A ready-to-sign Data Processing Agreement (DPA) for school districts. Aligned with FERPA, COPPA, and the Student Privacy Pledge. No surprises, no hidden terms.
Kuliso adheres to the principles of the Student Privacy Pledge. These are non-negotiable commitments, not marketing copy.
We will never sell personal information to any third party. No exceptions.
Student data is never used for targeted advertising of any kind.
Session transcripts and student records are never used to train AI models.
Districts and parents may request deletion of all student data within 30 days.
We notify affected districts within 72 hours of discovering a confirmed breach.
We maintain and share a list of all subprocessors that may handle student data.
Every access to student PII is logged. Schools can request audit reports.
Verified parental consent collected before under-13 students access Kuliso directly.
The following table enumerates every category of student data Kuliso collects, why we collect it, and whether it is stored as personally identifiable information (PII), anonymized, or not collected at all.
| Data Category | Specific Fields | Purpose | PII? |
|---|---|---|---|
| Account Identity | Display name, email address, language preference | Authentication, communications, interface localization | PII |
| Student Profile | Grade level, subjects, learning goals | Personalizing tutoring experience | PII |
| Session Transcripts | Student messages to AI tutor, AI responses, timestamps | Delivering tutoring service; not used for AI training | PII |
| Skill & Assessment Data | Subject mastery scores, session duration, engagement metrics | Progress tracking for students, teachers, and parents | PII |
| Parental Contact | Parent/guardian email address (optional) | COPPA consent verification; progress notifications | PII |
| Classroom Membership | Classroom ID, teacher association | Enabling teacher oversight and class-level reporting | PII |
| Technical Log Data | IP address (used transiently for one-time jurisdiction detection; not stored long-term), browser user-agent, session timestamps | Security, fraud prevention, audit trail (FERPA compliance); IP used one-time for jurisdiction detection only | Pseudonymized |
| Payment Data | Billing name, payment method (tokenized) | Teacher/parent subscription billing only — never linked to students | PII (billing only) |
| Aggregate Analytics | Platform-wide usage statistics (e.g., avg. session length) | Service improvement — no individual student identification possible | Not PII |
| Jurisdiction / Location Preference | Jurisdiction code (e.g., "TX", "VA", "ON-CA", "QC-CA") stored on student/teacher profile; IP address used transiently for initial detection and not stored | Curriculum personalization — determines which state or provincial standards appear in test bank, mastery tracker, reports, micro-lessons, and achievement cards. User can change this in Account Settings. | PII |
| Adaptive Assessment & CAT Data | Individual question responses, response times, difficulty progression, DOK performance per standard, mastery level per standard, CAT proficiency band estimates | Real-time question difficulty adaptation (CAT engine); mastery reporting for students, teachers, admins, district admins. Not used for AI training or advertising. Individual student data never visible in cross-teacher or district views — only classroom/school aggregates. | PII |
| SEL & Wellbeing Check-in Data | Optional mood ratings, self-reported confidence scores, platform-detected frustration signals (enabled per classroom by teacher) | MTSS tier routing; teacher wellbeing dashboard; identifying students who may need additional support. Visible only to student's own teacher and authorized admins. Never in cross-teacher or aggregate views. | PII (sensitive) |
| Home Language Preference | Student's home language (set by teacher or parent); AI-generated translated content cached on Kuliso servers | Generating native-language tutoring content and translated test prep. Used only for bilingual content delivery. Not used for profiling or shared with third parties. | PII |
| Device Fingerprints | Not collected | — | Not collected |
| Social Media Profiles | Not collected | — | Not collected |
| Precise Geolocation | Not collected. Jurisdiction code (state/province) stored — not GPS or street-level location. | — | Not collected |
Kuliso does NOT collect, store, or display IEP status, 504 plan status, ESOL designation, or any disability/accommodation classification. The platform contains no fields, flags, or records that identify a student as having a disability or receiving special education services.
Kuliso offers universal learning supports (text-to-speech, extended time, simplified language, visual aids, bilingual glossaries) available to all students. Teachers configure support preferences per student. The platform never asks or records why a support is enabled. This protects student confidentiality under FERPA and IDEA.
Email us to receive a countersigned DPA for your district's records. We'll respond within 1 business day and can accommodate district-specific addenda.
Request Signed DPA →This Student Data Privacy Addendum ("DPA") is entered into by and between Polsia Inc. d/b/a Kuliso ("Kuliso" or "Service Provider") and the School or School District identified above ("School"), collectively the "Parties." This DPA supplements the Kuliso Terms of Service (kuliso.org/terms) and governs Kuliso's collection, use, and disclosure of Student Data provided by the School.
