Back to Trust CenterDownload PDF

StandUp Privacy Policy

Last updated: 2026-04-05

StandUp Privacy Policy

Last updated: 2026-04-05 Effective date: 2026-04-05

This Privacy Policy explains what data StandUp collects, how we use it, who can access it, and what rights you have. It is written in plain English because IT admins, teachers, parents, and students should all be able to read it without a lawyer.

If you are a school IT administrator evaluating StandUp, please also read our School Privacy Addendum, which addresses school-specific concerns (no data selling, no ads, retention, breach notification, sub-processors, opt-outs).

1. What Data We Collect

We collect only what is necessary to run StandUp as an educational service.

1.1 Account Information

  • Name (teacher or student display name)
  • Email address (for sign-in and password reset)
  • Role (teacher, student, school admin)
  • School / class association
  • Authentication provider identifiers (Google OAuth sub, Supabase user ID)
  • Optional profile photo

1.2 Classroom Content (Teacher-Provided)

  • Lesson materials uploaded by teachers (PDFs, slide decks, documents, images, audio/video)
  • Lesson recaps, summaries, and teacher notes
  • Class rosters created or imported by teachers
  • Assignment prompts and rubrics

1.3 Student-Generated Content

  • Questions posted to the Q&A board (posted anonymously to peers, but linked to the student account internally for moderation and safety)
  • AI Tutor chat transcripts
  • Quiz answers and results
  • Practice Mode answers
  • Voice transcripts from Live Voice Tutor sessions (text only; audio is not retained after transcription)
  • Study session participation records

1.4 Usage Telemetry

  • Page views, button clicks, and feature usage counts (aggregated where possible)
  • Device type, browser, and operating system
  • Approximate geographic region (derived from IP, not precise location)
  • Error and crash logs

1.5 What We Do NOT Collect

  • We do not collect precise location (GPS).
  • We do not collect contacts, photos, microphone audio outside an active Live Tutor session, or camera feeds.
  • We do not buy or ingest data from data brokers.
  • We do not build advertising profiles.

2. How We Collect It

  • Directly from you: when you sign up, create a class, upload a lesson, post a question, or chat with the AI Tutor.
  • From your school: when a school admin provisions accounts or syncs a roster.
  • Automatically: usage telemetry is recorded as you interact with the product.
  • From authentication providers: if you sign in with Google, Google provides your name, email, and profile photo.

We do not use tracking pixels from advertising networks. We do not share data with social media platforms.

3. How We Use It

StandUp uses your data only to operate the educational service.

Specifically, we use data to:

  • Authenticate you and keep your account secure
  • Deliver teacher-created lesson content to the correct students
  • Generate AI-powered quizzes, tutoring responses, and lesson recaps
  • Moderate Q&A posts for safety (every post passes through automated moderation before going live)
  • Show teachers class-level analytics so they can see where students are struggling
  • Notify you about account events (password reset, class invitations)
  • Debug errors and improve reliability

What we will never do with your data:

  • We do not sell your data. Not now, not ever. This is a contractual commitment to every school.
  • We do not run advertising. StandUp has no ads and no ad partners.
  • We do not use student data to train AI models. Student content is not used to fine-tune or retrain Anthropic's, OpenAI's, or our own models. See Section 8 for how we work with AI sub-processors.
  • We do not share data with marketing partners. We have none.
  • We do not use student data for any commercial purpose beyond running the educational service the school has authorized.

4. Where We Store It

  • Primary database: Supabase (PostgreSQL), hosted in the United States (US region).
  • File storage: Supabase Storage, US region, encrypted at rest with AES-256.
  • Application hosting: Vercel (edge network). Application code runs on Vercel's US infrastructure; static assets may be cached at edge locations globally, but student data itself is not stored at edge nodes.
  • Backups: Supabase-managed encrypted backups, US region, retained per Supabase's standard policy.
  • Logs: Application logs (errors, request metadata) are retained for 30 days for debugging and security monitoring.

All data in transit is encrypted with TLS 1.3. All data at rest is encrypted with AES-256.

5. Who Can Access It

StandUp enforces least-privilege access through database Row-Level Security (RLS) policies. Specifically:

  • Students can see their own data, the classes they are enrolled in, and the public Q&A/lesson content in those classes.
  • Teachers can see the classes they own, the students in those classes, and the content those students generate inside those classes.
  • School administrators can see all classes, teachers, and students within their school, and can request exports or deletions.
  • StandUp staff (currently the solo founder) can access data only when necessary for support, debugging, or security investigations. Access is logged and limited to the minimum required to resolve the issue.
  • AI sub-processors (Anthropic, OpenAI) receive only the content required to answer a specific request, with student PII stripped where possible. They do not have persistent access to our database. See Section 8.
  • Hosting providers (Supabase, Vercel) have operational access to the infrastructure StandUp runs on, under their own SOC 2 / ISO 27001 controls. They are contractual sub-processors.

We do not share data with anyone else unless legally compelled (e.g., valid court order), and we will notify the affected school in writing before complying, to the extent legally permitted.

6. Retention Periods

We keep data only as long as it is needed to run the service or as required for a school's records.

Data Retention
Active account data (profile, classes, lessons) Kept while the account is active
Deleted account data 30-day soft delete, then hard purge
AI Tutor chat transcripts 90 days, then purged
Live Voice Tutor transcripts 90 days, then purged; raw audio not retained
Q&A posts and answers Kept for the school year, then archived per school request
Quiz and Practice Mode results Kept for the school year; teachers may export before purge
Application logs 30 days
Security and audit logs 1 year
Backups Rolling per Supabase's managed backup window

At contract termination, schools have a 30-day export window; after that window, all school data is purged from primary storage within 30 days and from backups as those backups expire on their normal rotation.

7. Deletion and Access Rights

Schools, parents, and eligible students have the following rights:

  • Right to access: request a copy of the data StandUp holds about a specific student.
  • Right to correction: request that inaccurate data be corrected.
  • Right to deletion: request that a student's data be deleted.
  • Right to export: receive a student's data in a machine-readable format (JSON or CSV).

How to exercise these rights:

  • School IT admins can submit a per-student export or delete request through their school admin console, or by emailing the contact in Section 10.
  • Parents and eligible students should contact their school first; the school will relay the request to StandUp.
  • StandUp will respond to verified requests within 30 days, and typically within 7 business days.

Deletion requests are honored in primary storage immediately upon verification and propagate to backups as those backups age out on their normal rotation (maximum 30 days).

8. AI Sub-Processors

StandUp uses third-party AI providers to power the AI Tutor, quiz generation, content moderation, and lesson recap features. We are fully transparent about who they are and what they receive.

8.1 Current AI Sub-Processors

  • Anthropic (Claude) — used for AI Tutor, quiz generation, and lesson recap. Governed by Anthropic's Commercial Terms and DPA. Anthropic does not train on data submitted via its API by default.
  • OpenAI — used as a failover provider for AI Tutor and quiz generation when Claude is unavailable, and for specific model tiers. Governed by OpenAI's Business Terms and DPA. OpenAI does not train on data submitted via its API.

Both providers are contractually bound to not use API-submitted content to train their models.

8.2 What Data Goes to AI Providers

Only the content necessary to answer a specific prompt is sent. We strip student personally identifiable information (PII) from prompts before sending, per our internal data-handling practice. The AI provider sees the lesson content, the question, and a generic role (e.g., "student"), but not names, emails, or school identifiers.

8.3 School Opt-Out

Schools may request to route their traffic to a specific provider only (for example, Claude only, or OpenAI only). This is documented in the School Privacy Addendum.

8.4 AI Content Moderation

Every Q&A post passes through automated moderation before going live to the class. This is a safety feature, not a surveillance feature.

9. Breach Notification

In the event of a security incident that involves unauthorized access to student data, StandUp will:

  1. Contain the incident as the first priority.
  2. Notify affected schools within 72 hours of confirming the breach, in line with FERPA expectations and our internal incident response plan.
  3. Provide the school with: what happened, what data was involved, when it happened, what we've done to contain it, and what we recommend the school do.
  4. Cooperate with the school on any notifications the school must make to parents, students, or regulators.
  5. Publish a post-mortem to the school within 14 days of containment.

Our full Incident Response Plan is available in the Trust Center.

10. Contact

Privacy questions, data requests, or security reports:

The current primary contact is the founder. For urgent security issues, please use the security email and mark the subject line URGENT.

11. FERPA and StandUp's Role as a "School Official"

StandUp is designed to comply with the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g; 34 CFR Part 99).

When a school uses StandUp, StandUp acts as a "school official" with a legitimate educational interest under 34 CFR § 99.31(a)(1)(i)(B). This means:

  • StandUp performs a service for the school that the school would otherwise use employees to perform.
  • StandUp is under the direct control of the school with respect to the use and maintenance of education records.
  • StandUp is subject to FERPA's requirements governing the use and redisclosure of personally identifiable information from education records.
  • Student data from the school belongs to the school and the student, not to StandUp.
  • StandUp will not redisclose education records to any other party without the school's written authorization, except as permitted by FERPA (for example, in response to a valid subpoena, after notice to the school).
  • StandUp will not use education records for any purpose other than the educational service the school has authorized.

11.1 FERPA Data Handling Summary

  • Collection: Education records are collected only when teachers, school admins, or students enter or upload them into StandUp.
  • Storage: Education records are stored in Supabase (US), encrypted at rest, access-controlled via RLS policies.
  • Processing: Processing is limited to the educational service — delivering lessons, generating quizzes, answering student questions, and providing teachers with class analytics. AI processing is performed under the sub-processor terms in Section 8.
  • Deletion: Education records are deleted upon school request (per Section 7) or at contract termination (per Section 6), whichever comes first.
  • Directory information: StandUp does not treat any student data as "directory information" and does not disclose any student data publicly.

11.2 Parent and Eligible Student Rights

FERPA gives parents (and students 18+ or in postsecondary programs) the right to inspect, review, and request correction of education records. StandUp honors these rights through the school — parents and eligible students should contact their school IT admin, who will work with StandUp to fulfill the request.

11.3 Compliance Commitments

  • StandUp will not sell or rent education records.
  • StandUp will not use education records for advertising or marketing.
  • StandUp will not use education records to train AI models.
  • StandUp will notify the school of any data breach involving education records within 72 hours of confirmation.
  • StandUp will return or destroy education records upon contract termination, per the school's written instructions.

12. Changes to This Policy

If we make material changes to this Privacy Policy, we will notify schools in writing at least 30 days before the changes take effect. Non-material changes (typo fixes, clarifications) will be published with an updated "Last updated" date.

13. See Also

  • School Privacy Addendum — school-specific terms, sub-processor opt-out, data residency, contract termination
  • Trust Center — security documentation, data flow diagram, incident response plan, IT Admin FAQ
  • Data Processing Agreement (DPA) — SDPC National DPA pre-filled with StandUp's practices, available on request

StandUp is an educational technology product. We exist to help students learn. Every decision in this Privacy Policy is made with that purpose in mind.

StandUp School Privacy Addendum

Last updated: 2026-04-05

StandUp School Privacy Addendum

Last updated: 2026-04-05 Effective date: 2026-04-05

This addendum supplements the StandUp Privacy Policy and addresses the specific concerns of school IT administrators evaluating StandUp for use in their district, school, or institution. Where this addendum and the main Privacy Policy overlap, the stricter commitment applies.

This addendum is designed to answer, in one document, every standard question we hear from IT admins — so you don't have to email us to get the basics.

1. No Data Selling — Explicit Commitment

StandUp does not sell, rent, lease, license, trade, or otherwise disclose student, teacher, or school data to any third party for monetary or other valuable consideration.

This commitment is unconditional. It applies:

  • Now and for the duration of any contract with a school.
  • After contract termination (we do not retain rights to sell data we previously held).
  • In the event of a merger, acquisition, or bankruptcy — any successor entity would be contractually bound to the same commitment, and schools would be notified and given a deletion option before any transition.

If StandUp is ever acquired, schools will be notified at least 30 days before the transition and may request full deletion of their data before it completes.

2. No Advertising — Explicit Commitment

StandUp does not run advertisements inside the product. StandUp does not have advertising partners. StandUp does not use student, teacher, or school data to build advertising profiles or to target ads on any platform, inside or outside the product.

There are no tracking pixels from advertising networks embedded in StandUp. There are no third-party ad SDKs in the codebase.

3. No Model Training on Student Data

StandUp does not use student data to train, fine-tune, or evaluate any AI model — neither our own models nor any third party's models.

Our AI sub-processors (Anthropic, OpenAI) are contractually bound by their commercial terms to not train on API-submitted content. We rely on and contractually reinforce these commitments.

If StandUp ever develops proprietary models, they will be trained on licensed or synthetic data, never on student content.

4. Retention Periods for School Accounts

Data Retention for School Accounts
Active teacher/student accounts Kept while enrolled in an active class
Account after student leaves a class Retained to end of school year, then archived per school policy
Q&A posts, AI Tutor transcripts, quiz results Retained to end of school year; exportable before purge
AI Tutor and Live Voice Tutor transcripts 90 days rolling purge, regardless of school year
Application and security logs 30 days (application), 1 year (security/audit)
Backups Rolling per managed backup window
Post-termination 30-day export window; full purge within 30 days of window close

Schools may request shorter retention for their account by written agreement.

5. Breach Notification — 72 Hours to School Admin

In the event of a confirmed security incident involving unauthorized access to school data, StandUp will:

  • Notify the school's designated IT admin contact within 72 hours of confirmation, by email and by phone call if provided.
  • Include: what happened, what data was affected, when it occurred, what containment steps were taken, and what the school should do next.
  • Provide a written post-mortem within 14 days of containment.
  • Cooperate with any notifications the school must make to parents, students, state regulators, or law enforcement.

The 72-hour clock starts from when StandUp confirms the incident, not from when it was first suspected. Suspicions trigger our internal incident response process but do not trigger external notification until confirmed, to avoid false alarms.

Schools should provide a primary IT admin contact and a backup contact at onboarding so the notification can reach a human quickly.

6. Sub-Processor List and Opt-Out Mechanism

The following third parties process school data on StandUp's behalf:

Sub-Processor Purpose Data Sent Location Training on Data?
Supabase Database, storage, auth All stored application data US No
Vercel Application hosting, edge delivery Request metadata, cached static assets US (primary) No
Anthropic (Claude) AI Tutor, quiz gen, recaps, moderation Prompt content with PII stripped US No (per Anthropic Commercial Terms)
OpenAI Failover AI Tutor, quiz gen, specific tiers Prompt content with PII stripped US No (per OpenAI Business Terms)
Google (OAuth) Sign-in (optional) Email, name, profile photo if user opts in US No

6.1 Opt-Out Mechanism

Schools may request to opt out of specific AI sub-processors. Supported opt-outs:

  • Claude-only routing: all AI traffic for your school routes to Anthropic only.
  • OpenAI-only routing: all AI traffic for your school routes to OpenAI only.
  • No-AI mode (on request): disable AI-powered features for your school, keeping Q&A, CatchUp, and manual tools.

Opt-outs are implemented at the tenant level and take effect within 24 hours of written confirmation. There is no fee to opt out.

