Last Updated: June 12, 2026
Our Privacy Policy
This policy explains what data GrowHall (formerly EdQwest) collects from IB DP students, teachers, and schools — including how it’s used, stored, shared, and protected.
01 Introduction
GrowHall is a cloud-based learning-support platform that provides educational content and learning resources, including instructional videos, subject notes, question banks, assessments, and associated AI-assisted features (“GrowHall”, the “Service”, “we”, “us”, or “our”).
GrowHall is operated by Teacher Tools Private Limited (the “Service Provider”), which also develops and operates Toddle.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, how we protect it, and the rights you have over it. It applies to our website at www.growhall.com and to the GrowHall platform and its features.
GrowHall is provided to schools and educational institutions for educational use. In most cases, your school is the organisation that decides what information is collected and how it is used, and we handle that information on the school's instructions. This Policy explains both the school's role and ours.
IMPORTANT If you are a student, parent, teacher, or staff member, your school is usually the right first point of contact for questions about your data. Your school decides what information is shared with GrowHall and why.
By accessing or using GrowHall, you acknowledge that you have read and understood this Privacy Policy. You can contact us at any time with questions about this Policy at privacy@growhall.com.
02 Scope
This Privacy Policy applies to personal information we process in the following contexts:
- The GrowHall platform: information about students, teachers, staff, school administrators, and (where the school enables it) parents and legal guardians, which we process on behalf of, and on the documented instructions of, the subscribing school.
- Our website and forms: information from visitors and prospective customers who interact with www.growhall.com, request a demo, download a resource, or submit an enquiry.
- Account administration, billing, support, marketing, and customer-success activities: information about the school's authorised contacts and administrators.
- AI-assisted features ("GrowHall AI" or "Ask AI"): prompts and related interactions, processed as described in Section 12.
This Policy does not apply to the internal data-handling practices of your school, or to third-party websites that may be linked from the Service. Schools remain responsible for their own privacy notices and for the lawful basis on which they share information with us.
Our role: when we are a processor and when we are a controller
Our role under data protection law depends on the data in question.
| Context | School's role | GrowHall's role |
|---|---|---|
| Personal data within the GrowHall platform (student, teacher, staff, administrator, parent data shared by the school) | Controller / Data Fiduciary / APP entity. Decides why and how the data is used | Processor. Acts only on the school's documented instructions |
| Website visitors, demo requests, marketing, CRM, sales, customer-success and support contacts, billing data | Not applicable | Controller. We decide why and how this data is used |
Where we act as a processor, we process platform data under our Terms of Service and our Data Processing Agreement (DPA) with the school, and we do not use it for our own purposes. Where we act as a controller, for example for website and marketing data, we are directly responsible for the processing described in this Policy.
03 Definitions
To keep this Policy readable, we use the following terms:
- "Subscriber" or "School": the school or educational institution that licenses the Service and authorises its Users to access it. The Subscriber is the Controller (also called a Data Fiduciary, Organization, or APP entity, depending on the jurisdiction) of the personal data within the platform.
- "User": an individual authorised by the Subscriber to use the Service: a student, teacher, staff member, school administrator, or (where enabled) a parent or legal guardian.
- "Student Data": any data we process that can be linked back to an individual student. This includes a student's name, email address, class and subject enrolment, academic year, responses to question banks and assessments, assignment submissions, and learning-progress data.
- "Content": the educational material we make available through the Service, including instructional videos, subject notes, question banks, digital textbooks, assignment modules, and evaluation modules.
- "User-Generated Content": material created or submitted by Users through the Service, such as responses to question banks, assignment submissions, and assessment responses.
- "Controller" or "Data Fiduciary": the entity that determines the purposes and means of processing personal data. For platform data, this is the School.
- "Processor": the entity that processes personal data on behalf of, and on the instructions of, the Controller. For platform data, this is GrowHall.
- "Data Subject" or "Data Principal": the individual (student, parent, teacher, staff member, administrator) to whom the personal data relates, and who holds rights over that data.
- "Sub-processor": a third-party service provider engaged by GrowHall to process personal data in connection with the Service.
- "Large Language Models (LLMs)": advanced artificial-intelligence models trained on large datasets to understand and generate human-like language, used to power GrowHall's AI features.
- "Personal Data" or "Personal Information": any information relating to an identified or identifiable individual.