| Term | Definition |
|---|---|
| "Student Data" | Personally identifiable information from a student's education record that is subject to FERPA, as defined in 34 CFR Part 99, or any state equivalent. Includes student names, grade levels, session transcripts, assessment data, and all categories listed in the Data Inventory above. |
| "Covered Student" | Any student enrolled in the School whose Student Data is shared with or processed by Kuliso. |
| "Eligible Student" | A Covered Student who has reached age 18 or is attending a postsecondary institution, and who therefore holds FERPA rights independently (34 CFR § 99.3). |
| "Under-13 Student" | A Covered Student under the age of 13, subject to additional COPPA protections (16 CFR Part 312). |
| "Authorized Purpose" | The provision of AI tutoring services to Covered Students as contracted between the School and Kuliso. No other purpose is authorized under this DPA. |
| "School Official" | As defined in FERPA, 34 CFR § 99.31(a)(1): a school official with a legitimate educational interest. Kuliso operates in this capacity. |
| "Breach" | Any confirmed unauthorized access to, disclosure of, or use of Student Data. |
| "Subprocessor" | Any third-party service provider engaged by Kuliso to process Student Data in the course of delivering the service. |
| "Privacy Audit Log" | The system-generated record of every access to Student Data maintained by Kuliso for FERPA compliance purposes. |
2.1 This DPA applies to all Student Data provided to Kuliso by the School in connection with the Kuliso tutoring service.
2.2 Kuliso processes Student Data solely for the Authorized Purpose — providing AI-assisted tutoring to Covered Students. All other uses of Student Data are prohibited unless expressly agreed to in writing by the School.
2.3 The School authorizes Kuliso to process Student Data as a "school official" under FERPA, 34 CFR § 99.31(a)(1), with a legitimate educational interest in the performance of the tutoring service.
2.4 This DPA does not authorize Kuliso to: (a) sell or rent Student Data; (b) use Student Data for any commercial purpose unrelated to the Authorized Purpose; (c) disclose Student Data to third parties except Subprocessors listed in Section 7; or (d) use Student Data to build advertising profiles.
Kuliso agrees to:
The School agrees to:
5.1 Detection: Kuliso maintains monitoring systems to detect unauthorized access or anomalous activity involving Student Data.
5.2 Initial notification: Upon discovering a confirmed or reasonably suspected Breach affecting Student Data, Kuliso will notify the School's designated privacy contact within 72 hours via email.
5.3 Notification content: The initial notification will include, to the extent known: (a) the nature of the Breach; (b) the categories and approximate number of affected students; (c) the likely consequences; (d) the measures taken or proposed to address the Breach.
5.4 Remediation: Kuliso will take prompt steps to contain the Breach, prevent further unauthorized access, and restore service integrity. Kuliso will cooperate with the School's incident response team and provide updated information as the investigation progresses.
5.5 School notification obligations: The School is responsible for notifying parents, guardians, and applicable state authorities as required by law. Kuliso will provide reasonable assistance in preparing such notifications upon request.
6.1 Kuliso retains Student Data for the duration of the active service agreement, plus up to 90 days following termination (to allow data export).
6.2 Upon written request from an authorized School representative or verified parent/guardian (for COPPA-covered students), Kuliso will:
6.3 Kuliso may retain anonymized, aggregated statistics (with no personally identifiable information) after deletion for service improvement research.
6.4 Privacy Audit Logs (Section 10) are retained for a minimum of 5 years as required for FERPA compliance, even after student account deletion. These logs contain no personal tutoring content.
6.5 To submit a deletion request, use the Privacy Request Center or contact support@kuliso.org with "Data Deletion Request — [School Name]" in the subject line.
Kuliso uses the following Subprocessors that may access or process Student Data in the course of providing the service:
| Subprocessor | Purpose | Data Location |
|---|---|---|
| Google (Gemini API) | AI language model (Gemini 2.5 Pro & 2.0 Flash for tutoring responses). Google’s API Terms prohibit training on API request data. All processing on US servers. API Terms ↗ | United States |
| Render.com | Cloud hosting of the Kuliso web application. SOC 2 Type II certified. Privacy Policy ↗ | United States |
| Neon (Neon, Inc.) | PostgreSQL database hosting. Student Data stored here (AES-256 encrypted at rest). Privacy Policy ↗ | United States |
| Stripe, Inc. | Payment processing (teacher/parent billing only — student data NOT shared with Stripe). Privacy Policy ↗ | United States |
Kuliso will provide at least 30 days' written notice before adding or replacing Subprocessors that have access to Student Data, allowing Schools to object. If a School reasonably objects to a new Subprocessor, Kuliso will use commercially reasonable efforts to accommodate the objection.
8.1 The School hereby designates Kuliso as a "school official" under FERPA, 34 CFR § 99.31(a)(1), with a legitimate educational interest in accessing Student Data for the Authorized Purpose.
8.2 Kuliso acknowledges this designation and agrees to be subject to FERPA's requirements applicable to school officials, including:
8.3 The School acknowledges its responsibility under FERPA to identify Kuliso as a school official in its annual FERPA notice or equivalent parental notification procedures.
8.4 Parent/Eligible Student Rights: Parents of minor students (and Eligible Students on their own behalf) retain the right to: (a) inspect and review their child's education records maintained by Kuliso; (b) request amendment of inaccurate records; (c) request deletion of records; and (d) receive a copy of their child's data. Requests should be directed to the Privacy Request Center or emailed to support@kuliso.org.
