Legal

Student Data Privacy Addendum

Effective Date: April 28, 2026

Cues Technologies Inc.  |  9171 Wilshire Blvd, Ste 500, Beverly Hills, CA 90210

hello@gradingpal.com

FERPACOPPASOPIPANY Ed Law 2-d

Table of Contents

Applicable Law Overview

This Student Data Privacy Addendum (“DPA”) is designed to comply with the following federal and state student data privacy laws. The table below summarizes each law's scope and GradingPal's commitment under each framework.

Law / RegulationWhat It CoversGradingPal's Commitment
FERPA (Family Educational Rights and Privacy Act) 20 U.S.C. § 1232gProtects the privacy of student education records maintained by schools. Governs disclosure of personally identifiable information from education records.GradingPal acts as a "school official" with a legitimate educational interest. We access Student Data only as directed by the Educational Institution and never disclose education records without proper authorization.
COPPA (Children's Online Privacy Protection Act) 15 U.S.C. §§ 6501–6506Protects the online privacy of children under 13. Requires verifiable parental consent or school operator consent before collecting personal information from children under 13.GradingPal relies on the Educational Institution's authorization to collect personal information from children under 13 used in connection with the Services provided to the School. We do not collect more information than is reasonably necessary.
SOPIPA (CA Student Online Personal Information Protection Act) Cal. Bus. & Prof. Code §§ 22584–22585Prohibits operators of K–12 websites and online services from using student personal information for non-educational purposes, including targeted advertising and building profiles.GradingPal does not use Student Data for targeted advertising, does not sell Student Data, and does not build student profiles for non-educational purposes. These prohibitions flow down to all sub-processors.
NY Education Law 2-d (New York) N.Y. Educ. Law § 2-dRequires educational agencies and their vendors to protect the confidentiality, privacy, and security of student and teacher personally identifiable information.GradingPal complies with all NY Education Law 2-d requirements, including data security standards, breach notification, data return/destruction obligations, and the Parents' Bill of Rights for Data Privacy.
Other Applicable State LawsVarious additional state student data privacy laws may apply based on where the Educational Institution is located.GradingPal commits to complying with all applicable federal and state student data privacy laws as they may be enacted or amended from time to time.

Preamble

This Student Data Privacy Addendum (“DPA”) is supplemental to the GradingPal Terms of Use available at www.gradingpal.com/terms (“Terms of Use”). Capitalized terms that are not defined in this DPA have the meaning set out in the Terms of Use. In the event of a conflict between this DPA and the Terms of Use, this DPA shall control with respect to the processing of Student Data.

When GradingPal is used by an Educational Institution or Teacher for an educational purpose, GradingPal may collect or have access to Student Data (as defined below). The processing of Student Data may be subject to the Family Educational Rights and Privacy Act (“FERPA”), the Children's Online Privacy and Protection Act (“COPPA”), the California Student Online Personal Information Protection Act (“SOPIPA”), New York Education Law 2-d, or other applicable federal or state student data privacy laws (together, the “Applicable Data Protection Laws”). To support compliance with Applicable Data Protection Laws, the parties agree as follows:

Definitions

“Student Data” means any personally identifiable information that is directly related to an identifiable Student, including but not limited to: educational records as defined by FERPA; covered information as defined by SOPIPA; personally identifiable information as defined by COPPA; and any information that is subject to protection under NY Education Law 2-d or other Applicable Data Protection Laws. Student Data includes, without limitation, Student names and contact information, submitted assignments and coursework across all assignment types including written work, handwritten submissions, essays, exams, worksheets, quizzes, problem sets, presentations, audio, video, art and design, and other content types, grades and feedback, performance analytics, and interaction data generated through the Services.

“Educational Institution” means a school, school district, school board, or other educational agency or institution that enters into an agreement with GradingPal to use the Services for educational purposes.

“Targeted Advertising” means presenting an advertisement to a Student where the selection of the advertisement is based on Student Data or inferred over time from the usage of GradingPal's Services or the retention of such Student's online activities or requests over time for the purpose of targeting subsequent advertisements. Targeted Advertising does not include advertising to a Student on an internet website based solely on the content of the webpage, or in response to a Student's request for information or feedback.

“De-Identified Data” means data from which all personally identifiable information has been removed or obscured so that the remaining information does not reasonably identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.