04 Information We Collect
We collect only the information needed to provide, secure, support, and improve the Service. The categories below describe what we collect and how we refer to it.
4.1 Information schools provide to set up and run the platform
When a School subscribes to GrowHall and registers its Users, the School provides, or directs Users to provide, the following:
| Data subject | Information collected |
|---|---|
| Teachers | Title, first name and surname; email address; job title; subject and teaching-level information; subject assignments; products or services signed up for; user activity logs |
| Staff | Name; email address; user activity logs |
| Students | First name and surname; email address; class and subject enrolment; academic year; responses to question banks and assessments; assignment submissions; learning-progress data and usage statistics such as videos watched, modules completed, and scores achieved; user activity logs |
| School administrators | Name; email address; role; user activity logs |
| Parents or legal guardians (only where the School enables parent access) | First name and surname; email address |
4.2 Organisational and account information
To set up and administer the School's account, manage billing, and provide support, we collect: organisation name; address details; main phone number; general email address; number of students on roll; products or services subscribed to; and usage statistics.
4.3 Information you provide through our website and forms
When you visit www.growhall.com or interact with us, we may collect your name, email address, role, school name, country or region, and any other information you choose to provide when you request a demo, download a resource, subscribe to updates, complete a form, or contact us for support.
4.4 User-Generated Content
When Users interact with the Service, we process the content they create or submit, for example responses to question banks, assignment submissions, and assessment responses, in order to deliver the Service's functionality such as recording progress and enabling teachers to review submissions.
4.5 Log and technical data
We collect technical information generated when you use the Service or visit our website, which may include IP address, browser type, device type, operating system, and activity logs (records of actions taken within the platform). We use this information to operate and secure the Service, authenticate Users (including keeping you signed in), diagnose problems, and understand usage.
4.6 AI feature inputs
If your School has enabled GrowHall's AI features, we process the prompts and inputs Users submit to those features in order to generate responses. See Section 12 (AI Features and Automated Processing) for full details, including the safeguards that apply.
4.7 Sensitive data: what we do not ask for
We do not require, and we ask Users not to submit, special-category or sensitive personal data (such as health information, racial or ethnic origin, religious beliefs, biometric identifiers, or precise geolocation) through the Service or, in particular, through the AI features. Users are instructed not to include personal, sensitive, or confidential information in AI prompts. If a School needs to process sensitive data within the platform, it remains the Controller and is responsible for setting an appropriate lawful basis and obtaining any required consents.
05 Information We Receive From Other Sources
We may receive personal information about you from sources other than you directly, including:
- Your School. Most platform information about students, teachers, staff, and parents reaches us because the School (or a teacher or administrator acting for the School) provides it when setting up accounts, classes, and rosters.
- Single sign-on (SSO) providers. Where the School configures SSO, GrowHall supports sign-in through Microsoft and Google. When you use SSO, we receive the limited information needed to create or authenticate your account, such as your name and email address. We do not send personal information back to the login provider except as required to complete authentication.
- Service providers acting on our behalf. For example, our support, customer-success, and analytics providers may supply us with information about how the Service is being used.
If we combine information from these sources and it relates to an identifiable person, we treat the combined information as personal information and handle it in accordance with this Policy.
06 How We Use Information
We use personal information only for the purposes described in this Policy and, for platform data, only as authorised by your School. The principal purposes are:
- To provide and operate the Service: creating and managing user accounts; authenticating Users and managing access; and delivering, hosting, and displaying licensed Content (videos, subject notes, digital textbooks, question banks, assignment and evaluation modules).
- To support teaching and learning: recording responses to question banks and assessments, assignment submissions, and learning-progress data; and generating reports on student usage and performance for the School's instructional purposes.
- To facilitate communication: sending operational and service-related messages, for example notifications, alerts, and password-reset instructions, and, where enabled by the School, facilitating communication between the School and parents.
- To provide customer support and administer accounts: responding to enquiries, managing subscriptions and renewals, billing, and system administration.
- To secure and maintain the Service: monitoring for security, fraud, and abuse; logging and diagnosing faults; and maintaining the integrity, availability, and resilience of our systems.
- To improve the Service: analysing usage on a de-identified or pseudonymised basis wherever feasible, to understand how features are adopted and to improve performance and reliability.
