VivaEdu Privacy Policy

Last Updated: 21/09/2025 • Version: 1.0

Definitions

  • “Platform” means the VivaEdu oral assessment service, accessible via LMS integrations and web application.
  • “Institution” means the educational institution that licenses and uses VivaEdu.
  • “Student” means an individual enrolled at an Institution who uses VivaEdu for oral assessments.
  • “Teacher” means an individual employed or engaged by an Institution to deliver and assess coursework through VivaEdu.
  • “LMS” means Learning Management Systems such as Moodle, Canvas, or other integrated providers.

Introduction

VivaEdu Ltd ("VivaEdu", "we", "us", or "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use the VivaEdu oral assessment platform (the "Platform"). This policy applies to all users of our Platform, including students and teachers at educational institutions. VivaEdu operates primarily as a data processor on behalf of educational institutions (the data controllers). The institution remains responsible for the lawfulness of processing student data. We also act as a data controller for certain platform operations such as account management and service improvement.

Contact Information:
Jex Pearce, Chief Technology Officer
VivaEdu Ltd, 15 Ranulf Road
Email: privacy@vivaedu.co.uk

Legal Basis for Processing

We process personal data under the following legal bases:

  • Legitimate Interests (Article 6(1)(f) GDPR): For providing and improving educational assessment services. We have conducted balancing tests for our legitimate interests processing.
  • Contract Performance (Article 6(1)(b) GDPR): To fulfill our service agreements with educational institutions.
  • Consent (Article 6(1)(a) GDPR): For optional features such as camera activation and gaze tracking.
  • Legal Obligations (Article 6(1)(c) GDPR): To comply with applicable laws and regulations.
  • LMS Accounts: Where students access VivaEdu exclusively through their institution’s LMS, the institution remains the primary data controller for account data. VivaEdu processes only the minimum assessment data necessary for service delivery. For LMS-based users, VivaEdu creates internal user profiles that contain only the information provided by your LMS. We use high-privacy identifiers (opaque IDs) and system-generated emails solely for linking assessments and enabling grade passback.

Processor Activities

  • Oral assessments (recording, transcription, grading workflows).
  • Storage of assessment responses and related materials.
  • LMS data exchange (assignment metadata, grades).

Controller Activities

  • Teacher and administrator account setup.
  • Platform usage analytics (aggregated).
  • Customer support and service troubleshooting.

Data We Collect

Account Information

  • Full name; institutional email address; role (student or teacher).
  • Teacher ID (stored for authentication).
  • Student identification via LMS (passwordless, not stored).
  • Course enrollment information.
  • Teacher batch review preferences.

For LMS-only users, enrollment data is passed as opaque identifiers. We do not independently store student names or emails beyond what the LMS provides for linking and grade passback. Pseudonymised identifiers and assessment content are retained per the retention schedule.

Assessment Data

  • Audio recordings (MinIO S3).
  • Transcripts generated from audio via Whisper AI (PostgreSQL).
  • Assessment responses and submissions (text in PostgreSQL).
  • Question images and context cards (MinIO S3).
  • Timestamps and duration data (PostgreSQL).
  • Question responses and interactions (PostgreSQL).
  • We do not store video recordings.

Optional Monitoring Data (with explicit consent)

  • Camera feed (local-only, not recorded).
  • Gaze tracking data (local-only, not stored).
  • Tab-switching activity; browser focus events; excessive reload tracking.

Accessibility and Accommodation Data

  • Accommodation settings (extra time, pause/resume, typing mode, extensions, late submissions).
  • Accessibility preferences (high contrast, larger buttons, screen reader compatibility).
  • Disability-related accommodations as configured by teachers.

Academic Performance Data

  • Grades and rubric evaluations; teacher feedback and comments.
  • Assignment metadata from LMS integration; due dates and submission times.

Technical Data

  • Browser and device information; session logs; platform usage analytics.

AI-Generated Content and Deep Linking

  • Document content from LMS for AI question generation (processed temporarily; the documents are not stored after question generation completes).
  • PDFs, presentations, lecture materials (processed temporarily and deleted after processing).
  • AI-generated question suggestions (teacher-controlled).
  • Deep linking metadata from LMS platforms.
  • All demo mode data is synthetic and deleted after 2 hours.

How We Use Your Data

Core Platform Functions

  • Deliver oral assessments; record and transcribe responses with synchronized highlighting.
  • Provide accessibility accommodations; integrate with LMS via LTI 1.3.
  • Create assignments in LMS and push grades and feedback back to LMS.
  • Batch processing for reviews and exports.

For LMS users: assessment data links to your LMS profile and is returned to the LMS after processing. Educators and students initiate access via the LMS. Only educators can sign into the web app directly.

Educational Support

  • Generate performance analytics; support academic integrity measures; enable progress tracking.

Platform Improvement

  • Analyze usage patterns; troubleshoot technical issues; ensure platform security; develop new tools.

