1. Legislative Compliance

Federal Law

State Law

StudyPug USA Inc. will execute state-specific Data Processing Agreement addenda as required by applicable law. For states not listed above, StudyPug USA Inc. will work with the Institutional Customer to ensure compliance.

2. FERPA Compliance

When providing services to US educational institutions under a written agreement, StudyPug USA Inc. acts as a “school official” with a “legitimate educational interest” under FERPA. In this capacity, StudyPug USA Inc.:

• Performs an institutional service or function the institution would otherwise use employees to perform;

• Is under the direct control of the institution with respect to the use and maintenance of education records;

• Uses personally identifiable information (PII) from education records only for the purposes specified in the institutional agreement;

• Does not re-disclose PII from education records without consent, except as permitted by FERPA;

• Maintains education records only for the period authorized by the school or district;

• Returns or destroys education records upon request or at the conclusion of the service agreement.

Data ownership: All student education records remain the property of the school or district. StudyPug USA Inc. is a custodian, not an owner, of these records. StudyPug USA Inc. gains no rights to use student data as a commercial asset.

Direct control: The school or district retains direct control over student data at all times. StudyPug USA Inc. will not modify terms of service, data handling practices, or sub-processor arrangements affecting student data without providing at least thirty (30) days' written notice.

3. COPPA Compliance

StudyPug's services include educational content for children under 13 (Kindergarten through Grade 3). StudyPug USA Inc. complies with COPPA and the FTC's COPPA Rule, 16 C.F.R. Part 312, as amended effective June 23, 2025 (published April 22, 2025; compliance required by April 22, 2026).

School authorization: For Institutional Customers, StudyPug USA Inc. relies on the school or district's authorization to collect student information for the specified educational purposes, consistent with FTC guidance on school consent under COPPA.

Parental rights: Parents retain the right to review, request deletion of, and refuse further collection of their child's personal information. Parents may exercise these rights by contacting their child's school or district, or directly at privacynotification@studypug.com.

• Data minimization: Only information necessary to provide contracted educational services is collected. No precise geolocation (GPS or cell-tower), biometric, social media, or photographic data from children is collected. IP-derived approximate location is collected for content regionalisation.

• No advertising: Children's personal information is never used for advertising. No advertisements are served to student users.

• Retention: Children's personal information is retained only as long as necessary for the educational purpose. See Section 6.

4. Data Categories

In addition to Contact Data and Demographic Data in the general Privacy Policy, StudyPug USA Inc. collects for Institutional Customer deployments:

Learning Activity Data: course progress and completion, quiz and assessment scores, topic mastery levels, time-on-task, diagnostic assessment results, knowledge gaps identified, adaptive practice performance.

Institutional Administration Data: district or school name, class or programme identifiers, administrator and teacher contact details, seat allocation records.

Student Contact Data: name (or alias as provided by the school) and email address, as provided by the school or district for account provisioning.

StudyPug USA Inc. does not collect biometric data, social media identifiers, health information, precise geolocation data (GPS or cell-tower), photographs, or data beyond what is necessary. IP-derived approximate location is collected for content regionalisation.

• Third-party tracking exclusion: Google Analytics and other third-party analytics or advertising tracking services are not used in Institutional Customer student sessions. No student data is transmitted to third-party analytics or advertising providers.

• AI training exclusion: Student data is not used to train, develop, or improve StudyPug's AI models or any third-party AI systems.

5. Data Usage Limitations

• No advertising: Student data is never used for targeted, behavioural, or any advertising.

• No sale of data: StudyPug USA Inc. does not sell, rent, or trade student personal information to any third party.

• No non-educational profiling: No personal profiles of students are created for non-educational purposes.

• No AI training: Student data is not used to train generative AI models.

• No third-party marketing: Student contact information is not shared with third parties for marketing purposes.

• Educational purpose only: All data collection, use, and processing is limited to providing, maintaining, supporting, and improving the educational services specified in the institutional agreement.

6. Data Retention and Deletion

Active accounts: Learning Activity Data and personal information are retained for the duration of the institutional subscription. Post-subscription: data retained for ninety (90) days after expiry or termination, then permanently deleted. Immediate deletion may be requested at any time.

Deletion timeline: All deletion requests processed within thirty (30) calendar days. Deletion is irreversible. Written confirmation provided.

Retained data: Following deletion, only anonymized aggregate data and billing contact financial records are retained. No student-identifiable information is retained.

7. Data Security and Residency

All US Institutional Customer data is stored in the United States on Amazon Web Services servers in the US-East-1 (Virginia) region. StudyPug Inc.'s Canadian-based team may access this data for customer care and support purposes.

Security measures include: encryption of data at rest (AES-256) and in transit (TLS 1.2+); role-based access controls; regular security assessments and vulnerability monitoring; employee privacy training; incident response procedures (see Section 8).

8. Data Breach Notification

In the event of a security incident, StudyPug USA Inc. will:

• Notify the Institutional Customer's designated contact within five (5) business days, and in any event no later than seven (7) calendar days of becoming aware of the breach;

• Provide a written incident report: nature and scope; data categories; estimated number of affected students; measures taken or proposed; recommendations to mitigate harm;

• Co-operate with the Institutional Customer's breach response and notification procedures;

• Report to applicable federal or state regulatory authorities as required by law. Note: New York Education Law § 2-d (8 NYCRR §121.10(a)) requires vendor notification to the school within 7 calendar days of discovery; the school then notifies parents/students without unreasonable delay;

• Take all reasonable steps to contain the breach and prevent recurrence.

9. Sub-Processors

StudyPug USA Inc. will notify Institutional Customers in writing at least thirty (30) days before engaging any new sub-processor with access to student personal information. Institutional Customers may object within that notice period. Written confirmation of security measures is obtained from each sub-processor before granting access to student data.

10. Accessibility

StudyPug is working toward WCAG 2.1 Level AA conformance consistent with: the Americans with Disabilities Act (ADA) and the DOJ's April 2024 final rule establishing WCAG 2.1 AA as an enforceable standard for public entities; Section 508 of the Rehabilitation Act, where applicable. A VPAT (WCAG 2.1 edition) is in preparation and will be provided upon request. See studypug.com/support/accessibility/.

11. Data Processing Agreement

StudyPug USA Inc. is prepared to execute a Data Processing Agreement (DPA) with each Institutional Customer specifying FERPA obligations, COPPA compliance, data handling procedures, security commitments, breach notification procedures, and state-specific requirements.

StudyPug USA Inc. supports the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement (NDPA) framework and will work with Institutional Customers to execute DPAs consistent with applicable state alliance requirements.

12. Institutional Customer Rights

Institutional Customers have the right to:

• Request a copy of all personal information and Learning Activity Data for their students, in a commonly used electronic format, within thirty (30) days;

• Request correction of inaccurate personal information;

• Request deletion of student data at any time, subject to Section 6 timelines;

• Receive written confirmation of any data deletion;

• Receive thirty (30) days' written notice before material changes to this Supplement take effect;

• Designate a privacy contact to receive all notifications and reports from StudyPug USA Inc.

13. Contact

For all privacy inquiries related to US institutional accounts:

Privacy and Data Protection Officer, StudyPug USA Inc.
c/o Woodburn Wedge, 6100 Neil Road, Suite 500, Reno, Nevada 89511
Email: privacynotification@studypug.com

We will acknowledge all privacy inquiries within five (5) business days.

This document is issued by StudyPug USA Inc. and is effective as of the date stated above.
© 2015–2026 StudyPug Inc. All rights reserved.