Schools cannot currently opt out of Supabase or Vercel, as they are core infrastructure. If a school requires a different hosting arrangement, that is a custom contract conversation — contact us.

6.2 Sub-Processor Changes

StandUp will notify schools at least 30 days before adding a new sub-processor that will receive student data, giving schools time to object or opt out.

7. Data Residency

All school data is stored in the United States:

  • Supabase primary database: US region
  • Supabase Storage (files): US region
  • Vercel hosting: US primary
  • AI sub-processor endpoints: US

Edge caching of static assets (JavaScript, CSS, images) may occur at global edge locations. No student-generated content, no education records, and no personal data is cached at edge.

StandUp does not currently offer non-US data residency. If your school requires EU, Canada, or other regional residency, please contact us before signing.

8. Encryption

8.1 Encryption at Rest

  • All data in Supabase (database and storage) is encrypted at rest using AES-256, managed by Supabase's infrastructure.
  • Backups are encrypted at rest under the same standard.
  • Secrets (API keys, service credentials) are stored in Vercel environment variables with encryption at rest.

8.2 Encryption in Transit

  • All connections between client browsers, Vercel, Supabase, and AI sub-processors use TLS 1.3 (or TLS 1.2 minimum for legacy clients).
  • HSTS is enforced on all StandUp domains.
  • No cleartext transmission of education records at any hop.

9. Per-Student Data Export and Delete

School IT admins can, at any time, request:

  • Export of a specific student's data — delivered as a JSON or CSV bundle containing the student's profile, Q&A posts, AI Tutor transcripts, quiz results, and class participation records.
  • Deletion of a specific student's data — full deletion from primary storage within 72 hours of verified request; backups age out on normal rotation (maximum 30 days).
  • Bulk export of a class or school — for end-of-year archiving or migration.
  • Bulk deletion of a class or school — for graduating cohorts or contract closeout.

Requests are submitted through the school admin console (when available) or by email to danielnwah123@gmail.com. StandUp verifies the requester is an authorized school admin before acting.

Typical turnaround: 7 business days for routine requests, faster for urgent ones.

10. Contract Termination — Export Window and Purge

When a school's contract with StandUp ends, or when a school chooses to stop using StandUp:

  1. 30-day export window. Starting on the termination date, the school has 30 days to export all of its data through the admin console or by requesting a bulk export from StandUp.
  2. Purge notification. StandUp will send a reminder at day 15 and day 25 of the export window.
  3. Primary purge. Within 30 days after the export window closes (i.e., day 60 from termination at the latest), all school data is purged from primary storage, including database records, storage files, and AI Tutor transcripts.
  4. Backup expiration. Backups containing school data age out on their normal rotation. StandUp does not restore from expired backups after termination.
  5. Written confirmation. StandUp provides written confirmation to the school once purge is complete.

Schools may request a shorter or longer export window in writing. Schools that require a certificate of destruction can request one at no additional cost.

11. Reference to SDPC National DPA

StandUp's data handling practices are aligned with the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement (NDPA). We offer a pre-filled National DPA (with an optional Maryland Exhibit for MD-based schools) as our standard contracting vehicle.

Where the signed DPA and this addendum conflict, the signed DPA controls.

12. Cross-Reference

For the full data collection and handling details, see the StandUp Privacy Policy. The main policy covers:

  • What data we collect (Section 1)
  • How we use it (Section 3)
  • Who can access it (Section 5)
  • FERPA "school official" designation and compliance commitments (Section 11)
  • Contact information for privacy and security requests (Section 10)

For security architecture, incident response, and the full sub-processor data flow diagram, see the StandUp Trust Center.

13. Contact for School IT Admins

We aim to respond to IT admin inquiries within 2 business days.

This addendum is intended to make StandUp's school posture clear on the first read. If a question you care about isn't answered here, email us — we'll answer it, and if it's a common question, we'll add it to this document.

Download StandUp School Privacy Addendum PDF

Questions? Email privacy@standuplearn.com