Privacy Policy
Last updated: 9 July 2026
This Privacy Policy explains how Solebo Ltd (Reg. No. HE 433661, Kyrenias 130, 2113 Nicosia, Cyprus — “we”, “us”) handles personal data in connection with GIScases (giscases.com, the “Service”). We have designed GIScases to collect as little personal data as possible, and in particular to avoid collecting data directly from children.
1. Our role: controller and processor
Our role depends on whose data is involved:
- Teacher / account data — we are the data controller. We decide how teacher account and billing data are handled to run the Service. (In parts of the app a teacher is also called a “creator”; the terms mean the same account holder.)
- Student data (names, emails, and answers that a teacher enters or collects through the Service) — the teacher and their school are the data controller, and we act as a data processor that stores and processes that data only to provide the Service on their instructions. Schools may request a data processing agreement (DPA).
2. What we collect
| Who | What | Why |
|---|---|---|
| Teachers | Sign-in identity (e.g. work email via Microsoft/Cloudflare Access), account and plan status, and payment metadata processed by our card processor (we never see or store full card numbers). | To create your account, provide paid features, and issue invoices/receipts. |
| Students | Name and email address, entered by the teacher to deliver a task link; the answer submitted (the map geometry/analysis) and basic task metadata (submission time, computed score). No passwords, no accounts, no data collected directly from the child. | To deliver the assigned exercise and return the answer to the teacher for review. |
| All visitors | Privacy-preserving usage analytics: page views and time on page, a coarse location (country/approximate city inferred from IP), and a random local identifier. IP addresses and access tokens are stored only in hashed form; we do not keep raw IP addresses in our analytics. | To understand overall usage and keep the Service reliable and secure. |
We do not ask for, and ask that you do not submit, any sensitive personal data (such as data about health, religion, or ethnicity) about students beyond the name and email needed to deliver a task.
3. Students and children’s data
GIScases is a tool for teachers. It has no student sign-up, no student login, and no direct interaction that would ask a child to provide personal data to us. A student simply opens a unique link and submits an answer, which is returned to their teacher.
The exercises are recommended for learners aged 12 and over only because of their conceptual difficulty, not because of their content. The Service does not present sensitive, mature, or otherwise age-inappropriate material to students.
Where a teacher assigns work to students who are minors, the teacher and their school are responsible, as controller, for having the appropriate legal basis — including any notice, consent, or authorisation required under the GDPR, local education law, and child-protection rules — before entering a student’s name and email or sending a task. We process that limited data only on the school’s behalf and only to run the Service. A teacher can delete a student’s data — or an entire task or class — from the system at any time, and it is not retained after deletion. If you are a parent or school and want a student’s data corrected or deleted, please contact the teacher who assigned the task, or contact us and we will assist the school in fulfilling the request.
4. How and why we use data
- To provide, maintain, and secure the Service and deliver assigned exercises and answers.
- To operate paid plans, process payments, and send invoices/receipts and service messages.
- To respond to enquiries (for example, Corporate Pro quote requests) and provide support.
- To monitor performance, prevent abuse, and improve the Service using aggregated, privacy-preserving analytics.
- To comply with legal obligations.
We do not sell personal data, we do not serve advertising, and we do not use student data to build profiles or for any purpose other than delivering the Service to the school.
5. Legal bases (GDPR)
- Performance of a contract — to provide the Service to teachers and process paid plans.
- Legitimate interests — to keep the Service secure and reliable and to understand aggregate usage, balanced against your rights.
- Legal obligation — for accounting, tax, and compliance.
- Consent / school authorisation — for student data, the school/teacher provides the legal basis as controller.
6. Sharing & sub-processors
We do not sell your data. We share data only with service providers that help us run GIScases, under contractual confidentiality and data-protection obligations:
- Cloudflare — hosting, database, content delivery, and sign-in/access management.
- Payment processor — to take card payments for Individual Pro (card details go directly to the processor; we receive only status and metadata).
- Email delivery provider — to send transactional messages such as quote confirmations.
- Identity provider (e.g. Microsoft) — to authenticate teacher sign-in.
- Map & imagery providers (Esri, OpenStreetMap) — map tiles are served through our own cache, and we do not share your identity with them.
We may also disclose data if required by law or to protect our rights, users, or the Service.
7. Cookies & local storage
We use only what is needed to run the Service: an essential authentication cookie for signed-in teachers, and a small random identifier stored in your browser’s local storage for privacy-preserving usage counting and to remember preferences (such as your chosen units or map view). We do not use third-party advertising or cross-site tracking cookies.
8. Retention
We keep data only as long as needed for the purposes above:
- Teacher account and task data — while your account is active and for a reasonable period afterwards, unless you ask us to delete it sooner.
- Student names, emails, and answers — retained only as part of the teacher’s tasks. The teacher can delete a student’s data (or an entire task or class) from the system at any time; once deleted, it is not retained. Student data is also removed when the teacher closes their account.
- Billing records — retained as required by tax and accounting law.
- Analytics — kept in aggregated/hashed form for a limited period.
9. Security
We use industry-standard measures to protect data, including encryption in transit, access controls, and storing identifiers such as IP addresses and access tokens in hashed form. No system is perfectly secure, but we work to protect your data and to limit what we collect in the first place.
10. International transfers
We are based in the EU (Cyprus). Some of our providers may process data outside the European Economic Area. Where they do, appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) are used to protect your data.
11. Your rights
Subject to applicable law (including the GDPR), you have the right to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. To exercise these rights for teacher/account data, contact us at the address below. For student data, the school/teacher is the controller, so please direct requests to them; we will support them in responding. You also have the right to lodge a complaint with your local data-protection authority (in Cyprus, the Office of the Commissioner for Personal Data Protection).
12. Changes
We may update this Policy from time to time. We will change the “Last updated” date and, for material changes, provide notice where appropriate. Continued use of the Service after changes take effect means you accept the updated Policy.
13. Contact
Solebo Ltd — Kyrenias 130, 2113 Nicosia, Cyprus. Reg. No. HE 433661 · VAT CY10433661P.
Privacy enquiries and data requests: [email protected].
