CoRubrics

Privacy Policy

This policy explains how CoRubrics processes personal data when teachers and educational institutions use the platform to create rubrics, manage classes, collect assessments, and send grade reports.

Last updated: June 5, 2026

Executive Summary

CoRubrics does not sell personal data, rent it, or share it with advertising networks. Data is used to provide the service, keep it secure, comply with legal obligations, and improve the product internally.

  • Academic data belongs to the teacher or educational institution that enters it and is processed to provide the requested service.
  • Student data is limited to what is necessary to identify students within a class, complete assessments, and calculate results.
  • Usage data may be used internally, in aggregated or pseudonymized form, to diagnose errors, improve workflows, and develop the product.
  • CoRubrics does not use student data for behavioral advertising and does not sell it to third parties.

1. Controller, processor, and scope

When a teacher or educational institution uses CoRubrics to manage class, student, rubric, form, submission, and grade information, that teacher or institution will usually act as the data controller. CoRubrics acts as a data processor and processes that data on their instructions.

CoRubrics acts as an independent controller for data needed to administer accounts, operate the website, manage security, billing if applicable, service communications, support, legal compliance, and internal product improvement.

Educational institutions and teachers acting as controllers who need to formalize a Data Processing Agreement (DPA) under Article 28 of the GDPR can consult it at corubrics.co/dpa.

2. Data we process

We process only the data reasonably necessary to operate an educational assessment tool. The specific information depends on how the teacher or institution configures the platform.

  • Teacher account data: email address, name, authentication identifiers, language, creation dates, and update dates.
  • Academic data: academic years, classes, subjects, students, rubrics, criteria, levels, forms, assessment weights, submissions, scores, and calculated grades.
  • Student data: first name, last name, email address when provided by the teacher, class, form links or tokens, submission status, and assessment results.
  • Technical and security data: audit logs, product events, internal identifiers, timestamps, usage limits, session cookies, and data needed to detect abuse or errors.
  • Communication data: transactional emails sent from the platform, bounces, complaints, and support requests.
  • AI data when generation features are used: instructions or content provided by the teacher to create or improve rubrics and the response generated by the configured AI provider.

3. Purposes and lawful bases

We process personal data to provide CoRubrics, maintain the security of the service, and comply with applicable obligations. Depending on the context, the lawful basis may be performance of a contract or pre-contractual steps, legitimate interests in operating and improving the service, compliance with legal obligations, or the bases determined by the educational institution as controller. Where we rely on legitimate interests, we ensure those interests are not overridden by the data subjects' interests or fundamental rights.

  • Create and administer teacher accounts.
  • Manage classes, students, rubrics, forms, assessments, grades, and reports.
  • Send invitations, form links, service notifications, and results reports.
  • Authenticate users, maintain sessions, prevent abuse, enforce usage limits, and keep security records.
  • Provide technical support and respond to legal or privacy requests.
  • Improve the product internally through usage metrics, product events, error analysis, and feedback, preferably in aggregated or pseudonymized form.

4. Students and minors

CoRubrics is designed for educational contexts and may process data relating to minors when a teacher or institution enters that information. Students do not need a full account to respond to a form; they access forms through links or tokens generated for a specific assessment.

Under Spanish law (LOPD-GDD, Art. 7), the minimum age for digital consent is 14 years. For students below that age, the teacher or institution must have a lawful basis other than consent — such as the exercise of their teaching role or an applicable legal provision.

The teacher or educational institution must ensure it has the lawful basis, notices to families, and authorizations required to use the platform in its environment. CoRubrics does not use student data for advertising or commercial profiling.

5. Processors, providers, and disclosures

We do not sell personal data. We share data only when necessary to provide the service, comply with law, or protect legitimate rights. Providers act under contractual commitments and may process data only for authorized purposes.

  • Infrastructure, database, and authentication providers, including Supabase (EU region) or equivalent providers.
  • Transactional email providers, including Resend or equivalent providers for invitations, links, and reports.
  • Teacher-authorized integrations, such as Google Classroom or Microsoft Teams, when a teacher voluntarily connects an external account to import class rosters. Microsoft Teams requires prior school administrator approval.
  • Usage limiting and abuse prevention providers, including Upstash (Redis) or equivalent services.
  • Error monitoring and security providers, including Sentry (United States) or equivalent services.
  • Hosting and network infrastructure, including Vercel (United States) with a deployment node in a European region.
  • Anthropic as AI provider when the teacher uses assisted rubric generation features. Anthropic operates from the United States; the safeguards described in the international transfers section apply.
  • Public authorities, courts, or third parties where a valid legal obligation requires disclosure.

A current list of subprocessors is available here.

6. AI use and internal development

AI features are optional and are intended to help teachers create or improve rubrics. When a teacher uses an AI feature, the content entered in the prompt is sent to Anthropic (AI provider, based in the United States) via Vercel AI Gateway to generate a response. The model used is Claude Haiku.

