Privacy Policy

BrightGrades is an educational platform for K–12 students, teachers, and parents. We help students learn, teachers teach, and families stay connected to their child's academic progress.

BrightGrades is used exclusively in school settings. Accounts are created by schools and districts, not by individual students or parents acting alone.

We collect only what is necessary to provide the platform:

• **Name and grade level** — provided during account setup or roster import. • **School affiliation** — the school your account is associated with. • **Assignments and grades** — schoolwork submitted through the platform. • **Login activity** — timestamps used for security and streak tracking.

We do NOT collect: • Social Security numbers • Home address or physical location data • Financial information • Health or medical records

BrightGrades takes children's privacy seriously and complies with the Children's Online Privacy Protection Act (COPPA).

Before any student under 13 can access BrightGrades, we require verified parental consent:

• When a student under 13 creates or activates an account, we ask for a parent or guardian's email address. • We send the parent a consent request explaining what we collect and how we use it. • The student cannot access the platform until the parent approves. • Parents can deny consent at any time, which immediately blocks the student's access.

We never collect more information than is necessary for the student's educational experience. We do not use student data for behavioral advertising or profiling, regardless of age.

BrightGrades operates as a "school official" under FERPA (Family Educational Rights and Privacy Act). This means student educational records are owned by the school, not BrightGrades.

Parents and eligible students (age 18+) have the right to:

• **Inspect records** — Request to view your child's education records held by the school. • **Request corrections** — Ask the school to correct inaccurate or misleading information. • **Restrict disclosure** — Request that the school limit who can access your child's records.

To exercise these rights, contact your school administrator. Schools are responsible for complying with FERPA requests. BrightGrades will cooperate fully with any school-initiated data request.

If your child is under 13, you have additional rights under COPPA:

• **Review data** — You can request a copy of all data we have collected about your child. • **Request deletion** — You can request that we delete your child's account and all associated data. • **Withdraw consent** — You can withdraw consent at any time, which will block your child's access to the platform.

To exercise these rights, use the **Data & Privacy** section in your parent portal, or email us at privacy@brightgrades.com. We will respond within 30 days.

We share student data only with the following trusted service providers, and only as needed to operate the platform:

• **Clerk** — Authentication and session management. COPPA compliant. • **Neon** — Database hosting (PostgreSQL). SOC 2 certified. • **Anthropic** — AI content generation features. We send only question text — never student names, IDs, or personal information.

We never sell student data. We never share data with advertisers. We never use student data for purposes other than providing the educational platform.

We use industry-standard security practices to protect your data:

• **In transit** — All data is encrypted using TLS (HTTPS). • **At rest** — Data is stored on encrypted PostgreSQL servers hosted by Neon. • **Access controls** — Only authorized personnel can access production data, and all access is logged. • **Security reviews** — We regularly review our security practices and promptly address vulnerabilities.

If you believe you have found a security issue, please contact privacy@brightgrades.com immediately.

We retain data only as long as necessary:

• **Active accounts** — Data is retained while the account is active and the school's subscription is current. • **Deleted accounts** — When an account is deleted (by request or school decision), all associated data is permanently purged within 30 days. • **Schools** — Schools may export all data at any time and request immediate deletion by contacting privacy@brightgrades.com.

If you have questions about this Privacy Policy or want to exercise your rights, reach out to us:

**Email:** privacy@brightgrades.com

We respond to all privacy inquiries within 2 business days.