PRIVACY POLICY FOR STRING

Who: Site visitors, School Administrators, Teachers signing up.
Data: Name, email address, job title, school name, billing information, IP address.
Purpose: To schedule demos, process payments, and manage school accounts.

Who: Students using the platform (rostered by the School).
Data:
- Identifiable Info: Name, email (usually school-issued), grade level, class enrollment.
- Performance Data: Grades, assignment submissions, quiz results.
- AI Behavioral Data: Interaction logs, learning patterns, time-on-task, and "Learning DNA" insights generated by our algorithms.
Purpose: Strictly to provide the educational service, generate learning insights, and assist teachers.

If you choose to connect your Google account, String accesses the following specific data scopes:

• Profile Information: Your name, email address, and profile picture (to create your user account).
• Language Preferences: To display the interface in your preferred language.
• Classroom Rosters (If authorized): We access course rosters and student lists solely to set up classes within String at the teacher's direction.

We use Google User Data strictly to:

• Authenticate your identity and log you into the Service.
• Provision your account and role (Teacher vs. Student).
• Display your profile information within the user interface.

We do not share Google User Data with third parties, except:

• As strictly necessary to provide the Service (e.g., cloud hosting providers who act as data processors and are bound by confidentiality).
• We do not sell Google User Data to advertisers or data brokers.
• We do not transfer Google User Data to third-party AI tools for the purpose of training their models.

Google User Data is stored using industry-standard encryption:

• In Transit: All data is transmitted via secure HTTPS (TLS 1.2+).
• At Rest: Data is encrypted using AES-256 encryption standards in our secure databases.

String's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

• No Public Training: We DO NOT use personally identifiable Student Data to train open/public AI models (like ChatGPT).
• Internal Improvement: We may use de-identified and anonymized data to refine our internal algorithms and improve the accuracy of our educational insights.
• AI Accuracy: While we strive for precision, AI-generated insights (such as "Learning DNA") are probabilistic estimates. They should be used to support—not replace—professional educator judgment.

• Service Providers (Sub-processors): We use trusted third-party vendors to help run our infrastructure. They are contractually bound to protect data and typically include:
  • Cloud Hosting: AWS (Amazon Web Services) and Google Cloud Platform.
  • AI Processing: OpenAI API (utilized under enterprise agreements where data is not used for model training).
  • Analytics: Google Analytics and PostHog (utilized for website and app performance monitoring).
• Legal Compliance: If required by law (e.g., a subpoena), we may disclose information to law enforcement.
• Business Transfers: If String is acquired, the successor company will continue to be bound by the terms of this Privacy Policy regarding Student Data.

• FERPA (Family Educational Rights and Privacy Act): We comply with FERPA. We access Student Data only as a "School Official" with a "legitimate educational interest" in the student's education.
• COPPA (Children Under 13):
  • Authorized Collection: We knowingly collect personal information from children under the age of 13 only for the use and benefit of the School.
  • School Consent: We rely on the School to provide consent for the collection of this information on behalf of the parent, as permitted by COPPA.
  • Strict Usage: This data is used solely for educational purposes and is never used for commercial purposes unrelated to education (such as behavioral advertising).
• SOPIPA (California): We do not engage in targeted advertising to students or create profiles of students for non-educational purposes.

• Data Controller: The School/District is the Data Controller.
• Data Processor: String is the Data Processor.
• International Transfer: Your data is processed in the United States. We utilize Standard Contractual Clauses (SCCs) or the Data Privacy Framework to ensure compliant transfers.

• Active Accounts: We retain Student/Google User Data for as long as the School's subscription is active.
• Termination: Upon contract termination, we will delete or de-identify Student Data within 60 days of the termination date, or upon the School's specific written request.
• Data Deletion Requests: Users (or Schools on behalf of users) may request deletion of their Google User Data by contacting [email protected]. We will process these requests within 30 days.
• Backups: Encrypted backups may exist for an additional 30 days before being overwritten in our standard cycle.

• Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256).
• Access Controls: Only authorized employees with a specific need (e.g., support engineers) can access database records, and all access is logged.
• Vulnerability Testing: We perform regular security audits of our code and infrastructure.

• Access & Correction: Parents or eligible students wishing to review, correct, or delete their data should contact their School administration directly. We will assist the School in fulfilling these requests within a reasonable timeframe.
• Stop Usage: Schools may request that we stop processing their data by cancelling their subscription.