Privacy Policy

Learn about what data we collect, why we collect it, and how you can access, update, export, and delete your information.

Last updated June 23, 2026

xtec.dev complies with the EU General Data Protection Regulation (GDPR / RGPD) and Spanish data-protection law (LOPDGDD). The data controller is David de Mingo (david@xtec.dev), acting in a personal capacity — not on behalf of any educational centre or of the Administration.

This policy covers three different ways you can use the site, because each one handles data differently:

Reading the public learning content — no account.
Signing in to your own account — Google, your school Moodle, or Esfera/GICAR.
The teacher grading tools — where a teacher works with their students’ grades from Esfera and Moodle.

1. Reading the public content

When you simply browse the learning material without signing in, we do not collect any personal information.

We do not:

Process personal data
Track visitor browsing activity
Run analytics or advertising scripts
Use advertising or tracking cookies
Share data with third parties

The only cookie used in this mode is a strictly functional one, lang, which remembers your chosen language (English, Català, or Español). It carries no identifier and is not used for tracking, so no cookie-consent banner is required.

2. Signing in to your account

You can sign in with Google, with your school Moodle, or with Esfera / GICAR (the Generalitat de Catalunya’s teacher identity). Signing in creates an account so we can remember who you are and what content you are entitled to read.

What we store for your account:

Your display name and email address, as provided by your sign-in provider.
A stable identifier from that provider, used to recognise you on your next visit.
For school sign-ins, the school context that the provider supplies.
The date of your last sign-in.

If you link more than one sign-in method (for example, Google plus your school Moodle), they are joined to the same single account so your entitlements follow you across devices.

Why we store it: to authenticate you, to keep you signed in, and to determine which pages you may read (some articles are reserved for signed-in accounts, students, or teachers).

Session cookie: signing in sets one secure, HttpOnly cookie (grade_auth_token) that keeps you logged in for 8 hours. It is functional, not a tracking cookie.

Passwords are never stored. Authentication is delegated entirely to your provider (Google, your school’s Moodle, or GICAR/Esfera). The server never sees your password in clear text beyond the lifetime of a single sign-in request, and never persists it.

You can review your linked sign-in methods, unlink them, or delete your account at any time from your account page, or by contacting us.

3. Teacher grading tools (Esfera & Moodle)

This is the only part of the site that handles students’ personal data, and we have deliberately built it to keep that data under the school’s control.

The grading tool is an information hub for vocational-training teachers. It has no data-entry forms for student data and captures no new personal information: it only displays and cross-references information that already exists in the two source systems, retrieved through the teacher’s own authenticated session.

Two distinct source systems

These are different systems, run by different controllers, and we treat them separately:

Moodle is operated by each educational centre (your school). It holds the courses, students, and teachers of that centre.
Esfera is operated by the Department of Education (Generalitat de Catalunya). It holds the official enrollments and academic records.

For this feature the controller of the students’ data is the educational centre (in Moodle) and, ultimately, the Department of Education (in Esfera) — exactly as it was before this tool existed. xtec.dev acts only as a tool that presents that data to the authorised teacher; it does not replace or represent those systems.

What is fetched live and not stored

When a teacher opens a grading view, the platform requests the data from Esfera and Moodle in real time and passes it straight to the teacher’s browser. The Esfera session used to fetch this data lives only for the duration of a single request. The following are never written to our database:

Names and surnames. The names shown on screen are looked up live from Moodle when needed and are not written to disk.
DNI, NIE, passport, or IdRalc (the Catalan student register number).
Email, phone, address, photograph, date of birth.
Academic marks and group/enrollment details from Esfera.
Passwords (see section 2).

What metadata is stored

So that a teacher’s work carries over between sessions — without re-entering the Moodle and Esfera references every time — we keep a minimal set of opaque references:

An internal identifier per student (an auto-incremented integer) with no meaning outside this database.
From Moodle: only the Moodle userid. It is the number needed to look up a student’s name or course live in Moodle, and it only resolves to a person from inside the centre’s own Moodle.
From Esfera: only the Esfera idMatricula (enrollment id). It is an opaque enrollment identifier assigned by the Generalitat that expires automatically at the end of the academic year.
The teacher’s own evaluation work: marks, comments, task statements, and learning-outcome (RA) results the teacher produces during their assessment activity, indexed by the opaque references above.

These references are technical pseudonyms: on their own they do not reveal which person they correspond to. They become identifying only when combined with the information held by the educational centre or the Generalitat.

Nature of the tool

The grading tool is a teacher’s personal tool for organising their own teaching work. It is in no case an official service of the educational centres or of the Department of Education. Each user uses it under their own professional responsibility, with credentials they are already authorised to use in Moodle and Esfera, and it is the user who must ensure this use is compatible with their centre’s guidelines.

Read-only toward Esfera

The tool only reads from Esfera; it never writes grades or any other information there. This limitation is intentional: automated writing into an official Generalitat de Catalunya system by a third-party tool could breach the system’s access conditions, and would shift onto this tool the technical responsibility for any erroneous entry in an academic record. The tool therefore only calculates and displays learning-outcome marks; it is the teacher who enters them into Esfera from the official screen, as the authorised actor inside the Generalitat’s system.

Legal basis

Because the grading tool collects no students’ personal data but only opaque references and the teacher’s own assessment work, the processing of this metadata relies on the legitimate interest of the teacher in organising their own teaching work (Article 6.1.f GDPR). Responsibility for the source data (student register, official grades, academic records) remains with the educational centre and, in Esfera’s case, with the Generalitat de Catalunya, governed by their own data-protection policies.

Minors

A large part of vocational-training students are minors. This tool does not collect or request any data directly from students; all the information shown (names, marks, enrollments) comes from the centre’s or the Generalitat’s systems, where the specific framework for protecting minors’ data already applies (Article 8 GDPR and Article 7 LOPDGDD). Students do not interact with this tool; only their teachers do.

Sub-processors and infrastructure

We use a small number of providers strictly to operate the service. We do not sell or rent personal data to anyone.

Provider	Purpose
Google	Sign-in (OpenID Connect) for accounts that choose it
Generalitat de Catalunya (Esfera / GICAR)	Teacher sign-in and live grading data
Your school’s Moodle	Student/teacher sign-in and live course data
Hetzner	Server hosting (EU data centres)

The server and database run on a server rented from Hetzner within the European Economic Area (Germany). Communications with your browser, with Moodle, and with Esfera are always encrypted with TLS. There is no international transfer of data outside the EEA.

Security measures

End-to-end TLS-encrypted communications (Let’s Encrypt).
Per-school data isolation: a teacher’s access is scoped to their own school’s data.
Daily backups, retained for 30 days; each school can be restored independently.
No analytics, no third-party scripts, no calls to third parties beyond the centre’s Moodle and the Generalitat’s Esfera service.
If a security breach that could affect person-linked metadata is detected, the supervisory authority and the affected centres will be notified within the deadlines of Article 33 GDPR.

Data retention

Account data is kept until you delete your account or ask us to remove it.
Sign-in sessions expire after 8 hours.
Grading metadata is kept while the teacher uses the tool for the current academic year. The Esfera idMatricula is invalidated automatically at the end of each academic year.
Encrypted server backups are taken daily and retained for 30 days; deletions propagate out of backups within the rotation window.
Student grading data (names, document numbers, grades) is not retained at all (see section 3).

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, object to, and port your personal data. Where you exercise these rights depends on who holds the data:

For the source-system data (name, NIF, official grades, academic record): with the educational centre or, in Esfera’s case, with the Generalitat de Catalunya, who are the controllers.
For your account and for the opaque references and teaching work stored by this tool: contact david@xtec.dev. The opaque references alone cannot identify a person without the information held by the centre, but they can be removed or deleted on request.

You also have the right to lodge a complaint with a supervisory authority: the Spanish Data Protection Agency (AEPD) or, for data processed by the Catalan education system, the Catalan Data Protection Authority (APDCAT, apdcat.gencat.cat).

Data protection officer

As a personal tool with no collection of students’ data, this tool has no DPO of its own. For questions relating to the source data, the applicable DPO is that of the educational centre or, for Esfera, that of the Department of Education of the Generalitat de Catalunya.

Third parties

The tool communicates only with the teacher’s centre Moodle and with the Generalitat’s Esfera service, always over TLS and always within the user’s authenticated session. No data is sent to third parties: no analytics, no advertising, no tracking service.

Changes to this policy

We may update this policy from time to time. When we do, we revise the “Last updated” date above. Significant changes affecting account holders will be communicated by email where appropriate.

For any privacy question, contact david@xtec.dev.

Privacy Policy

#1. Reading the public content

#2. Signing in to your account

#3. Teacher grading tools (Esfera & Moodle)

#Two distinct source systems

#What is fetched live and not stored

#What metadata is stored

#Nature of the tool

#Read-only toward Esfera

#Legal basis

#Minors

#Sub-processors and infrastructure

#Security measures

#Data retention

#Your rights

#Data protection officer

#Third parties

#Changes to this policy