ClassMate logo
ClassMate
Schools Privacy Subprocessors Back to app

Data Privacy Agreement Readiness

This page is a district-facing summary of how ClassMate approaches student-data use, subprocessors, security, breach response, and DPA review. It is intended to support school privacy review and contracting, not replace a signed agreement.

Last updated: April 15, 2026

DPA review supported

Districts can submit a TXSPA, NDPA, or district-specific DPA for legal and operational review.

Student-data limits

School-managed student data is intended to be used to provide the requested service, support operations, and protect the platform.

District-safe option

District deployments can disable community and chat-style social surfaces when a district requires a more restricted student experience.

Important legal note

This page is an organized vendor summary, not a substitute for district legal review. Final obligations are set by the signed DPA, applicable law, and district policy.

1. DPA request process

District reviewers can request DPA review by emailing hello@classmate.plus.

Include the district name, the requested agreement form, the district legal or privacy contact, the intended student age range or grade band, and whether school-managed Google accounts will be used.

2. Student-data use limits

No sale of personal data stated No third-party ad networks in current repo Use limited to service delivery and operations
  • Student data is intended to be used to deliver the requested academic product features and related support, security, and operations.
  • District-managed student use should be reviewed against district approval standards before rollout.
  • Optional connected-service data is processed only when the user or district-enabled workflow turns on that feature.
  • Requests for district-specific use restrictions should be documented in the executed DPA.

3. Sharing and subprocessors

Current third-party processors identifiable from the codebase are summarized at /subprocessors.html.

  • Primary infrastructure and application data services are provided through Supabase and Vercel.
  • Stripe is used for paid web billing flows.
  • Google, Canvas, and other connected services are optional and feature-dependent.
  • District legal review should evaluate the provider list together with the privacy policy and requested DPA terms.

4. Security and incident response

  • ClassMate uses technical and organizational controls intended to protect account and application data.
  • Operational access should be limited to service personnel or providers with a legitimate business need to support the service.
  • Districts may request written incident-response and breach-notification terms as part of DPA review.
  • Breach-notification timing and cooperation obligations should be documented in the signed DPA and applicable district contract materials.

5. Retention, deletion, and return of data

  • Data is intended to be retained only as reasonably necessary to provide the service, maintain security, comply with legal obligations, and support legitimate operational needs.
  • The product includes account deletion and user-managed controls for profile edits and integration disconnects.
  • District-specific deletion, return, or post-termination handling requirements should be set in the executed DPA.

6. District-safe deployment option

Some districts require a more restricted student deployment that does not expose public chat, community, or creator-style social areas. ClassMate supports a district-safe mode that disables those surfaces for a district deployment.

If a district wants students to sign in with school-managed Google accounts, that rollout should happen only after district approval, privacy review, and DPA review are complete.

8. District review contact

District privacy, legal, procurement, and DPA requests can be sent to hello@classmate.plus.