Compliance and Safety

  • Meet legal and regulatory requirements; investigate policy violations; protect against fraud.
  • Maintain audit trails for educational institutions.

Data Sharing and Disclosure

Educational Institution

  • Share assessment data with your institution as required for academic purposes.
  • Teachers have access to their students' assessment data.
  • Institutional administrators may access data for legitimate oversight.

Service Providers

  • MinIO (object storage), PostgreSQL (database), LMS providers (LTI 1.3).

AI Processing Disclosure

  • Whisper API: converts audio recordings to text transcripts. Audio is processed on OpenAI’s US-based servers and immediately deleted after transcription.
  • GPT API: assists teachers in generating question suggestions from course materials. Documents are processed temporarily and are not retained by OpenAI.
  • TTS (Text to Speech): provides accessibility support and demo content.

OpenAI does not use education data processed through our API calls to train their models. All API usage follows OpenAI’s zero retention policy for enterprise customers. Processing occurs in the United States with appropriate data transfer safeguards.

Legal Requirements

  • Court orders or legal proceedings; government or regulatory requests; protection of rights, safety, or property; investigation of suspected violations.

Consent-Based Sharing

  • Research (anonymized), institution-approved third-party integrations, and optional services.

VivaEdu processes the minimum necessary assessment data for assignment delivery and review. We use pseudonymised identifiers to link assessment data to the correct LMS user.

Data Retention

Automatic Deletion

  • Audio recordings: deleted 90 days after assignment due date.
  • Transcripts: deleted 180 days after assignment due date.
  • Inactive classes: archived and deleted after 180 days of inactivity.
  • Demo data: deleted after 2 hours.

Extended Retention

  • Grade records per institutional policy; account information while the account is active; legal holds as required.

Manual Deletion

  • Students can request deletion via privacy@vivaedu.co.uk.
  • Teachers can delete vivas and classes (with confirmation) and force re-takes.
  • Requests are processed within 30 days.
  • Archived classes are permanently deleted.

Student identifiers are pseudonymised personal data under GDPR and protected accordingly.

Your Rights Under GDPR

Right to Access
Students can view their transcribed responses and listen to their audio responses after they submit a viva. More generally, you can request a copy of your data, receive it in a machine-readable format, and export it via settings.
Right to Rectification
Students can identify and report inaccurate transcriptions in their work using the same feature. You can also correct inaccurate data, complete incomplete data, and update profile information.
Right to Erasure
Request deletion via privacy@vivaedu.co.uk. Some data may be retained for legal obligations.
Right to Restrict Processing
Limit how we use your data; suspend processing while concerns are investigated.
Right to Data Portability
Receive a ZIP export and transfer to another provider upon request.
Right to Object
Object to processing based on legitimate interests; opt out of optional features; withdraw consent for camera and gaze tracking.
Right to Withdraw Consent
Manage consent in settings. Withdrawal does not affect prior lawful processing; some features may become unavailable.
Right to Complain
Contact the ICO at ico.org.uk or 0303 123 1113.

Consent Management

  • Explicit opt-in required for camera, gaze tracking, and behavioral monitoring.
  • Consent can be granted or revoked in account settings; changes apply immediately.
  • Historical data collected with consent is retained per our retention policy.
  • Users under 13 may require institutional or parental consent as determined by their institution.

Data Security

  • Encryption in transit and at rest; secure APIs with rate limiting; regular audits and testing.
  • Organizational measures include least-privilege access, confidentiality agreements, training, incident response, and DPIAs.

Limitation of Liability

VivaEdu provides its services "as is" without warranties of any kind. We shall not be liable for any direct, indirect, incidental, special, or consequential damages arising from the use of our platform, including but not limited to technical failures, data loss, service interruptions, or AI processing inaccuracies. Our total liability shall not exceed £100 per incident. Educational institutions remain solely responsible for academic decisions and assessment outcomes.

International Transfers

Primary processing occurs in the United Kingdom, European Union, and the United States, with appropriate safeguards in place.

Cookies and Tracking

We use essential cookies for session management, security tokens, user preferences, and platform functionality.

Children's Privacy

The platform is intended for users 13 and older. Users under 18 may require institutional or parental consent as determined by their institution. We apply enhanced protections for minors’ data.

Changes to This Policy

We will notify users of material changes via email. Continued use after changes constitutes acceptance. Previous versions are available upon request.

Governing Law

This Privacy Policy is governed by the laws of England and Wales. Any disputes are subject to the exclusive jurisdiction of the courts of England and Wales. If any provision is held invalid, the remaining provisions remain in full force and effect.

Questions and Complaints

Email: jex@vivaedu.co.uk
Post: Jex Pearce, CTO, VivaEdu Ltd, 15 Ranulf Road, London NW2 2BT
Response Time: Within 30 days of receipt
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk — 0303 123 1113