Perplex Privacy Policy

As part of our commitment to privacy, Perplex Learning Incorporated (hereafter Perplex) provides this Perplex Privacy Policy to explain how we collect, use and safeguard personal data connected to your use of Perplex.org (the website) and any provided Services. This policy also sets forth your privacy rights and the means by which you may exercise them.

In connection with the Services:

• We only collect personal information or student data (hereafter data) that is needed to provide the Services.
• We share data only with third-party vendors who help us deliver and support the Services.
• We do not share data with any third-party advertisers, nor does the website contain any targeted advertising.

In order to maintain our responsibility for information privacy, we may update this Privacy Policy to reflect changes to our practices or our business. You will be notified via the email connected to your account of any material changes to this policy that impact your privacy rights.

Effective date: October 14, 2025

Compliance statement

• Designed to support compliance with GDPR when the Service is provided to EU institutions, students or teachers.
• Operated as a processor and as a school official under FERPA when access is provided by a school.
• Not directed to children under 13 and no student targeted advertising.

Note to minors

If you are under the age of 16, please get permission from your parent or legal guardian or your school before using the Services. If we discover that we have collected any personal information from a child under the age of 16 without the proper consent required by law, we will suspend the associated account or remove that information from our database as soon as possible.

Technical data

We collect technical information generated by use of the Service, including IP address, device and browser characteristics, operating system, timestamps, pages and endpoints requested, referring URLs, approximate location derived from network data, performance metrics, and error and security logs. This is collected for visitors, students, teachers, and school administrators.

We use technical data to provide, secure, and maintain the Service, to prevent fraud and abuse, to diagnose and fix errors, and to measure reliability and performance so the classroom experience is stable for students and teachers. In the European Economic Area we obtain consent before collecting non essential analytics through cookies or similar technologies.

Identity and authentication data

We collect identity and account information when an account is created or managed, such as name, email address, account and user identifiers, and a student or teacher role.

We use identity and authentication data to create and administer accounts, protect sign in and access, associate users with classes and institutions so students can access their own work and teachers can manage their classes, provide support, and enforce policies and contracts. In school provided implementations we process this information under the institution’s documented instructions.

Academic data

We collect academic settings and goals supplied by a user or an institution, including course type or track, target outcomes, assessment dates or periods, and self assessed targets. This applies primarily to students and to teachers who configure classes.

We use academic data to tailor study plans and content, align activities to curriculum requirements, track progress, and support institution authorized reporting so students see appropriate goals and teachers can view relevant settings for their classes. Processing is carried out under contract and our legitimate interests in delivering and improving pedagogically appropriate features, or under school direction where applicable.

Usage data

We collect event level records describing how features are used, such as activities started or completed, time on task, navigation flows, and outcome indicators, together with performance telemetry. Usage data is recorded for students, teachers, and administrators as they interact with the Service and is stored and analyzed with pseudonymous identifiers rather than names or email addresses.

We use usage data to operate and improve features, recommend appropriate content, monitor service quality, and generate dashboards that reflect engagement and progress so students can follow their own progress and teachers can view class level and student level metrics for the learners they oversee. In the European Economic Area we collect non essential analytics only after consent.

User generated data

We process content that users create or upload within the Service, including typed or uploaded work, images or PDF files, and the contents of instructional or support chats together with timestamps and content identifiers. This category primarily relates to students and teachers who use learning and classroom features.

We use user generated data to deliver core learning functionality, including saving and reviewing work, providing feedback, enabling teacher review and grading, and resolving user requested issues so students can revisit their own work and teachers can review the work of students in their classes. Processing is performed under our contract with you or your institution and, for school provided access, under the institution’s instructions.

Classroom data

We collect classroom administration information supplied by an institution or a teacher, such as student lists for a class, the classroom name, and a class invite code. This information supports enrollment and instructional workflows.

We use classroom data to manage rosters and enrollment, distribute and collect assignments, display upcoming and past classroom activities, and produce institution authorized reporting so students see the classes and assignments they are enrolled in and teachers see the rosters and artifacts for the classes they manage. Processing is performed under contract and, in school contexts, as a processor acting on the institution’s instructions.

