Privacy Policy

Last updated: November 17, 2025

Data Protection Commitment

PeerCards is designed with privacy and data protection at its core. We process all personal data in full compliance with the GDPR and applicable privacy laws, ensuring the highest standards of protection, confidentiality, and security. We adopt a minimal data processing approach and continually work to ensure that students and teachers can use the platform safely, transparently, and responsibly.

However, to guarantee maximum safety when using PeerCards, please keep in mind the following important notice:

Important Notice: Do not insert personal data into any content submitted to PeerCards, including AI prompts, questions, answers, comments, uploaded materials, or any text written by teachers or students.

1. Data Controller

The Data Controller responsible for the processing of personal data carried out by PeerCards is:

Ivan Molineris
Via Accademia Albertina 13
10123 Torino – Italy
Email: ivan.molineris@unito.it
Phone: +39 380 3424730

Although PeerCards is used in academic contexts, it is operated as an independent software project, and personal data is processed under the responsibility of the above individual.

2. Data Protection Officer (DPO)

The Data Protection Officer (appointed voluntarily under Articles 37–39 GDPR) is:

Ivan Molineris
Via Accademia Albertina 13
10123 Torino – Italy
Email: ivan.molineris@unito.it
Phone: +39 380 3424730

You may contact the DPO for any privacy-related request or to exercise your rights under GDPR.

3. Categories of Personal Data Processed

When you use PeerCards, we may process:

3.1. Account and Identity Data

  • Name and surname
  • Email address (institutional or personal)
  • Optional affiliation
  • Authentication identifiers (only those necessary for login)

3.2. Educational Content and Interaction Data

  • Questions, answers, comments, PeerCards created or revised
  • Group participation, assignments, peer reviews
  • Texts or files voluntarily uploaded by the user
  • Self-evaluations and peer evaluations (if used)

3.3. Technical and Log Data

  • IP address (short-term, for security)
  • Browser and operating system information
  • Session identifiers
  • Server logs (error and access logs)

This data is essential for providing the service securely and reliably.

4. Cookies

PeerCards uses only technical cookies, strictly necessary for:

  • Login sessions
  • Security (e.g., CSRF tokens)
  • Basic platform functionality

PeerCards does not use:

  • Analytics cookies
  • Profiling cookies
  • Third-party tracking cookies
  • Cookies for advertising

Because only technical cookies are used, no cookie banner is required under GDPR and ePrivacy rules.

5. Purposes and Legal Bases of Processing

Personal data is processed exclusively for the following purposes:

5.1. Provision of the Service

  • User authentication
  • Platform functionalities (assignments, groups, collaborative activities)
  • Storage and display of content created by users

Legal basis: Art. 6(1)(b) GDPR – processing necessary to provide the service.

5.2. Educational and Didactic Activities

PeerCards supports collaborative learning and academic workflows.

Legal basis: Art. 6(1)(b) GDPR – service performance, or Art. 6(1)(f) – legitimate interest in supporting educational activities.

5.3. AI-Assisted Features

PeerCards may use AI systems to:

  • Generate suggestions, variations, or explanations
  • Support collaborative reasoning
  • Offer formative guidance

Only the minimal text necessary to generate a meaningful output is sent to AI models (if external). Identity data is never transmitted intentionally. Providers do not use the data for training unless explicitly stated.

Legal basis: Art. 6(1)(b) GDPR.

5.4. Security and Abuse Prevention

  • Server logs
  • Intrusion detection
  • Debugging and reliability checks

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in securing the platform.

6. Data Retention

Data is retained only for the time strictly necessary:

  • Account data → until the user requests deletion
  • Didactic content → for the academic term or project duration
  • Technical logs → 30 to 180 days
  • AI prompts → retained only locally; external providers do not store them (if configured)

Data may be anonymized for research or statistical analysis.

7. Data Sharing

Your personal data is never sold.

It may be shared only with:

  • Technical service providers (hosting, email delivery, AI processors)
  • Collaborators or teaching staff involved in specific courses (if applicable)

All processors operate under legally compliant Data Processing Agreements (DPAs).

8. International Data Transfers

PeerCards uses two categories of services that may involve international data transfers:

8.1. OVH (Hosting Provider – France/EU)

The Platform is hosted on a Virtual Private Server (VPS) provided by OVH, whose primary infrastructure for this service is located in France, within the European Economic Area (EEA).

  • All platform data (accounts, content, logs) is stored and processed exclusively within the EU.
  • No data hosted on OVH leaves the EU.
  • OVH acts as a Data Processor under a GDPR-compliant Data Processing Agreement.

➡️ No international data transfer occurs for hosting.

8.2. OpenAI (AI Provider – Potential Transfers Outside the EU)

When users interact with AI-assisted features, minimal text data (e.g., a question or short content excerpt) may be transmitted to OpenAI for the purpose of generating responses.

PeerCards uses OpenAI's API under the following conditions:

  • Data is processed by OpenAI only to provide the requested AI output.
  • OpenAI does not use data submitted via API to train its models or improve services.
  • OpenAI may process data in the United States or other locations depending on operational needs.

Because OpenAI operates outside the EU/EEA, transfers rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, and
  • Additional technical and organizational measures implemented by OpenAI.

➡️ This constitutes an international transfer under GDPR, but only for AI-related interactions.

Users should avoid including personal or sensitive information in AI prompts as well as in any other data transmitted to PeerCards.

9. User Rights

Users may exercise the following rights under GDPR:

  • Access to their personal data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Portability
  • Objection to processing based on legitimate interests
  • No automated decision-making

Requests may be sent to support@peercards.org.

10. Security Measures

We implement appropriate technical and organizational measures, including:

  • TLS encryption (HTTPS)
  • Hashing of passwords
  • Access control and role-based permissions
  • Regular security updates
  • Secure backups

Despite these measures, no internet-based service can guarantee absolute security.

11. Minors

PeerCards is not intended for unsupervised use by minors. If PeerCards is used in schools, accounts are created or supervised by the institution.

12. Changes to This Policy

This Privacy Policy may be updated to reflect improvements or regulatory changes. Users will be informed of significant changes through the Platform.