Data Privacy Agreement.

Our standard agreement with schools and districts. Plain language, ready to sign.

Last updated: May 2, 2026

This Data Privacy Agreement ("DPA") supplements our Terms of Service and Privacy Policyand governs how Kixmeta Labs, LLC ("Provider", "we", "us") handles student data on behalf of a school or school district ("School") that uses GPTQuest (the "Service").

How to use this DPA

Schools and districts have three options:

  1. Accept this DPA as-is. Email contact@gptquest.ai with your school name and the name of the authorized signer. We will countersign and return a PDF within 5 business days.
  2. Sign the National Data Privacy Agreement (NDPA). We are willing to sign the Student Data Privacy Consortium's standard NDPA if your district uses it.
  3. Send us your district's own DPA. Email a draft to contact@gptquest.ai. We will review and respond within 10 business days.

1. Definitions

  • "Student Data" means personally identifiable information collected by the Service from or about a student through their use of the Service.
  • "Service" means the GPTQuest platform, websites, and related features operated by Provider.
  • "School" means the educational institution (a school, school district, or equivalent) that authorizes use of the Service for its students.
  • "Authorized Teacher" means an employee of the School who creates and manages student accounts on the Service under the School's authority.

2. Ownership of Student Data

All Student Data is and remains the property of the School and the student/parent. Provider acts only as a processor of Student Data on the School's behalf. Provider does not acquire any ownership interest in Student Data.

3. Permitted Uses of Student Data

Provider will use Student Data only to:

  • Provide and maintain the Service for the School and its students
  • Provide customer support and respond to School/parent requests
  • Improve the Service for educational purposes (in aggregated, de-identified form only)
  • Enforce the Terms of Service and detect abuse
  • Comply with legal obligations

Provider will not:

  • Sell Student Data
  • Use Student Data for advertising, marketing, or behavioral profiling of students
  • Use Student Data to train AI models, and our agreements with our AI providers prohibit them from training their public models on Service submissions
  • Disclose Student Data except as permitted in Section 6
  • Contact students directly

4. Data Collected from Students

Provider collects only the minimum data necessary:

  • A system-generated synthetic email used solely as a unique account identifier (not a real mailbox)
  • A display name (typically a pseudonym chosen by the Authorized Teacher)
  • Educational progress and gameplay data (Quest progress, XP, achievements, narrative inputs)

A current and complete list of data categories is maintained in our Privacy Policy, Section 11.

5. Subprocessors

Provider uses the third-party service providers listed in Section 8 of our Privacy Policyto operate the Service. Each subprocessor is contractually required to handle Student Data only to deliver the service Provider has engaged them for, and not for their own purposes. Provider will give the School at least 30 days' notice of any material change to its subprocessor list when the change affects Student Data.

6. Disclosure of Student Data

Provider may disclose Student Data only:

  • To subprocessors under written confidentiality and data-protection obligations
  • To the School itself, or to a parent/guardian making a verifiable request
  • To comply with a valid legal process (subpoena, court order), in which case Provider will give the School advance notice unless prohibited by law
  • In a merger, acquisition, or sale of assets, in which case the successor must assume the same obligations

7. Data Security

Provider maintains a written Information Security Program that includes:

  • Encryption of Student Data in transit (TLS) and at rest
  • Role-based access controls and least-privilege permissions for Provider personnel
  • Regular vendor risk reviews of all subprocessors
  • Employee training on privacy and data handling
  • An incident response plan covering detection, containment, investigation, and notification
  • Annual review and update of the program

Full details are in Section 9 of our Privacy Policy.

8. Data Breach Notification

If Provider becomes aware of a confirmed unauthorized acquisition of Student Data, Provider will:

  • Notify the School without undue delay and in any case within 72 hours of confirmation
  • Provide the School with a description of the incident, the categories and approximate number of students affected, the likely consequences, and the measures taken or proposed in response
  • Cooperate with the School's investigation and notification obligations to parents and regulators

9. Data Retention and Deletion

Provider retains Student Data only as long as needed to provide the Service or as required by law. Upon (a) termination of this DPA, (b) closure of a School account, or (c) the School's written request, Provider will delete or return all Student Data within 30 days, including from active systems. Backups containing Student Data will be deleted on the regular backup rotation, which does not exceed 90 days.

10. Parent and Student Rights

Provider supports the following rights, exercisable through the School:

  • Access: Review the personal information held about a student
  • Correction: Correct inaccurate Student Data
  • Deletion: Request deletion of a student's data
  • Refusal: Refuse further collection or use of a student's data

Provider will respond to verifiable requests routed through the School within 30 days.

11. Compliance with Laws

Provider designs the Service to comply with:

  • COPPA (Children's Online Privacy Protection Act, 16 CFR Part 312)
  • FERPA (Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g)
  • Applicable state student-privacy laws, including California AB 1584 / SOPIPA, where the Service is used in those states

Provider operates under the COPPA school authorization exception when Student Data is collected from students under 13 through Authorized Teacher accounts.

12. Audit and Records

Upon reasonable written request (no more than once per year), Provider will provide the School with a written summary of its information security practices, subprocessor list, and any third-party security or privacy certifications then in effect.

13. Term and Termination

This DPA takes effect when the School begins using the Service or executes a signed copy, whichever is earlier. It remains in effect for as long as the School uses the Service. Either party may terminate this DPA upon 30 days' written notice. Termination of this DPA will, at the School's election, also terminate the School's use of the Service. Sections 2, 6, 8, 9, and 10 survive termination.

14. Modifications

Provider may update this DPA from time to time to reflect changes in law, the Service, or our practices. We will post any updated version here with a new "Last updated" date and notify Authorized Teachers by email at least 30 days before material changes take effect.

15. Order of Precedence

If there is a conflict between this DPA and the Terms of Service or Privacy Policy with respect to Student Data, this DPA controls.

16. Signatures

A countersigned PDF version of this DPA is available on request. To request one, email contact@gptquest.ai with:

  • Your school or district name
  • Name and title of the authorized signer
  • Mailing address
  • Approximate number of students who will use the Service

Provider will return a signed PDF within 5 business days.

Provider contact for this DPA:

Kixmeta Labs, LLC
848 E Main Street, Suite 800 #1002
Ephrata, PA 17522, United States
Email: contact@gptquest.ai