COPPA School Notice
This notice describes the personal information Tolus collects from students, how we use and share it, and the rights schools and parents have. It is provided so that a school or district may, where it chooses, authorize the collection of students’ personal information on behalf of parents, relying on the school-consent pathway recognized in Federal Trade Commission guidance under the Children’s Online Privacy Protection Act (COPPA) and its Rule (16 CFR Part 312). This pathway rests on FTC guidance — including the FTC’s COPPA FAQs and its 2022 policy statement on ed tech — rather than on an express provision of the Rule; the FTC declined to codify the pathway in its 2025 amendments. Tolus collects and uses student personal information only for the school-authorized educational purpose of running oral-defense assessments, and for no other commercial purpose.
Where a school cannot or chooses not to authorize collection on parents’ behalf, Tolus must instead obtain verifiable parental consent before collecting personal information from a child under 13.
What we collect from students
From the teacher’s Google Classroom roster (under the teacher’s authorization):
- Student full name, email address, and Google Classroom user ID.
- Profile photo — fetched live for display to the teacher only; not stored by Tolus.
During an oral defense:
- Voice audio — streamed in real time to our speech-to-text provider for transcription; never stored by Tolus.
- The text transcript of the defense (the student’s spoken answers and the AI’s questions).
- The student’s submitted work, read to ground the defense questions.
- The mastery score and written feedback the AI produces, and any feedback the student chooses to submit.
For access and security:
- A class PIN, issued by the teacher, used by the student to start the defense.
- Limited authentication logs: a masked IP-address prefix and a device identifier.
How we use it
We use student personal information solely to operate the assessment for the school: to generate defense questions, score the spoken defense, return the score and transcript to the teacher, and post the grade back to the school’s Google Classroom. We do not use it for any other purpose.
Who we share it with
Each subprocessor is contractually bound to handle data only to provide its service to us:
- OpenAI — generates defense questions, scores the defense, and produces speech audio; receives submission text, transcript, and rubric. Data is excluded from model training under OpenAI’s API terms.
- Deepgram — real-time speech-to-text; receives the student’s voice audio. Audio is not stored.
- Supabase — encrypted database hosting in the United States.
- Google — authentication and Classroom/Drive data accessed on the teacher’s behalf.
- Vercel — application hosting. Product analytics is disabled on student defense pages.
- Resend — transactional email; receives a student’s name and any feedback the student submits, sent to the teacher’s administrator.
What we do not do
- We do not use student personal information for targeted advertising.
- We do not build profiles of students for any purpose unrelated to the assessment.
- We do not sell, rent, or trade student personal information.
- We do not use student personal information to train, create, or improve any machine-learning or AI model.
Review, deletion, and retention
- A school may review the student personal information we hold and request deletion at any time by contacting hlincontacts@gmail.com.
- A teacher may delete any individual defense, or close their account, which deletes the associated student records.
- We do not retain student data indefinitely: defense records are automatically deleted 18 months after creation (unless the school requests a different period), and authentication logs are deleted after 90 days.
Security
Data is encrypted in transit (TLS), and stored Google OAuth refresh tokens are encrypted at rest with AES-256-GCM. Database access is limited to a dedicated service role, with row-level security enabled on all tables containing personal data as defense-in-depth. We maintain a Written Information Security Program, available to schools on request. Our controls are designed to align with the SOC 2 Trust Services Criteria; Tolus is not yet SOC 2 audited, and a formal audit is on our roadmap.
Notice to parents
Schools relying on the school-consent pathway should make this notice available to parents. A parent may review the personal information we have collected from their child, refuse to permit further collection or use, and request deletion — by contacting their school or by emailing us at hlincontacts@gmail.com.
Contact
Questions or requests: hlincontacts@gmail.com.