Data Privacy & PII Protection

Last updated: June 21, 2026

EduGears AI is built for classrooms and the sensitive information they handle. This page explains what personally identifiable information (PII) we process, why, and the controls that keep it safe — a student-data-focused companion to our full Privacy Policy.

1. Personal Data We Process (PII)

EduGears AI processes the minimum personal data needed to deliver AI tools inside your LMS: a user's name, email, role (teacher or student), and the user and course identifiers your LMS passes through LTI 1.3. We also store the content created or submitted within the tools — generated resources, question banks, student submissions, and tutor conversations. Your LMS administrator stays in control of what is shared: you can configure your LMS to restrict or withhold student names and email addresses if your institution requires it, and EduGears AI will operate using the LMS-provided identifiers alone.

2. Data Minimization & Purpose Limitation

We collect only what a feature needs, and use it only to provide that feature. We never sell personal data, never build advertising profiles, and never use student data for any purpose beyond delivering the service you launched from your LMS. By default, files you upload (such as source PDFs or notes used to ground AI generation) are deleted the same day. The one exception is files uploaded for question generation, which are kept for one week so you can generate more questions from the same source. A portal administrator can adjust these retention settings if your institution requires it.

3. How Student Data Is Protected

All data is encrypted in transit with TLS 1.3 and at rest with AES-256. Access is isolated per institution using Row Level Security, so one school can never see another's data. Administrative access is least-privilege and audited.

4. AI Providers & Your Data

When a tool calls an AI model — OpenAI, Anthropic, Google Gemini, DeepSeek, or Sarvam AI — only the content needed for that request is sent, over encrypted channels. Student data is never used to train third-party models. Institutions can also Bring Your Own Key (BYOK) so AI requests run entirely under their own provider account. Any AI provider key you add (BYOK) is always encrypted at rest and is only decrypted in memory for the moment a request is sent — never stored in the clear or logged.

5. FERPA, COPPA & GDPR Compliance

EduGears AI acts as a school official and service provider under FERPA, processing student records solely to perform the functions your institution authorizes. For students under 13 we rely on school consent under COPPA, and we support GDPR data-subject requests for institutions in scope. A Data Processing Agreement is available on request.

6. Retention, Deletion & Data Residency

Personal data is kept only as long as your institution uses the service or as needed to provide it. Administrators can delete content at any time, and we honor verified deletion requests — including a same-day purge on request. By default, your data is hosted in the USA. Regional deployments for the UK and India are available on request to keep data in-region, and we consider additional regions on request.

7. Your Rights & Choices

Institutions and their users can access, correct, export, or delete the personal data we hold. Requests are routed through your institution's administrator to verify identity and authority. BYOK and per-institution controls let you tighten data handling even further. A current list of sub-processors is available on request.

8. Contact Us

Questions about how we handle PII, or need a Data Processing Agreement or sub-processor list? Email us at support@edugears.ai and we'll respond promptly.