Privacy Policy
Last Updated: July 7, 2026
Effective Date: February 21, 2026
Version: 1.10.1
1. Introduction
Evolved Academics LLC ("we," "us," or "our") operates ClassLens, an AI-assistive grading tool for Google Classroom, available at www.classlens.com. This Privacy Policy describes how we collect, use, disclose, and protect information when you use ClassLens (the "Service").
Evolved Academics LLC is based in California, USA. ClassLens is designed for K-12 teachers in US public schools who use Google Classroom. We are committed to protecting the privacy of both teachers and their students.
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Teacher Account Information
When you authenticate with Google, we collect and store:
- Google profile name
- Email address
- Google account identifier
- OAuth access and refresh tokens (encrypted)
2.2 Grading Configuration
We store your grading preferences and settings, including strictness level, comment style, feedback length, late work policy, rubric preferences, and similar configuration data. These settings relate to your pedagogy and do not contain student information.
2.3 Grading Job Metadata
We retain metadata about grading jobs for service improvement and troubleshooting. This metadata includes timestamps, assignment identifiers, job status, and aggregate statistics (such as the number of submissions processed). This metadata does not include student names, email addresses, grades, submission content, or feedback text.
2.4 Information We Do NOT Store
We explicitly do not store the following data on our servers:
- Student names or email addresses
- Student grades or scores
- Student submissions, essays, or other work
- AI-generated feedback or comments
- Student demographic information
- Parent or guardian information
3. How We Use Information
We use the information we collect for the following purposes:
- Authentication: Verify your identity and maintain your session through Google OAuth.
- Grading requests: Access your Google Classroom assignments and student submissions to process grading requests that you initiate.
- Feedback delivery:Write AI-generated grades and feedback back to Google Classroom. Teachers choose between two modes per grading job. In Draft Only mode, grades are saved as Classroom drafts and the teacher releases them inside Google Classroom. In Grade & Review mode, grades are routed to the in-app Batch Review Dashboard for the teacher to review and release. In both modes, students never see grades until the teacher takes an explicit release action; ClassLens does not auto-release AI grades to students.
- Knowledge gap reports: Generate class-wide reports on areas where students may need additional instruction, delivered to your email via Gmail.
- Service improvement: Use anonymized, aggregate job metadata to improve the reliability and performance of the Service.
We do not use any collected information for advertising, marketing to students, building behavioral profiles, or any purpose unrelated to the educational grading function of the Service.
4. Google User Data
ClassLens accesses Google user data through Google OAuth and Google APIs. This section describes specifically how we handle Google user data obtained through these services.
4.1 Google User Data We Access
Through Google OAuth and Google APIs, ClassLens accesses the following Google user data:
- Google profile information (name and email address)
- Google Classroom course and assignment data
- Google Classroom student submissions
- Google Drive files attached to student submissions
- Google Sheets (for optional grade export, when authorized by the teacher)
- Gmail (for sending knowledge gap reports to the teacher, when authorized by the teacher)
4.2 How We Use Google User Data
Google user data is used exclusively to provide and improve the ClassLens grading service. Specifically, we use Google user data to:
- Authenticate teachers and maintain login sessions
- Read assignments and student submissions from Google Classroom
- Write AI-generated grades and feedback back to Google Classroom
- Export grades to Google Sheets when requested by the teacher
- Send knowledge gap reports to the teacher via Gmail when requested
- Post feedback as comments on student Google Docs when the teacher releases grades in Grade & Review mode
4.3 We Do Not Sell Google User Data
We do not sell Google user data to any third party, under any circumstances. This applies to all Google user data, including teacher data and student data accessed through Google APIs.