- To provide AI-assisted features: processing prompts to generate responses, as described in Section 12.
- For our website, marketing, and sales activities: operating and improving our website; responding to demo requests and enquiries; managing customer relationships; and, where permitted, sending marketing communications (see Section 11).
- To comply with law and protect rights: meeting legal, regulatory, tax, and accounting obligations; enforcing our Terms; and establishing, exercising, or defending legal claims.
We do not:
- sell personal data;
- use personal data for targeted advertising, or allow data brokers or advertisers to collect data through the platform;
- use educational data or Student Data for profiling, automated decision-making producing legal or similarly significant effects, or any commercial purpose unrelated to providing the Service; or
- use personal data submitted through the platform to train third-party AI models (see Section 12).
If we ever wish to use information for a materially new purpose, we will provide notice and obtain the appropriate School or individual permission before doing so.
07 Legal Bases for Processing (GDPR and UK GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases. For personal data within the platform, the School (as Controller) determines the lawful basis for collecting and sharing the data with us, and we process it as a Processor on the School's documented instructions. For data where we act as Controller, such as website and marketing data, the bases below apply directly to us.
A. Platform data (GrowHall acting as Processor for the School)
| Purpose | Legal basis |
|---|---|
| Providing access to the platform and its core functionality (Content delivery, assessments, progress tracking) | Performance of a contract between the School and GrowHall; processing as Processor on the School's documented instructions |
| Creating and managing user accounts, classes, and rosters | Processor acting on the School's documented instructions |
| Providing technical and user support to authorised Users | Legitimate interests in the effective and uninterrupted operation of the Service |
| Sending operational communications (notifications, password resets) | Performance of contractual obligations to the School; legitimate interests in facilitating use of the platform |
| Securing the platform (fraud detection, abuse prevention, monitoring) | Legitimate interests in safeguarding the platform, services, and user community |
| Enabling SSO or third-party authentication (Microsoft, Google) where configured by the School | Performance of contractual obligations; supporting secure access |
| Analysing pseudonymised or de-identified usage to support effective use | Legitimate interests in service improvement, with privacy safeguards |
B. Website, marketing, and business-operations data (GrowHall acting as Controller)
| Purpose | Legal basis |
|---|---|
| Operating, securing, and improving our website | Legitimate interests in a secure, functional website |
| Responding to demo requests, enquiries, content downloads, and contact forms | Consent provided at submission, and/or steps taken at your request before entering a contract |
| Sending marketing and informational communications | Consent, or legitimate interests in promoting our services where permitted by law |
| Managing customer relationships, renewals, and customer success | Performance of the contract with the School; legitimate interests in account management |
| Website and product analytics (including via cookies) | Legitimate interests in optimising the Service; where required by law, consent for non-essential cookies |
| Complying with legal obligations and responding to lawful requests | Compliance with a legal obligation; legitimate interests in protecting our legal rights |
Where we rely on legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. You may object to such processing as described in Section 17. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
08 How We Share Information
We share personal information only as necessary to operate the Service and as described below. We do not sell personal data.
- With your School. Platform data is accessible to authorised Users at your School in line with their roles. For example, teachers can see their students' submissions and progress.
- With service providers and sub-processors. We use selected third parties to host, operate, support, and improve the Service. They are contractually required to process personal data only on our instructions and only to provide their services to us. See Section 9 for the current list.
- For AI features. Where your School has enabled AI features, prompt text is transmitted to our LLM providers solely to generate responses, subject to the safeguards in Section 12.
- For legal and safety reasons. We may disclose personal information where required by applicable law, regulation, court order, or valid request from a public authority, or where necessary to enforce our Terms, protect the rights, safety, and security of our users or the public, or establish, exercise, or defend legal claims. We will not disclose personal data in response to law-enforcement or other legal demands unless legally required to do so, and, where feasible and lawful, we will notify the relevant School before disclosure.
- In a corporate transaction. If we are involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected Schools, and any acquiring entity will be required to honour this Policy and any applicable DPA.
We do not share personal data with third parties for their own marketing or advertising purposes.
09 Service Providers and Sub-Processors
We use a few third-party services in order to operate and improve GrowHall. All these services are contractually prohibited from using that information for any other purpose other than to provide the GrowHall service. You can find a list of our third party service providers here.
