Effective Date: 1st of January, 2026
Last Updated: 19th February, 2026
1. Introduction
Ludenso AS (“Ludenso”, “we”, “us”, or “our”) is committed to protecting personal data in accordance with:
- The EU General Data Protection Regulation (EU GDPR)
- The UK GDPR and Data Protection Act 2018
- The EU AI Act (where applicable)
This Privacy Policy explains how we collect, use, process, and protect personal data when providing:
- LAIA (Ludenso AI Assistant)
- Publisher AI deployments (including CREST – Clear Revise Exam Study Tutor)
- Ludenso Studio and related services
- Our website and related digital services
Ludenso AS is a Norwegian company operating within the European Economic Area (EEA).
2. Our Role
Depending on the service context, Ludenso acts as:
- Data Controller (for website visitors, direct customers, demo requests, and account management), or
- Data Processor / Sub-Processor (for institutional and publisher deployments, where the publisher or educational institution is the Controller).
Where we act as a processor, we process personal data only on documented instructions from the Controller.
3. Categories of Personal Data We Process
We apply strict data minimisation. Personal data processed typically includes:
- Account and Authentication Data
  - Name
  - Email address
  - Organisation name
  - Username or system identifier
- Usage Data
  - Log data (IP address, timestamps, device/browser information)
  - Platform interaction data
  - Technical diagnostics
- Educational Deployments (e.g., CREST)
In school or publisher contexts, personal data is typically limited to:
- Username
- Email address
- Organisational affiliation
We do not process:
- Financial data
- Special category data (health, ethnicity, religion, etc.)
- Biometric data
- Government identification numbers
Unless explicitly agreed under a separate contractual framework.
4. Legal Basis for Processing
We process personal data under the following legal bases:
- Article 6(1)(b) GDPR – Performance of a contract (e.g., user account access)
- Article 6(1)(f) GDPR – Legitimate interests (security, service improvement)
- Article 6(1)(c) GDPR – Legal obligation
- Article 6(1)(a) GDPR – Consent, where applicable
For educational deployments, the lawful basis is typically determined by the Controller (e.g., school or publisher).
5. AI Processing and Transparency
Ludenso provides AI-powered services using a Retrieval-Augmented Generation (RAG) architecture.
AI System Characteristics:
- Source-grounded responses
- No autonomous decision-making affecting legal rights
- No automated grading or admission decisions
- No behavioural profiling
- No advertising use of personal data
Users are clearly informed when interacting with AI-generated responses.
We do not use client personal data to train external foundation AI models.
6. Children’s Data
Where our services are used in educational contexts involving minors:
- We collect only minimal account information (username/email).
- We do not perform behavioural profiling.
- We do not serve advertising.
- We do not process sensitive categories of data.
- We operate under institutional governance (school or publisher policies).
We align with:
- UK ICO Age Appropriate Design Code
- GDPR data minimisation principles
Primary safeguarding responsibilities remain with the deploying institution.
7. Data Storage and Security
We implement appropriate technical and organisational measures including:
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- Role-based access control (least privilege)
- Multi-factor authentication for administrative access
- Logical separation of customer environments
- Encrypted backups
- Audit logging
- 30-day maximum retention of operational logs
Infrastructure is hosted primarily within the EU/EEA.
8. Sub-Processors
We use carefully selected sub-processors under Data Processing Agreements (DPAs), including:
- Microsoft Ireland Operations Limited (Azure infrastructure)
- OpenAI OpCo, LLC (LLM inference – EU configured projects)
- Google Cloud EMEA Limited (Gemini / Vertex AI – EU regions)
- MongoDB, Inc. (MongoDB Atlas – EU region)
- Pinecone Systems, Inc. (Vector database – EU region)
- Vercel Inc. (Web hosting – EU region)
All sub-processors are contractually bound to GDPR-compliant safeguards, including Standard Contractual Clauses where applicable. An updated list may be provided upon request.
9. International Transfers
Where personal data is transferred outside the EEA or UK, we rely on:
- European Commission Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum (where applicable)
- Supplementary technical safeguards (encryption and access controls)
We prioritise EU/EEA data residency wherever available.
10. Data Retention
We retain personal data only as long as necessary for the purpose of processing.
Personal data is deleted when:
- A user deletes their account
- A contractual relationship ends
- The license expires
- The data is no longer required
Operational logs are retained for a maximum of 30 days unless legally required otherwise. Upon contract termination in processor contexts, personal data is deleted within 30 days unless otherwise agreed.
11. Data Subject Rights
Under GDPR and UK GDPR, individuals have the right to:
- Access their personal data
- Rectify inaccurate data
- Erase personal data (“right to be forgotten”)
- Restrict processing
- Object to processing
- Data portability
- Withdraw consent (where applicable)
Requests may be submitted via the contact details below.
Individuals also have the right to lodge a complaint with:
- The Norwegian Data Protection Authority (Datatilsynet)
- The UK Information Commissioner’s Office (ICO)
12. Data Protection by Design and by Default
Ludenso embeds privacy-by-design principles throughout system architecture, including:
- Minimal data collection
- No unnecessary profiling
- Default EU data residency
- Encryption by default
- Strict access controls
- No cross-client data sharing
AI deployments are subject to internal risk assessment prior to launch.
13. Changes to This Policy
We may update this Privacy Policy periodically.
Material changes will be communicated via our website or service notification.
14. Contact Information
Ludenso AS
Torggata 2, 0181, Oslo, Norway
Organisation Number: 921 437 609
Email: hello@ludenso.com
For data protection inquiries, please contact: hello@ludenso.com