Privacy Policy
Last updated: 2026-02-20
This Privacy Policy explains how AEMS (“we”, “us”, “our”) collects, uses, stores, and
protects personal data when you use our website (aems.app) and our exam marking
software (the “Service”). We are committed to protecting the privacy of educators, students,
and institutional users in compliance with the EU General Data Protection Regulation (GDPR)
and other applicable data protection laws.
1. Data controller
AEMS is the data controller for data collected through this website and the Department (hosted) plan. For the Institutional (on-premises) plan, your institution is the data controller and AEMS acts as a data processor under the terms of a Data Processing Agreement.
For the Personal (desktop) plan, AEMS does not process exam content or student data. The only data we process is license validation metadata (see Section 4).
Contact: privacy@aems.app
2. What data we collect
2.1 Website visitors
- Analytics — We use Plausible Analytics, a cookieless, GDPR-compliant service. No personal identifiers, IP addresses, or cookies are stored. We collect aggregate page views, referral sources, and country-level location data.
- Contact forms — If you contact us or submit a form, we collect the information you provide (name, email, message content).
2.2 Personal plan users
- License metadata — Email address, license key identifier, activation timestamp, and application version. No exam content, student data, or grading results are transmitted.
- Optional telemetry — If you opt in, we collect anonymous usage statistics: app_started events and version_number. No file paths, student names, or grading results are included. Telemetry is off by default for users in the EU.
2.3 Department plan users
- Account data — Name, email, university affiliation, workspace name, and role.
- Exam content — PDFs uploaded for marking, marking schemes, reference solutions, and AI-generated annotations. This may include student personally identifiable information (PII) such as names and student numbers.
- Grading results — Scores, feedback text, and audit trail of human adjustments.
- Canvas LMS tokens — Encrypted API access tokens used to sync grades with your LMS.
2.4 Institutional plan
For on-premises deployments, all exam content and grading data reside within your institution’s infrastructure. We do not have access to this data. We process only license validation metadata and support ticket content.
3. How we use your data
- To provide and operate the Service (marking exams, generating annotations, syncing grades)
- To validate licenses and manage subscriptions
- To send transactional emails (license delivery, trial reminders, security notices)
- To respond to support requests
- To improve the Service based on aggregate, anonymised usage patterns
We do not use your exam content or student data to train, fine-tune, or improve AI models. Each submission is processed in isolation for the purpose of marking and discarded according to our retention schedule.
4. Legal basis for processing (GDPR)
- Contract performance (Art. 6(1)(b)) — Processing necessary to provide the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — Aggregate analytics, security monitoring, and fraud prevention.
- Consent (Art. 6(1)(a)) — Optional telemetry in the Personal plan. You may withdraw consent at any time.
5. Data storage and residency
- Department plan — All data is stored in EU data centres (Germany and Finland). Backups are stored in EU object storage, encrypted at rest.
- Personal plan — Exam data stays on your local machine. License metadata is stored in our license service (EU-hosted).
- Institutional plan — All data resides within your infrastructure, per your policies.
6. Data retention
- Exam PDFs (Department plan) — Automatically purged 30 days after upload.
- Grading results (Department plan) — Retained for 1 academic year (configurable per workspace). After expiry, data is purged and only anonymised aggregate analytics are preserved.
- Backups — Encrypted backups are retained for 90 days, then permanently deleted.
- Account data — Retained while your account is active. Deleted within 30 days of account closure.
7. Sub-processors
We use the following third-party services to operate the Department plan. A full list with effective dates is maintained in our Data Processing Agreement.
- Hetzner (Germany/Finland) — Application hosting and database
- OpenAI / Anthropic / Google (EU endpoints) — AI inference (configurable per workspace)
- Stripe (EU) — Payment processing
- Postmark / Resend — Transactional email delivery
Changes to this sub-processor list are communicated with 30-day advance notice to institutional customers with active DPAs.
8. Your rights
Under GDPR, you have the right to:
- Access — Request a copy of all personal data we hold about you.
- Rectification — Correct inaccurate personal data.
- Erasure — Request deletion of your data (“right to be forgotten”).
- Data portability — Receive your data in a machine-readable format.
- Restriction — Request that we limit processing of your data.
- Objection — Object to processing based on legitimate interest.
- Withdraw consent — Where processing is based on consent, withdraw it at any time.
Department plan users can exercise most of these rights via the in-app “Privacy & Data” settings page (export and delete workspace data). For all other requests, contact privacy@aems.app. We will respond within 30 calendar days.
9. Security
We protect your data with TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access controls, CSRF protection, and regular security reviews. See our Security page for full details.
10. Cookies
This website does not use tracking cookies. Our analytics provider (Plausible) is cookieless. If you use the hosted Service, session cookies are used for authentication. These are strictly necessary cookies and do not require consent under GDPR.
11. Children’s data
AEMS is designed for use by educators and academic institutions. We do not knowingly collect data from individuals under 16. Student exam submissions are processed on behalf of educational institutions acting as data controllers.
12. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to active account holders. The “last updated” date at the top of this page indicates when the most recent revision was published.
13. Contact
For privacy-related enquiries or to exercise your data subject rights:
privacy@aems.app
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.