We commit to give you an opportunity to opt out where we disclose your personal information to an independent third party or if your personal information is to be used for a purpose that is materially different from those communicated and/ or authorized by you. If you otherwise wish to limit the use or disclosure of your personal information, please contact us at privacy@growhall.com.
In case of the sale, merger, bankruptcy, sale of assets or reorganisation of our company, we may disclose or transfer your data to the acquiring or successor entity. We will notify you of the same. The acquiring entity will be required to comply with the terms of this Privacy Policy and any applicable Data Processing Agreement in relation to your data.
GrowHall will not disclose personal data in response to law enforcement or other legal demands unless legally required to do so. Where feasible, we will notify the relevant school or account owner before disclosure unless the law or a court order prohibits us from providing notice.
10 Analytics and Cookies
We and our service providers use cookies and similar technologies (such as local storage) to operate the Service and understand how it is used.
- Strictly necessary or functional: for example, to keep you signed in (we authenticate Users using secure tokens) and to remember your preferences. These are required for the Service to work.
- Performance and analytics: to understand how the Service and website are used, diagnose errors, and improve performance and reliability.
- Support and customer-success: our in-product support and customer-success tools may set cookies to provide chat support and measure feature usage.
We do not use cookies or similar technologies on the platform to serve advertising, and we do not allow third parties to collect data through the platform for advertising purposes.
On our website, cookies may also be set by our CRM and marketing provider and our support provider. Where required by law, we ask for your consent before placing non-essential cookies. You can manage non-essential cookies through the cookie settings on our website or through your browser settings. Disabling some cookies may affect how the Service works. The specific cookies we use, including their providers, purposes, and retention periods, are described in our Cookie Policy.
11 Marketing Communications
We may send marketing and informational communications, such as product updates, newsletters, and event invitations, to school contacts and to individuals who have asked to hear from us, where permitted by applicable law and in line with your preferences.
- We rely on your consent or on our legitimate interests in promoting our services, as permitted by the law applicable to you.
- Every marketing email includes an easy way to unsubscribe, and you can opt out at any time by using that link or by contacting privacy@growhall.com.
- Opting out of marketing does not stop operational or service-related messages (such as notifications, security alerts, and billing communications), which are necessary to provide the Service.
We do not use Student Data or other platform data for marketing.
12 AI Features and Automated Processing
This section explains how we handle information when GrowHall's AI features ("GrowHall AI", including the "Ask AI" feature) are used. It applies only if your School has enabled these features.
How the AI features work. GrowHall AI uses Large Language Models provided by reputable third-party AI vendors to support learning, for example by answering questions based on GrowHall's curated content. When a User submits a prompt, that prompt is transmitted to the relevant LLM vendor for processing so that a response can be generated and returned within the Service.
We use one or more third-party Large Language Model (LLM) providers to deliver these features. The providers we use may change over time. Our current providers, which include Amazon Bedrock and Microsoft Azure, are listed at www.growhall.com/3rdparty, and we keep that list up to date. We will reflect material changes in this Policy.
NOTE Users are asked not to include personal information in prompts, and our AI providers do not use prompts submitted through GrowHall to train their models.
Our safeguards:
- Encryption in transit. Prompts are encrypted while being transmitted to the LLM vendor.
- Minimise personal data in prompts. Users are instructed not to include personally identifiable information, sensitive personal data, or confidential information in their prompts, and the Subscriber is responsible for making its Users aware of this. Where personal data is inadvertently included in a prompt, it is processed only to generate the requested response and is subject to the safeguards described in this Policy.
- No training on your data. Our AI vendors do not use prompts submitted through GrowHall to train their models.
- Minimal retention. We do not retain prompts or AI-generated responses beyond what is necessary to deliver the feature.
- Access controls. Access to the AI features and any associated data is restricted to authorised personnel on a least-privilege basis.
Educational use and fair use. GrowHall AI is intended for educational purposes only. Excessive, automated, or abusive use, attempts to reverse-engineer or manipulate the AI, and the submission of inappropriate, offensive, unlawful, or infringing content are prohibited. Access to AI features may be monitored, reduced, suspended, or terminated to maintain fair use and system integrity.
Human oversight and automated decision-making. GrowHall does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals. AI-generated outputs are intended to support educators and learners.
