Legal

Privacy Policy

Last updated June 12, 2026

Tolus, Inc. (“Tolus”, “we”) provides an oral defense layer for written assignments. This policy describes what we collect, why we collect it, who we share it with, and how we handle it. We follow this policy for every teacher and every student who uses Tolus.

Who the policy applies to

Tolus has two types of users: teachers, who sign in with a Google account to set up defenses for their classes, and students, who complete a defense using a one-time PIN provided by their teacher. Students do not create accounts. We also receive contact details from people who apply to our beta.

What we collect from teachers

  • Name, email address, and Google profile photo (from Google sign-in).
  • Google Classroom course list, assignments, and student rosters for the courses you connect.
  • A long-lived Google OAuth refresh token. We store this token so Tolus can continue to act on your behalf in Google Classroom and Google Drive — reading assignment materials and student submissions, and writing grades and transcript documents back — without asking you to re-authorize before every defense. The token is stored server-side and is used only for the purposes described in this policy.
  • The defense configurations you create: assignment context, rubrics, and pass thresholds.

What we collect from students

  • The student’s full name, email address, and Google Classroom user ID, as supplied by the teacher’s roster.
  • The student’s Google profile photo. We fetch this live for display to the teacher and do not store it.
  • A per-student PIN used to start the defense. Because the teacher must be able to see and distribute the PIN, it is stored in readable (un-hashed) form by design.
  • The audio of the oral defense, streamed from the student’s browser for real-time transcription (see below).
  • The text transcript of the defense, the AI’s questions, the resulting score, and the AI feedback.
  • Any free-text feedback the student chooses to submit after a defense.
  • For security and abuse prevention, a truncated (masked) IP prefix and a device identifier in our authentication logs.

Student voice and audio

During a defense, the student’s spoken audio streams directly from the browser to our speech-to-text subprocessor (Deepgram) over an encrypted connection for real-time transcription. Tolus never stores the audio — we keep only the resulting text transcript.

We want to be transparent that we treat a person’s voice as biometric personal information and handle it accordingly. Even though Tolus does not retain audio, we handle the streamed voice with that sensitivity in mind: it is used solely to transcribe the defense, it is not used to identify, profile, or advertise to anyone, and it is never sold or used to train models.

How we use it

  • To run the defense: the AI uses the student’s submission, the rubric, and the in-progress conversation to ask follow-up questions and produce a score and feedback.
  • To deliver results: the score and transcript are returned to the teacher and posted back to Google Classroom, and a transcript document is created in the teacher’s Google Drive and shared to the student’s email when configured.
  • To operate, secure, and improve the service: we log requests for debugging and abuse prevention, and we relay student-submitted feedback to our team.

We do not sell or share student data, share it with advertisers, use it for targeted advertising or profiling, or use it to train any model. Student submissions and transcripts sent to our AI subprocessor are excluded from training under that provider’s API terms.

Subprocessors

We rely on a small set of vendors to operate Tolus. Each is contractually bound to handle data only to provide service to us.

  • OpenAI — generates defense questions, scoring, and text-to-speech audio for the AI’s questions. Receives the student’s submission text, the live transcript, and the rubric. This data is excluded from training under OpenAI’s API terms.
  • Deepgram — real-time speech-to-text. Receives the student’s defense audio directly from the browser.
  • Supabase — hosts our Postgres database in the United States. Stores all of the personal data described above.
  • Google — authenticates teachers and provides read and write access to Google Classroom and Google Drive on the teacher’s behalf. Tolus uses the per-file drive.file scope to create transcript documents, and a restricted read scope (drive.readonly) to read teacher-attached assignment materials and the student’s submitted files, which Tolus did not create.
  • Vercel — hosts the Tolus web application. Vercel Analytics runs on our marketing pages and the teacher dashboard (/dashboard), but is disabled on the student-facing defense pages (/defense). It collects only anonymous, aggregate usage metrics — no cookies or persistent identifiers, and no transcript content or student answers.
  • Resend — delivers our transactional email. This includes student-feedback emails sent to our team (which contain the student’s name and the verbatim feedback they submitted) and beta-application emails.

Google Limited Use disclosure

Tolus’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In plain English, here is how we handle Google Workspace data:

  • What we access. With the teacher’s authorization, we read the teacher’s Classroom courses (classroom.courses.readonly), rosters (classroom.rosters.readonly), and student submissions (classroom.student-submissions.students.readonly); the teacher’s assignment materials; and the specific files a student attached to the relevant Classroom assignment. We read each rostered student’s email address (classroom.profile.emails) and profile photo (classroom.profile.photos) so the teacher can identify students in the roster and so each transcript is shared to the correct student’s email; the profile photo is fetched live for display and is not stored. We request a restricted Drive scope (drive.readonly) solely to read those specific assignment-related files so the AI can ask defense questions grounded in the student’s actual work. We also create and write transcript documents in the teacher’s Drive using the per-file drive.file scope.
  • What we create and write. Using the classroom.coursework.students scope, Tolus creates the defense assignment (coursework) inside the teacher’s chosen Google Classroom course — this is how students receive the defense link — and posts each student’s grade back to that assignment when the defense is complete.
  • How we use it. Only to operate the defense for that teacher: creating the defense assignment, generating grounded questions, returning scores and transcripts, and posting grades and transcript documents back to Classroom and Drive.
  • How we store it. Defense configurations, transcripts, and scores are stored in our US database. The text of the assignments and teacher-attached materials you select is stored in the defense configuration so the AI can ground its questions, and it persists with the defense until the defense is deleted. For a student’s own attached submission files, we read the content to generate the defense; portions of the submission may be quoted in the transcript record, which is retained under the retention periods described below (up to 18 months by default) and then deleted.
  • How we share it. Only with the subprocessors listed above, and only as needed to run the service. Google user data is never sold, never used for advertising, and never used to train AI or machine-learning models. No human reads Google user data except where strictly necessary to operate the service, address a security issue, or comply with applicable law.

Children and COPPA

Tolus is a service for schools and is not directed to children for independent sign-up. Where students are under 13, Tolus relies on the school or teacher to provide consent on behalf of parents under the school-consent pathway recognized in FTC guidance under COPPA: the school authorizes the collection of student information solely for the educational purpose the school has approved.

  • Student data is used only for the school-authorized educational purpose — running and scoring the defense.
  • We do not serve targeted advertising to students and do not build advertising or behavioral profiles of students.
  • A school may review the student information we hold and request its deletion at any time.
  • We do not retain student personal information indefinitely; it is deleted on request, when the associated defense or account is removed, and automatically at the end of the retention periods described below (see Data retention and deletion).

Data retention and deletion

Transcripts, scores, feedback, and configurations are retained so they remain available to the teacher alongside the gradebook, but not indefinitely. As a current default, defense records are automatically deleted 18 months after they are created unless your school requests a different period, and authentication logs are deleted after 90 days. Teachers may also delete any defense at any time, and closing an account deletes all associated data. When you delete a defense or close your account, the removal is synchronous, not on a delayed schedule.

  • Deleting a defense. When a teacher deletes a specific defense, we synchronously remove that defense’s configuration and all of its associated defense sessions, student feedback, and session tokens. PINs and authentication-log entries scoped to that defense’s course are removed when no other active defense relies on them. A student record is removed when the student is no longer enrolled in any other course you run on Tolus.
  • Closing your account. When a teacher closes their account (deletes all of their data), we synchronously remove every defense the teacher owns and all of the associated student records under their control.
  • Audio. We never store audio, so there is nothing to delete.
  • Transcript Google Docs. Transcript documents are created in the teacher’s own Google Drive and are governed by the teacher’s Google account. When you delete a defense, Tolus removes its database copy and reference; it does not delete the file in your Drive — you control that file directly in Google.

To request deletion, a teacher can delete the defense or close their account, or you can email hlincontacts@gmail.com.

Student and family rights

Tolus acts as a school official under FERPA only under a signed district data privacy agreement (DPA), processing student records solely at the direction of and under the control of the school, and does not re-disclose them except to the subprocessors listed above under contract (see our FERPA page). Students and parents may request access to, correction of, or deletion of a student’s defense records by contacting their teacher or school, or by emailing us at hlincontacts@gmail.com.

California privacy (CCPA/CPRA and SOPIPA)

For California residents: Tolus does not sell or share personal information, does not use student personal information for targeted advertising or to build student profiles, and maintains reasonable security procedures appropriate to the data we handle, as required by the California Consumer Privacy Act (as amended by the CPRA) and the Student Online Personal Information Protection Act (SOPIPA).

Subject to applicable exceptions, you have the right to know what personal information we hold, to request its deletion or correction, to opt out of any sale or sharing (we do neither), and not to receive discriminatory treatment for exercising these rights. To exercise any of these rights, email hlincontacts@gmail.com. For student records held on behalf of a school, we will direct or coordinate the request with the school as the controlling party.

Security

Data is encrypted in transit (TLS). Stored Google OAuth refresh tokens are encrypted at rest using AES-256-GCM application-layer encryption. Row-level security is enabled (default-deny) on every database table containing personal data as defense-in-depth; the application connects through a dedicated service role. We also use timing-safe PIN comparison, signed (HMAC) score and feedback tokens, request rate limiting, an origin check on state-changing requests, and short-lived session tokens. We are candid that student PINs are stored in readable (un-hashed) form by design, so that teachers can see and distribute them. We do not export student data outside the subprocessors listed above. Tolus maintains a Written Information Security Program (WISP), available to schools on request at hlincontacts@gmail.com. Our controls are designed to align with the SOC 2 Trust Services Criteria (security, availability, and confidentiality); Tolus is not yet SOC 2 audited, and a formal SOC 2 audit is on our roadmap.

Changes

We’ll update this page if our practices change. Material changes will be communicated to active teacher accounts by email.

Contact

Questions about this policy? Email hlincontacts@gmail.com.