GDPR Compliance

Protecting your personal information and ensuring data privacy compliance

OVERVIEW

BigBlueButton Host (owned and operated by Bymond Private Limited, referred to as "we", "us", or "our") provides managed virtual classroom hosting for educational and commercial organizations. Our platform is optimized to enable clients and their participants to have a high-quality online learning, meeting, and webinar experience.

We take the privacy of your personal information very seriously.

Together with our Privacy Policy, this document explains the personal information we collect, why we collect it, how we use it, how we protect it, and the data residency safeguards we maintain under the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This document also outlines data subject rights, including the right of access and the right to erasure.

HOSTING FOR BIGBLUEBUTTON

BigBlueButton is a web conferencing system designed for online learning. It enables students and instructors to collaborate in real-time. This collaboration includes sharing audio, video, slides, chat, desktop screens, emojis, and responding to polls. The collaboration may also be recorded by the meeting host.

We provide managed hosting of this virtual infrastructure, which integrates with learning management systems (LMS) or portal front-ends through API credentials or plugins.

CONTROLLER & PROCESSOR BOUNDARIES

The majority of end-users access BigBlueButton through a learning management system (LMS) such as Canvas, Moodle, Sakai, WordPress LFT, or custom portals. We refer to these systems as the "Front End".

The LMS/Front End is hosted or controlled by an organization (e.g., educational institution, commercial enterprise, or school). In accordance with the GDPR, these client organizations are the Data Controllers. If you use BigBlueButton through their portal, Bymond Private Limited acts strictly as the Data Processor, handling data based on instructions from the client.

Each client organization manages its own terms of use and privacy notifications. Consent to participate in a classroom, record sessions, or publish chat statistics is established between the participant and the client organization.

COLLECTION & USE OF DATA IN MEETINGS

We process personal information when you log into BigBlueButton and when you actively share content during a live session. If a session is recorded, personal information (such as webcam footage, microphone audio, and chat strings) will appear in the recorded output.

WHAT HAPPENS WHEN YOU LOGIN?

When you log in to BigBlueButton from an external LMS/Front End, we receive a unique identifier internal to the LMS along with your full name to identify your avatar in the classroom.

We also receive metadata during the join process, which includes:

  • A return logout URL pointing back to the LMS;
  • The associated course ID or classroom context name; and
  • Your IP address, browser information, and operating system configuration.

We process this technical information to troubleshoot connection drops and prepare aggregate usage reports for the Data Controller.

WHAT CONSTITUTES MEETING DATA?

During a live meeting, you may share audio, video, whiteboard annotations, chat messages, presentation slides, screen sharing feeds, and responses to polls. We refer to this content as "Meeting Data".

The BigBlueButton client encrypts all Meeting Data in transit to the server using TLS (HTTPS/WSS) and DTLS-SRTP for real-time media streams.

WHERE DO WE STORE MEETING DATA?

Meeting Data storage depends on whether the meeting is recorded and whether the moderator marks segmentations for processing.

Case 1: Unrecorded Meetings

Meeting Data resides strictly in system memory during the live call and is completely purged from server memory after the meeting ends.

Case 2: Recorded (No processing marks)

Meeting raw recordings are stored in server temp storage for up to 14 days to compile statistics, after which they are deleted.

Case 3: Recorded & Processed Playbacks

Compressed Meeting Data is converted into a structured media package. The Customer determines the storage duration. We store the processed files in regional cloud resources.

EU Data Residency: For customers whose plan or agreement requires EU data residency, all meeting data and processed recordings are stored in infrastructure located in the European Union (Germany).

Meeting Statistics

To provide instructors with visibility into participant engagement, the system compiles classroom metrics including:

  • User Name and Role (Moderator/Viewer)
  • Count of chat messages sent, audio talking instances, emoji clicks, and hand raises
  • Responses submitted during live classroom polls
  • Cumulative session duration, join timestamps, and leave timestamps

FOR HOW LONG DO WE RETAIN DATA?

Recording retention is managed directly by the customer (Data Controller) through their dashboard or LMS commands.

If a Data Controller terminates their hosting contract with Bymond Private Limited, we delete all customer recordings, meeting metadata, and related database records within a default window of 90 days post-contract termination, unless applicable laws, audits, or DPAs require a separate retention duration.

WHAT INFORMATION DO WE RETAIN FOR SUPPORT PURPOSES?

We capture technical connection metrics (names, browser type, operating system version, join times, connectivity logs, and packet drop percentages) to resolve support tickets (e.g., diagnosing audio drops or recovering deleted recordings).

Support Processing Location: Unlike hosted classroom files, support logs, email communications, and ticketing metadata are processed globally, primarily by our engineering and technical support teams operating in India.

All support logs are subject to standard cleanup and are deleted within 90 days after a customer's contract terminates.

HOW DO WE SECURE OUR INFRASTRUCTURE?

Bymond implements baseline technical controls to secure the BigBlueButton Host platform, including:

  • Restricting server shell access to a limited group of system administrators.
  • Disabling password authentication on all hosting nodes in favor of revocable SSH keys.
  • Applying regular operating system package updates and security patches.
  • Infrastructure Penetration Testing: Only on custom Enterprise plans, we perform penetration testing on clients' request on their deployed infrastructure, with all costs sponsored by the client.

WHO IS OUR DATA PROTECTION CONTACT?

Our designated Privacy/Data Protection Contact is Pritam Nanda, CEO of Bymond Private Limited. You can contact the privacy office directly at:

privacy@bigbluebutton.host

YOUR DATA PROTECTION RIGHTS

HOW CAN YOU ACCESS OR DELETE YOUR DATA?

If you are an individual classroom participant or student, please submit your request to the Data Controller (the school or company providing your LMS portal). Because Bymond acts as a processor, we cannot independently alter or erase hosted meeting data without authorization from the client organization.

If you are an account administrator and wish to submit a data request regarding your billing profile, please email privacy@bigbluebutton.host. We will process verified account requests within 30 days.

SUBPROCESSORS & TRANSFERS

We employ third-party subprocessors for hosting, mailing, support chat, and payment gateway infrastructure.

For a detailed and updated vendor list, please review our dedicated Subprocessor Policy Page.