For Under-13 Students who access Kuliso outside of a school enrollment — for example, via a direct family subscription — Kuliso requires verifiable parental consent before the student account becomes active:
For Under-13 Students, Kuliso applies additional data minimization:
Kuliso determines student age from the grade level and date of birth (if provided) at account creation. If a student is identified as under 13, additional consent verification steps are applied as described in Section 9.1. Schools using the school operator exception are responsible for representing that students in their roster meet applicable age requirements or that appropriate parental consent has been obtained.
Kuliso maintains a Privacy Audit Log that records every access to Student PII, including:
Audit logs are retained for a minimum of 5 years. Schools may request a log excerpt for specific students or date ranges by emailing support@kuliso.org.
Kuliso enforces the following access control boundaries:
Authorized school district administrators may request an audit report for any subset of their enrolled students by submitting a written request to support@kuliso.org. Reports will be provided within 10 business days.
The following rights are available to parents of minor Covered Students, and to Eligible Students (age 18+) on their own behalf. All requests are processed through the Privacy Request Center or by emailing support@kuliso.org.
| Right | Description | Response Time |
|---|---|---|
| Right to Inspect | Request to view all data Kuliso holds for a student, including session transcripts, assessment records, and profile data | 10 business days |
| Right to Export | Request a machine-readable copy (JSON) of all student data for portability or record-keeping | 10 business days |
| Right to Correct | Request correction of factually inaccurate records (e.g., wrong grade level, incorrect name) | 10 business days |
| Right to Delete | Request permanent deletion of all student data. Deletion from active systems within 30 days; backup purge within 90 days | 30 days |
| Right to Restrict | Request that specific data not be used for aggregate analytics or shared with Subprocessors | 10 business days |
| COPPA Consent Withdrawal | Parents of Under-13 Students may withdraw parental consent at any time, which suspends the account and initiates deletion | Immediate suspension; 30-day deletion |
In addition to FERPA and COPPA, Kuliso is designed to comply with the following state student privacy laws. Districts in states not listed may contact us to discuss specific requirements.
| Law | Jurisdiction | Key Requirements Met |
|---|---|---|
| SOPIPA Bus. & Prof. Code § 22584 |
California | No behavioral advertising; no data sale; data deleted on request; no third-party profiling |
| AB 1584 | California | DPA in place; data returned or deleted at contract end; data not used for non-educational purposes |
| NY Ed. Law § 2-d | New York | Parents' Bill of Rights included in DPA; Subprocessors contractually bound; breach notification within 60 days |
| ATIPPA HB 18 |
Texas | No sale; no targeted advertising; data used only for educational purpose; deletion rights honored |
| Student Data Privacy Act | Colorado | Data inventory published; subprocessors disclosed; deletion within required timeframe |
| PPRA | Federal | No marketing surveys administered to students; no behavioral research without consent |
| PIPEDA Personal Information Protection and Electronic Documents Act |
Canada (Federal) | Consent-based collection; data minimization; no third-party disclosure for non-educational purposes; individual access and correction rights; Privacy Officer available; complaints escalable to Office of the Privacy Commissioner of Canada |
| Quebec Law 25 Loi 25 / Bill 64 — Act Respecting the Protection of Personal Information in the Private Sector |
Quebec, Canada | Privacy by design; confidentiality incident notification to CAI; right of access, rectification, and de-indexation; privacy impact assessment completed for cross-border AI processing (Gemini API); QEP curriculum standard alignment |
For districts in states with specific DPA template requirements (e.g., New York's standard template), Kuliso can execute the state-specific template in addition to this DPA. Contact support@kuliso.org.
13.1 This DPA is effective upon the date the School first uses Kuliso services and remains in effect for the duration of the service relationship.
13.2 This DPA terminates automatically upon termination of the School's service agreement with Kuliso.
13.3 The obligations in Section 3 (Kuliso's Obligations), Section 5 (Breach Notification), Section 6 (Data Deletion), and Section 10 (Audit Logging) survive termination of this DPA.
13.4 Upon termination, Kuliso will provide the School with a final data export (upon written request) within 30 days, after which all Student Data will be deleted per Section 6.
14.1 This DPA shall be governed by the laws of the State of Delaware, without regard to conflict of law principles. Nothing in this DPA limits either party's compliance with applicable federal and state student privacy laws.
14.2 Kuliso may update this DPA with 30 days' written notice to the School. If a School objects to a material change, it may terminate the DPA without penalty within the notice period.
14.3 This DPA, together with the Kuliso Terms of Service and any executed school purchase agreement, constitutes the complete agreement between the Parties regarding Student Data privacy.
14.4 If any provision of this DPA is found to be unenforceable, the remaining provisions continue in full force and effect.
By signing below (or by executing a countersigned version provided by Kuliso), both Parties agree to the terms of this Student Data Privacy Addendum.
Email us to receive a PDF version of this DPA pre-signed by Kuliso's authorized representative. We'll return it within 1 business day and can accommodate district-specific additions or amendments on request.
support@kuliso.org · For DPA requests, pilot programs, and district pricing
support@kuliso.org · For data access, deletion, and COPPA consent requests