Privacy Policy

1. Introduction

GrassLMS (“we,” “us,” or “our”) is a software-as-a-service learning management system that helps schools and learning centers teach programming, mathematics, and languages. We are committed to protecting the privacy of all users of our platform, including school administrators, teachers, students, and parents.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have regarding your data. If you have any questions, you can reach our privacy team at privacy@learnhub.app.

GrassLMS acts as the data controller for account and platform data. When a school or learning center subscribes to our service, they may also act as a data controller for their students’ educational data, and we act as a data processor on their behalf.

2. Data We Collect

2.1 Account Data

When you create an account or when a school creates one on your behalf, we collect your name, email address, role (administrator, teacher, student, or parent), and the organization you belong to.

2.2 Learning Data

As you use the platform, we collect data related to your educational activities. This includes course progress, lesson completion status, exercise scores, assignment submissions (including code submissions), time spent on lessons and exercises, and quiz results.

2.3 Communication Data

We collect the content of discussion comments you post within courses and any messages you send to our support team.

2.4 Technical Data

When you access the platform, we automatically collect your IP address, browser type and version, device type, operating system, and referring URL. We also use essential cookies to keep you logged in and remember your preferences. See our Cookie Policy for details.

2.5 Payment Data

Subscription payments are processed by Stripe. We do not store credit card numbers, CVVs, or full bank account details on our servers. Stripe provides us with a transaction reference, the last four digits of the card, and the billing address to manage your subscription. For details on how Stripe handles your payment data, please refer to Stripe’s Privacy Policy.

3. How We Use Your Data

We use the data we collect for the following purposes:

• Providing and operating the learning platform
• Authenticating your identity and managing your account
• Tracking your learning progress and generating progress reports
• Providing teachers and school administrators with analytics about student performance
• Providing parents with visibility into their child’s learning activity
• Running the AI Tutor feature to assist students with coursework
• Responding to your support requests and communications
• Improving the platform, fixing bugs, and developing new features
• Ensuring the security and integrity of the platform
• Complying with legal obligations

We do not use your data for advertising. We do not sell your data. We do not use third-party analytics or tracking services.

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation, we process your data based on:

• Contract Performance: Processing necessary to provide you with the service you or your school subscribed to, including account management, learning features, and progress tracking.
• Legitimate Interest: Processing necessary for platform security, fraud prevention, bug fixing, and service improvement, where our interests do not override your rights.
• Consent: Where required, such as for optional communications or when processing data of children where school or parental consent applies.
• Legal Obligation: Processing required to comply with applicable laws, regulations, or legal proceedings.

5. Who We Share Data With

We share personal data only in the following limited circumstances:

• Stripe: We share the minimum data necessary for Stripe to process subscription payments. This includes billing name, email, and payment method details. Stripe acts as an independent data controller for payment processing.
• Schools and Administrators: School administrators can see the account data and learning data of students and teachers within their organization.
• Teachers: Teachers can view the learning progress, exercise submissions, and scores of students assigned to their courses.
• Parents: Parents linked to a student account can view their child’s learning progress and activity.

We do not sell personal data. We do not share data with advertisers. We do not use third-party analytics services such as Google Analytics. We do not share data with any other third parties except as described above or as required by law.

6. AI Tutor and Your Data

GrassLMS includes an AI Tutor feature that helps students with coursework. The AI model is entirely self-hosted on our own servers. No student data, questions, code, or conversation content is sent to any external AI provider or third-party service.

AI Tutor conversations are processed in real time to generate responses. We do not store AI conversation history long-term. Conversation data may be temporarily held in server memory during your session and is not retained after the session ends.

7. Children’s Privacy (COPPA Compliance)

We understand that many of our users are minors, including children under the age of 13. We take the protection of children’s data seriously.

• School Consent: When a school subscribes to GrassLMS and creates student accounts, the school provides consent on behalf of parents for the collection and use of students’ educational data, as permitted under COPPA and FERPA. The school acts as the parent’s agent in providing this consent, and data is used solely for educational purposes.
• No Direct Collection from Children: We do not knowingly collect personal data directly from children under 13 without school or parental consent. If a child attempts to register without going through a school or parent, the account will not be created.
• Parental Rights: Parents have the right to review their child’s personal data, request corrections, and request deletion. To exercise these rights, contact us at privacy@learnhub.app or contact your child’s school.
• Limited Data Collection: We collect only the data necessary to provide the educational service. We do not collect more data from children than is reasonably necessary for participation in the platform.

8. Data Retention

• Active Accounts: We retain your data for as long as your account is active and the subscribing school maintains its subscription.
• After Account Termination: When a school terminates its subscription or an individual account is deleted, we retain account data for 30 days to allow for reactivation or data export. After 30 days, your data is permanently deleted from our active systems.
• Backups: Encrypted backups that may contain your data are retained for up to 90 days after deletion from active systems, after which they are purged.
• Legal Requirements: We may retain certain data longer if required by law, such as billing records for tax compliance.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• All data in transit is encrypted using TLS 1.2 or higher (HTTPS everywhere)
• SSL certificates are provided by Let’s Encrypt and automatically renewed
• Passwords are hashed using bcrypt and never stored in plain text
• Student code submissions are executed in sandboxed environments isolated from the main system
• Regular automated backups with encryption at rest
• Access to production systems is restricted to authorized personnel only
• The AI Tutor runs on our own servers, so student data never leaves our infrastructure for AI processing

While no system is 100% secure, we continuously work to improve our security posture. If you discover a security vulnerability, please report it to privacy@learnhub.app.

10. International Data Transfers

Our servers are hosted by Hetzner in Germany, within the European Union. Your data is stored and processed in the EU, which provides strong data protection under the GDPR.

Stripe, our payment processor, may transfer and process payment data in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, as well as Stripe’s own data protection measures.

No other personal data is transferred outside the European Economic Area.

11. Your Rights

Under the GDPR (EU/EEA Residents)

You have the right to:

• Access your personal data and receive a copy
• Rectification of inaccurate or incomplete data
• Erasure (“right to be forgotten”) of your data
• Data Portability — receive your data in a structured, machine-readable format
• Restriction of processing in certain circumstances
• Object to processing based on legitimate interest
• Withdraw Consent at any time, where consent is the legal basis
• Lodge a Complaint with your local data protection authority

Under the CCPA (California Residents)

You have the right to:

• Know what personal information we collect, use, and disclose
• Delete your personal information
• Opt-Out of the sale of personal information (note: we do not sell personal information)
• Non-Discrimination for exercising your privacy rights

To exercise any of these rights, contact us at privacy@learnhub.app. We will respond within 30 days. For school-managed student accounts, requests may need to be submitted through the school.

12. Cookies

We use only essential and functional cookies. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. For full details on the cookies we use and how to manage them, please see our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. If we make material changes, we will notify you at least 30 days before the changes take effect by posting a notice on the platform and, where possible, sending an email to the address associated with your account. The “Effective Date” at the top of this page indicates when the policy was last updated.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all inquiries within 30 days.