Student Data Privacy Addendum

Effective Date: May 7, 2025

This Student Data Privacy Addendum (“DPA”) is supplemental to the Brisk Terms of Use available at www.briskteaching.com/terms (“Terms of Use”). Capitalized terms that are not defined in this DPA have the meaning set out in the Terms of Use. 

When Brisk is used by an Educational Institution or Teacher for an educational purpose, Brisk may collect or have access to Student Data (as such terms are defined in the Terms of Use). The processing of Student Data may be subject to the Family Educational Rights and Privacy Act (“FERPA”), the Children’s Online Privacy and Protection Act (“COPPA”), or other applicable federal or state Student data privacy laws (together, the “Applicable Data Protection Laws”). To support compliance with Applicable Data Protection Laws, the parties agree as follows:

  1. School Official. Educational Institution acknowledges and agrees that Brisk is acting as a “school official” on behalf of Educational Institution under FERPA and otherwise processing Student Data on Educational Institution’s behalf under other Applicable Data Protection Laws. Educational Institution represents and warrants that Educational Institution has the authority under Applicable Data Protection Laws to provide Brisk consent to collect personal information from Students for the purpose of providing the Services. To the extent required by Applicable Data Protection Laws, Educational Institution will inform parents and legal guardians how Student Data will be processed by the Services.
  2. Collection of Student Data. Brisk will collect, access, use, process, store, and disclose Student Data solely as necessary for the purpose of performing the Services. For example, if a User uses Brisk’s browser extension’s Inspect Writing Feature to analyze a Student’s writing sample, Brisk’s Service will process any Student Data included in the document to provide the requested Services.
  3. Confidentiality. Brisk agrees to treat Student Data as confidential and not to share it with third parties other than as described in this DPA and in the Agreement or with written consent of Educational Institution. Brisk will not sell, disclose, make available or otherwise transfer Student Data to any third party without the prior written consent of Educational Institution, except to the extent that the transfer is necessary to provide the Services. For example, we will share Student Data with Brisk’s AI service providers to enable the provision of the Services. For clarity, the services providers are not permitted to use the Student Data to train their AI models.  Third parties who receive Student Data will be contractually bound to maintain the confidentiality of the Student Data and comply with data protection consistent with those provided in this DPA. 
  4. No Targeted Advertising. Brisk is prohibited from using, disclosing, or selling Student Data to (a) inform, influence or enable Targeted Advertising; or (b) develop a profile of a Student, family member/guardian or group, for any purpose other than providing the Services. For the purposes of this section, “Targeted Advertising” shall mean the presenting of an advertisement to a Student where the selection of the advertisement is based on Student Data or inferred over time from the usage of Brisk’s Services or the retention of such Student’s online activities or requests over time for the purpose of targeting subsequent advertisements. “Targeted Advertising” does not include any advertising to a Student on an internet website based on the content of the webpage or in response to a Student’s response or request for information or feedback. 
  5. Adaptive or Customized Learning. Notwithstanding anything to the contrary in this DPA, Brisk is expressly permitted to use Student Data for adaptive learning or customized Student learning (including generating personalized learning recommendations). 
  6. De-Identified Data. Notwithstanding anything to the contrary in this DPA, Brisk will have the right to de-identify Student Data for the following purposes: (a) assisting the Educational Institution or other governmental agencies in conducting research, analytics and other studies; and (b) research, analytics and development of the Services and demonstration of the effectiveness of the Services; and (c) as otherwise permitted under Applicable Data Protection Laws. Brisk agrees not to attempt to re-identify de-identified Student Data. Brisk's use of de-identified Student Data will survive termination of this Addendum or any request by Educational Institution to return or destroy Student Data.
  7. Legally Compelled Disclosure. If Brisk is legally compelled to disclose any Student Data (whether by judicial or administrative order, applicable law, rule or regulation), then Brisk will use reasonable efforts to provide Educational Institution with prior written notice before making the disclosure so Educational Institution can seek a protective order or other appropriate remedy to prevent the disclosure or to ensure confidentiality. Brisk will not be required to provide such notice if Brisk is prohibited from doing so by the applicable order, law, rule or regulation. 
  8. Direct Notice to School - COPPA Authorization. School hereby authorizes Brisk to collect, use and disclose personal data from children under 13 years old in connection with the provision of the Services as set out in this Agreement. Upon written request from School with regard to such data, Brisk will provide an opportunity to review the child’s personal data, the right to delete the child’s personal data; and the ability to cease further collection or use of the child’s personal data. If the School declines to provide consent or withdraws consent for the further collection or use of a child’s personal data, Brisk may no longer be able to provide the Services for that child. School affirms that it will provide appropriate notices to parents of the School’s use of third-party services such as Brisk’s Services.
  9. Data Rights. Brisk will reasonably assist Educational Institution in complying with requests from individuals to exercise rights with regard to Student Data under Applicable Data Protection Laws. 
  10. Data Security. Brisk will implement and maintain reasonable administrative, physical and technical safeguards designed to prevent any unauthorized use, access, processing, destruction, loss, alteration, or disclosure of Student Data. Brisk will implement and maintain policies and procedures in place to limit access to Student Data to only those employees that have a need-to-know based on specific job function or role. 
  11. Security Incident. In the event of an unauthorized release, disclosure or acquisition of Student Data that compromises the security, confidentiality or integrity of the Student Data maintained by Brisk (“Security Incident”), Brisk will notify Educational Institution without undue delay. Brisk will adhere to all federal and state requirements with respect to the Security Incident, including, when appropriate or required, the required responsibilities and procedures for notification and mitigation of the Security Incident.
  12. Data Destruction. Within thirty (30) of the termination of the Agreement, or earlier upon Educational Institution’s reasonable request, Brisk will return or destroy the Student Data.