Privacy Policy

Last updated: 24 January 2024

At Grasple, we respect your privacy and data protection rights and recognize the importance of protecting the personal data we collect and process. This Privacy Policy describes how Grasple processes your personal data and is designed to help you to understand what personal data we collect about you and how we use and share it.

    1. When we refer to Grasple, we refer to “Grasple” as a registered trade name of Grasple B.V., a company registered in the Netherlands with a registered address at Kattenburgerstraat 5, 1018JA, Amsterdam, and is registered at the Dutch Chamber of Commerce under number 66873843 ("Grasple", "we", "us", "our").
    2. This Privacy Policy applies to you if you:
      • interact with any of Grasple’s websites (including or our social media pages (collectively, the "Sites") ("website users");
      • use Grasple's applications and services (collectively, the "Grasple’s Services") ("users”, and/or “customers");
      • are an interested prospect, who is anyone whose data Grasple processes for the purposes of assessing user or customer eligibility ("marketing prospect");
      • receive marketing communications from Grasple;
      • interact with our job websites (including (“job applicants”).
    3. In case that you use Grasple based on an invitation or instruction by a third party organization (ie: your university, school or employer), then your organization will determine how your data are processed and act as Controller and Grasple will act as Processor.

    For questions about your privacy you can email 
    1.  This privacy statement gives information about the processing of personal data of users of Grasple.
    2. For users and customers of Grasple, we process the following personal data:

Category of Data


First and last name


Email address


SurfConext ID

The Respondent's intention is to connect to SurfConext. In the event that the Respondent deviates from this and asks students to create an account, we will also process passwords.

If paired with SURFConext:

uid (link to SURFConext explanation)

Needed for access to courses in Grasple and when linking LTI (1.3) and SURFConext



Learning and usage data

Including but not limited to: finished

exercises, date, time, practice time, practice

results, usage of components in the program,

opening and clicking behaviour in emails.

Optional: student number


If the service is used for summative testing:

Summative test results

Results which are used for a grade or review.


    1. In case you are a (potential) contact for or instructor at your organization, marketing prospect or job applicant, we may also ask you for your (mobile) phone number, but you can choose not to provide it.
    2. Aggregated non-personally identifiable Data. Notwithstanding anything to the contrary herein, Customer agrees that Grasple may obtain and aggregate technical and other data about Customer's use of the Services that is non-personally identifiable with respect to Customer ("Aggregated non-personally identifiable Data"), and Grasple may use the Aggregated non-personally identifiable Data to analyze, improve, support and operate the Services and otherwise for any business purpose during and after the term of this Agreement, including without limitation to generate industry benchmark or best practice guidance, recommendations or similar reports for distribution to and consumption by Customer.
    1. For students, instructors, learners and creators:
      • Invite, make and provide access to personal accounts
      • Online learning and practicing
      • Test and grade
      • To provide the student with information about and insight in his/her own learning process
      • To provide teachers with information about and insight in the learning process of students
      • Making and sharing of learning materials by users
      • Insights into individual activity, progress, and knowledge to show to teachers, and users (students) themselves
      • Personal advice about progress and mastery through algorithms, data and through teachers
      • data and through teachers
      • Offering adaptive advice and learning paths to students through algorithms
      • Automatically checked exercises through algorithms
      • Facilitating support through chat app and email in platform
      • Sharing of experiences (provided that user gives written permission)
      • Gathering feedback to improve the product
      • Improvement of the product
      • Back-up of data

      In order to be able to process your personal data, the processing has to comply with one of the legal bases described in the AVG/GDPR. For the purposes above, the legal basis is the fulfillment of a contractual agreement. In case you do not provide us with certain personal data, we cannot offer you the service that you or your organization has requested from us. Without your personal data Grasple cannot operate.

    2. For potential users or customers:
      • Sending marketing communications: We process your personal data to send you marketing communications via email, post, phone or chat/sms about our products, services and upcoming events that might interest you in reliance on our legitimate interests or where we seek your consent.

