InkLoop is a K–12 diagnostic grading platform designed for teachers, schools, and parents. This policy explains what data we collect, how we use it, and the protections we put in place for student information.
1. What We Collect
- Account information — email address, full name, and role (teacher, parent, administrator) when you create an account.
- Student records — student name, grade level, and an optional date of birth used only for deduplication when the same student appears in multiple class rosters. Student records are created and managed by teachers or school administrators.
- Worksheet images — photos or scans of paper worksheets uploaded by teachers for grading. These images are processed by our AI grading system and then discarded; they are not stored long-term.
- Graded responses — per-question answers, scores, and standards codes derived from the grading process. These are stored in the student's skill record.
- Skill matrix data — mastery scores and gap flags by grade band and subject strand, updated each time a graded paper is committed.
- Usage data — which features are used and when, for product improvement purposes only. No behavioral advertising is done with this data.
2. What We Do Not Do
- We do not send student personally identifiable information (PII) to any AI model. When a worksheet is graded, only the anonymized question text and student answer content are included in the AI prompt. Student names, IDs, and demographic data are looked up after grading is complete and never leave InkLoop's own systems.
- We do not sell student data to any third party.
- We do not use student data for advertising or marketing.
- We do not share student records with other schools, districts, or organizations without explicit written authorization.
3. Who Can See Student Data
Access to student records is strictly controlled at the database level using row-level security (RLS):
- Teachers see only the students enrolled in their linked classrooms.
- Principals and administrators see only students within their school.
- Parents see only their own linked children; access is established via the school's parent-student link process.
- No cross-school or cross-district data access is possible. Credentials from one school cannot be used to view data from another.
4. FERPA Rights
InkLoop operates as a school official under FERPA (the Family Educational Rights and Privacy Act) when deployed in a school or district setting. Student education records stored in InkLoop belong to the student and their family.
- Parents and eligible students (18+) may request access to their records at any time by contacting us at privacy@inkloopapp.com.
- Parents may request correction of inaccurate records.
- Parents may request deletion of all records associated with their child. Deletion requests are fulfilled within 30 days.
- For B2C accounts (parents who signed up directly), you may delete your account and all associated data from the account settings page at any time.
5. Data Storage and Security
- Data is stored in Supabase (PostgreSQL), hosted on Amazon Web Services (AWS) in the US East region.
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Write operations to student records are performed exclusively via InkLoop's backend API using a service-level key. Browser clients never hold write credentials.
- Every grade commit and data write is recorded in an audit log with user ID and timestamp.
6. Third-Party Services
InkLoop uses the following third-party services to operate:
- Google Gemini API — AI grading and worksheet generation. Student PII is not sent to this service (see Section 2).
- Supabase — database, authentication, and file storage.
- Vercel — frontend hosting.
- Google Cloud Run — backend API hosting.
- Wix Payments — payment processing for B2C subscriptions. Payment data is handled entirely by Wix and is not stored by InkLoop.
7. Children Under 13 (COPPA)
InkLoop does not provide accounts directly to children under 13. Student records are created by teachers and school administrators on behalf of students — students do not create their own accounts. Parents who wish to access their child's records may create a parent account, which is linked to the student's record by the school. InkLoop does not knowingly collect personal information directly from children under 13.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page and notify school administrators by email. Continued use of InkLoop after a policy update constitutes acceptance of the updated terms.