinafter Opiq).

As a rule, the data controller of your personal data is a school or a local authority, and hence, the terms and conditions of processing personal data which have been established by them are applied. Please contact the data controller for more information about those terms and conditions.

If Star Cloud as the provider of the Opiq platform is the data processor, the data are primarily processed based on the instructions of the data controller, as well as based on the rules specified in the terms and conditions of use of the Opiq service.

If Star Cloud as the provider of the Opiq platform is the data controller (e.g. in the case of the visitation data of the Opiq online store www.opiq.ee), the data are processed by Star Cloud as described in the terms and conditions of use of the Opiq service. The compositions and purposes of the data are described in detail below.

2. How does Opiq process your personal data?

It is possible to register as a user of the Opiq environment in various different roles (as a student of a specific school, as a school administrator, as a regular user without any connection with a school, as a parent or a teacher). The Opiq user instructions by roles can be found HERE.

Opiq also processes the data of the visitors to the Opiq website, those ordering from the online stores, as well as the authors, editors, and technical editors of the teaching materials.

Opiq’s grounds for the processing of the personal data is fulfilling its legal obligations (as a publisher of educational literature based on subsection 20 (4) of the Basic Schools and Upper Secondary Schools Act), contractual provision of a service to the client and the user, Opiq’s justified interest, and the user’s consent if the law calls for asking the user’s consent (primarily in the case of commercial messages).

The personal data are processed for the purposes of creating and managing user accounts, contractual provision of a service and ensuring the quality and convenient use of the service, identification of the users and association with the users with specific schools, if necessary, contacting the users, keeping the accounts of the royalties, management of the online store orders and settling of the accounts, as well as for statistical, accounting, marketing, and user support services, complying with the security requirements, and functioning of the service between the service providers.

When the services of Opiq are used, information about the user’s operations is generated in our server.

The statistical data from Opiq may not provide an overview of a student’s overall academic success, as it does not reflect the entire teaching process. In order to adequately analyse the academic success, a comprehensive overview of the student’s knowledge and results is required.

The table below provides an overview of the processing of personal data within the framework of the Opiq service. The composition of the personal data varies depending on the role of the user.

3. Which personal data are being processed and why?

Operation Personal data Purpose Grounds for processing
Authentication of the user ID, name, personal identification code/date of birth, e-mail address, authentication key, if the service provider’s account is used for authentication (a Stuudium key, a social media key in Facebook or Google, an e-Kool account key, user name and e-mail address, an HarID account key, user name, e-mail address, personal identification code). Authentication of the user Legal obligation. A contract
Creating and managing the user’s account First name and last name, personal identification code, e-mail address, telephone number, hardware, role, subjects, study groups, the user’s educational institution and year, invitation from another user + the inviting party’s details, the duration of using the service, and the user’s IP address.
A licence in Opiq.
Account management A contract
Teaching-related data Teaching materials added by the user (file, text), answers of the exercises completed in the teaching materials, any notes and comments added to the teaching materials.
Information about the student’s performance (the students answers, automatic checking-based feedback, the teacher’s feedback provided in the form of corrections of the answers, the grade, or in another manner).
Created/changed study journals.
Information about the teaching materials worked through, the exercises and bookmarks in the teaching materials.
Provision of the contractual service A contract
The information of the author of the teaching material CMS (content management system), the first name and surname, e-mail address, position (publishing house) of the author, editor, etc. who has a contractual relationship with Opaq. Provision of the contractual service A contract
The online store and accounting Accounting data (invoices paid by private users by names, expiry dates of licences).
In the case of using the payment service, the user’s bank account number.
Accounting, contractual provision of a service, the user’s convenience. Legal obligation. A contract. legitimate interest
Online store direct marketing Sending campaign and discount offers via electronic channels for the Opiq products and services only (name, e-mail, the Opiq environment). Marketing Consent
Processing of the inquiries of users concerned with the functioning of the platform The history and content of the inquiries sent to the user support. User support A contract
Logging of the operations of users in Confluent Cloud Kafka Entries about use, e.g. browsing history, search history. The history of using interactive components. Platform development A contract
Technical logging of the operations of users in Microsoft Azure Application Insight The system’s security logs concerning logging in and the activities of users.
Entries about the use, browser information, error messages, IP address, country.
Security of the service
Functioning and development of the platform
User support
A contract
Logging of the online behaviour of users in Google Analytics Entries about the use, browser information, analytical dimensions, country. Optimising of the convenient use for the user of the platform
Contractual provision of a service
A contract

4. Access to the personal data

Access to the personal data contained in Opiq is restricted as follows:

  1. if the user of Opiq is a school via an authorised representative (such as the administrator of the school), this individual can access the following information: student names, class teacher names, subject teacher’s names, grades, e-mail addresses, and the sets of teaching materials used in the Opiq study journals of students;
  2. the teachers who use Opiq can access the following information in connection with the subject taught by them: the list of students in the journal, the e-mail addresses of the students of the school, and information about the tasks of their subject, the respective results and performances (statistical data);
  3. class teachers can access the following information in addition to the teacher’s rights related to teaching their subject: the list of all study journals related to their class (plus the works and statistical data later);
  4. the students using Opiq can access their own data, their teaching materials, the tasks send (assigned) to them, and their statistical data. students can connect their parents to their accounts;
  5. parents can access their own data, their child’s teaching materials, tasks, and results. Parents cannot mark or add teaching materials or solve tasks or submit works in the name of their child.
  6. Private users other than those listed above (such as authors, editors, etc.) can only address their own data and the teaching materials related to them.

5. Transfer of personal data

Opiq does not share your personal data with data processors or third parties without a legitimate reason. Our employees only have access to your personal data in the extent which is required for performing their duties.

We use the services of third parties to provide the Opiq service to you at the highest possible level. Those service providers have access to your personal data to ensure an appropriate service. Those service providers may not use your personal data for any other purposes or retain the data for longer than is required for appropriate provision of the service.

Who do we share the personal data with and for which purposes?

Categories of recipients Purpose of transmitting
Service providers

We cooperate with service providers who offer additional functionalities required for the functioning of the comprehensive Opiq solution. Our circle of cooperation partners also includes providers of the technical solutions required for the functioning of Opiq and the security services for those solutions.

  1. AgileWorks AS; www.agileworks.eu
  2. Microsoft Azure (Cloud Computing Platform & Services), azure.microsoft.com/en-us
  3. Koodimasin OÜ - Stuudium eSchool, stuudium.com
  4. eKool AS – eSchool, www.ekool.ee
  5. ElasticSearch, www.elastic.co
  6. SendGrid, sendgrid.com
  7. Confluent Cloud Kafka, www.confluent.io
  8. Google Analytics, analytics.google.com/analytics/web/provision/#/provision
  9. Maksekeskus AS, www.maksekeskus.ee. Maksekeskus AS as a data processor receives the personal data required for making payments in the event of a bank link or credit card being used for paying for the licence for using a teaching material. Maksekeskus AS is the data controller of the personal data processed by Maksekeskus AS to fulfil its legal obligations or satisfy its further business interests. The privacy policy of Maksekeskus AS can be found here.
Recipients of data based on the law
  1. The information is required for civil or offence proceedings (court, police, or another competent investigation authority)
  2. The Ministry of Education and Research and creators of study materials receive anonymous statistical data on the use of the teaching material, which cannot be associated with specific users by teaching materials and/or schools, based on their inquiries.
  3. Local authorities can use the OpiqStat statistical workstation of Opiq which provides generalised statistical data on the use of a specific material or by subjects, for example, and does not provider user-based statistical data.

International transfer

Some of our data processing is carried out by using cloud solutions. This means that in certain cases, some of the data may be transferred outside of the European Union. The personal data are transferred outside of the European Union in compliance with the requirements of the General Data Protection Regulation. Protection of the data at a level which is equivalent to the level guaranteed in the European Union is ensured by standard contractual clauses (SCC).

