Skip to main content

School Data Protection Addendum

Last updated: July 10, 2026

Template for review. This is a plain-language starting template that a school or district can review when evaluating CramClub. It is not a signed contract and is not legal advice. To put a binding data protection agreement in place, or to use your own district DPA (for example, a Student Data Privacy Consortium / SDPC agreement), contact us at support@cramclub.app. Where a signed agreement exists between CramClub and a school, that agreement controls over this page.

This Addendum describes how CramClub, Inc. (“CramClub”, “we”) handles student data when a school, district, or teacher (the “School”) uses the Service with students. It supplements our Privacy Policy and Terms of Service.

1. Roles & Data Ownership

The School controls student data. As between the parties, the School (or the student and their parent/guardian, as applicable) owns and controls all student data processed through the Service. CramClub acts as a service provider / processorthat processes student data solely on the School's behalf and under its documented instructions.

CramClub claims no ownership of student data or student-created content and does not use it for any purpose other than providing and supporting the Service to the School.

2. Permitted Use of Student Data

We use student data only to:

  • provide, maintain, and support the Service for the School and its students;
  • generate study content, practice questions, scores, and progress reporting for teachers and students;
  • secure the Service and prevent misuse; and
  • comply with law and the School's instructions.

We do not use student data to advertise to students, to build non-educational profiles, or for any commercial purpose unrelated to the Service.

3. FERPA

To the extent CramClub receives personally identifiable information from student education records, it does so as a “school official” with a legitimate educational interestunder the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g; 34 CFR Part 99), performing an institutional service the School would otherwise perform itself. CramClub is under the direct control of the School with respect to the use and maintenance of education records, uses those records only for authorized purposes, and does not re-disclose them except as directed by the School or as permitted by FERPA.

4. SOPIPA & Student Privacy Commitments

Consistent with California's Student Online Personal Information Protection Act (SOPIPA) and comparable state student-privacy laws, CramClub does not:

  • use student data to target advertising to students;
  • sell or rent student data;
  • build a profile of a student except in furtherance of authorized educational purposes; or
  • disclose student data except as permitted for educational, legal, safety, or School-authorized purposes, or to the sub-processors listed below.

Student data is not used to train third-party general-purpose AI models, and named, identifiable student data is not sent to third-party AI providers in a form that identifies an individual student.

5. Sub-processors

We use a limited set of vetted service providers to operate the Service. Each is bound by contract to protect data and to use it only to provide services to us:

Sub-processorPurpose
SupabaseDatabase hosting, authentication, file storage
StripePayment processing (for paid plans only)
AnthropicAI processing for study features (no model training on your data)
PostHogProduct analytics (consent-gated; not used for student ad targeting)
ResendTransactional email delivery (e.g., login links, service notices)

We will make commercially reasonable efforts to notify the School of material changes to this list before onboarding a new sub-processor that handles student data.

6. Security

We maintain reasonable administrative, technical, and physical safeguards, including:

  • encryption of data in transit (TLS) and encryption at rest via our hosting provider;
  • role-based access controls and database Row Level Security;
  • least-privilege access for staff and audit logging; and
  • regular review of our providers' security posture.

No system is perfectly secure, but we work to protect student data against unauthorized access.

7. Breach Notification

If we become aware of a confirmed security breach that compromises student data, we will notify the affected School without undue delayand, absent other legal requirements, within a commercially reasonable time after confirming the breach. Our notice will describe the nature of the incident, the data involved (to the extent known), the steps we are taking, and recommended actions. We will reasonably cooperate with the School to meet the School's own notification obligations under applicable law.

8. Data Return & Deletion on Termination

Upon the School's request, or upon termination of the School's use of the Service, we will return and/or delete student data within a commercially reasonable period (targeting 30 days), except where retention is required by law. Schools and students may also request access, correction, export, or deletion of student data at any time during the term.

Students and parents can delete an individual account and its associated personal data using the “Delete my account” option in account settings, subject to the School's administration of School-managed accounts.

9. Changes to This Addendum

We may update this Addendum. If we make material changes affecting student data, we will update the date above and, where a signed agreement exists, follow the change process in that agreement.

10. Contact

For DPA requests, security questions, or student-data inquiries, email support@cramclub.app.