Privacy Policy

Reactored Service Privacy Notice

Last updated: 30 June 2026

This Privacy Notice explains how Reactored processes personal data in its language-learning environment and related services.

1. Data controller

Rouhia Oy / Reactored
Business ID: 2722150-8
Address: Kimalaispolku 7, 04410 Järvenpää, Finland
Telephone: +358 40 537 0375
Email: info@reactored.com

Questions and requests concerning data protection may be sent to info@reactored.com.

2. The role of Reactored

Where Reactored is provided through a school, educational institution, municipality, employer or another organisation, that organisation generally acts as the data controller. Rouhia Oy processes personal data on behalf of and according to the instructions of that organisation.

Rouhia Oy acts as the data controller for its own customer, contact, contract, invoicing and support data.

Users accessing Reactored through an organisation should normally address requests concerning their learning and user data to that organisation first.

3. Personal data we process

Depending on how the service is used, we may process:

  • name, nickname, email address and username

  • organisation, group, course and user role

  • login and invitation identifiers

  • learning materials used and exercises completed

  • answers, results, feedback and progress information

  • content created or uploaded by the user

  • text responses generated from speech

  • language and service preferences

  • IP address, login information, browser and device information

  • customer-service and technical-support communications

  • contract and invoicing information.

Users must not enter unnecessary sensitive, confidential or third-party personal data into the service.

4. Why personal data is processed

Personal data is processed to:

  • identify users and provide login functionality

  • manage user accounts and access rights

  • provide learning materials, exercises and courses

  • store progress, answers and results

  • provide feedback and automated assessment

  • provide customer service and technical support

  • maintain service security and availability

  • investigate errors and suspected abuse

  • develop the service

  • manage contracts, subscriptions and invoicing

  • comply with legal obligations.

Depending on the circumstances, processing is based on a contract, legal obligation, legitimate interest, consent or the legal basis determined by the customer organisation.

5. Processing of spoken answers

Reactored uses the Web Speech API provided by the user’s browser to convert speech into text.

The process is as follows:

  1. the user grants the browser permission to access the microphone

  2. the browser or operating system converts speech into text

  3. Reactored receives the text response

  4. Reactored’s own assessment algorithm assesses the text according to the rules defined for the exercise.

Reactored does not receive or store the original audio recording in its own systems. Audio is not transmitted to OpenAI and is not assessed using generative AI.

The technical implementation of speech recognition depends on the user’s browser, device and operating system. The browser or operating system may process speech on the device or through its own speech-recognition service. Such processing is governed by the privacy practices of the relevant browser or operating-system provider.

Reactored does not use speech for user identification, biometric identification or voice profiling.

6. Automated assessment

Learners’ answers are assessed using Reactored’s own algorithms and predefined assessment rules.

Assessment may be based on:

  • correct answer options

  • predefined words and expressions

  • the structure of a written response

  • text generated from a spoken response

  • the scoring and assessment rules defined for the exercise.

Learners’ answers are not assessed using OpenAI or another generative AI service.

Automated results and feedback are intended to support learning and guidance. They should not be used as the sole basis for a significant decision concerning a user without human review.

7. Use of artificial intelligence

Reactored uses artificial intelligence in limited functions, such as assisting teachers in creating learning materials, exercises and dialogues.

OpenAI models are used through the Microsoft Azure OpenAI service in a service environment configured for the EU or EEA.

Learners’ audio recordings or exercise answers are not transmitted to Azure OpenAI for assessment.

Users must not enter unnecessary personal data, sensitive information or confidential material into AI-enabled functions. AI-generated content may contain errors, and teachers or other content creators must review the content before publishing it to learners.

8. Recipients of personal data

Reactored does not sell, rent or disclose users’ personal data to external parties for their own marketing, profiling or other independent purposes.

Personal data may be processed on behalf of Reactored by contracted technical service providers needed for:

  • hosting and data storage

  • authentication and login

  • delivery of email communications

  • technical support

  • AI-assisted creation of learning materials.

These providers may process personal data only to provide the agreed service and according to documented instructions.

Personal data may also be available to authorised teachers, advisers and administrators of the customer organisation according to their access rights.

Personal data may be disclosed to public authorities where required by law or a binding order.

9. Location of processing

Reactored seeks to process and store personal data within the EU or EEA or in another country recognised by the European Commission as providing an adequate level of data protection.

Microsoft Azure OpenAI is used in a service environment configured for the EU or EEA.

Where personal data exceptionally needs to be processed outside the EU or EEA, appropriate contractual and technical safeguards required by the GDPR are used.

10. Data retention

Personal data is retained only for as long as necessary to provide the service, manage the customer relationship or comply with legal obligations.

Inactive user accounts are handled as follows:

  • an account is deactivated if the user has not logged in to the service for 90 days

  • after deactivation, the user or customer organisation has a further 90 days to request restoration of the account

  • if restoration is not requested during this period, all personal data, learning data, answers, results and other user-specific data connected with the account are automatically deleted from the system

  • user-related data is therefore deleted no later than 180 days after the user last used the service.

A deactivated account may be restored during the 90-day restoration period following an appropriately verified request from the user or customer organisation.

After deletion, the user account and related data can no longer be restored to the active system.

Data may be retained for longer only where retention is required by law, a binding authority order, the establishment or defence of legal claims, or a separately agreed and lawful retention obligation with the customer organisation.

Invoicing and accounting records are retained for the period required by law.

11. Cookies

Reactored uses cookies and similar technologies that are necessary for:

  • authentication

  • maintaining the user’s session

  • service security

  • remembering user selections.

The website may also include external media or other services. Non-essential cookies are placed only in accordance with the user’s choices and applicable law.

Further information is provided in the Reactored cookie settings or a separate Cookie Notice.

12. Data security

Personal data is protected through appropriate technical and organisational measures, including:

  • encrypted network connections

  • personal user accounts

  • role-based access controls

  • separation of organisation-specific data

  • security logging

  • backups

  • restricted staff and service-provider access.

Personal data may be accessed only by persons whose duties require such access.

13. Rights of data subjects

Depending on the circumstances, a data subject may have the right to:

  • receive information about the processing of personal data

  • access their personal data

  • request correction of inaccurate information

  • request deletion of personal data

  • request restriction of processing

  • object to processing

  • withdraw consent

  • receive certain data in a portable format

  • object to direct marketing

  • lodge a complaint with a supervisory authority.

The available rights depend on the purpose and legal basis of the processing.

Requests may be sent to info@reactored.com. We may verify the identity of the person making the request before responding.

Where Reactored is used through a customer organisation, the request should normally be addressed to that organisation first.

14. Children

Reactored may be used in schools and other learning environments intended for children.

Where the service is provided through a school, municipality or another organisation, that organisation is responsible for determining the legal basis for processing and for providing the required information to users and, where necessary, their guardians.

Reactored seeks to minimise the personal data collected from children. The service may also be used with teacher-generated access codes without requiring a learner’s personal email address.

Unnecessary sensitive or confidential information concerning a child must not be stored in the service.

15. Complaints

A user who believes that their personal data has been processed in violation of data-protection law has the right to lodge a complaint with a supervisory authority.

The supervisory authority in Finland is:

Office of the Data Protection Ombudsman
PO Box 800
FI-00531 Helsinki, Finland
Email: tietosuoja@om.fi
Website: tietosuoja.fi

We recommend contacting Reactored or the customer organisation that provided access to the service first so that the matter can be investigated.

16. Changes to this Privacy Notice

We may update this Privacy Notice if the service, processing activities or applicable legislation change.

The current version will be published on the Reactored website. Significant changes may also be communicated through the service, by email or through the customer organisation.