6. Ensuring of the security of the personal data

We apply technical and organisational safety measures to organise the security of all data. We ensure protection of your personal data from intentional or accidental destruction, modification, unauthorised access, or any other unlawful processing.

Opiq uses the newest cloud technologies and applies the highest security requirements. Among other things, we use access management, authentication services, data encryption, security testing, etc. Please contact Star Cloud for further description of the security measures.

7. Retention and use of personal data

The retention periods of the personal data depend on the purposes and legal grounds for processing the data. For example, we may be subject to a legal or contractual obligation to retain the data for a certain period of time. The data may also be retained based on your or our legitimate interest or your consent.

Unless this is in conflict with a mandatory retention period or unless the schools prior consent is required for deletion, we delete a user’s data immediately based on the user’s respective application.

Data Purpose of processing Retention period
The user ID, name, personal identification code/date of birth, e-mail address required for authentication Authentication of the user Upon deletion of an account
The data related to the user’s account and to the teaching Account management and contractual provision of a service Five years after deletion of the account, except specified otherwise in this table
The data which must be retained on the basis of the Accounting Act Accounting 7 years + the running financial year
The learning outcomes which enable supporting the student in continuing to acquire general education (e.g. at a university, vocational education) or in using their data which have been saved in Opiq due to having left their studies incomplete. This supports meaningful continuation of the learning journey or returning to the journey. A legitimate interest in longer retention of the learning outcomes Five years or up to receiving the user’s application for deletion
The name, e-mail address required for marketing Marketing Until the consent is withdrawn
Technical logs of the operations of users in Microsoft Azure Application Insight Security, functioning, and development of the platform, user support 1 year
Logging of the online behaviour of users in Google Analytics Optimising of the convenient use for the user of the platform
Contractual provision of a service
26 months
Logging of the operations of users in Confluent Cloud Kafka Platform development In a format which can be associated with a specific individual – 5 years of until the user submits an application for deletion
In a format which cannot be associated with a specific individual – based on the needs for developing the service, for an unspecified term

8. The person’s rights

Based on the data protection regulation, you have certain rights in connection with the processing of your personal data. Please keep in mind that you must contact the data controller of the respective data to exercise those rights.

  1. The right of access to data. You have the right to know who and how are they processing your data, which sources the data comes from, and which personal data are being processed.
  2. Transferring of data. You have the right to request issuing of the personal data collected about you in a machine-readable format for transferring to another service provider whose services you would like to use in the future, for example.
  3. The right to erasure / to be forgotten. You may request deletion of your personal data if you no longer wish to have your personal data processed and if the processor does not have a justified reason for using the data.
  4. The right to restrict processing of data/submission of objections. You always have the right to restrict or prohibit processing of your personal data under certain conditions. If there is a valid reason, you may also object to the processing of your data based on a legitimate interest.
  5. Rectification of the data. You always have the right to rectification or complementation of your personal data if the data is inaccurate and if the inaccuracy may have an effect on you.
  6. The right to withdraw the consent. If you have given consent for the processing of your personal data, you may withdraw the consent at any time.

In order to use any of the afore-mentioned rights related to the processing of your personal data, please contact us by sending an e-mail to: info@starcloud.ee.

We will respond within thirty days. If your inquiry is concerned with the personal data in respect of which we are not the data controller, we will forward your inquiry to the data controller.

9. Other important information

Newsletters and direct marketing

We are sending you newsletters and selected marketing offers if you have given us respective consent. You may withdraw your consent at any time. The link for unsubscribing from the messages is usually included in the message, but you can also withdraw your consent under the settings of Opiq if this option has been created.

Settling of disputes

If you have any questions about the processing of personal data, please contact us by sending an e-mail to: info@starcloud.ee. You may also submit a complaint to the Data Protection Inspectorate info@aki.ee.

Privacy notice