Privacy Policy

1. Roles and responsibilities

For many educational deployments, the school, teacher, institution, ministry, or organization is the controller or educational authority that decides why ActivityLock is used. ActivityLock acts as a service provider or processor for platform operation, subject to applicable agreements and laws.

Where an individual teacher creates an account independently, that teacher is responsible for providing required notices and obtaining required consents from students, parents, guardians, or institutions before using monitoring or assessment features.

2. Information we may process

• Account information: name, email, role, school or institution details, subject, plan, billing status, support messages, and settings.
• Educational content: exams, activity questions, answer keys, uploaded PDFs, annotations, student submissions, marks, notes, rubrics, exports, and feedback.
• Monitoring data: timestamps, session identifiers, browser focus changes, fullscreen status, device and browser information, screen size, permission status, connection state, activity logs, and violation signals.
• Media or evidence where enabled: screenshots, screen sharing signals, webcam or microphone permission events, or other proctoring evidence depending on teacher or institution settings.
• AI data: writing answers, prompts, marks, feedback, cognitive level labels, similarity flags, confidence scores, analytics, and teacher-provided AI marking instructions.
• Technical data: IP address, user agent, cookies, local storage identifiers, crash logs, security logs, and usage metrics.
• Payment data: plan, subscription, checkout references, invoices, and payment status. Full card details are handled by payment processors and are not stored by ActivityLock.

3. Why we process information

We process information to provide accounts, run exams and activities, enable monitoring selected by teachers or institutions, save submissions, grade activities, provide AI marking and analytics, maintain security, prevent abuse, process payments, provide support, comply with legal obligations, and improve reliability.

Depending on jurisdiction, legal bases may include contract performance, legitimate interests, consent, school authorization, public interest or educational task, compliance with law, or processor instructions from an institution.

4. Children, students, COPPA, FERPA, and school authorization

ActivityLock may be used with students, including minors. Institutions and teachers are responsible for determining whether parental consent, school consent, student consent, or another legal basis is required. For children under 13 in the United States, schools may provide consent for educational technology used for school-authorized educational purposes where permitted by COPPA guidance.

For FERPA-covered institutions, ActivityLock may process education records as a school official or service provider when configured by the institution, subject to institutional control, legitimate educational interest, and applicable contractual or policy safeguards.

5. AI and automated analysis

AI-generated marks, feedback, analytics, similarity indicators, cognitive level labels, and review warnings are not final decisions. Teachers and institutions must review AI output before using it for grades, discipline, eligibility, progression, or significant educational decisions.

AI processing may involve third-party AI infrastructure. We aim to send only the information needed to perform the requested feature, such as the question, answer, max marks, marking settings, and relevant context.

6. Storage, third-party integrations, and international transfers

ActivityLock may use Firebase, Google Cloud, Google Drive, Microsoft OneDrive, Stripe, AI providers, email providers, and other service providers. Information may be processed in countries different from where users are located. We use contractual, technical, and organizational measures intended to protect transferred data where required.

When teachers connect Google Drive or OneDrive, certain PDFs, submissions, exports, or related files may be stored in the teacher-owned cloud account. Disconnecting that account may affect ActivityLock access to those files.

7. Retention and deletion

Retention depends on account settings, institution instructions, plan status, technical backups, legal obligations, and operational needs. Teachers and institutions should export or delete data according to their own policies. We may retain audit logs, payment records, security logs, legal acceptance records, and abuse-prevention records where necessary.

Deletion requests may be limited where records must be retained for legal compliance, dispute resolution, security, backup recovery, billing, or legitimate educational record obligations.

8. Disclosure

We may disclose information to authorized teachers, institution administrators, students where appropriate, service providers, payment processors, cloud providers, support personnel, legal authorities when required, and parties involved in security, abuse, billing, or legal enforcement.

9. Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, object, export, or complain about personal data processing. Students should usually contact their teacher or institution first because the school or institution often controls educational records.

10. Security

We use technical and organizational safeguards designed to protect data. However, no online service is completely secure. Users must protect passwords, devices, browser sessions, connected cloud accounts, and institution access controls.

11. Policy updates

We may update this Policy. Material changes may require renewed acceptance or notice. Acceptance records may include version, timestamp, IP address, user agent, and device information for audit readiness.