Alexandria Logotype

Privacy Policy

Last updated: January 7, 2026

This Privacy Policy explains how Quipalup, S.L. (“Quipalup”, “Code Sherpas”, “Alexandria”, “we”) processes personal data when you use Alexandria.

1. Controller and contact

Controller: Quipalup, S.L. (Tax ID B01672674)

Address: Mossèn Amadeu Oller 38, 5-2ª, Spain

Registry: Barcelona Companies Registry (Tomo 47363, Folio 214, Sección 8, Hoja B549719)

Support: support@code-sherpas.rocks

Privacy/legal & security contact: quipalup@gmail.com

2. Who this applies to

This applies to:

  • Users who create an account and use Alexandria; and
  • Authorized Users within an organization’s workspace (a B2B environment).

If you use Alexandria through an organization, that organization may have additional internal policies (for example, regarding performance evaluations).

3. Definitions

  • Customer: the company/organization that manages a workspace.
  • User / Authorized User: an individual who uses Alexandria.
  • Account Data: data used for authentication and access management.
  • Assessment Data: performance/competency assessment data (e.g., scores/ratings, comments, private notes, results).
  • Course Data: courses, lessons, learning paths (“paths”), and content generated/configured in Alexandria.
  • Google (Drive) Data: data we access via Google APIs if you connect Drive and select files.

4. GDPR roles

4.1. In B2B workspaces

In general, the Customer acts as the Controller (it determines purposes and use, especially for performance evaluations). Quipalup acts as the Processor to the extent it processes data to provide the Service within the workspace and in accordance with the Customer’s configuration/instructions.

DPA: if a Customer requires it, a data processing agreement (DPA) may be put in place where applicable.

4.2. In individual use

Quipalup acts as the Controller.

5. What data we process

We process data depending on the features you use:

5.1. Account and access data

  • Email and name (if provided via Google/Auth0 sign-in).
  • Access-related technical events (e.g., date/time, security signals, IP address).

5.2. Workspace data (B2B)

  • Organization/workspace, roles, permissions, teams (if configured), and activity related to administration/use.

5.3. Assessment data (performance/competency/assessments)

Alexandria supports different types of assessments. We may process:

  • Participants: reviewer(s), reviewee(s) (depending on permissions).
  • Content: ratings/scores, comments, private notes, and results/reports.
  • Metadata: template, skills, scales, dates, status (draft/published/closed), and basic creation/modification traces.

Visibility: the visibility of comments/results may depend on the options defined for the assessment. For example, it may allow the reviewer to decide whether to share certain results/comments with the reviewee or with other legitimate users in accordance with the Customer organization’s rules.

5.4. Courses, lessons, and learning paths

  • Titles, descriptions, audience, course structure, lessons, learning paths (“paths”), and content generated/configured within Alexandria.
  • Visibility settings (private/public), if such an option exists.

5.5. Google Drive imports (only if you choose)

If you choose to “add a lesson from Google Drive”, we may process:

  • content extracted from the file you select (including text and, where present, images or other embedded resources); and
  • minimum necessary metadata (e.g., ID, name, type/format, modifiedTime, and other equivalent metadata strictly necessary) to link it to the course/lessons and, if sync is enabled, update it.

5.6. Technical, security, and operations data

  • Technical and security logs (e.g., errors, security events, technical telemetry), to the extent necessary to operate and protect the Service.

6. Purposes (why we use the data)

  1. Provide the Service: accounts, workspaces, roles, courses, learning paths, and assessments.
  2. Administer assessments: publish, collect inputs, generate results, and enable viewing based on permissions/configuration.
  3. Create courses/lessons from content (including optional imports from Drive).
  4. Sync Drive content (if enabled) to keep lessons up to date.
  5. Support and incident resolution.
  6. Security and abuse prevention (detecting unauthorized access, fraud, attacks).
  7. Legal compliance (e.g., tax obligations where applicable).
  8. Communications: if you subscribe or give your consent, we may send product updates/newsletters; always with an unsubscribe option.

7. Google Drive

7.1. Permission requested

To create lessons from Google Drive, Alexandria asks for permission to read only the files you select using Google’s file picker (Google Picker).

Note: Google manages the OAuth consent screen. The wording shown there may describe, in general terms, access granted to “files you use with this app.” In all cases, Alexandria only accesses the files you explicitly select.

