Privacy Policy
Effective date: [EFFECTIVE_DATE]
Last updated: [LAST_UPDATED]
1. Who we are
PaperGrade is an AI-assisted grading tool for K–12 math teachers operated by PaperGrade LLC (“PaperGrade,” “we,” “us”), registered in Missouri. Contact: privacy@getpapergrade.com.
2. Scope of this policy
This policy covers getpapergrade.com and the PaperGrade web and mobile applications (the “Service”). The Service is designed for use by educators and school districts. It is not offered directly to students, parents, or consumers.
3. COPPA: school-consent model
PaperGrade relies on the FTC’s school-consent exception under the Children’s Online Privacy Protection Act (COPPA). When a teacher or school district uses PaperGrade to grade student work, the school — not PaperGrade — obtains any parental consent required under COPPA, acting as the parent’s agent for the limited educational purpose of grading and standards-mastery tracking.
By using the Service, teachers and districts agree that:
- They have authority under applicable law and their district’s policies to enter student information and upload student work into PaperGrade.
- Student data is collected solely for educational purposes authorized by the school.
- PaperGrade will not use student data for advertising, profiling, or any purpose outside those authorized by the school.
Parents of students whose work is processed by PaperGrade may contact their child’s teacher or district to exercise rights of access, correction, and deletion. We will honor verified requests routed through the school.
4. FERPA
When used by a school, PaperGrade operates as a “school official” with a “legitimate educational interest” under FERPA (34 CFR § 99.31(a)(1)). Student education records uploaded to the Service remain under the direction and control of the school. The school is the data controller; PaperGrade is the processor.
5. What we collect
From teachers / district staff (account holders):
- Name, work email, school or district name
- Password hash (never plaintext)
- Billing contact info (name, email; card data is collected directly by Stripe and never stored by us)
- Product usage and error telemetry
From student work (entered by teachers):
- Student first name, last name, and optional student ID or grade level
- Photos or scans of handwritten math assignments
- Transcribed answers, grading results, standards-mastery signals, and teacher annotations
- IEP goal text and progress notes, when the teacher chooses to use the IEP features
We do not collect from students directly. Students do not create accounts. We do not request student email addresses, home addresses, biometric identifiers, precise geolocation, or social-media handles.
6. How we use data
- Grade uploaded student work and return results to the uploading teacher.
- Map work to the teacher’s selected standards framework (e.g., Missouri MLS, Common Core).
- Generate standards-mastery summaries and IEP progress notes when requested by the teacher.
- Operate, secure, and improve the Service (error monitoring, performance).
- Process payment for teacher or district subscriptions.
- Respond to support requests.
We do not:
- Sell student or teacher data.
- Use student data to train AI models.
- Use student or teacher data to serve advertising.
- Build advertising profiles of any user.
- Disclose student data to third parties except to the sub-processors listed below, to the school that uploaded the data, or as required by law.
7. Sub-processors
PaperGrade uses the following sub-processors, all operating in the United States:
| Sub-processor | Purpose | Data categories |
|---|---|---|
| Supabase | Auth, database, file storage | Account data, student work, grading results |
| Vercel | Web hosting, CDN, edge functions | Account data, student work in transit |
| Anthropic | AI transcription and grading | Scanned student work, generated grading output |
| Stripe | Payments processing | Billing contact, payment tokens |
| Resend | Transactional email | Teacher email, email content |
| PostHog | Product analytics | Account ID, usage events (student data excluded) |
| Sentry | Error monitoring | Account ID, scrubbed error traces (PII scrubbed) |
Anthropic details.Student work is sent to Anthropic’s API for AI transcription and grading. Anthropic acts as our processor. Per Anthropic’s current policies, API inputs and outputs are retained only for a limited operational period, are not used to train Anthropic’s models, and are subject to Anthropic’s Trust Center commitments. [TODO-ATTORNEY: verify and insert current Anthropic API retention window before publication.]
8. Data retention schedule
| Data type | Retention |
|---|---|
| Original scanned student work (images/PDFs) | 90 days from upload, then deleted from storage, unless the teacher archives the assignment |
| Transcribed answers and grading results | Duration of the teacher’s or district’s account, plus 30 days after account closure |
| IEP goals and progress notes | Duration of the teacher’s or district’s account, plus 30 days after account closure |
| Teacher / admin account records | Until account closure, plus 30 days for standard database backups |
| Billing and tax records | 7 years from transaction date (tax-compliance requirement) |
| Application and security logs | 30 days |
| Automatic database backups | 30 days rolling |
When a school or teacher requests deletion of specific student records, we delete them from production systems within 30 days and from backups within the 30-day backup rotation.
9. Security
- All data encrypted in transit (TLS 1.2+) and at rest.
- Row-level security on every table that holds teacher or student data.
- PII-scrubbing logger; student names and answers are never written to application logs.
- Principle of least privilege for staff access; access is audited.
- Incident response runbook with notification to affected schools within 72 hours of a confirmed breach.
10. Rights
Teachers can access, correct, download, and delete their account data from the app or by emailing privacy@getpapergrade.com.
Student data is controlled by the school. Parents and students should direct access, correction, and deletion requests to the teacher or district. On receipt of a verified request from the school, PaperGrade will act within 30 days.
11. State-specific notices
- Missouri: PaperGrade complies with the Missouri Student Data Privacy Act and executes a Missouri NDPA with districts that request one.
- California: We do not sell personal information as defined by the CCPA/CPRA. SOPIPA-covered obligations are met by the practices described above.
- New York:For New York districts, PaperGrade adheres to Education Law § 2-d and Part 121 obligations via the parents’ bill of rights supplied in the district NDPA.
- Other states:We execute the SDPC national NDPA or a district’s required DPA on request.
12. International users
The Service is offered only within the United States. We do not market to users in the EU, UK, or other jurisdictions with data-residency requirements. Do not upload student data from outside the United States.
13. Changes
We will post changes to this policy on this page and update the “Last updated” date. Material changes will be emailed to account holders at least 30 days before taking effect.
14. Contact
Privacy questions: privacy@getpapergrade.com
Mailing address: [TODO-ATTORNEY: insert registered business address]