Privacy policy

Last updated: 10 Februari 2026

This Moodle Learning Management System (the “LMS”) processes personal data to provide online learning, course participation, assessments, and communication. The LMS processes account information, course enrolments, learning activity, submissions, grades, communications, and certain technical data (such as IP addresses) necessary for system operation and security. Personal data is processed to deliver education and training services, meet contractual and legal obligations, and ensure the security and performance of the platform. Data is shared only with authorised service providers under strict contractual safeguards.

Privacy Policy – Moodle Learning Management System

This privacy policy explains how personal data is collected, used, and protected when you use the Moodle Learning Management System (“LMS”) operated by Novulo Nederland B.V.

1. Data Controller

The data controller responsible for this Moodle LMS is:

Novulo Nederland B.V.
Josink Hofweg 9a
7545 PP Enschede, Netherlands
PO Box 466, 7500 AL Enschede 
administratie@novulo.com
+31 (53) 436 2340

2. Personal Data We Process

Depending on your role (learner, teacher, administrator), we may process the following categories of personal data:

  • Identification data (first and last name, username, user ID, date of birth)
  • Contact details (email address)
  • Account and authentication data (organisation, role, login credentials)
  • Course enrolments and participation records
  • Assignments, submissions, and uploaded files
  • Grades, feedback, and assessment results
  • Forum posts, messages, and other learning interactions
  • Activity logs (login times, actions performed)
  • Technical data (IP address, browser type, device information)

3. Special Categories of Data

The LMS is not intended to collect special categories of personal data (such as health, biometric, or political data). Such data is processed only where strictly necessary for educational accommodations or legal obligations and where it is voluntarily provided or otherwise lawfully permitted.

4. Purposes and Legal Bases for Processing

We process personal data for the following purposes and legal bases under the General Data Protection Regulation (GDPR):

  • Providing education and training services
    Legal basis: Performance of a contract (Article 6(1)(b) GDPR)
  • User account management and authentication
    Legal basis: Performance of a contract (Article 6(1)(b) GDPR)
  • Assessment, grading, and progress tracking
    Legal basis: Performance of a contract (Article 6(1)(b) GDPR) and Legitimate interests (Article 6(1)(f)) in delivering effective education
  • Communication within the LMS
    Legal basis: Legitimate interest (Article 6(1)(f))
  • System security, logging, and abuse prevention
    Legal basis: Legitimate interests (Article 6(1)(f)) and Legal obligation (Article 6(1)(c))
  • Compliance with legal and regulatory requirements
    Legal basis: Legal obligation (Article 6(1)(c))

Where processing is based on legitimate interests, these interests are balanced against users’ rights and freedoms.

5. Automated Decision-Making

This LMS does not use automated decision-making or profiling that produces legal or similarly significant effects for users.

6. Data Retention

Personal data is retained only for as long as necessary for the purposes described in this policy:

  • User account data: Retained while the account is active. After two (2) years of inactivity, the account is suspended. Suspended accounts and associated personal data are permanently deleted or anonymised unless retention is required for legal, contractual, or certification purposes.
  • Course participation and grades: Course enrolment records, learning activities, submissions, and grades are retained for two (2) years from the start of user inactivity, unless a longer period is required for certification, accreditation, or legal compliance.
  • System logs and technical data: Audit logs and technical data (including IP addresses) are retained for two (2) years from the start of user inactivity, unless a longer period is required for security investigations or legal obligations.
  • Backups: System backups are retained solely for disaster recovery purposes for a maximum of 60 days. Backup data is not actively processed and is not used to restore deleted user accounts except where required by law.

7. Data Sharing and Processors

Personal data is not sold to third parties. Data may be shared only with authorised data processors who provide services supporting the LMS, such as:

  • Hosting and infrastructure providers
  • Email delivery services
  • Backup and security providers
  • Approved Moodle plugins and integrations

All processors are bound by data processing agreements in accordance with Article 28 GDPR.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), appropriate safeguards are applied, such as adequacy decisions or Standard Contractual Clauses approved by the European Commission.

9. Cookies and Local Storage

The LMS uses essential cookies and local storage to support login sessions, security, and user preferences. Analytical or non-essential cookies are used only where permitted by law and, where required, with user consent.

The LMS uses the following cookies:

1. Essential session cookie (MoodleSession)
This cookie is required for basic site functionality. It maintains your login session and is deleted when you log out or close your browser.

2. Convenience cookie (MOODLEID)
This optional cookie stores your username to prefill the login form on future visits. You may disable this cookie without affecting site functionality.

10. Your Rights

Under the GDPR, you have the following rights:

  • Right of access
  • Right to rectification
  • Right to erasure (where applicable)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right to lodge a complaint with a supervisory authority

To exercise your rights, please contact privacy@novulo.com or submit a request through the LMS privacy request function. Go to your profile and find contact the privacy officer.

You also have the right to lodge a complaint with your local supervisory authority or with the authority in the country of your habitual residence or place of work.

11. Children and Minors

Where the LMS is used by children under the age of 16, personal data is processed in accordance with applicable child data protection laws. Parental or institutional consent may be required.

12. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, activity logging, and regular system updates.

13. Changes to This Policy

This privacy policy may be updated from time to time. The most current version will always be available within the Moodle LMS.