4.4 Prohibited Uses of Google User Data
ClassLens limits its use of Google user data to providing and improving the grading service. We do not use Google user data for any of the following purposes:
- Targeted advertising or personalized advertising
- Retargeted advertising or interest-based advertising
- Selling data to or providing data to data brokers
- Providing data to information resellers
- Determining credit-worthiness or for lending purposes
- Training artificial intelligence or machine learning models
- Building user profiles for non-educational purposes
- Creating or contributing to databases unrelated to the Service
- Any purpose other than providing or improving the ClassLens grading service
4.5 Sharing of Google User Data
We do not transfer or disclose Google user data to third parties except as necessary to provide the Service:
- Google Cloud Vertex AI:Student submission content is processed by Google Cloud Vertex AI solely for AI-assisted grading, governed by the Google Cloud Data Processing Addendum (CDPA). Customer data is not used to train Google's foundation models. Google Cloud Vertex AI is enrolled in Zero Data Retention (ZDR) at the project level: Google's Generative AI Services team confirmed the exception to the standard prompt logging policy on 2026-04-29 for Cloud project 135589175772 (the production Vertex AI project for ClassLens), which removes the abuse-monitoring retention window that would otherwise apply to inference inputs and outputs. Cloud Audit Logs on aiplatform.googleapis.com provide an immutable audit trail.
- Google Cloud Storage: Transient file staging for Vertex AI inference. ClassLens uploads each student submission file to a private Cloud Storage bucket in a U.S. region, IAM-scoped to a least-privileged ClassLens service account. ClassLens issues a best-effort delete call after each grading job; a bucket-level lifecycle policy enforces 24-hour automatic deletion as the safety net if the delete call fails.
- Cloudflare: Standard web traffic metadata (IP addresses, request headers) is processed by Cloudflare for CDN and security purposes.
We do not transfer Google user data to any other third parties for advertising, data brokering, resale, credit assessment, or any purpose unrelated to providing the ClassLens grading service.
4.6 Google API Services Limited Use Disclosure
ClassLens's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5. Student Data
Student data is handled with the highest level of care and is processed only transiently. The following describes the complete lifecycle of student data within our system:
5.1 Transient Processing Model
- Download:When a teacher initiates a grading job, student submissions are downloaded from Google Classroom via the Google Classroom API and Google Drive API using the teacher's authorized OAuth credentials.
- In-memory processing: Submissions are held in ClassLens server memory for the duration of a single grading call only. ClassLens does not write student submissions to its own application database, durable storage volumes, or long-term cache. Submissions are then handed off to Google Cloud Storage for transient staging as described below; that staging is governed by a 24-hour bucket lifecycle policy and a best-effort post-grading delete.
- AI processing: Submissions are uploaded to a private Google Cloud Storage bucket and referenced by Google Cloud Vertex AI for AI-assisted grading. Vertex AI processes the submissions and returns grades and feedback.
- Write-back:AI-generated grades and feedback are written back to Google Classroom in one of two teacher-selected modes. In Draft Only mode, the grade is saved as a Classroom draft and the teacher releases it inside Google Classroom. In Grade & Review mode, the grade is routed to the in-app Batch Review Dashboard for the teacher to review; on the teacher's explicit approval, ClassLens then writes the grade and any comment to Google Classroom. In both modes the teacher remains the grader and the releaser of record on every assignment; ClassLens does not release AI grades to students without an explicit teacher action.
- Deletion:After grading is complete, the in-memory copies of student submissions are discarded with the function scope. AI-generated grades and feedback are written back to Google Classroom (Draft Only mode) or held in an in-app Batch Review Dashboard (Grade & Review mode) for the teacher to review and release; the Batch Review queue uses a Redis cache that is deleted when the teacher releases grades, with a 24-hour automatic failsafe expiry. Once a grading job's results are released or expire, no student submission content, grades, or AI-generated feedback remain on ClassLens servers. For each student file uploaded to Cloud Storage, ClassLens issues a best-effort delete call (with retries) as soon as grading of that file completes; if the delete call fails, a bucket-level lifecycle policy enforces 24-hour automatic deletion as the safety net.
5.2 Student Identification
During an active grading run, ClassLens fetches each student's name and email address from the Google Classroom API so that the AI can address the student by their first name in feedback and so that, when the teacher enables email delivery of feedback, the message can be sent to the correct address. This information is held in server memory only for the duration of that grading call and is discarded when the call returns. During an active grading job, interim working data (including this roster information and per-submission results) may also transit our job cache encrypted with AES-256-GCM; it is deleted when the job completes and at the latest within 48 hours.
In our persistent storage, students are referenced only by opaque Google Classroom identifiers. The opaque identifiers are used for matching graded work back to the correct student submission in Google Classroom and for preventing duplicate grading of the same submission. We do not write student names, email addresses, or any other personally identifiable information to our database.
5.3 No Secondary Use
Student data is never used for any purpose other than completing the grading job requested by the teacher. We do not use student data for advertising, profiling, product development, model training, or any non-educational purpose.
6. Third-Party Services
The Service relies on the following third-party services to function. Each service is used solely for the purposes described below.
| Service | Purpose | Data Shared |
|---|---|---|
| Google Classroom API | Access assignments and student submissions; write back grades | Teacher OAuth tokens; reads/writes assignment and submission data |
| Google Drive API | Download student-submitted files (documents, PDFs) | Teacher OAuth tokens; reads file content |
| Google Sheets API | Export grades and feedback to Google Sheets when requested by the teacher | Teacher OAuth tokens; writes grade data to teacher-owned spreadsheets |
| Gmail API | Deliver knowledge gap reports to teacher email | Teacher OAuth tokens; sends emails to the teacher |
| Google Cloud Vertex AI | AI inference of student submissions during grading | Student submission content (transiently). Governed by the Google Cloud Data Processing Addendum (CDPA); customer data is not used to train Google's foundation models. Project-level Zero Data Retention approved by Google 2026-04-29 (Cloud project 135589175772). No prompt logging. |
| Google Cloud Storage | Transient file staging for Vertex AI inference | Student submission files (transiently). Private bucket in a U.S. region, IAM-scoped to a least-privileged ClassLens service account. Best-effort delete after each grading job; bucket-level lifecycle policy enforces 24-hour automatic deletion as the safety net. |
| Cloudflare | CDN, DDoS protection, and secure tunneling | Standard web traffic metadata (IP addresses, request headers) |
| Google Analytics 4 (GA4) | Signup, conversion, subscription-lifecycle, and public-demo event measurement | Discrete server-side events only (signup, trial start, trial conversion, purchase, trial expiry, and public-demo interactions). Each carries an anonymous client identifier, the Google Click ID (gclid) when present, and event timestamps; the purchase event also carries the plan, the amount charged and currency, and an opaque payment-processor transaction reference. No teacher name, email, IP address, or other personally-identifying information is sent to GA4. Governed by the Google Analytics Terms of Service. |
| Google Ads | Paid-acquisition campaign measurement and ad-click to signup attribution | Aggregated conversion counts and Google Click ID (gclid) match-back. No teacher email, name, or other personally-identifying information is sent to Google Ads for conversion measurement. Governed by the Google Ads Data Processing Terms. |
| Stripe | Subscription billing and payment processing for paid plans | Teacher billing information. ClassLens sends Stripe the teacher's email address, the teacher's ClassLens account identifier (the Google account ID, so the payment maps to the correct account), and the selected plan. Name, billing address, and payment-method details are entered by the teacher directly into Stripe's hosted checkout and are not collected or stored by ClassLens; Stripe webhook notifications are processed only to read subscription status. ClassLens retains only the Stripe customer and subscription identifiers and the resulting subscription status (for example, whether a plan is scheduled to cancel). No student data is ever sent to Stripe. Governed by the Stripe Services Agreement and the Stripe Data Processing Agreement. |
| Amazon Web Services (AWS) | Cloud hosting for the ClassLens application, database, and cache | ClassLens runs on AWS infrastructure in a U.S. region. The AWS-hosted database and cache hold teacher account data (such as email address, encrypted Google OAuth tokens, and subscription records) on an ongoing basis, and hold student submission content only transiently: during grading, and, for jobs the teacher reviews in the in-app Batch Review Dashboard, until the teacher releases grades, with a 24-hour automatic expiry as the failsafe. No student submission content persists after grades are released or the 24-hour window elapses. ClassLens self-manages the application, database, and cache on AWS compute and storage. Governed by the AWS Data Processing Addendum. |
6.1 Vertex AI Data Handling
AI evaluation is performed by Google Cloud Vertex AI under the Google Cloud Data Processing Addendum (CDPA). Customer data is not used to train Google's foundation models. Google Cloud Vertex AI is enrolled in Zero Data Retention (ZDR) at the project level: Google's Generative AI Services team confirmed the exception to the standard prompt logging policy on 2026-04-29 for Cloud project 135589175772 (the production Vertex AI project for ClassLens), which removes the abuse-monitoring retention window that would otherwise apply to inference inputs and outputs. Cloud Audit Logs on aiplatform.googleapis.com provide an immutable audit trail of every inference call. Processing is pinned to U.S. regions where supported.
