Privacy Policy

Last updated: July 2026

This Privacy Policy explains how Gradde AI (“Gradde”, “we”, “us”) collects, uses, and protects personal information when you use gradde.co and app.gradde.co. For schools and districts, a Data Processing Addendum (DPA) covering FERPA, COPPA, GDPR/UK GDPR, and US state student-data laws is available on request at hello@gradde.co.

Who we are

Gradde AI provides an AI-assisted gradebook for educators and schools. For educator and school-administrator account data, Gradde is the data controller. For student records entered into Gradde, the school or educator is the data controller and Gradde acts as a data processor on their instructions. Privacy contact: hello@gradde.co

What we collect

We collect only the information needed to run the service: • Account information — name, email address, password (stored hashed), school name, role, and billing plan. • Gradebook content you enter — student names, guardian contact details (email and/or phone), scores, attendance, rubrics, comments, and report-card data. • AI-generated and teacher-edited feedback — drafts, approvals, and final comments you save or export. • Report delivery data — recipient email addresses and phone numbers when you share reports, plus delivery status. • Payment and subscription metadata — plan, seat count, billing status, and transaction references. Payment card details are collected and processed by our merchant-of-record (Freemius or, for legacy subscriptions, Paddle); Gradde does not store full card numbers. • Technical and usage data — IP address, browser/device type, authentication tokens, error logs, and optional anonymized page-performance metrics. We do not collect student data that you do not enter yourself, and we do not buy lists of student or teacher information from third parties.

How we use data

We use personal information to: • Provide, maintain, and improve the gradebook, AI feedback, and report-sharing features. • Authenticate users and enforce plan limits. • Process subscriptions and send transactional emails (account verification, password reset, report delivery). • Monitor reliability and security (error reporting, abuse prevention). • Respond to support requests and legal obligations. We do not sell personal information. We do not use your data for third-party advertising.

How AI feedback is generated

When you generate AI feedback, Gradde sends performance-related context to a large-language-model (LLM) sub-processor. This includes scores, percentages, assessment titles, subject names, rubric categories, class averages, score trends, and any optional instructions you provide. Student personal information — names, ages, demographic details, and other identifying fields — is never transmitted to the LLM. Names are replaced with a neutral placeholder token before the request is sent, then restored in the product after generation. This is a deliberate design choice: by withholding personal identifiers, we reduce the risk of demographic bias influencing generated comments, so feedback is grounded in the work itself rather than in who the student is. Teachers must review and approve AI-drafted feedback before sharing it with students or parents. Sub-processors are contractually prohibited from using your data to train their models.

Sub-processors

We use trusted service providers to operate Gradde. They process data only on our instructions and under appropriate contractual safeguards: • OpenAI — LLM inference for AI feedback generation • Supabase — managed PostgreSQL database • Railway — application hosting and Redis cache • Cloudflare — CDN, DNS, object storage (R2), and static site hosting • Resend — transactional email delivery • Freemius — subscription billing and merchant-of-record (current) • Meta (WhatsApp Cloud API) — optional report delivery to guardian phone numbers on eligible plans • Sentry — error monitoring (configured not to send personal identifiers by default) We will update this list when sub-processors change. Schools may request a current sub-processor list and DPA at hello@gradde.co.

Children's data (COPPA / FERPA / SOPIPA)

Gradde is sold to and configured by adult educators and schools. Schools using Gradde act as the data controller for student education records. Gradde is the data processor and will sign a school-official agreement or DPA on request. Schools and educators are responsible for obtaining any consents required under FERPA, COPPA, SOPIPA, or local equivalents before entering student data into Gradde.

Cookies and similar technologies

The Gradde app uses essential cookies and local storage to keep you signed in and remember session preferences. These are required for the service to function. This marketing site (gradde.co) does not use advertising or cross-site tracking cookies. If we add analytics cookies in the future, we will update this policy and, where required, obtain consent before enabling them.

Data retention and deletion

We retain account and gradebook data while your account is active and as needed to provide the service. You can request access to, correction of, or deletion of your account data at any time by emailing hello@gradde.co from the address on your account. After a verified deletion request, we delete or anonymize personal data within 30 days, except where retention is required by law or for legitimate billing, tax, or dispute-resolution purposes. Schools may request export or deletion of student data they control through the same contact.

Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. • EU/UK users — GDPR Articles 15–22 rights, including the right to lodge a complaint with your supervisory authority. • California users — CPRA rights including the right to know, delete, correct, and opt out of sale/sharing. Gradde does not sell or share personal information for cross-context behavioral advertising. We will respond to verified requests within the timeframes required by applicable law.

International transfers

Gradde is operated from the United States. If you access the service from outside the US, your information may be transferred to and processed in the US and other countries where our sub-processors operate. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses in our DPAs.

Security

Data is encrypted in transit (TLS 1.2+) and at rest by our infrastructure providers. Access to production systems is restricted to authorized personnel. We are working toward SOC 2 Type II and will publish progress when available. No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact hello@gradde.co immediately.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes that affect how we use personal information will be communicated by email or in-product notice where required by law.

Questions? Email .