FERPA, COPPA and GDPR Compliance

FERPA, COPPA, and GDPR Compliance Statement for Graded.pro
Effective as of 9/5/26


Introduction

Graded.pro is dedicated to protecting the privacy and security of our users’ personal information and the personal data of the students whose work is processed through our platform. This statement explains how Graded Pro supports compliance with the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the UK and EU General Data Protection Regulation (GDPR). It should be read alongside our full Privacy Policy, which describes our data-handling practices and security measures in detail.

Graded Pro is operated by EdSystems Ltd, a company registered in England and Wales (company number 16551984), with its registered office at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ.


Our Role and Yours

The role we play under data protection law depends on what is being processed and on whose behalf:

  • For account data (the information you provide to create and manage your Graded Pro account), Graded Pro is the data controller.
  • For student work and pupil-related information uploaded by a teacher acting on behalf of a school, the school is the data controller and Graded Pro acts as its data processor under a Data Processing Agreement.
  • For student data uploaded by an independent tutor or self-employed educator, the tutor is the data controller and Graded Pro acts as their data processor under our Terms and Privacy Policy.

These roles shape how each of the regimes below applies.


FERPA Compliance

  1. Education Records
    Where Graded Pro is used by US schools, we recognise that student records are protected under FERPA. We process and store information only as necessary for legitimate educational purposes, such as grading and providing feedback.

  2. School Official with Legitimate Educational Interest
    Where a school provides education records to Graded Pro for marking and feedback, we act as a “school official” with a legitimate educational interest under the FERPA school official exception. We use education records solely on the school’s instructions and do not redisclose them other than as permitted by FERPA and our agreement with the school.

  3. Access and Security
    Access to education records is restricted to authorised personnel within Graded Pro and is supported by encryption, access controls, and audit logging. The school retains primary control over disclosure; parents and eligible students should direct rights requests to the school in the first instance.


COPPA Compliance

  1. Use in an Educational Context
    Where Graded Pro is used with children under 13 in the United States, the Federal Trade Commission’s COPPA framework permits schools to consent on behalf of parents to ed-tech services used for educational purposes (the “school authorization” model). Under this model the school is responsible for obtaining or providing the consents required by COPPA. Where Graded Pro is used outside a school setting — for example by an independent tutor — the tutor or the parent is responsible for any consent required.

  2. Limited Data Use
    Personal information collected in connection with children’s use of the Service is used solely to provide marking, feedback, and related educational services. We do not use children’s data for marketing or advertising, and we do not sell, rent, or lease it.

  3. Parental Rights
    Parents and guardians have the right to review, correct, or request deletion of their children’s personal information. In a school context, please direct requests to your school in the first instance, as the school is the data controller. In an independent-tutor context, please contact the tutor. Graded Pro will support the relevant controller in responding.


GDPR Compliance

  1. Lawful Bases for Processing
    The lawful basis depends on the data and the role we are acting in:

    • For account data (Graded Pro as controller): performance of a contract (Article 6(1)(b)); legitimate interests in operating and securing the Service (Article 6(1)(f)); legal obligation, for example for tax and accounting records (Article 6(1)(c)).
    • For Pupil Data in a school context (school as controller): determined by the school, typically public task (Article 6(1)(e)) for state schools or legitimate interests / contract for independent schools.
    • For student data with independent tutors (tutor as controller): determined by the tutor, typically performance of a contract (Article 6(1)(b)) with the parent or adult student.

    Where the work contains special category data, the relevant controller is responsible for identifying the appropriate Article 9 condition.

  2. Data Subject Rights
    Individuals in the United Kingdom and the European Union have specific rights under the UK and EU GDPR, including:

    • Access: request a copy of personal data.
    • Rectification: correct or update inaccurate information.
    • Erasure (“Right to be Forgotten”): request deletion of personal data in certain circumstances.
    • Restriction / Objection: limit or object to certain processing activities.
    • Data Portability: obtain a transferable copy of personal data.
    • Complaint: lodge a complaint with the relevant supervisory authority. In the United Kingdom, this is the Information Commissioner’s Office (ICO); in the European Union, the supervisory authority of your country of residence.

    To exercise these rights in relation to account information, please contact our Data Protection Officer. To exercise rights in relation to Pupil Data, please contact the relevant controller (your school or independent tutor) in the first instance; we will support the controller in responding.

  3. Data Protection Measures
    We use industry-standard security protocols, including TLS encryption for data in transit and encryption of data at rest. Our processes are validated under CASA Tier 2 by TAC Security.

  4. International Transfers
    Some of our sub-processors are located outside the United Kingdom and the European Economic Area, in particular in the United States. Where personal data is transferred outside the UK or EEA, we put in place appropriate safeguards as required by UK and EU GDPR, including the European Commission’s Standard Contractual Clauses for transfers from the EEA, the UK International Data Transfer Addendum (or the UK International Data Transfer Agreement) for transfers from the United Kingdom, and (where applicable) the EU–US Data Privacy Framework and UK Extension where the relevant sub-processor is certified.


Contact Information

For questions about how Graded Pro supports compliance with FERPA, COPPA, or the UK and EU GDPR — or to exercise your data protection rights — please contact our Data Protection Officer using the details set out in our Privacy Policy. We are committed to addressing enquiries promptly and transparently.


Amendments to This Statement

We may update this statement from time to time to reflect changes in our practices or in relevant regulations. Material changes will be posted on this page, and the “Effective as of” date above will be updated to reflect the latest version. We encourage you to review this document periodically.