Privacy Policy

1. Scope and Applicability

CourseDeck provides a SaaS platform to educational institutions and organizations (“Customers”).

We do not provide consumer-facing services directly to individual students or parents.

Depending on the context, CourseDeck acts either as:

• a Data Processor (most commonly), or
• an independent Data Controller for limited business-related data.

2. Roles Under Data Protection Law

2.1 Student and Educational Data

For student data and other data uploaded by Customers, including data relating to minors:

• Customer (School / Institution) is the Data Controller.
• CourseDeck is the Data Processor, acting solely on the Customer’s documented instructions.

CourseDeck does not determine the purposes or means of processing such data.

2.2 Business and Website Data

For limited data such as:

• website visitors,
• trial sign-ups,
• billing contacts,
• marketing communications,

CourseDeck acts as an independent Data Controller.

3. Categories of Personal Data Processed

3.1 Identifiers

• Name
• Email address
• Username
• Organization or school name
• IP address

3.2 Professional and Educational Information

• Role or job title
• Class or course information
• Attendance records
• Educational performance data

3.3 Student and Minor Data (Customer Data)

• Student name and identifiers
• Class enrollment and schedules
• Attendance and progress records
• Parent or guardian contact details (if provided by Customer)

CourseDeck processes this data only on behalf of and under the instructions of the Customer.

3.4 Usage and Technical Data

• Device and browser information
• Log files and timestamps
• Authentication and session data

3.5 Website and Analytics Data

• Aggregated usage metrics
• Page views and interaction data

Collected via cookies and analytics tools as described in our Cookie Policy.

4. Data of Minors

CourseDeck is not a child-directed service.

• CourseDeck does not knowingly collect personal data directly from children.
• All student data is provided by educational institutions acting as Data Controllers.

The Customer is solely responsible for:

• determining the lawful basis for processing minors’ data,
• obtaining verifiable parental consent where required under COPPA, GDPR-K, or similar laws,
• responding to parental or student rights requests.

Parents and guardians should contact the relevant school directly regarding student data.

5. Legal Bases for Processing (GDPR / UK GDPR)

Where CourseDeck acts as a Data Processor, processing is based on the Customer’s lawful instructions.

Where CourseDeck acts as a Data Controller, processing is based on:

• Performance of a contract
• Legitimate interests (e.g., service security, analytics, improvement)
• Legal obligations
• Consent, where required by law

6. Sub-Processors

CourseDeck uses carefully selected and contractually bound sub-processors to deliver the Service.

Current Sub-Processors include:

All sub-processors are subject to data protection obligations consistent with this Privacy Policy and our DPA.

7. Data Location and International Transfers

• Primary data hosting and processing occur in the United States, unless otherwise agreed in writing.
• Personal data may be accessed globally by authorized personnel and sub-processors.

For international transfers:

• CourseDeck relies on EU Standard Contractual Clauses (SCCs), Module Two (Controller-to-Processor).
• For UK data, SCCs are supplemented by the UK International Data Transfer Addendum.
• Additional safeguards are implemented where required.

8. Data Retention

Personal data is retained:

• for the duration of the Customer’s contractual relationship,
• as required by applicable law, or
• in accordance with Customer instructions.

Upon termination, data handling is governed by the Terms of Service and DPA.

9. Data Subject Rights

Depending on jurisdiction, individuals may have rights to:

• access
• rectification
• erasure
• restriction
• objection
• data portability

Requests relating to student data must be submitted to the Customer (school) acting as Data Controller.

10. California Privacy Rights (CCPA / CPRA)

For purposes of the California Consumer Privacy Act (CCPA) and CPRA:

• CourseDeck does not “Sell” or “Share” personal information as those terms are defined under California law.
• CourseDeck processes personal information solely for legitimate business purposes.

California residents may request:

• access to personal information,
• correction of inaccurate information,
• deletion of personal information (subject to legal exceptions).

Requests may be submitted by contacting us at privacy@coursedeck.com.

11. Security Measures

CourseDeck implements appropriate administrative, technical, and organizational measures designed to protect personal data, including:

• Row Level Security (RLS) at the database level to enforce tenant isolation
• Encryption in transit using TLS 1.2 or higher
• Encryption at rest using AES-256
• Role-based access controls and least-privilege access
• Continuous monitoring and audit logging

No system is completely secure, but we take reasonable steps to protect personal data.

12. Updates to This Privacy Policy

We may update this Privacy Policy periodically. The “Effective Date” above reflects the most recent version.

13. Contact Us

For questions or privacy-related requests, please contact:

Email: privacy@coursedeck.com