7.2. What we do and what we do NOT do

Alexandria only uses Google Drive to read the content of the files you explicitly select. We do not request permission to access your entire Drive, and we do not use other Google services to read documents.

7.3. Sync (if enabled)

If you enable sync, Alexandria may re-access the same files you previously selected to keep the course up to date. To do so, Alexandria may retain an access authorization linked to your account, limited to those selected files.

Revocation: You can revoke access in your Google account. If you do, Alexandria will not be able to re-read or sync those files. Content already transformed inside Alexandria (lessons/course) is not automatically deleted, unless you or your organization delete it according to workspace configuration (see Retention).

7.4. Storage

  • We do not store a copy of the original Google Drive file.
  • We may store the transformed content (lessons/course) while the course exists or remains archived. This transformed content may include structured text and, where applicable, derived copies of images or other resources needed for the lesson/course.

8. Legal bases (GDPR)

Depending on the context, we process data based on:

  • Contract performance (Art. 6(1)(b)): providing the Service (courses, assessments, workspaces).
  • Consent (Art. 6(1)(a)): connecting Google Drive and enabling sync; cookies/analytics when activated; opt-in marketing communications.
  • Legitimate interests (Art. 6(1)(f)): security, abuse prevention, and technical improvements.
  • Legal obligation (Art. 6(1)(c)): where applicable (e.g., invoicing).

In B2B environments, determining the applicable legal basis in the employment context is the Customer’s responsibility (see Section 4).

9. Who we share data with (recipients)

9.1. Service providers (sub-processors)

We use providers to operate the Service:

  • Render (EU): hosting and infrastructure (including database, depending on configuration).
  • Auth0 (EU tenant): authentication/identity.
  • PostHog (AWS, EU): analytics/observability if enabled.
  • Google: OAuth and access to selected files via the Picker API, Drive API (depending on your use).

9.2. Customer administrators (B2B)

In a B2B workspace, certain data may be visible to Customer administrators depending on permissions/configuration (for example, workspace membership and, if configured by the Customer, access to assessment results or content).

9.3. Legal requirements

Where necessary, we may disclose data to comply with the law or respond to valid requests.

10. International transfers

In the current configuration, the providers listed above are configured to operate within the EU/EEA. If transfers outside the EEA become necessary in the future, we will apply appropriate safeguards under the GDPR and update this Policy.

11. Retention, archiving, and deletion

  • Assessments: retained while the workspace exists (unless deleted by an authorized Customer/user or different policies are established).
  • Courses/lessons: may remain archived as long as the Customer/user does not delete them.
  • Original Drive files: we do not store a copy in Alexandria.
  • Technical and security logs: retained for as long as necessary to operate the Service and maintain security.
  • Backups: when backups exist, deletion may take effect after purge cycles.

Transformed content stored in Alexandria (including, where applicable, derived copies of images/resources) is retained in line with the course/lesson retention described in this section.

12. Cookies and analytics

We currently do not use non-essential cookies on the website.

If we enable analytics/cookies in the future (e.g., PostHog or similar technologies), we will implement a consent banner/manager and controls to accept/reject, and we will update this Policy and/or publish a dedicated cookie notice.

13. Special-category data and best practices

We recommend that you do not upload (or include in imported documents) special-category or highly sensitive data (for example, health, biometric, political, religious data), or credentials/secrets (API keys, passwords). If your organization needs to process such data, it must do so with an appropriate legal basis and stronger controls.

14. Security

We implement reasonable technical and organizational measures to protect data against unauthorized access, loss, or alteration. If you enable Google Drive sync, we protect the credentials and authorizations required to maintain that sync using appropriate security controls (for example, access restrictions and secure storage).

15. Your rights (GDPR)

You have the right to access, rectify, delete, object, restrict processing, and data portability (where applicable), and to withdraw consent at any time.

To exercise these rights, email quipalup@gmail.com and specify your account and, if applicable, the workspace. We will respond within the applicable legal deadlines.

If you use Alexandria under a Customer, some requests may require coordination with the Customer as Controller.

You may lodge a complaint with the Spanish Data Protection Authority (AEPD).

16. Changes to this Policy

We may update this Policy due to legal or Service changes. We will publish the current version and, where reasonable, notify material changes by email and/or within the product.