      For this purpose the legal basis is, dependent on the specific situation, either fulfilment of a contractual agreement, user consent or in some cases legitimate interest.

    3. For job applicants:
      • Identify, screen and interview applicants for positions in our team

      For this purpose the legal basis is user consent. 
    1. There are two ways in which Grasple uses cookies. Firstly, for our application website we use cookies to provide our services. Secondly, for our marketing website we use cookies to analyze user behavior in order to function and to improve your experience. By using and navigating and our other Sites, you agree that we store this data. 
    1. We will never sell your personal data to third parties.
    2. We do share your personal data with third parties in order to provide you the service. We refer to these parties as (sub) Processors. In these cases, we retain control over the processing and we conclude a written processing agreement with these processors, called a Data Processing Agreement (DPA). In the DPA we make agreements about, among other things, the objective, the duration and the scope of the processing, the retention periods and the security measures taken to protect the personal data.
    3. We may ask you to share your data with research groups for research purposes. In that case, we will ask you or your organization for consent. 
    1. Grasple processes most of your data within the European Union (“EU”). This means that the servers where we save your personal data are located within the EU. In some cases, we do work with processors that process your data or have ties to (parent) companies outside of the European Economic Area (EEA), for example the United States. In that case, we follow the European Data Protection Board (EDPB) recommendations and conclude a DPA based on the Standard Contractual Clauses (SCCs) and supplementary measures, such that your personal data is considered as safe and secure as if it were processed within the EEA. 
    1. You have the right to view your personal data, have it corrected, deleted or restricted. You can also under certain circumstances object or request a transfer of your personal data. To make a request to us in this context, you can contact us via In these cases, we may ask you to identify yourself.
    2. In case a third party is the Controller (for example your university or school), then we will relay your request to them, and we will comply with their instructions.
    3. Your privacy rights:
      1. View or Correct: in case you want to know if we are processing your personal data or if you want to change your personal data, you can contact us via
      2. Delete: the AVG/GDPR offers, under certain circumstances, the possibility to have personal data deleted. We or your Organization will assess whether such a request can be executed. In some cases we do have to retain your personal data, for example due to a legal requirement or for the operation of Grasple.
      3. Restrict: you can contact us with a request to limit the processing of your personal data if you think that your personal data is incorrect, the processing is unlawful, you need it for a legal action or if you have objected to the processing thereof.
      4. Object: if we process your personal data on the basis of a legitimate interest, you may object to further use of your personal data under specific circumstances.
    1. We have taken fitting technical and organizational measures to prevent the loss of personal data or unlawful processing. For example, your personal data can only be accessed by employees who are authorized to do so on the basis of their position.
    1. We will store your personal data for as long as necessary for the objectives for which we use your personal data.
    2. Content that you post may remain on the Sites even if you cease using the Sites or we terminate access to the Sites.
    1. Our Services and Sites are not intended for use by anyone under the age of 16. If you are under 16, you may not attempt to register for our Services or send any information about yourself to us, including your name, address, telephone number, or email address. If we become aware that we have collected personal information from someone under the age of 16 without verification of parental consent, we will delete that information promptly. If you are a parent or legal guardian of a child under 16 and believe that a child has provided us with their personal information, please contact us at the email or mailing address provided at the end of this Privacy Policy.
    1. We may amend this Privacy Policy from time to time in response to changing legal, technical or business developments. When we update it, we will take appropriate measures to inform you, consistent with the significance of the changes we make. If we make material updates to this Privacy Policy we will update the effective date at the top of the Privacy Policy.
    1. If you have any questions about how we process your personal data, you can contact us via We are happy to help you.
    2. If you do not agree with our processing and/or course of action, you can submit a complaint to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The Dutch Data Protection Authority will handle the complaint or the request and will decide a course of action.
Questions and feedback
Regarding questions or feedback related to our privacy policy, you can contact us: