Privacy Policy
Last updated: 2026-06-30
ClassPods provides classroom workflow tools for K-12 teachers and schools. This page describes our privacy posture for account data, classroom data, and school inquiry data. We operate to a GDPR-equivalent posture: lawful basis, minimal collection, documented subprocessors, regional data residency on request, and signed Data Processing Addenda for schools.
What we collect
- Teacher account data: email, name, locale preference, authentication tokens.
- Classroom content: quizzes, lesson packs, assignments, and other material a teacher creates or imports.
- Student responses: answers submitted during live games or assignments. By default, students join with a room code or share link โ no student email or account is required.
- Billing: processed by Stripe; we store invoice metadata and plan state, not card numbers.
- School inquiries: the information you provide in the school lead form.
- Operational logs: minimal request and error logs needed for security and reliability.
Legal basis (GDPR-equivalent)
We process personal data on the basis of (i) contract โ providing the ClassPods service to teachers and schools; (ii) legitimate interests โ operating, securing, and improving the service; and (iii) consent, where required (analytics cookies, optional features).
Data hosting and residency
ClassPods runs on managed infrastructure (primarily Supabase and Vercel). Production data is hosted in a single region selected for low GCC latency. Schools that require a specific data-residency region (EU, Middle East, or other) can request it during procurement; we will document the chosen region in the signed DPA.
Subprocessors
- Supabase โ primary database, authentication, and storage.
- Vercel โ application hosting and edge delivery.
- Stripe โ payment processing and subscription management.
- Resend โ transactional and lifecycle email delivery.
- OpenAI and OpenRouter โ generative model providers used for lesson-pack, quiz, and worksheet drafting and for grading free-response answers. Teacher and student prompts are sent to the provider; we do not opt our usage into provider model training.
- Google Analytics 4 โ anonymized product analytics; loaded only after cookie consent.
- Meta Pixel โ measurement of marketing and school-interest campaigns on our public site; loaded only after cookie consent and never used on student gameplay screens.
Students and parents
The default flow is room-code-only: students join a live game or assignment without an account and we never request a parent email. Student accounts are optional and only required for features like cross-class progress tracking. We do not market to parents and do not sell or rent any data.
Community library
Content created on the Free plan may be published to the ClassPods community library with attribution, as described during signup and in-product. Paid plans default new content to private.
Retention
We retain account and classroom data for the active life of an account. Teachers can request export and deletion at any time; schools can request bulk deletion at contract end. Email suppressions (bounces, complaints) and billing records are retained for the legally required period.
Your rights
You may request access, correction, export, or deletion of your personal data at any time. School controllers may exercise these rights on behalf of their teachers and students under the signed DPA. Send requests to hello@classpods.org.
Security
Core measures include managed authentication, role-based access controls, encrypted transport (TLS), encryption at rest via Supabase, environment-based credential handling, and minimum-necessary access for the ClassPods team.
Cookies and consent
Essential cookies needed to sign in and operate the Service are always set. Non-essential analytics and marketing tags โ Google Analytics 4 and the Meta Pixel โ load only after you accept analytics cookies in our consent banner. You can decline at any time, and your choice is stored for up to one year and can be changed later. Students joining a live game or assignment with a room code are not subject to these marketing tags.
International data transfers
Some of our subprocessors operate in other countries, so your data may be processed outside your own jurisdiction. Where this happens, we rely on appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) and, for schools, document the chosen data-residency region in the signed Data Processing Addendum.
Schools and the DPA
For school customers, the school is the data controller and ClassPods is the processor. Our processing commitments, subprocessor list, and data-residency options are set out in our Data Processing Addendum, which can be signed during procurement. Your use of the Service is also governed by our Terms of Service.
Changes
We may update this page as the product and compliance posture evolve. Material changes are reflected on this page and the "last updated" date is revised.