Terms and Conditions

1. School Official Status

Educational Institution acknowledges and agrees that GradingPal is acting as a “school official” on behalf of Educational Institution under FERPA with a legitimate educational interest in accessing Student Data, and is otherwise processing Student Data on Educational Institution's behalf under other Applicable Data Protection Laws.

Educational Institution represents and warrants that Educational Institution has the authority under Applicable Data Protection Laws to provide GradingPal with consent to collect personal information from Students for the purpose of providing the Services. To the extent required by Applicable Data Protection Laws, Educational Institution will inform parents and legal guardians how Student Data will be processed by the Services, including by providing a link to GradingPal's Privacy Notice at www.gradingpal.com/privacy.

2. Collection and Use of Student Data

GradingPal will collect, access, use, process, store, and disclose Student Data solely as necessary for the purpose of performing the Services on behalf of the Educational Institution. GradingPal will not use Student Data for any purpose other than those set forth in this DPA and the Agreement.

The following table describes the categories of Student Data collected, the source of that data, and the purpose for which it is used:

CategoryData ElementsSourcePurpose
Student IdentityFirst name, last name, email addressProvided by teacher when setting up a classroom, or by students directly when joining a teacher-invited classroom, or imported via Google Classroom integrationAccount creation, classroom roster management, delivery of feedback
Academic InformationGrade level, school subject(s), course name(s)Provided by teacher when creating a class or assignment, or imported via Google Classroom integrationContextualising AI grading and feedback to the appropriate educational level and subject
Submitted AssignmentsWritten work, handwritten submissions, essays, exams, worksheets, quizzes, problem sets, presentations, audio, video, art and design, PDFs, images, and other instructional content submitted by studentsSubmitted by students directly, uploaded by teachers on behalf of students, or read from Google Classroom via the Google Classroom APIAI-powered rubric-aligned scoring and written feedback generation
Grades and ScoresAI-generated scores, teacher-reviewed scores, existing gradesGenerated by GradingPal; or read from Google Classroom via the Google Classroom API where the teacher has connected their classroomGrading, performance analytics, teacher reporting
AI-Generated FeedbackWritten feedback comments generated by GradingPal's AI grading featuresGenerated by GradingPal based on submitted assignment contentDelivery to students and teachers via the Service
Performance AnalyticsAggregate and individual performance data derived from grades and submission patternsDerived by GradingPal from grades and submissionsTeacher-facing performance insights and reporting. Submission metadata and student identifiers are also shared with Mixpanel Inc. for internal product analytics purposes only — not for advertising or profiling.
Technical DataIP address, browser type, device informationCollected automatically when a student accesses the ServiceSecurity, fraud prevention, and service operation

Where a teacher has connected GradingPal to their Google Classroom account, GradingPal may also read assignment details and student roster information from Google Classroom via the Google Classroom API, and may write AI-generated scores and feedback back to Google Classroom on the teacher's instruction. GradingPal's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

GradingPal will not use Student Data to develop, improve, or train any artificial intelligence or machine learning model, including the AI models used to provide the Services, unless explicitly authorized in writing by the Educational Institution.

3. Confidentiality

GradingPal agrees to treat Student Data as confidential and will not share it with third parties other than as described in this DPA, the Agreement, or with the written consent of Educational Institution.

GradingPal will not sell, disclose, make available, or otherwise transfer Student Data to any third party without the prior written consent of Educational Institution, except to the extent that the transfer is necessary to provide the Services. GradingPal will share Student Data with the following categories of third parties as necessary to provide the Services:

  • AI service providers (including Anthropic PBC, OpenAI OpCo LLC, Google LLC, Microsoft Corporation via Azure AI Foundry, and Mistral AI SAS) and document processing providers (including Unstructured Technologies Inc.) to generate rubric-aligned scores, written feedback, and process submitted assignments. These providers are explicitly prohibited from using Student Data to train their AI models.
  • Mixpanel Inc. for internal product analytics. Mixpanel receives student identifiers and submission metadata solely to help GradingPal understand how the Service is used and improve it. Mixpanel does not use Student Data for advertising, profiling, or any non-educational purpose.
  • Internal operations providers (including Notion Labs Inc., Slack Technologies LLC, and Linear Orbit Inc.) where personal data is referenced in the course of investigating technical issues, debugging, or internal communications. Access to Student Data in these tools is limited to authorised GradingPal personnel on a need-to-know basis.

All third parties who receive Student Data are contractually bound to maintain its confidentiality and comply with data protection standards consistent with those provided in this DPA.

4. Prohibition on Targeted Advertising

GradingPal is prohibited from using, disclosing, or selling Student Data to:

  1. inform, influence, or enable Targeted Advertising directed at any Student; or
  2. develop a profile of a Student, family member or guardian, or group of students, for any purpose other than providing the Services.

GradingPal does not display advertising of any kind within the Services. This prohibition extends to all Authorized Sub-processors and other third parties to whom GradingPal discloses Student Data.

5. Adaptive and Customized Learning

Notwithstanding anything to the contrary in this DPA, GradingPal is expressly permitted to use Student Data for adaptive learning or customized Student learning purposes, including:

  • Generating personalized grading feedback and recommendations tailored to an individual Student's submitted work;
  • Adjusting the level and type of feedback provided based on a Student's grade level or course context; and
  • Enabling teachers to identify performance trends and tailor instruction to individual or group needs.

6. De-Identified Data

Notwithstanding anything to the contrary in this DPA, GradingPal will have the right to generate, use, and disclose De-Identified Data for the following purposes:

  1. assisting the Educational Institution or other governmental agencies in conducting research, analytics, and other studies;
  2. research, analytics, and development and improvement of the Services and demonstration of the effectiveness of the Services; and
  3. as otherwise permitted under Applicable Data Protection Laws.

GradingPal agrees not to attempt to re-identify De-Identified Data. GradingPal's right to use De-Identified Data will survive termination of this DPA or any request by Educational Institution to return or destroy Student Data.

7. Legally Compelled Disclosure

If GradingPal is legally compelled to disclose any Student Data (whether by judicial or administrative order, applicable law, rule, or regulation), GradingPal will use reasonable efforts to provide Educational Institution with prior written notice before making the disclosure so that Educational Institution can seek a protective order or other appropriate remedy. GradingPal will not be required to provide such notice if it is prohibited from doing so by the applicable order, law, rule, or regulation.

8. COPPA Authorization — Direct Notice to School

Educational Institution hereby authorizes GradingPal to collect, use, and disclose personal data from children under 13 years old in connection with the provision of the Services as set out in this DPA, pursuant to the school operator exception under COPPA (16 C.F.R. § 312.5(b)(1)).

Upon written request from Educational Institution with regard to such data, GradingPal will:

  • Provide Educational Institution with an opportunity to review the child's personal data;
  • Provide Educational Institution with the right to request deletion of the child's personal data; and
  • Provide Educational Institution with the ability to cease further collection or use of the child's personal data.

If Educational Institution declines to provide consent or withdraws consent for the further collection or use of a child's personal data, GradingPal may no longer be able to provide the Services for that child. Educational Institution affirms that it will provide appropriate notices to parents of the School's use of third-party service providers such as GradingPal's Services.

9. New York Education Law 2-d Compliance

To the extent GradingPal provides Services to Educational Institutions located in New York State, or that are otherwise subject to New York Education Law 2-d (“NY Ed Law 2-d”), GradingPal agrees to comply with all applicable requirements of NY Ed Law 2-d and its implementing regulations, including the following:

9.1 Limitations on Use

  • GradingPal will not sell Student Data or use or disclose it for any marketing or advertising purpose;
  • GradingPal will not disclose Student Data to any third party without prior written consent of the parent or eligible student, except as permitted under FERPA, NY Ed Law 2-d, and the Agreement;
  • GradingPal will not use Student Data for any purpose not explicitly authorized in this DPA or the Agreement; and
  • GradingPal will limit its employees', officers', and contractors' access to Student Data to those individuals who have a legitimate need to access such data for the purpose of providing the Services.

9.2 Data Security

  • GradingPal will implement and maintain data security practices that are consistent with industry standards and that comply with the data security requirements of NY Ed Law 2-d;
  • GradingPal will implement and maintain an information security program that includes administrative, technical, and physical safeguards appropriate to the nature and scope of the Student Data processed; and
  • GradingPal will require all sub-processors that handle Student Data on its behalf to implement data security practices that are at least as protective as those required by this DPA.

9.3 Breach Notification

  • In the event of a breach or unauthorized release of Student Data, GradingPal will notify the Educational Institution in the most expedient manner possible and without unreasonable delay;
  • Such notification will include, to the extent known at the time: the nature of the breach or unauthorized release; the Student Data involved; and the measures taken or planned to contain, remediate, and prevent recurrence of the breach; and
  • GradingPal will adhere to all applicable federal and state requirements with respect to the breach, including required responsibilities and procedures for notification and mitigation.

9.4 Parents' Bill of Rights

GradingPal acknowledges that Educational Institutions subject to NY Ed Law 2-d are required to publish a Parents' Bill of Rights for Data Privacy and Security and to provide a supplemental information form to parents and eligible students describing how GradingPal uses Student Data. GradingPal agrees to provide Educational Institutions with all information reasonably required to complete such supplemental information form upon request. This information includes:

  • The name and contact information of GradingPal's privacy officer or designated privacy contact;
  • The categories of Student Data collected or processed by GradingPal;
  • The purposes for which Student Data is collected or processed;
  • The sub-processors to whom GradingPal discloses Student Data and for what purposes; and
  • GradingPal's data retention and destruction policies with respect to Student Data.

9.5 Supplemental Information

NY Ed Law 2-d Supplemental Information

GradingPal Privacy Contact: hello@gradingpal.com | Cues Technologies Inc., 9171 Wilshire Blvd, Ste 500, Beverly Hills, CA 90210

Student Data Collected: Student names and contact information; submitted assignments and coursework across all supported assignment types (including written work, handwritten submissions, essays, exams, worksheets, quizzes, problem sets, presentations, audio, video, art and design, and other content types); AI-generated grading scores and feedback; performance analytics; grade-level and course information; interaction data with the Service.

Purpose: To provide AI-powered grading, feedback generation, performance analytics, and related instructional tools to Educational Institutions and their students.

Sub-processors Receiving Student Data: Anthropic PBC (AI services); OpenAI OpCo LLC (AI services); Google LLC — Google AI/Gemini (AI services); Microsoft Corporation — Azure AI Foundry (AI services); Mistral AI SAS (OCR and document model); Unstructured Technologies Inc. (document parsing); Amazon Web Services Inc. — AWS S3 (file storage); Google LLC — Google Cloud Platform (infrastructure); Supabase Inc. (database); Vercel Inc. (hosting); Render Services Inc. (hosting); Velt Inc. (collaborative annotations); Mixpanel Inc. (internal product analytics); Axiom Inc. (application logs). Full list available at www.gradingpal.com/sub-processors.

Data Retention: Student Data is retained only as long as necessary to provide the Services. Student Data is deleted within 30 days of termination of the Agreement upon request, unless required to be retained under applicable law.

10. Data Rights

GradingPal will reasonably assist Educational Institution in complying with requests from individuals to exercise rights with regard to Student Data under Applicable Data Protection Laws, including rights of access, correction, and deletion. Upon written request from Educational Institution:

  • GradingPal will provide Educational Institution with access to Student Data in GradingPal's possession;
  • GradingPal will correct inaccurate Student Data identified by Educational Institution; and
  • GradingPal will delete Student Data as directed by Educational Institution, subject to any legal retention obligations.

11. Data Security

GradingPal will implement and maintain reasonable administrative, physical, and technical safeguards designed to prevent any unauthorized use, access, processing, destruction, loss, alteration, or disclosure of Student Data. These safeguards include, at a minimum:

  • Encryption of Student Data at rest (AES-256) and in transit (TLS 1.2 or higher);
  • Role-based access controls limiting access to Student Data to only those employees with a need-to-know based on their specific job function or role;
  • Multi-factor authentication for internal systems that access or store Student Data;
  • Documented information security policies and procedures;
  • Regular security risk assessments and vulnerability testing;
  • Employee training on data privacy and security practices; and
  • Contractual data protection obligations on all sub-processors that handle Student Data.

12. Security Incident Notification

In the event of an unauthorized release, disclosure, or acquisition of Student Data that compromises the security, confidentiality, or integrity of the Student Data maintained by GradingPal (“Security Incident”), GradingPal will notify Educational Institution without undue delay and in compliance with applicable law, including NY Ed Law 2-d where applicable.

Such notification will include, to the extent known at the time of notification:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records involved;
  • The Student Data affected by the Security Incident;
  • The likely consequences of the Security Incident;
  • A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects; and
  • Contact information for the GradingPal representative from whom Educational Institution may obtain further information.

GradingPal's notification of or response to a Security Incident under this clause shall not be construed as an acknowledgement by GradingPal of any fault or liability with respect to the Security Incident.

13. Data Return and Destruction

Within thirty (30) days of the termination or expiration of the Agreement, or earlier upon Educational Institution's reasonable written request, GradingPal will, at the election of Educational Institution:

  1. return to Educational Institution all Student Data in GradingPal's possession in a commonly used, machine-readable format; or
  2. securely destroy all copies of Student Data in GradingPal's possession and provide Educational Institution with written certification of such destruction.

Notwithstanding the foregoing, GradingPal may retain Student Data: (i) to the extent required by applicable law; (ii) in the form of De-Identified Data as permitted by clause 6; or (iii) as otherwise expressly authorized by Educational Institution in writing. Any Student Data retained after the termination of the Agreement will continue to be subject to the confidentiality and security obligations of this DPA.

GradingPal is developing the ability for school plan customers to configure automated Student Data deletion schedules directly within the product, enabling Educational Institutions to set deletion cycles aligned to their assessment calendar. This feature will be made available to institutional customers on school plans and will be subject to the terms of this DPA when released.

14. Sub-Processor Obligations

GradingPal will use commercially reasonable efforts to ensure that any sub-processor that has access to Student Data maintains appropriate data protection standards consistent with applicable law and the nature of the Student Data processed. GradingPal will remain fully liable to Educational Institution for the acts and omissions of its sub-processors with respect to their handling of Student Data.

GradingPal will maintain a current list of sub-processors that have access to Student Data and will make this list available to Educational Institution upon request. GradingPal will provide Educational Institution with at least fourteen (14) days' advance written notice before adding or replacing any sub-processor that will process Student Data, to allow Educational Institution an opportunity to object.

15. Term and Survival

This DPA is effective as of the date the Educational Institution first uses the Services or enters into the Agreement, whichever is earlier, and will continue in full force and effect for as long as GradingPal processes Student Data on behalf of Educational Institution. The obligations of this DPA that by their nature should survive termination, including but not limited to obligations relating to confidentiality, data security, data destruction, and De-Identified Data, will survive termination or expiration of the Agreement.

16. Amendments

GradingPal may update this DPA from time to time to reflect changes in applicable law or our data practices. GradingPal will provide Educational Institution with at least thirty (30) days' prior written notice before any material changes to this DPA take effect. Educational Institution's continued use of the Services following such notice constitutes acceptance of the updated DPA.

Where required by applicable law, GradingPal will provide Educational Institution with an opportunity to opt out of material changes before the Student Data is used in a materially different manner than was disclosed when the information was collected.

Exhibit A: New York Education Law 2-d Vendor Certification

Pursuant to New York Education Law 2-d and its implementing regulations (8 NYCRR Part 121), Cues Technologies Inc. (GradingPal) hereby certifies the following:

  • GradingPal will not sell Student Data;
  • GradingPal will not use or disclose Student Data for marketing or advertising purposes;
  • GradingPal will not use Student Data for any purpose not explicitly authorized in the Agreement or this DPA;
  • GradingPal will implement and maintain a data security program that is consistent with the NIST Cybersecurity Framework or equivalent industry-recognized security standards;
  • GradingPal will comply with the data breach notification requirements of NY Ed Law 2-d and will notify the Educational Institution of any breach or unauthorized release of Student Data without unreasonable delay;
  • GradingPal will ensure that all subcontractors and sub-processors that have access to Student Data are bound by data protection obligations consistent with this DPA and NY Ed Law 2-d; and
  • GradingPal will cooperate with the Educational Institution to provide parents and eligible students with access to their Student Data and the ability to request correction or deletion of such data.

Note: Some New York school districts may require a separate executed NY Ed Law 2-d addendum using their own template. GradingPal is prepared to execute such district-specific forms. Contact hello@gradingpal.com for assistance.

Executing This Addendum

Educational Institutions wishing to execute a signed copy of this Student Data Privacy Addendum should contact hello@gradingpal.com. By using GradingPal's Services for educational purposes, Educational Institutions agree to the terms and conditions of this DPA.

Applicable Laws: FERPA | COPPA | SOPIPA | NY Education Law 2-d  |  Effective Date: April 28, 2026
Cues Technologies Inc. (GradingPal)  |  hello@gradingpal.com