Legal

Privacy Policy

Last updated: March 25, 2026

This Privacy Policy explains how Classroom ("we," "us," or "our") collects, uses, discloses, and otherwise processes information in connection with Classroom.so and our preschool and early learning management platform (the "Service").

Controller. For personal information we collect about visitors, account holders, and billing contacts in our own business capacity, we act as the data controller (or "business" under U.S. state laws).

Processor / service provider. For personal information that customer organizations (schools, centers, networks) submit about children, parents, staff, and other individuals to operate their programs, we generally process that information only on the organization's instructions to provide the Service. In that role we act as a processor (under GDPR) or service provider / contractor (under U.S. state laws). Contact the organization first if you have questions about student lists, classroom data, or how they use Classroom.

This policy should be read with our Cookie Policy and Terms of Service.

1. Information we collect

1.1 You provide to us

  • Account and profile: Name, email, password (hashed), phone (if provided), organization name, role, and preferences (e.g. language, theme).
  • Organization operations: Data your organization enters into the Service—such as branches, classes, attendance, daily reports, health or developmental notes, documents, billing records, messages, and similar content. This may include special categories of data where your organization chooses to record them.
  • Transactions: Billing address, plan details, and payment information. Card data is typically processed by our payment processor (Stripe); we do not store full card numbers on our servers.
  • Support and contact: Information you send when you contact us, including email content and attachments.
  • Marketing: If you opt in, your contact details for newsletters or product updates.

1.2 Collected automatically

  • Device and log data: IP address, browser type, device identifiers, timestamps, pages or screens viewed, referring URLs, and diagnostic data.
  • Usage data: Feature usage, performance metrics, and error logs to operate and improve the Service.
  • Cookies and similar technologies: As described in our Cookie Policy.

1.3 From others

  • Organization invitations: If someone invites you to an organization, we receive your email and invitation context.
  • Authentication providers: If you sign in with a third party (e.g. Google), we receive information that provider shares with us according to your settings with them.
  • Payment processors: Status of payments, subscription state, and fraud-prevention signals.

2. How we use information

We use information to:

  • Provide, maintain, secure, and improve the Service
  • Create and manage accounts and organizations; authenticate users
  • Process payments, subscriptions, trials, and credits (including AI credits where applicable)
  • Send transactional messages (invoices, receipts, security alerts, product notices)
  • Provide support and respond to requests
  • Operate optional AI features you or your organization enable—by sending relevant prompts and context to model providers to generate responses (see Section 4)
  • Monitor for abuse, fraud, and security incidents; enforce our terms
  • Comply with legal obligations and defend our rights
  • Analyze usage in aggregated or de-identified form; with marketing only where permitted and, where required, with consent

Legal bases (EEA/UK/Switzerland, where applicable): performance of a contract, legitimate interests (security, improvement, analytics that are not overridden by your rights), consent (where we rely on it, e.g. certain cookies or marketing), and legal obligation.

3. How we share information

  • Customer organizations: Users in the same organization see information according to role and permissions the organization configures.
  • Service providers (subprocessors): We use vendors for hosting, databases, email delivery, payments, analytics, security, and AI inference, who process data on our instructions and are bound by confidentiality and appropriate safeguards. We do not sell your personal information.
  • Legal and safety: We may disclose information if required by law, legal process, or government request, or to protect the rights, safety, and property of users, us, or the public.
  • Business transfers: In a merger, acquisition, financing, or sale of assets, information may be transferred subject to appropriate protections.
  • With your direction: When you ask us to share information or integrate a third-party service you choose.

4. AI features and model providers

When you or your organization uses AI-assisted features, we may send prompts, context, and content you provide (which may include personal information your organization has entered) to third-party AI providers to generate output. Do not submit secrets or data you are not permitted to share. We configure services to support organization-scoped use; review outputs before use (see Terms). Providers may process data under their terms and security programs; we select providers and settings aligned with our security review.

5. Data retention

We retain information as long as needed to provide the Service, comply with law, resolve disputes, and enforce agreements. Organizations may delete or export certain data in-product subject to role permissions. After account closure, we delete or anonymize personal information within a reasonable period unless a longer period is required for legal, tax, or security reasons. Backups may retain residual copies for a limited time before automatic overwrite.

6. Security

We implement technical and organizational measures appropriate to the risk (encryption in transit, access controls, monitoring). No system is 100% secure; we cannot guarantee absolute security.

7. International transfers

We are based in the United States. If you access the Service from elsewhere, your information may be transferred to and processed in the U.S. and other countries where we or our vendors operate. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.

8. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to object to certain processing or withdraw consent where processing is consent-based.

  • For data we hold as controller (e.g. your account and billing contact details): contact us via Contact or hello@classroom.so.
  • For data your organization entered about you (e.g. as a parent or staff member in their tenant): contact that organization first; we will assist them as required.

California residents (CPRA): You have rights to know, delete, and correct personal information, and to opt out of sale or sharing for cross-context behavioral advertising. We do not sell personal information in the conventional sense. We may use analytics cookies as described in our Cookie Policy; you can manage preferences via our cookie controls where available.

European users: You may lodge a complaint with your local supervisory authority.

9. Children

The Service is not directed at children for independent use. Organizations use the Service to manage programs that involve children; parents and guardians may access portals the organization enables. We do not knowingly sell personal information of minors under 16 (or as defined by applicable U.S. state law). If you believe a child has provided us personal information directly in error, contact us.

10. Changes to this policy

We may update this Privacy Policy. We will post the new version and update the "Last updated" date. Material changes may require additional notice under law or as we determine appropriate.

11. Contact

Privacy questions: Contact page or hello@classroom.so.

For data protection requests regarding information we process as a processor for your school or center, we may ask to coordinate with your organization's administrator.