Quastus (“we,” “us,” or “our”) operates the Quastus platform at app.quastus.com and the website at quastus.com (collectively, the “Service”). This Privacy Policy describes how we collect, use, store, share, and protect your information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
When you create an account, we collect:
- Teachers and administrators: Name, email address, password (hashed), school affiliation, role
- Students: Name, email address, school affiliation
1.2 Content You Create
When you use the Service, we store:
- Lesson topics, planning documents, and presentation content
- Student reflections, questions, and assignment submissions
- Chat messages exchanged with AI agents during sessions
- Assignment content and grades
If you choose to connect your Google account, we access the following data depending on the features you use:
| Data Type | Google Service | Purpose |
|---|
| Document content (text, formatting, images) | Google Docs | Import lesson materials into the planning editor |
| Presentation content (slides, text, images, speaker notes) | Google Slides | Import presentations into lesson sections |
| Course metadata (course names, sections) | Google Classroom | Import classes into the platform |
| Student roster data (names, email addresses) | Google Classroom | Import student lists for class management |
We only access Google data that you explicitly select or authorize. We use the Google Picker API to let you choose specific files — we do not scan or access your entire Google Drive.
When you use the Service, we automatically collect:
- Session activity data (sections viewed, time spent, active participation)
- Browser type, device type, and IP address
- Cookies necessary for authentication and session management
2.1 Core Service Functionality
- Provide and maintain the Service, including user authentication
- Generate AI-powered lesson presentations from teacher-provided content
- Facilitate real-time classroom sessions between teachers and students
- Process student reflections and provide AI-generated feedback
- Assess student understanding levels during live sessions
- Manage class rosters and student assignments
2.2 AI Processing
We use third-party AI services (currently OpenAI) to power the following features:
- Lesson planning: Teacher-provided content (including imported Google Docs and Slides content) is sent to OpenAI’s API to generate structured lesson presentations
- Student reflection feedback: Student reflections are sent to OpenAI’s API to generate contextual, educational responses
- Understanding assessment: Student interactions are analyzed by OpenAI’s API to evaluate comprehension levels
Important: Content sent to OpenAI is processed according to OpenAI’s API data usage policy. OpenAI does not use API inputs or outputs to train their models.
2.3 Communication
- Send transactional emails (password resets, account notifications)
- Respond to support requests
- We do not sell your data to any third party
- We do not use your data for advertising, retargeting, or interest-based ads
- We do not use your data for credit-worthiness determination or lending
- We do not use your data for surveillance
- We do not use Google user data to train generalized AI or machine learning models
- We do not use student data for any purpose other than providing the educational Service
3. Google API Services — Limited Use Disclosure
Quastus’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only use Google data for the user-facing features described in this Privacy Policy
- We do not transfer Google data to others except as necessary to provide the Service, for security purposes, or as required by law
- We do not use Google data for serving advertisements
- Human employees do not read your Google data unless you have given affirmative consent, it is necessary for security purposes, or it is required by law
4. How We Store and Protect Your Data
4.1 Data Storage
- All data is stored in a PostgreSQL database hosted on [hosting provider and region]
- Data is encrypted in transit using TLS/SSL
- Data is encrypted at rest using [encryption method]
- Files and media assets are stored in Amazon S3 with server-side encryption
4.2 Multi-Tenant Isolation
Our platform uses a multi-tenant architecture where each school’s data is isolated by a unique school identifier. Teachers and students can only access data belonging to their own school. Administrative controls are enforced at the application level.
4.3 Authentication Security
- Teacher passwords are hashed using PBKDF2 with random salts
- Sessions are managed via server-side Redis-backed tokens with configurable expiration
- Student sessions expire after 24 hours; teacher sessions expire after 7 days
- Sessions can be destroyed server-side at any time (e.g., on logout or account deactivation)
4.4 Google OAuth Tokens
- Google OAuth refresh tokens are stored server-side in our database
- Refresh tokens are never exposed to the client browser
- Access tokens are short-lived (~1 hour) and refreshed automatically server-side
- You can revoke Quastus’s access to your Google account at any time (see Section 8)
5. How We Share Your Data
We do not sell, rent, or trade your personal information. We share data only in the following circumstances:
5.1 AI Service Providers
Content is sent to OpenAI’s API for lesson generation, reflection feedback, and understanding assessment. This includes:
- Teacher-provided lesson content (including imported Google Docs/Slides content)
- Student reflections and assignment submissions (for AI feedback)
OpenAI processes this data under their API terms and does not use it for model training.
5.2 Infrastructure Providers
We use third-party services to operate the platform:
- Hosting: [Provider] for application hosting
- Database: PostgreSQL hosted on [Provider]
- File Storage: Amazon Web Services (S3) for media assets
- Email: Resend for transactional emails
- Caching: Redis for session management and real-time features
These providers process data only as necessary to provide their services to us.
