Student Data Privacy

Last Updated: January 28, 2026

GradeWithAI is committed to protecting the privacy and security of student data. This document outlines our compliance with federal and state student privacy laws, our data governance practices, and the privacy controls we have implemented to protect student information.

Compliance: FERPA, COPPA, SOPIPA, and applicable state student privacy laws.

Overview

GradeWithAI provides AI-powered grading assistance to teachers and educational institutions. We understand the critical importance of protecting student data and have built our platform with privacy and security at its core. We operate as a "school official" under FERPA when schools use our service, meaning we are bound by the same privacy requirements as the school itself.

FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. GradeWithAI fully complies with FERPA requirements.

Our FERPA Commitments

  • School Official Exception: GradeWithAI operates under the "school official" exception to FERPA (34 CFR 99.31(a)(1)), performing services that the school would otherwise perform itself. We are under the direct control of the school regarding the use and maintenance of education records.
  • Legitimate Educational Interest: We access student data only when there is a legitimate educational interest, and we access only the minimum data necessary to provide our grading services.
  • No Re-disclosure: We do not disclose personally identifiable information from education records to third parties without proper authorization, except as permitted under FERPA.
  • Data Security: We maintain reasonable security measures to protect student education records from unauthorized access, destruction, use, modification, or disclosure.
  • Annual Notification Support: We support schools' obligation to notify parents annually of their FERPA rights.

Education Records We Process

When teachers use GradeWithAI, the following student information may be processed:

  • Student names (as provided through LMS integrations)
  • Assignment submissions (essays, test answers, homework responses)
  • Grades and feedback generated by our AI
  • Course and class information

What We Do NOT Collect

  • Social Security numbers
  • Financial information
  • Medical or health records
  • Disciplinary records
  • Biometric data (facial recognition, fingerprints, voice prints)
  • Geolocation data of students
  • Student or parent contact information for marketing

COPPA Compliance

The Children's Online Privacy Protection Act (COPPA) requires parental consent before collecting personal information from children under 13. GradeWithAI complies with COPPA, including the 2025 amendments effective April 2026.

Our COPPA Commitments

  • School Consent: In the K-12 educational context, we rely on schools to provide consent on behalf of parents for the collection of student information, as permitted by the FTC's guidance on COPPA compliance in schools. This consent is limited to educational purposes only.
  • Limited Collection: We collect only the information necessary to provide our educational grading services.
  • No Targeted Advertising: We do not use student data for targeted advertising or create advertising profiles based on student information.
  • No Selling of Data: We never sell, rent, or trade student personal information to any third party.
  • Parental Rights: Parents have the right to review their child's information, request deletion, and refuse further collection. Schools can facilitate these requests on behalf of parents.
  • Data Retention Limits: We retain student data only as long as necessary to fulfill educational purposes, and delete it upon school request or when the educational relationship ends.

SOPIPA Compliance (California)

The Student Online Personal Information Protection Act (SOPIPA) is a California law that has been adopted by many states. GradeWithAI complies with SOPIPA and similar state laws.

Our SOPIPA Commitments

  • No Targeted Advertising: We do not use student information to target advertising to students.
  • No Profiling: We do not create profiles of students for non-educational purposes.
  • No Selling of Information: We do not sell student information or disclose it for commercial purposes.
  • Security: We implement and maintain reasonable security procedures to protect student information.
  • Deletion: We delete student information within a reasonable time after a school or district requests deletion, or when the information is no longer needed for educational purposes.
  • Transparency: We are transparent about our data practices and make this information publicly available.

Data Governance

Data Ownership

Schools and districts retain ownership of all student data. We act as a data processor on behalf of the school. Schools can request export or deletion of their data at any time.

Data Access Controls

  • Only authenticated teachers can access their own students' data
  • Role-based access controls limit data visibility
  • Administrators cannot access student submission content without explicit school authorization
  • All data access is logged and auditable

Data Retention

  • Student submissions are retained only while needed to provide the grading service
  • Schools can configure their own retention policies
  • Upon account deletion or contract termination, all associated student data is deleted within 30 days
  • Schools can request immediate deletion at any time

Data Deletion

Schools and teachers can request data deletion through:

  • Email request to john@gradewithai.com
  • Account settings (for teachers deleting their own data)
  • Formal written request from authorized school personnel

Upon receiving a valid deletion request, we will delete the specified data within 30 days and provide confirmation of deletion.

Third-Party Service Providers

We use select third-party service providers to operate our platform. All providers are contractually bound to:

  • Process data only as instructed by us
  • Maintain appropriate security measures
  • Not use data for their own purposes
  • Delete data upon termination of services

Our Key Providers

  • Supabase: Database hosting (data stored in US)
  • Vercel: Application hosting (data processed in US)
  • OpenAI/Anthropic/Google: AI processing (data not retained for training per our agreements)

We do not share student data with any other third parties for marketing, advertising, or other commercial purposes.

Security Measures

We implement comprehensive security measures to protect student data. For detailed information, please see our Security Practices page.

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Employee background checks and security training
  • Incident response procedures
  • Access logging and monitoring

Breach Notification

In the event of a data breach affecting student information, we will:

  • Notify affected schools within 72 hours of discovering the breach
  • Provide details about the nature of the breach and data affected
  • Cooperate with schools to notify parents as required by law
  • Take immediate steps to mitigate the breach and prevent recurrence

District Agreements

We offer formal Data Processing Agreements (DPAs) for schools and districts. Our DPA is based on the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement (NDPA) template and can be customized to meet specific state requirements.

To request a DPA or discuss enterprise deployment, please contact us at john@gradewithai.com.

View our standard Data Processing Agreement.

Parental Rights

Parents have the right to:

  • Review their child's education records processed by GradeWithAI through their school
  • Request correction of inaccurate information through their school
  • Request deletion of their child's data through their school
  • Opt their child out of using GradeWithAI (schools may provide alternative grading methods)

To exercise these rights, parents should contact their child's school directly. Schools can then work with us to fulfill these requests.

State-Specific Compliance

In addition to federal laws, we comply with state-specific student privacy laws, including but not limited to:

  • California - SOPIPA, California Consumer Privacy Act (CCPA)
  • New York - Education Law 2-d
  • Colorado - Student Data Transparency and Security Act
  • Connecticut - Student Data Privacy Act
  • And student privacy laws in all other applicable states

For state-specific compliance documentation, contact us at john@gradewithai.com.

Changes to This Policy

We may update this Student Data Privacy documentation from time to time. We will notify schools of material changes via email and post the updated policy on this page with a new "Last Updated" date.

Contact

For questions about student data privacy, FERPA/COPPA compliance, or to request a Data Processing Agreement, email john@gradewithai.com.