Effective: 15 May 2025 · Version 2.1
What we collect, in plain terms: your child's nickname and school email so they can log in; what they learn and how they progress so the AI tutor can adapt; basic technical information like browser type and IP address for security; and how they use the platform so we can improve it. We do not ask students for home addresses, phone numbers, payment details, photos of themselves, or sensitive information such as health, religion, or political views — and our rules forbid students from typing such information into the platform.
Wedapt GbR Erkstraße 2, 12043 Berlin, Deutschland Vertretungsberechtigte Gesellschafter: Mohamed Abdelmetaal, Volkan Bilici Email: contact@wedapt.ai
Wedapt is a platform provided to students exclusively through their schools. The school is the data controller for student records. Where Wedapt processes personal data on behalf of a school, Wedapt acts as a data processor under Article 28 GDPR.
A Data Processing Agreement (Auftragsverarbeitungsvertrag / AVV) is executed with every school before any user account is created. The DPA covers our security measures, sub-processor list, breach notification timeline, audit rights, and data-deletion obligations. Schools may request a copy at contact@wedapt.ai.
Data Protection Officer (DPO): Given that Wedapt processes personal data of children at scale, we are evaluating whether a formal DPO appointment is required under Article 37 GDPR. Pending that determination, all data-protection queries should be directed to contact@wedapt.ai.
We may collect and process the following personal data:
We process personal data based on the following legal grounds under GDPR:
Wedapt is provided to students only through their school. Before any student under 16 can access the platform, the school obtains a signed parental or guardian consent form in accordance with Article 8 GDPR and applicable German state school law (e.g., § 64a Berlin Schulgesetz). The school is the data controller for student records and retains the consent documentation.
Parents may request to view or withdraw consent at any time through their school. Wedapt provides schools with a recommended consent-form template to ensure the consent collected includes the date of signature, identity of the parent or guardian, scope of permitted processing, and instructions on how to withdraw consent.
Users aged 16 and 17 may consent on their own behalf under German law. The school's Master Agreement governs the contractual relationship at the institutional level.
We use personal data to:
We do not sell personal data. We share it only with the sub-processors listed in Section 6 and with schools as part of the agreed service delivery.
All personal data processed through Wedapt is hosted within the European Union, primarily in data centers located in Germany (Frankfurt am Main), and is processed in accordance with GDPR and the German Federal Data Protection Act (BDSG).
We rely on the following sub-processors:
| Sub-processor | Role | Hosting location | Transfer basis |
|---|---|---|---|
| Supabase (via AWS) | Database and authentication | AWS eu-central-1, Frankfurt, Germany | GDPR adequacy / SCCs |
| Google Vertex AI | AI tutoring inference (student tutor) and Teacher Co-pilot inference | europe-west region (Belgium / Netherlands / Germany) | GDPR adequacy / SCCs |
| Langfuse | AI prompt logging and monitoring | EU-hosted instance | GDPR adequacy / SCCs |
No personal data is transferred outside the EEA in the normal course of operation.
Access to personal data is strictly limited to authorized personnel. Servers are encrypted at rest and in transit.
We retain personal data only as long as necessary for the stated purpose or as required by law:
| Data category | Retention period |
|---|---|
| Identity data (name, email) | Duration of school contract + 30 days |
| Educational and usage data | Current school year + 12 months, or until deletion request |
| Technical logs (server logs, IP) | 90 days |
| Backup snapshots | Maximum 30 days rolling |
| Teacher Co-pilot conversation threads | 24 months after last activity, or upon account deletion |
| AI-generated materials (lesson plans, worksheets, etc.) | Until manually deleted by the teacher, or upon account termination |
| Web tool usage logs (teacher AI web searches / fetches) | 90 days |
| Billing records to schools | 10 years (§ 147 AO / § 257 HGB) |
After the applicable period, data is securely deleted or irreversibly anonymized.
Wedapt uses artificial intelligence (Google Vertex AI) to generate tutoring content, feedback, and learning recommendations.
Important rule for users: Do not type personal information — such as full names, addresses, phone numbers, ID numbers, or health information — into the AI chat or any input box. The AI tutor does not need this information to help you learn. See our Terms of Use for the full rule.
Teacher Co-pilot and Student Data: When teachers use the Teacher Co-pilot, the AI assistant may retrieve student progress data (class overviews, individual topic completion rates, focus area status) at the teacher's instruction. This retrieval is scoped strictly to the teacher's own assigned classes and subjects. Student data processed in this way is sent to Google Vertex AI solely to generate the teacher's response; it is not used by Google to train AI models and is not retained by Google beyond the scope of service delivery. The teacher remains responsible for all decisions made on the basis of Co-pilot outputs — no grading or disciplinary decision is made automatically.
In accordance with the EU AI Act (progressive enforcement from August 2026), Wedapt discloses that its AI tutoring system is used in an educational context. The system is designed to support, not replace, teacher judgment. Users always have the right to request human review of any AI-generated recommendation or assessment outcome.
Under GDPR, you (or your parent/guardian if you are under 16) have the right to:
To exercise these rights, contact us at contact@wedapt.ai. We will respond within 30 days. Students and parents should also contact their school, which holds the primary data-controller role for student records.
In the event of a personal data breach affecting school users, we will notify the affected school(s) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. We will provide details of the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address it.
We use cookies to support essential functionality and, with consent, to analyze platform usage. See our Cookie Policy for the full list of cookies, their purposes, durations, and how to manage or withdraw consent.
Our platform may include links to third-party websites. This Privacy Policy applies only to Wedapt. We encourage you to review third-party privacy practices separately.
If you believe your rights under GDPR have been violated, you have the right to lodge a complaint with a supervisory authority.
Primary authority for Wedapt (Berlin-based controller): Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI) Alt-Moabit 59–61, 10555 Berlin www.datenschutz-berlin.de
Federal alternative: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) www.bfdi.bund.de
We may update this Privacy Policy periodically. All changes will be posted here with an updated effective date. Significant changes will be communicated to schools in advance via email or platform notification.
Questions? Email us at contact@wedapt.ai.