We recommend not including sensitive personal data or unnecessary student information in prompts. CoRubrics may internally analyze usage data, errors, prompts, and outputs in aggregated or pseudonymized form to improve product quality, security, and reliability. We do not use that data to sell profiles or for third-party advertising.

When a teacher submits feedback about CoRubrics, the response is initially linked to their account so we can understand its context and follow up where useful. After review, we may anonymize it by removing that link and retain the scores and comments to improve the product. Anonymization does not rewrite personal data that the teacher may have included in free text, so we recommend not including sensitive information or student data.

7. International transfers

CoRubrics seeks to use infrastructure located in the European Economic Area where available and reasonable for the service. The main database provider (Supabase, EU region) processes application data within the EEA.

Some providers necessary for the service operate from the United States or on global infrastructure: Anthropic (AI), Vercel (hosting and infrastructure), Resend (transactional email), Sentry (error monitoring), Upstash (usage limiting), Google when Google Classroom is connected, and Microsoft when Microsoft Teams is connected. For these transfers, appropriate GDPR safeguards are applied, such as adequacy decisions, standard contractual clauses (SCCs) in their current version, supplementary measures, or other mechanisms recognized by applicable law.

8. Security

We apply technical and organizational measures designed to protect data against unauthorized access, loss, alteration, or improper disclosure. Among other measures, CoRubrics uses authentication, per-user access controls, database-level security policies, hashed form tokens, usage limits, audit logs, and encrypted communications when the service is served over HTTPS.

No system is absolutely secure. In the event of a personal data breach, we will notify the Spanish Data Protection Agency (AEPD) within 72 hours of becoming aware of the incident, where required by applicable law, and will inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

9. Retention and deletion

We retain personal data for as long as necessary to provide the service, maintain the account, comply with academic or legal obligations, resolve disputes, prevent abuse, and protect platform security.

Teachers can export their data and request deletion through the privacy tools available in the account. When deletion is executed, CoRubrics revokes active form tokens and marks associated academic data as deleted, except for information that must be retained for a reasonable period for security, audit, legal obligations, or backups.

Feedback that is still linked to the teacher account is deleted when erasure is executed. Feedback that was previously anonymized can no longer be associated with an account and may be retained for internal product analysis.

As a guide to retention periods: teacher account data is kept while the account is active and for up to 3 years after deletion to address claims or legal obligations; security and audit logs are kept for up to 12 months; backup copies may retain data for up to 90 additional days after effective deletion. Student data is deleted when the teacher deletes it or when the account is deleted.

10. Data subject rights

Subject to applicable law, you may request access, rectification, erasure, objection, restriction of processing, and portability of your data. You may also withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing.

We respond to requests within 30 days of receipt. In cases of particular complexity or volume, this period may be extended by a further two months, with notice provided within the first month.

If you are a student or family member and your data was entered by an educational institution or teacher, CoRubrics may need to refer or coordinate the request with that controller. You may also lodge a complaint with the Spanish Data Protection Agency (AEPD): C/ Jorge Juan, 6, 28001 Madrid — www.aepd.es — or with another competent supervisory authority in your country.

11. Cookies and similar technologies

CoRubrics uses cookies and similar technologies necessary for authentication, sessions, language, security, and basic service operation. Teacher session cookies (managed by Supabase Auth) are HTTP-only session cookies that expire on logout or after a period of inactivity. The device cookie for student forms (cr_dev) is a long-duration HTTP-only cookie that binds the form to the student's browser for security purposes. In the current version, we do not use third-party advertising cookies and do not sell information obtained through cookies.

If we introduce optional analytics or non-essential technologies in the future, we will provide appropriate notice and request consent where legally required under the LSSI and GDPR.

12. Changes to this policy

We may update this policy to reflect legal, technical, or product changes. We will publish the current version on this page and indicate the last updated date. If changes are material, we will seek to provide reasonable notice (for example, by email to registered teachers) before they take effect.

13. Data Protection Officer

CoRubrics is not currently required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR or the LOPD-GDD. Privacy queries and requests are handled directly at privacy@corubrics.co. If the volume or nature of processing were to change in a way that required a DPO appointment, we would update this policy accordingly.

14. Applicable legal framework

This policy is governed primarily by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) and by Spanish Organic Law 3/2018 of 5 December on Personal Data Protection and the Guarantee of Digital Rights (LOPD-GDD). In matters relating to information society services, Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE) also applies.

The competent supervisory authority in Spain is the Spanish Data Protection Agency (AEPD). You can obtain further information and lodge complaints at www.aepd.es or C/ Jorge Juan, 6, 28001 Madrid.

Privacy Contact

For privacy questions or requests, contact privacy@corubrics.co. If you use CoRubrics through an educational institution, you may also need to direct your request to the responsible school or teacher.