Marketing and communications data

For teachers, administrators, and other users who opt in, we collect communication preferences, subscription status, and engagement with our messages.

We use marketing and communications data to deliver product updates, onboarding information, surveys, and other messages consistent with the user’s preferences and to honor unsubscribe and opt out choices. Essential service notices related to the Service may be sent regardless of marketing preference where permitted by law.

Financial data

If you purchase goods or services from us, payment information is processed by our payment processor, currently Stripe. We receive and store tokens and limited billing details such as billing name, email, and billing address as needed to complete the transaction, issue receipts, and maintain records. We do not store full card numbers on our systems.

We use financial data to process transactions, provide access to paid features, handle receipts and account queries, detect and resolve payment issues, and comply with tax and accounting obligations. For institutional purchases we may also process purchase order identifiers and billing contacts supplied by the institution.

Service providers

We use the following service providers to operate and support the Service. Each provider is engaged under a written contract that limits use to providing the contracted services and requires confidentiality and security. Transfers, where relevant, are supported by the EU United States Data Privacy Framework or the European Commission 2021 Standard Contractual Clauses.

• Supabase (AWS us east). Database, authentication, APIs, and operational logging for the application.
• Google Firebase. Authentication and cloud storage of files uploaded through the Service.
• PostHog. Product analytics processed in an EU data center and configured to limit direct identifiers and honor consent choices in the EEA.
• OpenAI. Processing of messages and content to power AI features such as chat and automated feedback.
• Anthropic. Processing of messages and content to power AI features such as chat and automated feedback.
• Google Gemini. Processing of messages and content to power AI features such as chat and automated feedback.
• Vercel. Hosting and delivery of the website and application.
• Stripe. Payment processing and billing support. We do not store full card numbers on our systems.
• Sentry. Error monitoring and performance telemetry for the application and website.
• Langfuse. Observability and analytics for AI features, configured to limit direct identifiers and honor consent choices where applicable.

This list may be updated from time to time. For questions about our providers or to request the current list, contact privacy@perplex.org.

International transfers

Our primary hosting is in the United States. If personal data from the European Economic Area or Switzerland is processed in the United States or another country, we rely on the EU United States Data Privacy Framework where available or on the European Commission 2021 Standard Contractual Clauses with appropriate safeguards. We will provide additional information about these safeguards on request.

Cookies and similar technologies

We use cookies and similar technologies that are necessary to operate the Service. In the European Economic Area we obtain consent before setting non essential analytics cookies and we honor the choices you make through our cookie controls.

Rights and requests

You may request access, correction, or deletion of personal data by contacting privacy@perplex.org or visiting https://perplex.org/privacy-settings. Where access is provided by an institution, requests may need to be routed through that institution. We aim to respond within 30 days and will comply with applicable law.

Retention

We keep personal data for as long as needed to provide the Service and to meet legal obligations. In general, technical and analytics records are kept for a limited period, user generated and classroom data are kept for the active relationship, identity data is kept for the life of the account and a short period after closure, and financial records are kept as required by law. We delete or de-identify data when it is no longer needed.

Security and incident response policy

We use administrative, technical, and physical safeguards appropriate to the nature of the data, including encryption in transit and at rest and least privilege access controls. We strive to ensure that all our employees are aware of the importance of confidentiality and maintaining the privacy and security of your information.

If we become aware of unauthorized access to or disclosure of personal data, we will investigate promptly, take steps to contain and remediate the issue, and keep appropriate records. Where an institution provides access, we will notify the institution without undue delay consistent with our contract so the institution can meet its own obligations.

When notification to individuals or authorities is required by law, we will provide that notice in the manner and within the time periods required, and we will cooperate with the institution and with regulators. Notices may be delivered by email or through in-product messaging and will describe what happened, what information was involved, the steps we have taken, and available guidance for affected users.

Contact

To ask questions or to exercise rights of access, correction, or deletion, contact privacy@perplex.org. For school provided accounts, requests may be routed through the school or district consistent with its policies.