File handling: each student submission is downloaded from Google Classroom into ClassLens server memory, uploaded to a private Google Cloud Storage bucket controlled by ClassLens, referenced by Vertex AI via a gs:// URI for inference, and deleted from Cloud Storage immediately after grading. The Cloud Storage bucket is in a U.S. region, has public-access prevention enforced, and is IAM-scoped to a least-privileged ClassLens service account. ClassLens issues a best-effort delete call after each grading job; a bucket-level lifecycle policy enforces 24-hour automatic deletion as the safety net if the delete call fails.
We do not use grounding, context caching, or other features that would extend retention periods or share submissions across customers.
6.2 Marketing Analytics and Conversion Tracking
We use Google Analytics 4 (GA4) and Google Ads to measure visitor traffic to our marketing pages, to attribute first-time signups to marketing campaigns, and to record a small, fixed set of server-side conversion and subscription-lifecycle events described below. We never send student data to these services.
When a visitor arrives at a classlens.com marketing page from a Google Ads click, the URL contains a Google Click ID (gclid) parameter. We write this value to a first-party cookie named "_gcl_aw" with a 90-day expiration so we can attribute a subsequent signup to the originating ad click. We also write a first-party cookie named "cl_cid" containing a randomly-generated UUID v4 to maintain a stable anonymous identifier for marketing-analytics purposes. Both cookies are first-party cookies on the classlens.com domain.
When a teacher completes Google OAuth and creates a ClassLens account for the first time, we send a server-side "sign_up" event to GA4. The event payload contains the gclid (when present), the anonymous cl_cid identifier, the event name, and a timestamp. It does not contain the teacher's name, email address, hashed email, IP address, or any account credential. We treat the cl_cid and gclid as "online identifiers" under applicable privacy law (including the California Consumer Privacy Act, the EU General Data Protection Regulation, and equivalent frameworks) and disclose them as such in this section. The event fires once per first-time signup and is not fired on returning logins or on subsequent navigation within the application.
Marketing-page analytics is deployed only on classlens.com marketing pages, which are directed to educators and school administrators, not to children. GA4 and Google Ads tracking is never deployed in any student-facing flow or anywhere student data is processed.
Beyond the first-signup event above, ClassLens sends a small, fixed set of opaque conversion and subscription-lifecycle events to GA4: starting a free trial, converting a trial to a paid plan, completing a purchase, and a trial expiring to the free plan. These fire server-side when your billing or subscription state changes. The trial and expiry events carry only a randomly generated ephemeral identifier, the event name, and a timestamp. The purchase event additionally carries the plan you purchased, the amount charged and the currency, and an opaque payment-processor transaction reference; Google cannot resolve that reference to you, though we can associate it with your own billing record. None of these events contains your name, email address, IP address, account credentials, or any student data, and Google ad personalization is disabled on every one of them. Because they fire from server-side state changes rather than your browser, they are not linked to your browser session.
We do NOT track in-app behavior. ClassLens does not record page views, clicks, navigation, dashboard use, or any browsing activity inside the application. The only analytics we send are the discrete, opaque marketing-page, signup, public-demo, and subscription-lifecycle events described in this section.
On the public demo at classlens.com/demo, which requires no login, we record a small set of interaction events, for example that the demo was viewed, a sample finding was opened, or the demo call-to-action was clicked. Each event carries at most a short label chosen from a fixed predefined list, never free text, and is associated with the anonymous cl_cid identifier so that a demo visit can be attributed to a later signup. No student data is involved.
You have multiple ways to opt out:
- Opt out of Google ad personalization: https://myadcenter.google.com/. This stops Google from using your data to personalize ads but does not stop GA4 measurement.
- Opt out of cross-context behavioral advertising sharing (California residents): use the Do Not Sell or Share My Personal Information link in our site footer, or set the Global Privacy Control (GPC) signal in your browser; we honor GPC automatically and skip the browser-originated GA4 and Google Ads events for any visitor whose browser signals it. The server-side conversion and subscription-lifecycle events fire from state changes with no browser request, so there is no browser signal to read at the moment they fire.
- Block cookies in your browser: doing so will not prevent you from using ClassLens, but conversion attribution for your visit will not be possible.
- Request deletion of GA4 data already collected: contact steven.swanson@evolvedacademics.com with the cl_cid value from your browser's cookie store; we will issue a GA4 data deletion request for that identifier. The server-side conversion and lifecycle events use per-event random identifiers not linked to your cl_cid; on request we will also delete the purchase records associated with your billing account.
GA4 event-level data is retained for up to 14 months and then automatically deleted. Aggregated reports are retained indefinitely. Google Ads conversion data is retained per Google's standard ads-data retention schedule. Both services may transfer data outside your country of residence (including from the European Economic Area to the United States) under Google's Standard Contractual Clauses and the EU–U.S. Data Privacy Framework.
6.3 California Residents — Sale and Sharing of Personal Information
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), our use of Google Ads conversion attribution may be considered "sharing" of personal information for cross-context behavioral advertising. Specifically, when you arrive at our marketing site from a Google Ads click, the Google Click ID (gclid) associated with that click is transmitted back to Google Ads for the purpose of measuring whether the click resulted in a signup.
We do not sell personal information for monetary consideration, and we do not share personal information with third parties for their own purposes. We disclose it only to the service providers and subprocessors that operate the Service on our behalf, including those listed in Section 6 above, and only as needed to provide the Service.
To opt out of sharing for cross-context behavioral advertising:
- Use the Do Not Sell or Share My Personal Information link in our site footer.
- Enable the Global Privacy Control (GPC) signal in your browser. We honor GPC signals automatically and will skip GA4 and Google Ads fires for any visit where GPC is set to enabled.
These opt-outs apply to your browser. If you visit ClassLens from a different browser or device, you may need to set the opt-out again.
7. Data Retention
| Data Type | Purpose | Retention Period | Deletion Method |
|---|---|---|---|
| Teacher account data | Account identification, communication, billing | Duration of active account + deleted within 30 days of account termination | Database deletion via account deletion endpoint; all teacher-associated tables purged in a single transaction |
| OAuth tokens | Authenticated access to Google Classroom, Drive, and Gmail APIs | Duration of active account + deleted within 30 days of account termination | Revoked and deleted upon account deletion |
| Grading preferences | Configure AI grading behavior per teacher's pedagogy | Duration of active account + deleted within 30 days of account termination | Deleted upon account deletion |
| Grading job metadata (no student PII) | Billing reconciliation, usage tracking, subscription quota enforcement | Duration of active account + 30 days. Contains no student data. | Deleted upon account deletion |
| Student submissions (server memory only) | AI evaluation against teacher-configured rubric | Duration of a grading job. Grading results are cached in Redis for teacher review and deleted when the teacher returns grades (24-hour maximum failsafe) | Deleted when the teacher returns grades; 24-hour automatic expiry as failsafe |
| Cloud Storage submission staging | Transient file staging for Vertex AI inference | Best-effort delete call after grading; bucket-level 24-hour lifecycle policy is the safety net | Best-effort delete via the Cloud Storage API (with retries), backed by a bucket-level lifecycle policy enforcing 24-hour automatic deletion |
| Session data (Redis) | Maintain authenticated login state | 7-day idle window, 30-day absolute maximum; destroyed on logout | Automatic Redis key expiration: the session key expires after 7 days of inactivity and is capped at a 30-day absolute lifetime. Also deleted on explicit logout or account deletion. |
| Server logs | Debugging, performance monitoring, security incident response | 30 days, then automatically rotated | Log rotation (file size and date based) |
| Knowledge Gap Reports (aggregate, de-identified) | Class-wide learning pattern analysis for instructional improvement | Duration of active account + 30 days post-deletion. Contains aggregate class-level data only (criterion names, met/not-met counts, teaching recommendations) -- no individual student names, IDs, or PII. | Cascade-deleted when teacher account is deleted |
| Deleted account tombstones | Free-tier abuse prevention | Indefinite. Contains only a one-way SHA-256 hash of the Google ID and a lifetime submission and token count -- non-reversible, cannot be linked to a person without the original Google ID. | Manual purge upon request if original Google ID is provided for verification |
8. Data Security
We implement industry-standard security measures to protect the data we process:
- Encryption at rest: Server disk volumes and database backups are encrypted at rest at the infrastructure layer (encrypted EBS volumes). OAuth access and refresh tokens receive an additional layer of application-level encryption using AES-256-GCM before being written to the database.
- Encryption in transit: All data transmitted between our servers, Google APIs, Cloud Storage, and Vertex AI uses TLS (Transport Layer Security): TLS 1.2 minimum, TLS 1.3 negotiated where the client supports it.
- No public-facing database ports: All databases and caches are hosted on private networks and are not directly accessible from the internet.
- Parameterized queries: All database queries use parameterized statements to prevent SQL injection attacks.
- Least-privilege access: Each service component has only the minimum permissions necessary to perform its function.
- Secure tunnel architecture: Our application is accessed through a Cloudflare tunnel, which eliminates the need for open inbound ports on our infrastructure.
9. FERPA Compliance
The Family Educational Rights and Privacy Act (FERPA) governs the privacy of student education records. Evolved Academics is designed to operate in compliance with FERPA.
9.1 School Official Designation
Evolved Academics operates as a "school official" under FERPA (34 CFR 99.31(a)(1)(i)(B)) when authorized by the school or district. We perform an institutional service (grading assistance) that the school would otherwise use its own staff to complete. We require institutional authorization, through a Data Processing Agreement (DPA) or equivalent authorization from the school or district, before processing student education records.
9.2 Institutional Authorization Required
FERPA authorization must come from the school or district, not from individual teachers alone. We require that teachers confirm their school or district has authorized the use of AI grading tools before processing student data. We support and encourage schools and districts to execute a Data Processing Agreement with Evolved Academics.
9.3 Direct Control
The school maintains direct control over student data processed by the Service. Teachers initiate every grading action. No student data is processed without explicit teacher initiation. Student data is not retained beyond the duration of the grading job. Schools and districts may request deletion of all data at any time.
9.4 No Redisclosure
We do not redisclose personally identifiable information from student education records except to approved subprocessors (such as Google Cloud Vertex AI and Google Cloud Storage) as disclosed in this policy and authorized by the school or district in the applicable Data Processing Agreement. Subprocessors are contractually bound to use student data only for the educational purpose for which it was disclosed.
10. Children's Privacy Notice (COPPA)
Evolved Academics, LLC ("we," "us," "ClassLens") operates ClassLens (https://www.classlens.com), a teacher-facing web application that integrates with Google Classroom for AI-assisted grading. This notice describes our practices regarding children's personal information as required by the Children's Online Privacy Protection Act (COPPA) and the 2025 COPPA Rule amendments (16 CFR 312).
10.1 Who Uses ClassLens
ClassLens is used exclusively by teachers (adults). Students do not create accounts, log in, or interact with ClassLens. All data processing is initiated by the teacher.
10.2 What Children's Information We Process
When a teacher initiates a grading job, ClassLens transiently processes the following children's information via the teacher's Google Classroom account:
| Data Element | Purpose | Stored? |
|---|---|---|
| Assignment submissions (text, documents, PDFs, images) | AI grading against teacher's rubric | No — processed in memory, discarded after grading |
| Student names | Personalized feedback | No — used transiently; redacted from logs |
| Google Classroom IDs (opaque) | Match submissions to the correct student; prevent duplicate grading of the same submission | Opaque only in persistent storage — see Section 5.2 for the full in-memory vs persisted breakdown |
| Student email addresses | Optional email delivery of feedback | No — used for single send, not stored |
10.3 How Children's Information Is Used
Children's information is used solely to generate grades and feedback at the teacher's direction. We do not use children's information for advertising, marketing, AI model training, profiling, or any purpose other than the educational grading service.
10.4 How Long We Keep Children's Information
We do not store children's personal information. All student data is processed transiently in server memory during active grading and is discarded immediately upon completion. See Section 7 (Data Retention) for our full retention policy. For detailed information about our data retention practices, including specific timeframes and deletion procedures for each data category, see our Written Data Retention Schedule, available upon request at steven.swanson@evolvedacademics.com.
