Last updated: Sept 24, 2025
This Privacy Policy explains how XFocus AS ("the company", "we", "our", "us") processes personal data when providing educational platform services to schools and educational institutions. We are committed to protecting personal data in accordance with applicable laws and regulations, in particular the General Data Protection Regulation (GDPR).
XFocus is exclusively available to educational institutions. We do not offer individual accounts or direct-to-consumer services.
Educational institutions (schools, districts, or organizations) act as Data Controllers, determining the purposes and means of processing personal data for their students, teachers, and staff.
XFocus AS acts exclusively as a Data Processor, processing personal data on behalf of and under the instructions of schools for:
XFocus AS acts as Data Controller only for:
For questions about data processing, please contact:
Email: support@xfocus.no
Schools should refer to our Data Processing Agreement for detailed processor obligations and requirements.
We collect, store, and process personal data that is necessary for us to provide our services to you. You provide this data directly when registering or interacting with our applications.
As instructed by schools, we process the following categories of personal data:
This data is processed solely to provide educational services as directed by the school.
If you contact us by email or other written communication, we will process your personal data to respond to your inquiries and maintain dialogue.
Legal basis: GDPR Article 6(1)(b) (necessary for the performance of a contract) or Article 6(1)(f) (legitimate interest in handling requests and maintaining contact).
Our IT systems log activity on our websites and applications. This includes IP address, links clicked, browser information, and device data. These logs may be analyzed in cases of hacking, cyberattacks, or criminal activity.
Legal basis: GDPR Article 6(1)(f), where our legitimate interest in securing systems outweighs the privacy impact.
We are legally required to maintain accounting records for five years after the end of the financial year. Such records may contain personal data necessary for invoicing and payment. Payments are processed through Stripe.
The following table summarizes how we use your personal data:
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Account access, notifications | Contract | Active account + 30 days |
| Name | User identification | Contract | Active account + 30 days |
| School/Class data | Service delivery | Contract | Active account + 30 days |
| IP address | Security, fraud prevention | Legitimate interest | 90 days |
| Browser info | Technical support | Legitimate interest | 90 days |
| Payment data | Billing, accounting | Contract, legal obligation | 5 years |
Your data is stored on secure servers within the EEA. We use recognized technical solutions to protect your data against unauthorized access, disclosure, alteration, and destruction.
We use subcontractors for IT and administrative services. Where these subcontractors process personal data, we have entered into Data Processing Agreements requiring compliance with data protection regulations and restricting processing to what is necessary for service delivery.
For a complete list of our sub-processors and third-party services, please refer to our Data Processing Agreement. All sub-processors are bound by appropriate data protection agreements and are regularly audited for compliance.
We will not share, sell, or transfer your personal data to third parties without your consent, unless required to fulfill our agreement with you or to comply with legal obligations or court orders.
Your personal data will not be transferred outside the EU/EEA unless required by law or legal order.
Students, teachers, and other individuals whose data is processed have the following rights under GDPR:
You also have the right to file a complaint with the Norwegian Data Protection Authority (Datatilsynet) if you believe our processing violates GDPR. See: www.datatilsynet.no
To exercise these rights, individuals should first contact their school's data protection officer. Schools can contact us directly for assistance.
We keep your personal data only as long as necessary to fulfill the purposes described above or as required by law. After that, the data will be anonymized rather than deleted.
Anonymization means removing or modifying personal identifiers so that data can no longer be attributed to you. We may retain anonymized data for statistical analysis and service improvement.
XFocus AS reserves the right to update this Privacy Policy when necessary. Updated versions will be published on our website with the date of the latest revision.