Last updated: 2/20/2026
This Data Policy outlines how GradeVideo collects, processes, stores, and protects data within our educational video platform. We are committed to maintaining the highest standards of data security and privacy, particularly for educational records protected under FERPA.
Includes: student submissions, grades, feedback, assessments, attendance data, and any information directly related to a student's educational experience. This data has the highest protection level and is only accessible to authorized educational personnel.
Includes: names, email addresses, roles, school affiliations, and account credentials. Protected under standard privacy regulations and used for account management and service provision.
Includes: video files, transcripts, comments, annotations, and assignment descriptions. Processed for service functionality with appropriate security controls.
Includes: access logs, performance metrics, feature usage statistics, and system monitoring data. Typically anonymized and used for service improvement.
Data provided directly by users when creating accounts, submitting assignments, providing feedback, or using platform features.
Usage data collected automatically through platform interactions, including video playback metrics, engagement tracking, and system performance data.
Class rosters, course information, and organizational structure provided by educational institutions through secure integration methods.
All data processing follows the principles of: purpose limitation (data used only for specified educational purposes), data minimization (collecting only necessary data), and accuracy (maintaining correct and up-to-date information).
Data is stored in secure, redundant systems with: encryption at rest, regular backups, geographic distribution for reliability, and access logging for audit trails.
Data follows a defined lifecycle from creation through archival to deletion, with retention periods based on: legal requirements, educational needs, and user preferences.
- Encryption (AES-256) for data at rest and TLS 1.3 for data in transit - Secure authentication with multi-factor authentication options - Regular security testing and vulnerability assessments - Network segmentation and firewalls - Intrusion detection and prevention systems
- Role-based access control with principle of least privilege - Regular security training for all personnel - Background checks for employees with data access - Incident response procedures and regular drills - Data access logging and regular audits
- Secure data centers with 24/7 monitoring - Environmental controls and backup power systems - Physical access restrictions and visitor management - Equipment disposal procedures
Data is shared within the platform based on educational roles and permissions: teachers access their students' data, students access their own work, administrators access data within their jurisdiction.
Data may be transferred to: subprocessors for service provision (see subprocessor list), educational authorities for compliance, legal authorities when required by law, and users requesting their own data.
International data transfers occur only with appropriate safeguards including standard contractual clauses and compliance with applicable data protection regulations.
- Educational records: Retained according to institutional requirements and legal mandates (typically 3-7 years after student departure) - Personal information: Retained while the account is active plus legal retention periods - Content data: Retained according to user preferences and institutional policies - Analytics data: Anonymized after 90 days, retained in aggregate form for 2 years
We implement clear retention schedules, automated deletion processes, and archival procedures for long-term storage requirements. Users can request early deletion subject to legal and educational requirements.
Users can access their personal data through account settings and request additional information about data processing activities.
Users can correct inaccurate personal information. Educational record corrections follow institutional procedures and FERPA guidelines.
Users can request deletion of their account and personal data, subject to legal retention requirements and educational record-keeping obligations.
Users can request their data in a structured, machine-readable format for transfer to other services.
In the event of a data breach, we follow established notification procedures: immediate investigation and containment, assessment of breach impact, notification of affected users and authorities within legally required timeframes, and provision of remediation assistance.
We maintain compliance with: FERPA (Family Educational Rights and Privacy Act), COPPA (Children's Online Privacy Protection Act), state privacy laws, and international data protection regulations.
Annual security audits, quarterly compliance reviews, regular penetration testing, and independent assessments of our data handling practices.
All educational institutions using GradeVideo receive comprehensive data processing agreements that outline: data protection responsibilities, security measures, breach notification procedures, and compliance commitments.
For data protection inquiries, requests, or concerns: