Privacy Policy
Last Updated: 5/19/2025
This Privacy Policy describes how GradeIX ("we", "us", or "our") collects, uses, and shares information when your educational institution ("Institution") and its authorized users (administrators, teachers, staff - collectively "Users" or "you") use our school management and analytics platform (the "Service").
1. Information We Process on Behalf of Institutions
GradeIX primarily acts as a "data processor" under applicable privacy laws (like GDPR or similar state laws) for the personal data provided by the Institution, which acts as the "data controller". The Institution determines the purposes and means of processing personal data through the Service.
The types of personal data we process depend on how the Institution uses the Service, but typically include:
- Student Data: Name, student ID, date of birth, gender, class/grade level, stream/section, enrollment status, courses, grades, assessment scores, attendance records, contact information (if provided by the Institution), and other educational records necessary for the Service's function.
- Staff Data (Teachers, Administrators): Name, email address, assigned classes/subjects, roles/permissions within the Service, phone number (optional).
- Parent/Guardian Data (if applicable): Name, email address, relationship to student(s), phone number (optional).
- Institution Data: School name, address, contact details.
The Institution is responsible for obtaining necessary consents and providing appropriate notices for the collection and processing of this data via the Service, especially concerning student data under laws such as FERPA (US), COPPA (US), and GDPR (EU/UK).
2. Information We Collect Directly
2.1. Account Information
When an Institution signs up, we collect information about the administrator creating the account, including name, email address, and password (securely hashed). We also collect basic school details provided during signup.
2.2. Usage Data
When Users access the Service, we automatically collect technical information, such as IP address, browser type, operating system, pages visited, features used, actions taken, timestamps, and error logs. This helps us operate, secure, and improve the Service.
2.3. Cookies and Tracking Technologies
We use essential cookies (e.g., session cookies for login status, security cookies) necessary for the Service to function. We may also use analytics cookies (e.g., via plausible.io or a self-hosted solution) to understand usage patterns in an aggregated and anonymized way to improve the Service. We do not use third-party advertising cookies.
3. How We Use Information
3.1. Providing the Service
We use the information processed on behalf of Institutions solely to provide, maintain, secure, and support the Service as directed by the Institution. This includes managing accounts, processing academic data, facilitating communication (if enabled), generating reports, and providing support.
3.2. Service Improvement
We use aggregated and anonymized Usage Data and feedback to understand how the Service is used, diagnose technical issues, prevent fraud, ensure security, and improve functionality and user experience. We do not use personal data from Institutions (like student names or grades) for these analytical purposes.
3.3. Communication
We may use administrator contact information to send essential service-related notices (e.g., maintenance, security updates, billing) and respond to support requests.
4. Information Sharing and Disclosure
We do not sell personal data processed on behalf of Institutions.
- With the Institution: User data is accessible to authorized personnel within the respective Institution based on the roles and permissions they set.
- Service Providers: We use third-party service providers for essential functions like cloud hosting (e.g., AWS, Vercel, Supabase), database management, and potentially error tracking or customer support tools. These providers only access data necessary to perform their tasks for us and are contractually obligated to maintain confidentiality and security. We select providers with strong privacy and security standards.
- Legal Requirements: We may disclose information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is necessary to protect our rights, protect user safety or the safety of others, investigate fraud, or respond to a government request. We will attempt to notify the Institution of such requests unless prohibited by law.
- Business Transfers: If GradeIX is involved in a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction. We will notify Institutions of any change in ownership or uses of their data.
We do not share student personal data with third parties for marketing or advertising purposes.
5. Data Security
We implement appropriate technical and organizational measures to protect the personal data we process. This includes encryption (in transit and at rest where feasible), access controls, regular security reviews, vulnerability management, and employee training. However, no system is 100% secure, and we cannot guarantee absolute security.
6. Data Retention
We retain personal data processed on behalf of an Institution for as long as the Institution maintains an active account or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. When an Institution terminates its account, we will delete or return its data according to its instructions and our data retention policies, typically within a defined period (e.g., 90 days), unless legally required to retain it longer.
Anonymized Usage Data may be retained for longer periods for analytical purposes.
7. User Rights and Choices
Individuals (students, parents, staff) should direct requests to access, correct, amend, or delete their personal data to their respective Institution (the data controller). GradeIX will assist the Institution in responding to these requests as required by applicable law and our contractual agreements.
Users can typically manage some of their profile information through their account settings within the Service.
8. Children's Privacy
We process student data solely at the direction of the Institution. Institutions are responsible for compliance with laws like COPPA (US Children's Online Privacy Protection Act) and similar regulations globally regarding parental consent and notice before providing student data to us.
9. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify Institutions of significant changes by email (to the registered administrator) or through a notice within the Service. We encourage you to review this policy regularly.
10. Contact Us
If you (as an Institution representative or user) have questions about this Privacy Policy or our data practices, please contact us at privacy@gradeix.example.com (replace with your actual privacy contact email).
For individual data rights requests, please contact your educational institution directly.