13 International Data Transfers
GrowHall is hosted on Amazon Web Services (AWS). To support performance and compliance, we store platform data in the AWS region closest to, or most appropriate for, the School's location:
- For users in Europe, data is stored in Ireland.
- For users in Australia, data is stored in Sydney.
- For users in Hong Kong, data is stored in Hong Kong.
- For users in the United States, data is stored in Northern Virginia.
- For users in the United Arab Emirates, data is stored in Dubai.
- For users in Singapore and South-East Asia, data is stored in Singapore.
- For users in other regions, data may be stored in one of the locations above.
If we transfer personal information outside the region in which it was originally stored, for example to one of our sub-processors (see Section 9), we use appropriate safeguards. These may include:
- an adequacy decision, for example a transfer to a country recognised as providing an adequate level of protection; or
- the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Agreement or UK Addendum, and equivalent mechanisms under other applicable laws, together with any supplementary measures required; or
- another valid transfer mechanism recognised under applicable law.
You may request more information about the safeguards we use by contacting privacy@growhall.com.
14 Data Retention
We retain personal information only for as long as necessary to fulfil the purposes described in this Policy, to provide the Service, and to comply with our legal, contractual, accounting, and regulatory obligations.
- Platform data. We process platform data for as long as the Subscriber's subscription is active. Following termination or expiry of the Licensing Contract, and at the Subscriber's choice and documented instruction, we will either return the data in a structured, commonly used, machine-readable format, or securely delete it, subject to the retention rights below.
- Post-termination retention. We may retain personal data for up to seven (7) years following termination or expiry of the Licensing Contract (or longer where required by law). This period is set primarily to meet legal, tax, accounting, audit, dispute-resolution, and regulatory-compliance obligations, and to provide reasonable post-termination support such as data retrieval or account reactivation. During any such period, the data is not actively processed for other purposes, remains protected by appropriate security measures, and is accessible only to authorised personnel.
- Secure deletion. On expiry of the applicable retention period, we securely and irreversibly delete the data and, on reasonable request, confirm deletion in writing. Residual copies may persist in automated backups for a limited period in line with our backup-retention schedules. Such copies are not actively processed and are purged on schedule.
- Data subject request assistance. For requests requiring the extraction, compilation, or delivery of personal data from our systems (such as access, rectification, erasure, restriction, or portability requests), we require a minimum of ten (10) business days from receipt of the Subscriber's documented request, so that the data provided is accurate, complete, and securely transmitted.
We also instruct our approved sub-processors to delete personal information they process on our behalf in accordance with their contractual obligations.
15 Data Security
We implement and maintain appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access, taking into account the state of the art, the costs of implementation, and the nature, scope, and risks of the processing. Our measures include the following.
Encryption and cryptography
- Encryption at rest using AES-256, and encrypted client-server communication over HTTPS using TLS version 1.2 or higher for data in transit.
- Password protection using industry-standard hashing algorithms.
- Defined policies on the use of encryption, cryptographic authentication and integrity controls, and cryptographic key management.
Authentication and access control
- Authentication using JSON Web Tokens with refresh tokens.
- Role-based access control (RBAC) restricting access to personal data based on job function and business need.
- User-access management from initial registration through to removal of access when no longer required, with special restrictions for privileged access and regular access reviews, applying the principle of least privilege.
Application security
- Input sanitisation to help prevent injection attacks.
- Use of environment variables for sensitive configuration values and credentials.
Operations security
- Documented operational procedures, controlled changes to IT systems, and separation of development, test, and operational environments.
- Malware protection and user-awareness controls.
- Regular backups taken and retained in line with a backup policy.
- Logging and continuous monitoring of system, administrator, and security events, with access logs and security alerts.
- Technical vulnerability management, including patching and controls over software installation.
Physical, environmental, and organisational security
- Hosting on secure, access-controlled cloud infrastructure (AWS), with physical entry controls and secure areas protecting equipment, and secure disposal of storage media.
- Asset inventory and ownership, information classification and handling, and confidentiality obligations and training for personnel authorised to access personal data.
Breach notification. In the event of a personal data breach affecting personal data, we will notify the affected School without undue delay and, where feasible, within 72 hours of becoming aware of it, so that the School can meet its own notification obligations. Where required by law, we will also support notification to relevant authorities and affected individuals. Our notification will include, as information becomes available, a description of the nature of the breach, its likely consequences, and the measures taken or proposed to address it.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. We work continuously to protect your information and to improve our safeguards.
16 Children's Privacy
GrowHall is designed for use by schools and is provided for educational purposes. Students do not sign up independently. Access is arranged and managed by the School in accordance with applicable requirements. Some Users may be minors, and we apply the approach set out below.
- School-consent model. As a third-party operator and service provider, we rely on the School to obtain and hold any consents required by law before personal data is shared with us, and to provide any required privacy notices. The School determines whether parental consent is required and obtains it where necessary.
- United States (COPPA). We rely on School consent for children under 13 under the Children's Online Privacy Protection Act (COPPA). Our role under FERPA is set out in the FERPA statement below.
- European Economic Area, UK, and Switzerland (GDPR). Where parental consent is required for the processing of children's personal data, the School (as Controller) is responsible for obtaining it.
- Australia. The School is responsible for obtaining parental consent for children where required under the Privacy Act 1988.
- India (DPDPA). For Users under 18, the School is responsible for obtaining verifiable parental or guardian consent as required under the Digital Personal Data Protection Act, 2023.
FERPA (School Official). For schools in the United States, GrowHall acts as a "School Official" with a legitimate educational interest under the Family Educational Rights and Privacy Act (FERPA). We access and use education records only for the authorised educational purposes for which the School provides them, under the direct control of the School, and we do not re-disclose education records except as permitted by FERPA or as directed by the School.
We do not encourage Users to share personal information publicly, and we do not knowingly collect personal data from children except as arranged by the School. If you believe a child's data has been provided to us without the appropriate consent, please contact your School, or email us at privacy@growhall.com and we will work with the School to address it.
17 Your Privacy Rights
Depending on where you live, you may have some or all of the following rights over your personal data:
- Be informed about how your personal data is collected, used, and shared.
- Access the personal data we hold about you.
- Correct inaccurate or incomplete personal data.
- Delete your personal data in certain circumstances.
- Restrict or object to certain processing, including direct marketing.
- Withdraw consent where processing is based on consent.
- Data portability: receive your data in a structured, commonly used, machine-readable format, where applicable.
- Non-discrimination for exercising your rights.
- Appoint an authorised agent to act on your behalf, where local law permits.
- Lodge a complaint with your local data protection authority.
How this works in practice. Because most platform data is controlled by your School, if you are a student, parent, teacher, or staff member, you should direct requests about platform data (access, correction, deletion, withdrawal of consent) to your School, which controls the data and decides how it is handled. We cannot act on such requests directly, but we will support your School in responding to them as required by law. For information that we control directly, for example website, marketing, or enquiry data, you can exercise your rights with us directly. See Section 19 for how to make a request.
18 Region-Specific Privacy Disclosures
The following disclosures supplement this Policy for individuals in specific regions. Where a region-specific disclosure conflicts with the rest of this Policy, the region-specific disclosure controls for residents of that region.
18.1 European Economic Area, United Kingdom, and Switzerland (GDPR, UK GDPR, Swiss FADP)
- For platform data, your School is the Controller and GrowHall is the Processor. We execute a Data Processing Agreement with Schools in the EEA, UK, and Switzerland.
- Our legal bases are described in Section 7, and your rights in Section 17. You have the right to lodge a complaint with your supervisory authority. In the UK this is the Information Commissioner's Office; in Switzerland the Federal Data Protection and Information Commissioner; or your local EEA authority.
- International transfers are handled as described in Section 13, including the EU and UK Standard Contractual Clauses and, for Switzerland, the Swiss-recognised version of those clauses.
18.2 California (CCPA and CPRA)
- When we process platform data on behalf of a School, we act as a service provider and process personal information only to provide the Service.
- In the preceding 12 months, we have collected the categories of personal information described in Section 4, such as identifiers, education and professional information, internet activity, and user-generated content. We do not sell personal information and do not share it for cross-context behavioural advertising, and we do not use sensitive personal information for purposes beyond those permitted.
- California residents have the right to know or access, delete, correct, and opt out of sale or sharing (we do not sell or share), and the right not to be discriminated against for exercising these rights. Education records covered by FERPA are handled under that framework.
