Privacy Policy

Effective Date: July 17, 2025

This Privacy Policy describes how Grady Labs and our autonomous grading service, Grady, collect, use, and protect the information we process when you use our services. Our commitment is rooted in a “privacy-by-design” approach, ensuring that student and institutional data is handled with the highest standard of care.

This public-facing policy provides a transparent overview of our practices. Grady Labs also maintains a complete and detailed internal Data Privacy policy (TR-2025-004), which is available to our institutional partners under a Non-Disclosure Agreement (NDA).

Our Role: Data Processor

It is important to understand the roles regarding your data.

  • The Data Controller is the educational institution (e.g., your university, school, or online educational platform or program). They own the student data and determine the purposes for its use.
  • The Data Processor is Grady Labs. We process data strictly on behalf of and under the instruction of the institution for the sole purpose of providing our grading service, Grady.

All student requests regarding their data, such as access and deletion, should be directed to their institution's administrators. We are fully committed to assisting our institutional partners in fulfilling these requests.

What Information We Process (and What We Don't)

Our system is engineered on the principle of data minimization. We only process the information absolutely necessary to perform our grading service.

We Process: The content of a student's submission for a specific assignment. This is sent to us along with internal, non-identifying IDs from the Learning Management System (LMS) (e.g., Canvas) so we can return the grade to the correct place.

We Do NOT Process: We never ingest, process, or store any Personally Identifiable Information (PII). This includes, but is not limited to:

  • Student or instructor names
  • Email addresses
  • Student ID numbers
  • IP addresses or device information (server logs are purged in near real-time)

How We Process and Protect Information

Our entire data flow is designed for maximum security and privacy.

  • Secure Transfer: An instructor initiates grading through the LMS. The assignment content is sent to Grady over a secure, encrypted connection.
  • Immediate Anonymization: The moment we receive a submission, it is processed by our proprietary anonymization technology. This advanced process sanitizes, paraphrases, and transforms the text to retain academic meaning while making it impossible to trace back to the original author. The original submission is securely destroyed as soon as the data are sanitized, which is typically within two minutes.
  • Secure, Ephemeral Grading: The now fully anonymized content is graded within a secure, confidential computing environment (such as AWS Nitro Enclaves).
  • Grade Return: The score and feedback are returned to the institution's LMS.
  • Zero Retention: Once the grade is returned, the anonymized version of the submission is permanently and securely wiped from our systems, typically within 30 minutes. Nothing persists on our servers.

Our Core Privacy Principles

Our commitment to you is defined by these core principles:

  • Data Minimization: We only ever receive the assignment content itself, never personal identifiers.
  • Ephemeral Processing: Data exists on our systems only for the few minutes needed to grade it. We operate on a strict zero-retention policy post-grading.
  • Deep Anonymization: We use a proprietary process to paraphrase and de-identify all submissions before analysis. This ensures that the content sent to AI models cannot be linked to an individual student.
  • Synthetic Training Data Only: We do not use student data (not even anonymized versions) to train our AI models. Our models are trained exclusively on high-quality, synthetically generated data created in-house.
  • No Tracking: We do not use cookies or any other session or device tracking technologies.
  • No Data Sale: We will never sell, rent, or share student or institutional data. Our business model is based solely on providing our grading service.
  • US Data Residency: All data is processed on secure servers located within the United States.

Compliance with Data Protection Laws

Our “privacy-by-design” architecture inherently complies with major data protection regulations.

  • FERPA: We act as a “school official” under FERPA, using data only for legitimate educational interests as directed by the institution and never re-disclosing it.
  • US State Privacy Laws (CCPA/CPRA, etc.): We act as a “Service Provider.” Since we do not collect personal information or retain any data, we inherently satisfy the core requirements of these laws regarding data access, deletion, and the right to opt-out of data sales.
  • GDPR: For institutions serving EU citizens, we act as a Data Processor and provide a Data Processing Agreement (DPA). We have a special GDPR Operational Mode that guarantees a human instructor has the final, absolute authority to review and override any AI-generated grade, ensuring a “right to human intervention.”

Third-Party Services

We use a limited number of trusted third-party services to provide our service.

  • Cloud Infrastructure: We use Amazon Web Services (AWS) for secure compute and storage, located in the US.
  • AI Models: We send only the fully anonymized and paraphrased text to AI providers for analysis. We have contractual agreements and technical controls in place with these providers to ensure this anonymized data is not logged or used for their model training.

Data Requests and Governance

  • Student Data Requests: As we hold no personal data, requests for access or deletion are best handled by your institution. We will respond within two business days to any institutional request to formally confirm that we hold no data related to a specific user.
  • Government & Law Enforcement Requests: We will only disclose data if compelled by a valid and legally binding order. However, our zero-retention architecture is our primary safeguard; in practice, no student or institutional data exists on our servers to be produced.
  • Policy Governance: This policy is maintained and reviewed annually by our Chief Information Security & Privacy Officer (CISPO), Periklis A. Papakonstantinou. Professor Papakonstantinou is a distinguished expert in Cryptography, Cybersecurity, and Data Privacy who oversees our privacy program and ensures our practices meet the highest ethical and legal standards.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version on this page and revise the “Effective Date” at the top.

Contact Us

If you are an institutional partner and have questions about this policy or our privacy practices, please contact our CISPO at corporate@gradyai.com.