Privacy Policy
Last updated: 20 March 2026
L8 Group ("we", "us") is the data controller for Zaags Schools. We are committed to protecting your personal data in compliance with the EU General Data Protection Regulation (GDPR) and Portuguese data protection law.
1. Data Controller
L8 Group
Registered in Portugal
Email: management@zaags.school
Website: zaags.school
2. Data We Collect
2.1 Account Data (provided by you)
- Registration: email address, first name, last name, password (hashed).
- Profile: phone number (international format), display name, avatar URL, bio, communication language preference.
- Role-specific: specialties, teaching levels (teachers/coordinators); starting level, current level (students).
2.2 School Data (entered by School Managers)
- School name, slug, address, city, country, tax number (VAT ID).
- Logo URL, description, contact email, Stripe Connect account ID.
2.3 Educational Data
- Enrolments, grades, exam scores, attendance records, certificates.
- Module assignments, schedule/time slots, substitute assignments.
2.4 Communication Data
- Messages sent between Users within a School.
- Notifications (system-generated).
2.5 Payment Data
- Marketplace orders: buyer ID, student ID, offer/module purchased, amounts, currency, VAT details, payment status.
- Stripe checkout session IDs and payment intent IDs.
- We do not store credit card numbers. All payment processing is handled by Stripe.
2.6 Technical Data (collected automatically)
- IP address (logged on consent, authentication, and API requests).
- User agent (browser/device information).
- Timestamps of actions (login, data changes via audit log).
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide the Platform services (scheduling, grading, attendance, etc.) | Performance of contract |
| Process marketplace payments via Stripe | Performance of contract |
| Send transactional emails (password resets, invitations, payment confirmations, substitute notifications) | Performance of contract |
| Maintain audit logs for security and compliance | Legitimate interest |
| Rate limiting and fraud prevention | Legitimate interest |
| Calculate and apply VAT on marketplace transactions | Legal obligation |
| Process GDPR data export and erasure requests | Legal obligation |
| Generate platform fee invoices for Schools | Performance of contract |
| Aggregate analytics for School dashboards | Performance of contract |
4. Email Communications
All transactional emails are sent from management@zaags.school on behalf of the relevant School, using Fluent SMTP for delivery. Emails include:
- Account emails: password set/reset links, welcome messages.
- School notifications: substitute teacher assignments, payment confirmations, enrolment confirmations.
- Platform invoices: platform fee invoices for Schools without Stripe Connect.
These are operational emails required for the functioning of the service. They are not marketing communications and cannot be opted out of while your account is active.
5. Data Sharing
We share your data only with:
- Stripe Inc. — payment processing. Stripe acts as an independent data controller. See Stripe's Privacy Policy.
- Your School(s) — Managers and Coordinators within your School can see your profile, enrolments, grades, and attendance as required for educational administration.
- Email delivery services — transactional emails are delivered via SMTP (Fluent SMTP plugin). Email content passes through the configured SMTP provider.
- EU VIES service — VAT number validation for B2B transactions (only the VAT number is sent, not personal data).
We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising.
6. Data Storage & Security
- Data is stored in a MySQL database on servers operated by our hosting provider.
- Passwords are stored using WordPress's default hashing (bcrypt via phpass).
- API authentication uses JSON Web Tokens (JWT) with configurable expiry.
- All connections use HTTPS/TLS encryption in transit.
- Access to the database is restricted to the application layer only.
- GDPR data exports are stored temporarily as encrypted JSON files and automatically deleted after download.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | As long as your account is active |
| Data after account closure | 90 days, then permanently deleted |
| Audit logs | 2 years |
| Consent records | 5 years (legal requirement) |
| Payment/invoice records | 7 years (Portuguese tax law) |
| GDPR export files | Deleted after download or 30 days |
| Email queue records | 90 days after sending |
8. Your Rights (GDPR)
As an EU resident, you have the following rights. You can exercise most of these directly within the Platform under Settings > Privacy & Data:
- Right of access — request a copy of all your personal data. Available via the "Export my data" button in the app.
- Right to rectification — update your profile, name, phone, and other details at any time via your profile page.
- Right to erasure ("right to be forgotten") — request deletion of your personal data. Available via the "Erase my data" button. Messages are anonymised (replaced with "[Deleted]"), and your profile is removed.
- Right to data portability — your exported data is provided in machine-readable JSON format.
- Right to restrict processing — contact us to restrict processing while a complaint is being investigated.
- Right to object — you may object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent (e.g., cookies), you may withdraw at any time.
How to exercise your rights: Use the in-app GDPR tools (Settings > Privacy & Data), or email management@zaags.school. We respond within 30 days as required by GDPR.
9. GDPR Data Processing
When you submit a data export or erasure request through the Platform:
- Requests are queued and processed within 24 hours by an automated system (an hourly WP-Cron job).
- Export: generates a JSON file containing your profile, enrolments, grades, attendance, messages, notifications, and consent records. A download link is emailed to you.
- Erasure: your profile data is deleted, sent/received messages are anonymised with "[Deleted]", and your school membership is removed. If you have no other school memberships, your WordPress user account is fully anonymised.
- School Managers can view and manage pending GDPR requests for their school.
10. International Transfers
Your data may be processed by Stripe (US-based) for payment purposes. Stripe complies with the EU-US Data Privacy Framework. No other international transfers occur outside the scope of our hosting infrastructure.
11. Children's Data
The Platform is designed for educational use and may contain data about minors (students). Schools are responsible for obtaining appropriate parental consent for students under 16 years old. We process children's data solely for educational purposes as instructed by the School.
12. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Portuguese data protection authority (CNPD) within 72 hours if the breach poses a risk to individuals.
- Notify affected individuals without undue delay if the breach poses a high risk to their rights.
- Document the breach internally, including its effects and remedial actions taken.
13. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered Users. The "last updated" date at the top of this page indicates when the policy was last revised.
14. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- CNPD (Comissão Nacional de Proteção de Dados) — the Portuguese data protection authority: cnpd.pt
- Or the supervisory authority in your EU member state of residence.
15. Contact
For privacy-related queries:
- Email: management@zaags.school
- Entity: L8 Group, Portugal