Skip to main content
← Back to home

Data Processing Agreement

Last updated: March 20, 2026

This Data Processing Agreement (“DPA”) supplements the Classroom Loop Terms of Service and applies to the processing of personal data, including student education records, by Teacher Platform on behalf of schools and teachers (“Controller”).

1. Definitions

  • Controller: The school, school district, or individual teacher who determines the purposes and means of processing student personal data.
  • Processor: Classroom Loop, operated by Garesa Hughes, which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person, including student education records.
  • Student Data: Personal data relating to students, including names, behavior records, and classroom activity data.
  • Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.

2. Roles and Responsibilities

The Controller (school/teacher) retains control over all student data and is responsible for obtaining any necessary consents and authorizations before adding student data to the Platform. The Processor (Classroom Loop) processes data only on the documented instructions of the Controller and for no other purpose.

3. Purpose and Scope of Processing

The Processor processes student personal data for the following purposes only:

  • Providing classroom management features (student roster, behavior tracking, leaderboards).
  • Enabling teacher-to-parent communications scoped to each teacher’s class.
  • Delivering parent-facing views of behavior points and class story feed.
  • Maintaining audit logs of behavior point awards and deductions.

4. Types of Personal Data Processed

  • Student first name (required) and avatar emoji (required).
  • Behavior records: category, points value, timestamp, and optional teacher note.
  • Guardian account information: name, email, phone (if provided).
  • Teacher-to-guardian messages and class announcements that may reference individual students.

The Platform does not collect student email addresses, birth dates, government-issued identifiers, financial information, or health records.

5. Data Security Measures

The Processor implements the following technical and organizational measures to protect personal data:

  • All data encrypted in transit via TLS 1.2 or higher and at rest via AES-256 encryption provided by Supabase.
  • Row-Level Security (RLS) policies on all database tables ensure teachers can only access their own class data and parents can only access their linked child’s data.
  • Authentication provided by Supabase Auth with secure session management.
  • API routes validate user sessions and check role-based permissions before processing any request.
  • Service-role database keys are never exposed to client-side code.
  • Regular security reviews and dependency updates as part of ongoing maintenance.

6. Data Retention and Deletion

  • Student data is retained while the associated teacher account is active.
  • Student data is permanently deleted 12 months after the associated teacher account is permanently closed.
  • Controllers may request immediate deletion of specific student records by contacting privacy@teacherplatform.com. We will complete such requests within 30 days.
  • Backup copies of deleted records are purged within 90 days of deletion.

7. Data Breach Notification

In the event of a confirmed personal data breach that is likely to result in a risk to the rights and freedoms of individuals, the Processor will notify the Controller within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, the categories and approximate number of individuals and records affected, likely consequences, and measures taken or proposed to mitigate the breach.

8. Sub-Processors

The Processor uses the following sub-processors to deliver the Service. All sub-processors are bound by data protection obligations no less stringent than those in this DPA.

Sub-ProcessorPurposeData Processed
SupabaseDatabase and authAll personal data (stored encrypted at rest)
StripePayment processingTeacher billing info only; no student data
Cloudflare R2File storageUploaded images and resource files
AnthropicAI content generationTeacher prompts only; student PII must not be included

GoHighLevel is used for teacher-facing marketing communications only. Student data is never transmitted to GoHighLevel.

9. Controller Rights

The Controller may, at any time, request: (a) access to the personal data we hold; (b) correction of inaccurate data; (c) deletion of data; (d) a copy of data in a portable format; or (e) restriction of processing. Send requests to privacy@teacherplatform.com.

10. Contact

Classroom Loop — operated by Garesa Hughes
Data inquiries: privacy@teacherplatform.com