Privacy Notice

This Privacy Notice applies to the products and services of Cues Technologies Inc. ("GradingPal," "we," "our," or "us") that link to this page, including GradingPal's web application and any related tools and integrations (collectively, our "Service").

Through our Service, we provide AI-powered grading tools that assist with rubric-aligned scoring, feedback generation across multiple assignment types including written work, handwritten submissions, essays, exams, worksheets, quizzes, problem sets, presentations, audio, video, art and design, and other instructional content, as well as performance analytics and other instructional productivity tasks. This Privacy Notice describes how we: (1) collect, use and disclose your personal data as a controller when you use our Service or otherwise engage with us; and (2) how we process personal data in our role as a processor when our Service is used by providers of educational services, such as schools and school districts (collectively, "Schools"), as well as teachers and authorized school users and administrators (collectively, "Educators").

When the Service is used as part of a School's educational curriculum, the personal data related to students ("Students") that is (i) provided to GradingPal by a School, or (ii) collected by GradingPal during the provision of the Service to a School, may include information defined as "educational records" by the Family Educational Rights and Privacy Act ("FERPA"), "covered information" under California's Student Online Personal Information Protection Act ("SOPIPA"), "personal information" under Canadian provincial and territorial privacy legislation, "personal information" under the Australian Privacy Act 1988 (Cth), or other information protected by similar data privacy laws. We call this information "Student Data." The School is the controller of Student Data, and we handle Student Data in our role as a processor on behalf of the School. If you are a Parent or Student and have questions about specific practices relating to Student Data provided to GradingPal by a School, please direct your questions to your School.

For Australian users, please refer to Section 11 of this Privacy Notice for additional information about our overseas disclosure requirements and complaints handling process.

1. What Is Personal Data?

When we use the term "personal data" in this Privacy Notice, we mean any data or information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular natural person or household.

2. Our Collection of Personal Data as a Controller

Information You Provide — Teachers

• Identity and account data: Full name, username, profile photo, email address, and authentication tokens (SSO via Google, Microsoft, or other providers).
• Professional and employment data: School or institution name and address, role and job title, subjects taught, grade levels, class rosters, and employee or staff ID where integrated with a school information system (SIS).
• Billing and payment data: Billing name and address, subscription and invoice history. Payment method tokens are handled directly by Stripe and are not stored by GradingPal.
• User-generated content: Assignments, rubrics, lesson materials, grading criteria, comments and feedback authored by teachers, and communications sent through the Service including custom invitation messages to students.

Personal Data Automatically Collected

We and our third-party providers may use cookies and related technologies (such as web beacons, pixels, embedded scripts, and logging technologies) to automatically collect certain data regarding how you interact with our Service, including log files and analytics data. This may include:

• Technical and device data — IP address, device type, operating system, browser type and version, session identifiers, log data, and timestamps;
• Usage and analytics data — features used, clicks, time spent, grading patterns, error reports, and diagnostic data; and
• Location data derived from your IP address.

Personal Data from Third Parties

We also obtain personal data from third parties, which we may combine with data we collect directly. Sources include:

• Third-Party Platforms: Some parts of our Service allow you to log in or link your account with a third-party platform, such as Google. If you register through or link your GradingPal account with Google (e.g., Google Classroom, Google Docs, Google Drive), we may collect personal data associated with your Google account, including your name, email address, courses, student rosters, course materials, document content, and Student submissions. Our Service's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
• Referral Information: We may receive your contact information from people who think you may be interested in our Service, for example through a referral program.
• Other Sources: We may collect personal data from publicly available sources, third-party data providers, or through transactions such as mergers and acquisitions.

3. Our Use of Personal Data

We use personal data to:

• Verify your identity and check whether you are permitted to access certain features of our Service;
• Provide our Service, including AI-powered grading, rubric alignment, feedback generation across multiple assignment types, and performance analytics;
• Personalize our Service, including by recognizing you and remembering your information when you return;
• Conduct research and analytics on our user base and our Service;
• Send communications, including via email and notifications;
• Improve and customize our Service to address the needs and interests of our user base;
• Test, enhance, update and monitor the Service, and diagnose or fix technology problems;
• Help maintain the safety, security and integrity of our Service, technology assets and business;
• Enforce our contractual rights, resolve disputes, carry out our obligations, and protect our business interests and the interests and rights of third parties;
• Prevent, investigate or provide notice of fraud or unlawful or criminal activity;
• Comply with contractual and legal obligations and requirements; and
• Fulfill any other purpose for which you provide personal data, or any other lawful purpose that you consent to.

4. Our Disclosure of Personal Data

We may share, transmit, disclose, grant access to, make available, and provide personal data with and to third parties, as follows. For more information on how we share Student Data, please see Section 5 below.

• AI Service Providers: We share personal data with service providers who enable us to provide AI-powered services, including providers of the large language models and machine learning infrastructure used to power our grading and feedback features. Our current AI service providers include Anthropic PBC, OpenAI OpCo LLC, Google LLC (Gemini), Microsoft Corporation (Azure AI Foundry), and Mistral AI SAS. These providers are contractually prohibited from using your data to train their own AI models. GradingPal itself does not use Student Data or other personally identifiable information to train AI models. Where we use data to evaluate or improve our Service, we do so only with fully de-identified data that no longer constitutes personal data.
• Infrastructure and Hosting Providers: We share personal data with our infrastructure and hosting providers, including Amazon Web Services Inc. (AWS S3), Supabase Inc., Vercel Inc., Render Services Inc. (Render.com), Google Cloud Platform, and Upstash Inc. These providers host and process data as necessary to operate and deliver the Service.
• Other Service Providers: We share personal data with service providers who assist with data analysis, fraud prevention, analytics, IT services, customer support, payment processing, and web hosting. Our current list of service providers is available at www.gradingpal.com/sub-processors. We impose contractual limits on how all service providers may use the personal data they receive.
• Your School: If you interact with our Service through your School, we may disclose your information to your School and to authorized administrators.
• Payment Processors: We use Stripe, Inc. to process payments. Stripe may collect and process payment information subject to its own privacy policy and terms of service.
• Email Providers: We use Resend Inc. and Loops Inc. to deliver transactional and lifecycle emails to teachers. These providers receive teacher name and email address only and do not receive Student Data.
• Analytics and Monitoring Providers: We use Mixpanel Inc. for internal product analytics to understand how the Service is used. Mixpanel receives teacher interaction data and student-related usage data including student identifiers and submission metadata. This data is used solely for internal product improvement and is not used for advertising, profiling, or any purpose unrelated to improving the Service. We use Sentry (Functional Software Inc.) for error tracking and Axiom Inc. for application log management and observability. These providers help us identify issues and understand how the Service is used.
• Collaboration and Real-time Providers: We use Ably Realtime Ltd. for WebSocket infrastructure and Velt Inc. for collaborative annotation features on student submissions. Ably processes session and connection data only. Velt renders annotation interfaces on student submission content for teacher feedback purposes.
• Internal Operations Providers: We use Notion Labs Inc., Slack Technologies LLC, and Linear Orbit Inc. for internal project management, communications, and operations. Personal data may occasionally be referenced in these tools in the course of investigating technical issues, debugging, or internal communications. Access to personal data in these tools is limited to authorised GradingPal personnel on a need-to-know basis.
• Customer Support Providers: We use Chatwoot Inc. to provide in-app customer support to teachers. Chatwoot receives teacher contact information and support correspondence only and does not receive Student Data.
• Business Transaction or Reorganization: We may disclose personal data to a third party during negotiation of, in connection with, or as an asset in a corporate business transaction, such as a merger, acquisition, joint venture, or financing or sale of company assets. Personal data may also be disclosed in the event of insolvency, bankruptcy, or receivership. We will impose contractual limits on how applicable third parties may use personal data they receive in such a transaction.
• Legal Obligations and Rights: We may disclose personal data to third parties, such as legal advisors and law enforcement: (i) in connection with the establishment, exercise, or defense of legal claims; (ii) to comply with laws or to respond to lawful requests and legal process; (iii) to protect the rights and property of GradingPal, our agents, users, and others; (iv) to detect, suppress, or prevent fraud; (v) to protect the health and safety of us, our users, or any person; or (vi) as otherwise required by applicable law.
• With Your Consent or At Your Direction: We may share information about you with third parties whenever you consent to or direct such sharing.

5. Student Data

To help Schools address their obligations to protect student data privacy, we have implemented additional controls and procedures for Schools that use the Service as part of their educational curriculum. When the Service is used in this way, personal data related to Students that is (i) provided to GradingPal by a School, or (ii) collected by GradingPal during the provision of the Service to a School, may include information defined as "educational records" by FERPA, "covered information" under SOPIPA, "personal information" under Canadian provincial and territorial privacy legislation, or other information protected by similar data privacy laws. We call this information "Student Data."

What Student Data We Collect

We collect the following categories of Student Data to provide the Service:

• Identity data — full name, username, profile photo, and student ID number where integrated with a school information system (SIS).
• Account and authentication data — email address (which may be school-issued) and SSO authentication tokens.
• Academic information — class enrolments, course and section assignments, grade level, school subject(s), and course name(s), provided by the teacher or imported from Google Classroom or a school information system.
• Submitted assignments and coursework — written work, handwritten submissions, essays, exams, worksheets, quizzes, problem sets, presentations, audio, video, art and design, PDFs, images, and other instructional content submitted directly, uploaded by a teacher, or read from Google Classroom.
• Grades, scores, and AI-generated feedback — AI-generated rubric-aligned scores and written feedback, teacher-reviewed scores, and existing grades read from or written back to Google Classroom on the teacher's instruction.
• Communications data — messages, notifications, and other communications sent between teachers and students through the Service.
• Performance analytics — aggregate and individual performance data derived from grades and submissions, used to provide teacher-facing reporting.
• Technical and device data — IP address, device type, operating system, browser type, session identifiers, log data, and timestamps collected automatically when a student accesses the Service.
• Usage and analytics data — interaction patterns, time-on-task, submission timestamps, and feature usage data.

Google Classroom Integration

GradingPal integrates with Google Classroom. When a teacher connects their Google Classroom account, GradingPal may read class rosters, course details, and student submissions from Google Classroom, and may write AI-generated scores and feedback back to Google Classroom on the teacher's instruction. GradingPal's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Our Commitments Regarding Student Data

• As between us and the School, Student Data is owned and controlled by the School. Our collection and use of Student Data is in our role as a processor and is governed by our agreements with Schools and by applicable privacy laws.
• We collect, maintain, use and share Student Data only for an authorized educational purpose and as described in our agreement with the School, or as directed by the School or by the Student's parent or legal guardian.
• We do not use or disclose Student Data for targeted advertising purposes.
• We do not build a personal profile of a Student other than in furtherance of an educational purpose.
• We maintain a comprehensive data security program designed to protect the types of Student Data maintained by the Service.
• We will never sell Student Data unless the sale is part of a corporate transaction such as a merger, acquisition, or bankruptcy, in which case we will require the new owner to continue to honor the terms of this Privacy Notice or provide the School with notice and an opportunity to opt out of the transfer by deleting the Student Data before the transfer occurs.
• We will not make any material changes to our Privacy Notice or agreements that relate to the collection or use of Student Data without first giving notice to the School and providing a choice before Student Data is used in a materially different manner than was disclosed when the information was collected.

New York Education Law 2-d

For Schools and students in New York State, we comply with New York Education Law 2-d and its implementing regulations. In connection with our NY school contracts, we agree to:

• Limit our use of Student Data to the purposes set forth in our agreement with the School;
• Not sell Student Data;
• Not disclose Student Data to any third party without prior written consent of the parent or eligible student, except as permitted under FERPA, Education Law 2-d, and our agreement with the School;
• Maintain data security practices consistent with industry standards and applicable law;
• Notify the School in the event of a data breach or unauthorized release of Student Data in accordance with NY Education Law 2-d; and
• Upon expiration or termination of our agreement, return or destroy Student Data as directed by the School.

How We Share and Disclose Student Data

We disclose Student Data solely as needed to provide the Service on behalf of specific Schools in accordance with our agreements with those Schools or with the consent of the School or Parent. Student Data may be accessible by users who are authorized to use the Service on behalf of the School, such as school or district administrators.

We also disclose Student Data to trusted service providers who have a legitimate need to access such information on our behalf, subject to appropriate contractual terms. These providers are contractually prohibited from using Student Data for any purpose other than providing services to us. Our AI service providers (Anthropic PBC, OpenAI OpCo LLC, Google LLC, Microsoft Corporation via Azure AI Foundry, and Mistral AI SAS) are specifically prohibited from using Student Data to train their AI models.

How We Use De-Identified Data

Where permitted by law and in accordance with our agreements with Schools, we may generate, use, and disclose de-identified information for adaptive learning purposes, research, analytics, and development and improvement of our Service. "De-identified information" means data from which all personally identifiable information has been removed or obscured so that the remaining information does not reasonably identify an individual. We agree not to attempt to re-identify de-identified data.

How We Retain Student Data

We will not knowingly retain Student Data beyond the time period required to support an educational purpose, unless authorized by the School. Schools are responsible for maintaining current class rosters and for managing Student Data they no longer need by submitting a deletion request to hello@gradingpal.com. GradingPal is also developing the ability for school plan customers to configure automated data deletion schedules directly within the product — allowing schools to set deletion cycles aligned to their assessment calendar without manual intervention. This feature will be available to institutional customers on school plans.

If you are using the Service on behalf of a School and wish to access, delete, or close your account, please contact us at hello@gradingpal.com. If you are a Parent or Student, please direct your request to your School.

6. Children's Privacy — Student-Facing Features

GradingPal's student-facing features are designed to assist learners in reviewing AI-generated feedback on their submitted work. GradingPal does not permit children under the age of 13 to create accounts or access the Service directly outside of a school context. All access to the Service by children under 13 must be school-mediated — meaning access is granted through a school account by an authorized Teacher or Educational Institution. GradingPal will not collect personal data from children under 13 except through school-mediated access as described below. If an individual attempts to create an account and indicates they are under 13, they will be directed to access the Service through their school.

When GradingPal provides the Service on behalf of a School, the School provides consent for GradingPal to collect information from Students under the age of 13 through the Service, as permitted by the Children's Online Privacy Protection Act ("COPPA") and other applicable data privacy laws. In this case:

• We collect and process personal data from Students under 13 solely at the direction of and under the control of a School, and do not require Students to disclose more information than is reasonably necessary to use the Service.
• At all times, Schools have the right to request to review or delete personal data from Students under 13, or to decline to permit further collection or use of such data, by contacting hello@gradingpal.com.
• Schools are responsible for providing appropriate notice to Parents of the School's use of third-party service providers such as GradingPal. We recommend that School customers provide a link to this Privacy Notice to all Parents.

Data Collected from a Child

When a child under 13 uses the Service, we collect the following information:

• Information provided through use of the Service, including any files, documents, images of handwritten work, or other information the child chooses to provide;
• Student-related information, such as topics of study, assignments, submitted work, and grades;
• Usage information, such as date and time of visit, time spent on our Service, and activities completed; and
• Device data and log files, including IP address, operating system, device type, and browser type.

We do not require the child to provide any more information than is reasonably necessary to use the Service.

How a Parent Can Access or Delete a Child's Data

A parent or guardian has the right to access the personal data we have collected from their child, withdraw consent for further collection, and request deletion. If you are a Parent of a child under 13 using the Service outside of school, please contact us at hello@gradingpal.com. If you are a Parent of a Student under 13 using the Service through a School, please contact your child's School. We will respond to the School's instructions with respect to your child's personal data.

7. Your Privacy Choices

You may control your information in the following ways:

• Profile and Account Settings: You may update your account information and change some of your account controls by visiting your account settings page or emailing us at hello@gradingpal.com.
• Disconnecting Third-Party Platforms: You may disconnect your GradingPal account from third-party platforms such as Google Classroom at any time by visiting your account settings page.
• Marketing Communications: You can stop receiving promotional email communications from us by clicking on the "unsubscribe" link in such communications. You may not opt out of service-related communications (e.g., account verification, transactional communications, changes to features of the Service, technical and security notices).
• California Privacy Rights (CCPA/CPRA): If you are a California resident, you have the right to: (i) know what personal data we collect about you; (ii) request deletion of your personal data; (iii) opt out of the sale or sharing of your personal data (we do not sell or share personal data for advertising purposes); (iv) correct inaccurate personal data; and (v) limit the use and disclosure of sensitive personal information. To exercise these rights, please contact us at hello@gradingpal.com. We will not discriminate against you for exercising your privacy rights.
• Do Not Sell or Share My Personal Information: We do not sell or share personal data for cross-context behavioral advertising. If you wish to submit a formal opt-out request, you may contact us at hello@gradingpal.com.
• Accessing, Reviewing, Modifying or Deleting Your Information: If you want to access, review, modify or delete your information, please contact us at hello@gradingpal.com. We will respond in compliance with applicable data protection laws.

8. Security

GradingPal has a multi-tiered approach to protecting personal data that includes technical and organizational safeguards. Our security controls include, for example:

• Encryption of data at rest (AES-256) and in transit (TLS 1.2 or higher);
• Role-based access controls, limiting access to personal data to personnel with a need-to-know;
• Multi-factor authentication for internal systems;
• Firewalls, intrusion detection systems, and anti-malware protections;
• Regular security audits and vulnerability assessments;
• A documented data breach response plan; and
• Staff training on data privacy and security practices.

For Schools that provide us with a designated point of contact for security breaches, GradingPal maintains a Student Data breach response protocol. In the event of unauthorized access to, disclosure or acquisition of Student Data, designated points of contact at Schools will be notified by email or other direct communication channels in accordance with the protocol and applicable law, including NY Education Law 2-d where applicable.

By default, we process and store personal data in the United States and other jurisdictions where our service providers are located. Please be aware that your personal information could therefore be accessed by law enforcement agencies, courts and other governmental authorities in those jurisdictions.

For individual Teacher accounts, GradingPal retains personal data for as long as the account remains active. Upon account closure, personal data will be deleted within 30 days of a written deletion request submitted to hello@gradingpal.com. For school and institutional accounts, data retention is governed by the terms of the applicable agreement and applicable law. Student Data is retained only for as long as necessary to provide the contracted Service and is deleted in accordance with the terms of the school's agreement with GradingPal.

9. Contact Us

If you have any questions or requests in connection with this Privacy Notice or other privacy-related matters, please contact us at:

10. Updates to This Privacy Notice

We will update this Privacy Notice from time to time. When we make changes, we will update the "Effective Date" at the beginning of this Privacy Notice. If we make material changes, we will provide reasonable notice to you, such as by email to your registered email address, by prominent posting on this website or our online services, or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided.

We will not make any material changes to this Privacy Notice that relate to the collection or use of Student Data without first giving notice to the School and providing a choice before Student Data is used in a materially different manner than was disclosed when the information was collected.

11. For Australian Users Only

In some cases, we may need to disclose your personal information to our related entities, contractors and service providers that are located outside of Australia. Where this occurs, we take reasonable steps to ensure that all personal information is handled in a manner consistent with the Australian Privacy Principles. These overseas recipients are likely to be located in the United States.

If you have a complaint or believe we are in breach of the Australian Privacy Principles, or a relevant registered code under the Privacy Act 1988 (Cth), you can use the contact details in Section 9 above to notify us of any privacy complaints you have against us.

We will acknowledge your complaint in writing and will provide an estimated timeframe for our response (no more than 30 days). While it is our hope to resolve any complaints you may have, you can also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.