5.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process (e.g., a court order or subpoena).
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify affected users before any such transfer and provide the opportunity to delete their data.
6. Student Data and Education Privacy
6.1 FERPA Compliance
When schools share student data with Quastus (including through Google Classroom), we act as a “school official” with a legitimate educational interest under the Family Educational Rights and Privacy Act (FERPA). We:
- Only access student data for the purpose of providing the educational Service
- Do not re-disclose student personally identifiable information (PII) to unauthorized parties
- Do not use student education records for purposes beyond what the school has authorized
- Maintain appropriate security safeguards for student data
- Support schools in meeting their FERPA obligations
Schools that use the Google Classroom integration should include Quastus in their annual FERPA notification of rights.
6.2 COPPA Compliance
The Children’s Online Privacy Protection Act (COPPA) applies to children under 13. Our approach:
- Teachers (adults) create accounts and manage classes — they may connect Google accounts
- Students join sessions using email codes provided by their teacher — they do not use Google Sign-In
- When students under 13 use the platform, the school provides consent on behalf of parents under the “school consent” exception to COPPA
- We do not knowingly collect personal information from children under 13 outside of the school context
6.3 Data Processing Agreements
Schools may request a Data Processing Agreement (DPA) before using the Service. We support the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement framework. Contact us at [privacy email] to initiate a DPA.
6.4 State Privacy Laws
We comply with applicable state student data privacy laws, including but not limited to:
- California: Student Online Personal Information Protection Act (SOPIPA)
- New York: Education Law 2-d
- Colorado: Student Data Transparency and Security Act (SB 22-515)
- Illinois: Student Online Personal Protection Act (SOPPA)
7. Data Retention
7.1 Account Data
- Teacher accounts: Data is retained for as long as the account is active. Upon account deletion, personal data is deleted within 30 days. Anonymized usage data may be retained for analytics.
- Student accounts: Data is retained for as long as the associated school relationship is active. Schools may request deletion of all student data at any time.
7.2 Lesson and Session Content
- Lesson content, presentations, reflections, and assignment data are retained for as long as the associated teacher account is active
- Teachers can delete individual topics and their associated data at any time
7.3 Google-Imported Data
- Content imported from Google Docs and Slides is stored as part of the lesson content and follows the same retention policy as lesson data
- Student roster data imported from Google Classroom is stored as user records and follows the same retention policy as student accounts
- Disconnecting your Google account does not automatically delete previously imported data — you can request deletion separately (see Section 8)
7.4 AI Processing Data
- Content sent to OpenAI for processing is not stored by Quastus beyond what is saved as part of the normal Service functionality (e.g., AI-generated lesson sections, reflection responses)
- OpenAI retains API inputs for up to 30 days for abuse monitoring, per their policy
8. Your Rights and Choices
8.1 Access and Export
You can access your data at any time through the Service. Teachers can view and export their lesson content, presentations, and student data.
8.2 Deletion
- Delete your account: Contact us at [privacy email] to request full account deletion. We will delete your personal data within 30 days.
- Delete specific content: Teachers can delete individual topics, sessions, and assignments through the Service interface.
- Delete imported data: You can request deletion of data imported from Google Workspace by contacting us at [privacy email].
8.3 Disconnect Google Account
You can revoke Quastus’s access to your Google account at any time:
- From Quastus: Go to your Account page and click “Disconnect Google”
- From Google: Visit Google Account Permissions, find Quastus, and click “Remove Access”
Disconnecting removes our ability to access your Google data going forward. Previously imported data remains in the Service unless you separately request its deletion.
8.4 Opt Out of AI Processing
Teachers can choose not to use AI-powered features. However, certain core features (lesson generation, reflection feedback) require AI processing to function.
8.5 School Administrator Rights
School administrators can:
- View and manage all teacher and student accounts within their school
- Request bulk deletion of all school data
- Request a copy of all school data for portability
9. Cookies
We use only essential cookies required for the Service to function:
| Cookie | Purpose | Duration |
|---|
host_session | Teacher authentication | 7 days |
student_session | Student authentication | 24 hours |
superadmin_session | Platform admin authentication | 7 days |
We do not use advertising cookies, tracking pixels, or analytics cookies that share data with third parties.
10. International Data Transfers
Our servers are located in [region/country]. If you access the Service from outside this region, your data will be transferred to and processed in [region/country]. By using the Service, you consent to this transfer.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page with a new “Last Updated” date
- Sending an email to registered users for significant changes
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy, your data, or our privacy practices, contact us at:
For student data privacy inquiries, DPA requests, or Google data access concerns, contact: help@quastus.com
For Google data access concerns, contact: help@quastus.com