Legal

Privacy Policy

Last updated:

This policy explains what personal data Classentra collects, how we use it, who we share it with, and the rights you have over your data. It applies to teachers, students, and visitors to classentra.com.

Ask AI to explain

Get a quick, plain-language summary of this page without all the jargon. Opens in a new tab.

Introduction

Classentra is an independent live-course operating system built for teachers who run their own classes. This Privacy Policy covers the Classentra service at classentra.com and all related dashboards, APIs, and emails we operate.

Classentra is operated by Classentra Technologies Inc. (incorporation in progress as of May 10, 2026; registered office in Toronto, Ontario, Canada). Until that incorporation completes, the operating entity remains Les Entreprises Urbaino, a Quebec sole proprietorship; the change is administrative and does not affect your rights. Classentra is subject to Canadian federal privacy law (PIPEDA), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (commonly referred to as Law 25) for any Quebec residents using the service, and equivalent regimes (GDPR, UK GDPR, Australian Privacy Principles, etc.) where applicable based on user location.

It applies to everyone who interacts with Classentra: teachers who create accounts to run courses, students who enrol in those courses, and visitors who browse the marketing site.

For any privacy questions, email privacy@classentra.com. We aim to respond within 30 days.

Data We Collect

From account creation and sign-in

  • Email address
  • First name, last name, and optional title (teachers)
  • Role (teacher or student)
  • Password hash — we never store plain-text passwords
  • OAuth identifiers when you sign up via GitHub or Google (user id, email, display name, avatar URL)
  • Email verification status
  • Session tokens, stored server-side and expired automatically

From product usage

  • Courses you own or are enrolled in, including title, description, dates, and visibility
  • Course items: announcements, materials, assignments, submissions, notes, sessions, files, and links
  • Messages, reactions, and read receipts in course and direct message channels
  • Personal and course-derived calendar events
  • Notifications
  • Attendance records
  • Grades and feedback on submissions
  • Files you upload, stored in Cloudflare R2

From billing (teachers only)

  • Stripe customer id
  • Plan, billing interval, billing currency, subscription status, and current period end
  • Pending plan change information
  • Invoices and payment method metadata such as card brand, last 4 digits, and expiry — full card details are stored by Stripe, never by Classentra

From paid course sales (teachers only)

  • Stripe Connect account id, status, country, and onboarding state — full Connect account details are stored by Stripe, never by Classentra
  • Course purchase records — student id, teacher id, course id, gross price, currency, application-fee amount, status, and Stripe payment-intent id
  • Coupon redemption records — coupon id, course-purchase id, discount amount, and timestamp
  • Monthly Gross Merchandise Volume (GMV) aggregates per teacher — gross sales total, refunds, fee total, course count, and student count
  • Active-student activity ledger — a 30-day rolling list of (teacher, student) pairs that had a paid enrollment, used to enforce active-student caps
  • Plan-cap state — the current cap-utilisation snapshot per teacher (NORMAL / WARNING / GRACE / HARD_BLOCK) and the timestamps that gate transitions between them
  • Fraud-signal records — system-generated risk events on a teacher account (e.g., high coupon redemption rate, off-platform link in description) with status (OPEN / DISMISSED / ESCALATED)
  • Policy acceptance records — which version (sha256 hash) of the Terms of Service, Privacy Policy, Instructor Agreement, and Community Guidelines you have accepted, plus the timestamp of acceptance

From AI features

  • AI requests initiated by teachers or students, including the course context grounded into each request
  • Usage counters such as AI units per month

From live sessions

  • Native live class participation (participant-minutes and recording metadata when applicable) via Daily
  • External meeting URLs you paste in (Zoom, Meet, Teams)

Automatically collected

  • Performance telemetry via Vercel Speed Insights — Core Web Vitals, cookieless
  • Page view analytics via Vercel Web Analytics — cookieless, with country-level geolocation derived from IP
  • Rate-limit tracking (IP address and request counts), purged automatically when the window expires
  • Standard server logs (request path, timestamp, user agent) retained for security and debugging
  • Aggregate page-view counters and UTM parameters via first-party cookies (cls_attrib, cls_utm) on course storefronts. No third-party analytics or trackers. Raw uniqueness lookup pruned after 30 days; daily aggregates retained at the course level only (no PII).

What we do not collect

  • We do not collect precise location
  • We do not fingerprint devices
  • We do not use marketing or advertising cookies
  • We do not sell personal data

How We Use Data

  • Deliver the core service: account management, course workflows, messaging, assignments, grades, and live sessions
  • Personalize the teacher and student dashboards
  • Send transactional email such as verification, password reset, billing receipts, and notifications
  • Process payments via Stripe (teachers only)
  • Generate AI suggestions grounded in your course content, teacher-controlled and opt-in per action
  • Prevent abuse and secure the platform through rate limiting, disposable-email blocking, and session management
  • Monitor performance and stability via Vercel telemetry
  • Comply with legal obligations

Legal Basis (GDPR / UK GDPR)

If you are in the EU, UK, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following bases:

  • Contract — to provide the service you signed up for
  • Legitimate interests — for security, fraud prevention, service improvement, and analytics
  • Consent — for optional AI features and optional email notifications where consent is the applicable basis
  • Legal obligation — for tax records and responding to lawful requests

Who We Share Data With

Classentra uses the following subprocessors. Data is shared with them only as needed to provide the service.

  • Vercel — application hosting, Speed Insights, and Web Analytics (US / global)
  • Neon — PostgreSQL database hosting (US)
  • Cloudflare R2 — file storage for materials, submissions, and assets (global)
  • Stripe — payment processing, invoicing, and billing management (US / global)
  • OpenAI — AI generation, teacher-routed and course-grounded (US)
  • Daily — native live class video infrastructure (US / global)
  • Resend, Postmark, or SES — transactional email delivery (US / EU)
  • GitHub — OAuth sign-in, only if you choose to sign up with GitHub (US)
  • Google — OAuth sign-in, only if you choose to sign up with Google (US)

We do not share personal data with advertisers, data brokers, or any third party not listed above.

International Data Transfers

Classentra hosts its primary application and database in the United States (Vercel iad1, Washington D.C., and Neon aws-us-east-1, Virginia). Most of our subprocessors — Vercel, Neon, Stripe, Resend, OpenAI, Daily, LiveKit, Cloudflare, Upstash, Inngest, Sentry — are also based in the United States or operate primarily from US regions. By creating an account, you understand that your personal information will be transferred to and processed in the United States and other jurisdictions in which our subprocessors operate.

We rely on the following safeguards to protect cross-border transfers, depending on where you live:

  • EU/EEA, UK, and Switzerland: Module 2 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with the UK ICO International Data Transfer Addendum or IDTA where applicable, and the Swiss FDPIC adaptations. Where the recipient is self-certified to the EU-US Data Privacy Framework, that adequacy decision applies in addition. We have completed a Transfer Impact Assessment as required by Schrems II.
  • Canada (Quebec residents): A Privacy Impact Assessment under Quebec Law 25 §17 has been completed and documented for each material transfer outside Quebec.
  • Canada (other provinces): PIPEDA's accountability principle applies; we remain accountable for personal information transferred to processors and require comparable protection by contract.
  • Australia: Disclosure under APP 8 — we remain accountable for the overseas recipient's compliance with the Australian Privacy Principles.
  • Other jurisdictions: equivalent contractual safeguards (consent, comparable-protection clauses, or local mechanisms) apply.

A current list of our subprocessors, their locations, and the safeguards in place is published at classentra.com/subprocessors and is also available on request by writing to privacy@classentra.com. Notable processors and their primary regions: Vercel (US, application hosting), Neon (US, database), Stripe (US, payments), Resend (US, email), OpenAI (US, AI features), Daily and LiveKit (US, live video), Cloudflare R2 (US, file storage), Upstash (US, caching), Inngest (US, background jobs), Sentry (US, error tracking).

Some countries impose hard data-residency or local-storage requirements that we cannot satisfy at this time (notably China, Russia, Vietnam, Kazakhstan, and any country subject to comprehensive Canadian or US sanctions). Account creation from these jurisdictions is not permitted. Existing users who travel to these regions may experience interrupted access.

Data Retention

  • Account data — retained while your account is active. Deleted within 30 days of an account deletion request, except where we are legally required to keep financial records.
  • Course content — retained while the owning teacher's account is active. Deleting a course permanently removes its items, materials, and messages.
  • Messages — retained while the course or conversation exists. Deleted when the course or a participant is fully removed.
  • Billing records — retained as long as required by tax law (typically seven years).
  • Rate-limit logs — purged automatically after the window expires.
  • Telemetry and analytics — subject to Vercel's default retention windows.
  • Course purchase records and Connect onboarding metadata — retained for 24 months after the most recent purchase, then archived for tax/audit purposes only.
  • Coupon redemption records — retained 24 months after the redemption.
  • Monthly GMV aggregates — retained 24 months for cap-enforcement audit; older months are summarized to yearly totals.
  • Active-student activity ledger — rolling 30-day window; entries older than 30 days are deleted automatically.
  • Plan-cap state — retained while the teacher account is active.
  • Fraud-signal records — retained 24 months from creation, regardless of status, to support investigation and regulatory enquiries.
  • Policy acceptance records — retained for as long as the account exists, plus 24 months after deletion, as evidence of consent.

Your Rights

Depending on your jurisdiction you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (the right to be forgotten)
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent for consent-based processing
  • Lodge a complaint with your local data protection authority

To export your data in a portable format, sign in and use the "Download my data" button in Settings — we email you a signed download link within a few minutes. To delete your account and associated data, use the "Delete Account" button in Settings. To exercise any other right, email privacy@classentra.com. We will respond within 30 days.

Security

  • Passwords are hashed and never stored in plain text
  • Sessions are stored server-side with automatic expiry
  • Disposable email addresses are blocked at sign-up
  • Rate limiting protects against brute force and abuse
  • All traffic to classentra.com is served over HTTPS
  • Card data never touches Classentra servers — Stripe Elements handles card entry directly (PCI SAQ-A)

Children

Classentra is not directed at children under 13 (or 16 in the EEA). Teachers who use Classentra with minors are responsible for obtaining parental or guardian consent and for ensuring compliance with local child-protection law, including COPPA in the United States.

Changes to This Policy

We will post updates to this policy on this page and bump the "Last updated" date at the top. Material changes will be communicated via email or an in-product notification before they take effect.

Contact

For privacy questions, data requests, or concerns about how Classentra handles your information, email privacy@classentra.com.