Privacy Policy

1. Introduction

StandUp ("we", "our", or "us") is committed to protecting the privacy of students, teachers, and parents who use our educational platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information. We are designed for use by students in grades 9-12 and college, and we take student data privacy seriously.

2. Information We Collect

Account Information

• Email address
• Display name (chosen by the user, not required to be a real name)
• Role (teacher or student)

Educational Data

• Questions asked in class (stored anonymously by default)
• Quiz responses and scores
• AI tutor conversation history
• Class enrollment information (class code and role)
• Lesson materials uploaded by teachers

Automatically Collected

• Device type and browser (for bug fixing and compatibility only)
• Feature usage patterns and timestamps (for improving the service)

What We Do NOT Collect

• Real student names (display names are chosen by students)
• Social security numbers, home addresses, or phone numbers
• Student grades or official academic records from school systems
• Precise location data (we do not track GPS or location)
• Financial information from students

3. How We Use Your Information

• Provide AI-powered tutoring responses grounded in lesson materials
• Enable anonymous Q&A between students and teachers
• Generate quizzes based on uploaded lesson content
• Show teachers aggregate class understanding (not individual student identities for anonymous questions)
• Monitor content for safety threats, harassment, and self-harm (see our Acceptable Use Policy)
• Improve service quality and fix bugs
• Send important service notifications

We do not use student data for advertising, marketing, or any purpose unrelated to providing educational services.

4. Student Privacy (FERPA & COPPA)

We are committed to complying with the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA).

• Age requirement: StandUp is intended for students aged 13 and older (grades 9-12 and college). We do not knowingly collect personal information from children under 13.
• Parental consent: For students under 18, we recommend that schools or parents provide consent before use. When used through a school, the school's existing consent processes (e.g., student handbook opt-in/opt-out) apply.
• Anonymity by default: Student questions are anonymous. Teachers cannot see who asked a question unless content safety policies are violated (see Acceptable Use Policy for unmasking rules).
• No sale of data: We never sell, rent, or trade student data to third parties for any reason.
• Educational records: We do not access, store, or process official school educational records (grades, transcripts, IEPs, etc.).
• Parental rights: Parents or guardians may request access to, correction of, or deletion of their child's data at any time by contacting us.

5. Data Sharing & Third Parties

We only share data in the following limited circumstances:

With Teachers

Teachers see aggregated class data and anonymous questions. Individual student identity is only revealed when content safety policies are violated, following a documented escalation process.

AI Processing Providers

Student questions and lesson materials are processed by AI providers (Anthropic Claude and/or OpenAI) to generate tutoring responses, quizzes, and content moderation. These providers:

• Process data only to fulfill our requests (not for their own training)
• Do not receive student names, email addresses, or other identifying information
• Are bound by their own data processing agreements and privacy policies
• Anthropic's API data is not used to train models (per their API privacy policy)

Infrastructure Providers

Our application is hosted on Vercel (serverless hosting on AWS infrastructure) and our database is hosted on Supabase (managed PostgreSQL on AWS). Both providers:

• Store data in US-based data centers
• Encrypt data at rest and in transit
• Comply with SOC 2 Type II security standards

Legal Requirements

We may disclose information when required by law, subpoena, or court order, or when necessary to protect the safety of students or others (e.g., credible threats of violence or self-harm).

6. Data Security

We implement the following security measures:

• All data encrypted in transit (TLS/HTTPS) and at rest (AES-256)
• Row Level Security (RLS) on all database tables, ensuring users can only access their own data
• Secure authentication with hashed passwords and OAuth 2.0
• Environment-based secrets management (no credentials in code)
• AI content moderation to detect and block threats, harassment, and personal information before posting
• Rate limiting on all API endpoints to prevent abuse
• Automated daily database backups with point-in-time recovery

7. Data Retention & Deletion

• Active data: Educational data is retained while a class is active and for one additional school year for continuity.
• Inactive data: Data for classes with no activity for 12 months is automatically deleted.
• Account deletion: Users may delete their account at any time. All associated data is permanently removed within 30 days.
• Data export: Teachers can export their class data (questions, quiz results, analytics) at any time.
• Contract termination: If a school or district terminates their agreement with StandUp, all associated data is purged within 60 days. We will provide written confirmation of data deletion upon request.

8. Your Rights

You (or your parent/guardian if under 18) have the right to:

• Access your personal data
• Correct inaccurate information
• Request deletion of your data
• Export your data in a standard format
• Opt out of non-essential communications
• Receive notification of data breaches affecting your information

To exercise any of these rights, contact us at the email below. We will respond within 30 days.

9. Incident Response

In the event of a data breach or security incident, we will: (1) contain the incident immediately, (2) notify affected users and school administrators within 24 hours, (3) notify parents of affected minors, (4) cooperate with law enforcement if required, and (5) provide a full incident report. For details, see our Incident Response Plan.

10. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern:

Email: privacy@standuplearn.com
Founder: Daniel Nwah
Website: standuplearn.com