- To exercise your rights, see Section 19. If your data was provided by a School, please direct your request to the School.
18.3 Other U.S. States (Colorado, Virginia, Connecticut, Utah)
For residents of Colorado, Virginia, Connecticut, and Utah, we comply with applicable state privacy laws. We do not sell personal data, do not use personal data for targeted advertising, and do not engage in profiling that produces legal or similarly significant effects. You have rights to access, correct, delete, and obtain a portable copy of your personal data, and, where applicable, to appeal a refused request. When we process data on behalf of a School, we act as a processor under these laws. To exercise your rights, see Section 19; for platform data, contact your School.
18.4 Australia (Privacy Act 1988 and Australian Privacy Principles)
We handle personal information in accordance with the Australian Privacy Principles. We collect personal information only as necessary to provide the Service, rely on Schools to obtain any required consents (including parental consent for children), and are transparent about how we collect, use, and disclose personal information. Where we disclose personal information overseas (see Section 13), we take reasonable steps so that it is handled consistently with the APPs. You may complain to the Office of the Australian Information Commissioner (OAIC).
18.5 New Zealand (Privacy Act 2020)
We comply with the Information Privacy Principles under the Privacy Act 2020. We collect personal information for the purposes described in this Policy, take reasonable steps to keep it secure, and, where we disclose personal information overseas, take steps consistent with the cross-border disclosure requirements of the Act. In the event of a privacy breach likely to cause serious harm, we will support the relevant notifications. You may complain to the Office of the Privacy Commissioner.
18.6 Brazil (LGPD)
For individuals in Brazil, we process personal data in accordance with the Lei Geral de Protecao de Dados (LGPD). For platform data we act as an operador (processor) on the School's instructions, and the School is the controlador. You have rights of confirmation and access, correction, anonymisation, blocking or deletion, portability, information about sharing, and to withdraw consent. International transfers are carried out under LGPD-recognised safeguards. You may contact the Autoridade Nacional de Protecao de Dados (ANPD).
18.7 India (DPDPA)
We are committed to complying with the Digital Personal Data Protection Act, 2023 (DPDPA). For platform data, the School generally acts as the Data Fiduciary and GrowHall as a Data Processor. We process personal data of Data Principals for the purposes described in this Policy, rely on Schools to obtain verifiable parental or guardian consent for Users under 18 where required, and implement reasonable security safeguards. Data Principals have rights of access, correction, completion, updating, erasure, grievance redressal, and nomination. You may contact our Grievance Officer (Section 21) and, where unresolved, the Data Protection Board of India.
19 Exercising Your Rights
- Platform data (student, parent, teacher, staff, administrator data shared by a School): please contact your School, which controls the data. We will support the School in fulfilling your request.
- Data we control directly (website, marketing, enquiries): contact us at privacy@growhall.com.
When you contact us, please include enough information for us to verify your identity and locate your data, a clear description of your request, and the right or rights you wish to exercise. We will respond within the timeframe required by the law applicable to you. We may need to verify your identity before acting and, in limited cases, may be unable to fully comply, for example where an exception applies. If we decline a request, we will explain why and how you can contest the decision. We do not charge a fee for most requests unless permitted by law, for example for manifestly unfounded or excessive requests.
You may also withdraw consent for processing based on consent at any time, and unsubscribe from marketing using the link in any marketing email.
20 Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make changes that we believe will materially affect your rights, we will provide notice, for example by email or a prominent notice, at least 30 days in advance where practicable. If you continue to use the Service after the changes take effect, you accept the updated Policy. For previous versions, contact us at privacy@growhall.com.
21 Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us.
- Privacy and data protection enquiries: privacy@growhall.com
- Data Protection Officer: Anshul Chauhan
- Grievance Officer (India): Anshul Chauhan
- Postal address: Teacher Tools Private Limited, 2nd Floor, No. 590, Phoenix Primus, 1st Cross Road, 12th Main, HAL Stage 2, Indiranagar, Bengaluru, Karnataka 560038, India
When contacting us about a grievance, please include your name and contact details, a clear description of the issue, and any relevant supporting information so we can respond promptly. We aim to acknowledge grievances within a few business days of receipt and to resolve them within 30 days, or sooner where required by applicable law.
Ready to see
GrowHall in action?
Take a guided tour of GrowHall with our team.
