Privacy Policy
How we collect, use, and protect your data — including student education records under FERPA.
Effective Date: February 19, 2026 | Last Updated: February 19, 2026
1. Overview
GradingPen ("we," "us," or "our") operates an AI-powered grading platform at gradingpen.com designed exclusively for educators. This Privacy Policy explains how we collect, use, store, and protect personal information — including student education records — when you use our services.
We are committed to compliance with the Family Educational Rights and Privacy Act (FERPA), and we treat all student data as protected education records.
2. Data We Collect
Teacher Account Data
| Data Type | Purpose |
|---|
| Full name | Account identification |
| Email address | Authentication, communication |
| School name | Institutional affiliation |
| Password (hashed) | Account security |
| Payment information | Processed by Stripe; we do not store card details |
Student Education Records
| Data Type | Purpose |
|---|
| Student names or IDs | Assignment identification |
| Essay / assignment text | AI grading and feedback generation |
| AI-generated grades | Assessment results |
| AI-generated feedback | Personalized learning feedback |
Automatically Collected Data
We collect minimal technical data necessary for service operation: IP address (for security), browser type, and basic usage analytics. We do not use tracking cookies, advertising pixels, or third-party analytics services.
3. How We Use Your Data
- Provide AI grading services: Process essays through our AI engine to generate grades and feedback
- Account management: Authenticate users and manage subscriptions
- Service improvement: Analyze aggregate, anonymized usage patterns to improve the platform
- Communication: Send essential service notifications (not marketing, unless opted in)
- Security: Detect and prevent unauthorized access or abuse
We never sell, rent, or share your data with third parties for marketing or advertising purposes.
4. AI Data Handling
GradingPen uses the Anthropic Claude API to power AI grading. Here is how student data flows through our AI system:
- Essay text and rubric criteria are sent to Anthropic's API via encrypted HTTPS connection
- Anthropic processes the data and returns grades and feedback
- Per Anthropic's API Terms of Service, data submitted via their API is NOT used to train, improve, or develop their AI models
- Anthropic does not retain API inputs or outputs beyond the duration needed to provide the service
- We do not use any other AI provider for grading
5. Data Storage & Security
- Database: Supabase (hosted on Amazon Web Services, US-based servers)
- Encryption at rest: AES-256 encryption via AWS/Supabase
- Encryption in transit: TLS 1.2+ for all data transfers
- Password security: bcrypt hashing with salt
- Access controls: Teachers can only access their own students' data
- Backups: Regular automated backups with encryption
For detailed security practices, see our Security page.
6. Third-Party Processors
| Processor | Purpose | Data Shared | AI Training |
|---|
| Anthropic | AI grading engine (Claude API) | Essay text, rubric criteria | ❌ Not used for training |
| Supabase | Database hosting | All application data | N/A |
| Stripe | Payment processing | Payment info (name, email, card) | N/A |
| AWS | Infrastructure (via Supabase) | All application data (encrypted) | N/A |
We maintain a Data Processing Agreement (DPA) with all sub-processors. Our DPA is available at /dpa.html.
7. Data Retention
- Student work: Stored until the teacher deletes it, or until account deletion
- Teacher accounts: Retained while the account is active; deleted upon request
- Payment records: Retained as required by law (typically 7 years for financial records)
- Upon account deletion: All student data, assignments, rubrics, and analytics are permanently deleted within 30 days
8. Teacher Rights
As a teacher using GradingPen, you have the right to:
- Access: View all data associated with your account at any time
- Export: Download a complete export of all your data (assignments, rubrics, analytics) via Settings
- Delete student data: Delete all student assignments and data via Settings
- Delete account: Permanently delete your account and all associated data
- Correct: Update your profile information at any time
These actions are available in your Account Settings or by contacting support@gradingpen.com.
9. FERPA & Student/Parent Rights
GradingPen is committed to FERPA compliance. Under FERPA, we act as a "school official" with a legitimate educational interest in the student data processed through our platform.
Student & Parent Rights
- Right to inspect: Parents and eligible students have the right to inspect education records. Teachers can export student data upon request.
- Right to request amendment: Parents and eligible students can request correction of inaccurate records through their teacher.
- Right to consent to disclosure: We do not disclose student education records to third parties without consent, except as permitted under FERPA (e.g., to authorized school officials).
- Right to file a complaint: Complaints regarding FERPA compliance may be filed with the U.S. Department of Education.
Our FERPA Commitments
- Student data is used solely for providing grading services
- We do not use student data for advertising, marketing, or AI model training
- We do not sell student data to any third party
- We provide data deletion upon request from the school or authorized teacher
- We maintain appropriate security safeguards for all education records
10. Children's Privacy
GradingPen is designed for use by teachers and educators, not by students directly. We do not knowingly collect personal information directly from children under the age of 13.
Teachers submit student work on behalf of their students. Schools and teachers are responsible for obtaining any necessary parental consent under FERPA and COPPA before submitting student data to our platform.
11. Cookie Policy
GradingPen uses minimal cookies:
- Authentication token: A session cookie to keep you logged in (essential, required)
We do not use:
- Third-party tracking cookies
- Advertising cookies
- Analytics cookies from third parties (e.g., Google Analytics)
- Social media tracking pixels
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised.