LearnPlayThis is a template for review by your institution. For a counter-signed agreement on your district's paper, contact us at our school contact form. This template is provided for transparency and does not constitute legal advice.
Last updated: 22 June 2026. This Data Processing Agreement ("DPA") forms part of the agreement between the educational institution ("School", the data controller) and LearnPlay ("Processor") governing the processing of personal data of students and staff ("School Data") in connection with the LearnPlay service.
1. Roles
The School is the data controller and determines the purposes and means of processing School Data. LearnPlay acts as the data processor and processes School Data only on the School's documented instructions, including as set out in this DPA and the main service agreement.
2. Scope & purpose of processing
LearnPlay processes School Data solely to provide the educational service: creating teacher and student profiles, delivering classes, homework and assessments, recording progress and results, and producing reports for the School's authorized staff. LearnPlay does not sell School Data and does not use it for advertising or for building profiles unrelated to the service.
3. Categories of data & data subjects
| Data subjects | Categories of personal data |
|---|---|
| Students | First name (or chosen display name), age band, avatar, class enrolment, activity, scores and progress. Children sign in with a name and PIN — no email is required from a child. |
| Teachers / staff | Name, email address, account credentials (hashed), classes created. |
| School admin | Name, email, school/organization name, billing contact. |
4. Sub-processors
LearnPlay uses a limited set of sub-processors to operate the service (for example: cloud hosting, transactional email, and payment processing for billing). Sub-processors are bound by data-protection obligations no less protective than those in this DPA. A current list is available on request, and the School will be notified of material changes with a reasonable opportunity to object.
5. Security
LearnPlay implements appropriate technical and organizational measures, including: encryption in transit (HTTPS), hashed and salted credentials, access controls and least-privilege administration, network isolation of the database, and regular backups. Access to School Data is limited to personnel who need it to provide or support the service.
6. Confidentiality
Personnel authorized to process School Data are bound by confidentiality obligations and process the data only as needed to deliver the service.
7. Data subject rights & assistance
LearnPlay assists the School in responding to requests from data subjects (access, correction, deletion, portability). Authorized School admins can export their students' records (JSON or CSV) and un-enrol students directly from the school dashboard at any time. A child's account is owned by their parent/guardian, who retains independent control of it.
8. International transfers
Where School Data is transferred across borders, LearnPlay relies on an appropriate transfer mechanism (such as Standard Contractual Clauses) where required by applicable law.
9. Data breach notification
LearnPlay will notify the School without undue delay after becoming aware of a personal-data breach affecting School Data, and will provide information reasonably needed for the School to meet its own notification obligations.
10. Retention & deletion
LearnPlay retains School Data only as long as needed to provide the service or as required by law. On termination, or on the School's written request, LearnPlay will delete or return School Data within a reasonable period, except where retention is required by law. Un-enrolling a student removes the School's access to that student's records in the dashboard.
11. Audits
On reasonable request and notice, LearnPlay will make available information necessary to demonstrate compliance with this DPA.
12. Compliance frameworks
The service is designed to support the School's compliance with GDPR and GDPR-K (children's data), the U.S. Family Educational Rights and Privacy Act (FERPA), and the Children's Online Privacy Protection Act (COPPA). The School remains responsible for obtaining any consents required under applicable law.