10.5 Who We Share Children's Information With
Student submission content is processed by Google Cloud Vertex AI (with files staged via Google Cloud Storage) for AI evaluation, governed by the Google Cloud Data Processing Addendum. Customer data is not used to train Google's foundation models. Google Cloud Vertex AI is enrolled in Zero Data Retention (ZDR) at the project level: Google's Generative AI Services team confirmed the exception to the standard prompt logging policy on 2026-04-29 for Cloud project 135589175772 (the production Vertex AI project for ClassLens), which removes the abuse-monitoring retention window that would otherwise apply to inference inputs and outputs. We do not share children's information with any other third parties, advertisers, or data brokers.
10.6 School Consent
We rely on school and district consent under COPPA (16 CFR 312.5(c)(1)). Schools and districts authorize the use of ClassLens through Data Processing Agreements, acting as agents for parents for educational-purpose data collection.
10.7 Parents' Rights
Parents retain the following rights regarding their child's data:
- Review: Request a description of the information collected from their child. We can confirm: no student data is retained after grading.
- Deletion:Request deletion of their child's information. We can confirm: no student data is stored on our servers.
- Opt out: Request, through the school, that their child be excluded from AI grading. Teachers can omit individual students from grading jobs.
- No conditioning: ClassLens only accesses data necessary for the grading function requested by the teacher. We do not condition service on collection of more data than necessary.
To exercise any parental right, contact us at support@evolvedacademics.com.
10.8 Security
We maintain a written information security program including encryption (TLS 1.2 minimum in transit, TLS 1.3 negotiated where supported; AES-256-GCM at rest for sensitive data, AWS-managed KMS at the volume layer), access controls, annual risk assessments, and vendor due diligence. Full details are described in Section 8 (Data Security) and are available upon request.
11. California Privacy Rights
11.1 SOPIPA Compliance
The Student Online Personal Information Protection Act (SOPIPA, Cal. Bus. & Prof. Code 22584-22584.5) applies to operators of services designed and marketed for K-12 school purposes. Evolved Academics complies with SOPIPA by:
- Not engaging in targeted advertising using any student data
- Not building non-educational profiles of students
- Not selling student information to any third party
- Not using student data for any purpose other than the K-12 educational grading purpose
- Implementing reasonable security procedures
- Deleting student data upon school or district request
11.2 CalOPPA Compliance
In compliance with the California Online Privacy Protection Act (CalOPPA, Cal. Bus. & Prof. Code 22575-22579), this Privacy Policy is publicly posted and accessible from every page of our website. This policy describes the categories of personally identifiable information collected, the categories of third parties with whom information may be shared, and the process by which users can review and request changes to their information.
11.3 AB 1584 (Education Code 49073.1) Compliance
AB 1584 governs contracts between school districts and third-party technology providers in California. Evolved Academics supports AB 1584 compliance by:
- Providing a Data Processing Agreement that specifies data collection, usage, security measures, and deletion timelines
- Acknowledging that student-generated content remains the property of the student and the district
- Providing districts with the ability to access and request deletion of data
- Committing to breach notification in accordance with California law
12. Your Rights
As a teacher using Evolved Academics, you have the following rights regarding your personal data:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may request that we correct any inaccurate personal data.
- Deletion: You may request that we delete your account and all associated data. Upon receiving a deletion request, we will delete your teacher account data, revoke your OAuth tokens, and remove your grading preferences.
- Data portability: You may request a copy of your grading settings and preferences in a machine-readable format.
- Revoke access:You may revoke the Service's access to your Google account at any time through your Google account settings.
Schools and districts may exercise rights on behalf of teachers and students, including requesting access to or deletion of all data associated with their institution. To exercise any of these rights, contact us at support@evolvedacademics.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify registered teachers by email at least 30 days before material changes take effect
- Notify school districts that have executed a Data Processing Agreement with us
Continued use of the Service after the effective date of a revised policy constitutes acceptance of the revised terms.
14. Contact Us
If you have questions or concerns about this Privacy Policy, our data practices, or if you wish to exercise any of your rights, please contact us:
We aim to respond to all inquiries within 30 days. For urgent matters related to data breaches or student privacy concerns, we will respond within 72 hours.