Stukent, Inc. Privacy Policy

Effective Date: May 4, 2026
Last Updated: March 30, 2026

This Privacy Policy explains how Stukent, Inc. (“Stukent,” “we,” “us,” or “our”) collects, uses, protects, retains, and shares information when you access or use our websites, courseware, simulations, and related educational services (collectively, the “Services”).

If Stukent enters into a Data Processing Agreement (DPA) or similar agreement with an educational institution, and that agreement addresses the same data and topic, the DPA controls to the extent of any conflict.

1. Scope and Who This Applies To

This policy applies to:

  • Students using the Services through a school or institution

  • Educators and institutional users administering courses

  • Individual consumers using the Services outside an institution

  • Visitors to our marketing website(s)

Important: The Services are designed for educational purposes. Where a school or institution provides access, Stukent acts as a service provider to that institution and processes data only as authorized by the institution and applicable law.

2. Key Definitions


  • “Personal Data” means information that identifies, relates to, describes, or could reasonably be linked to an individual (e.g., name, email, device identifiers).

  • “Student Data” means Personal Data relating to students that is processed to provide the Services to an educational institution.

  • “Customer Data” / “Your Data” means data submitted to the Services by or on behalf of a user or institution, including content and activity within the Services.

  • “De-Identified Data” means data that has been processed to remove direct identifiers and is not reasonably linkable to an individual.

3. Data Ownership (Who Owns the Data)

You and/or your educational institution own Your Data.
Stukent does not claim ownership of Your Data.

Stukent receives a limited license to access, host, process, transmit, and display Your Data only to provide, maintain, secure, and improve the Services as described in this policy and any applicable agreement (such as a DPA).

4. Data We Collect (Complete Inventory)

We collect the following categories of data:

A. Registration and Account Data

  • Name

  • Email address

  • Username / user ID

  • Role (student, instructor, administrator)

  • Institutional affiliation (school, district, organization)

  • Course/class identifiers and roster information (where applicable)

B. LMS / SSO / Integration Data

If you access Stukent through an LMS or SSO (including LTI 1.3 integrations), we may receive:

  • LMS user ID / subject ID

  • LMS course / class identifiers

  • Enrollment / roster signals (e.g., course membership)

  • Login / authentication assertions necessary to sign you in

C. User-Generated Content and Learning Activity

Depending on your role, institutional configuration, and products used, this may include:

  • Learning content, assignments, and quizzes created by educators using our content tools

  • Responses to assignments, questions, and simulated activities

  • Uploaded files or content submitted through the Services

  • Simulated social media posts or marketing artifacts created in-platform

  • Audio or video recordings if the product feature is enabled and used

  • Instructor feedback and grading inputs

D. Usage and Device Data

  • Login timestamps and session duration

  • Pages/screens accessed and feature usage

  • IP address

  • Approximate location derived from IP (if enabled)

  • Device type, OS, browser version, language, screen resolution

  • Error logs and performance telemetry

E. Support and Communications

  • Messages sent to support

  • Administrative communications (service notices)

  • For educators/institutions: onboarding and implementation communications

F. Payment Data (When Online Payments Are Enabled)

If an institution enables online payments via a third-party payment provider, the payment provider may collect:

  • Cardholder name

  • Card number, expiration date, CVV

  • Billing address and billing phone number

Stukent does not store full card numbers or CVV. Payment processing is handled by the payment provider in a PCI-compliant manner.

G. Cookies and Similar Technologies

We use cookies and similar technologies (details in Section 9), including:

  • Strictly necessary cookies (login/session, security)

  • Functional cookies (preferences)

  • Analytics cookies (optional; configurable and opt-out available)

5. How We Collect Data (Methods)

We collect data in the following ways:

  1. Directly from you when you create an account, log in, submit coursework, or contact support.

  2. From your educational institution when your institution provisions or authorizes your access, rostering, course enrollment, or account attributes.

  3. From LMS/SSO providers when you use LTI/SSO integrations and the provider sends identifiers and roster context to enable access.

  4. Automatically when you use the Services (Usage and Device Data, security logs).

  5. Via cookies and similar technologies when you access our website(s) or web-based Services.

  6. From payment providers only as needed to confirm payment status (we do not receive full card details).

6. How We Use Data

We use data only for the following purposes:

A. Provide and Operate the Services

  • Create and manage accounts

  • Authenticate users (including through SSO/LMS)

  • Deliver courseware, simulations, grading, and feedback workflows

  • Maintain course rosters and enrollment where authorized

B. Support and Customer Success

  • Provide technical support

  • Respond to requests and troubleshoot issues

  • Provide educator implementation support

C. Safety, Security, and Integrity

  • Prevent fraud and abuse

  • Monitor for suspicious activity

  • Maintain audit logs, backups, and recovery operations

  • Enforce our Terms and acceptable use

D. Improve and Develop the Services

  • Fix bugs and improve reliability and performance

  • Improve user experience and accessibility

  • Analyze aggregated trends to improve educational resources

E. Communications

  • Send essential service-related messages (security, downtime, account notices)

  • Send marketing communications only to non-student recipients who have opted in or where permitted by law; we do not send marketing emails to students

F. Legal Compliance

  • Comply with legal obligations, court orders, and lawful requests

  • Protect rights, safety, and integrity of users, institutions, and Stukent

7. How We Share Data (Including “Who” and “What”)

We do not sell or rent Personal Data.
We do not allow third-party companies to advertise or independently promote products through the in-product Services.

We share data only as described below:

A. With Educational Institutions (When You Use Stukent Through a School)

We share Student Data with the associated institution (and authorized educators/admins) for:

  • Course administration (rosters, progress, grades, completion)

  • Support and compliance (FERPA/COPPA-aligned workflows where applicable)

B. With Subprocessors (Service Providers)

We use vetted third-party service providers (“Subprocessors”) to operate the Services. Each Subprocessor is bound by a written contract requiring:

  • Confidentiality

  • Security controls appropriate to the risk

  • Use limitations (only to provide contracted services)

  • Breach notification obligations

  • Compliance with the applicable customer/vendor agreement and DPA terms

What we share: We share only the minimum data necessary for the Subprocessor to provide its service.

A current list of Subprocessors is maintained in our Trust Center.

C. With Integrations You Enable (LMS, Google Classroom, etc.)

If your institution enables an integration (e.g., Google Classroom, Canvas, LMS/LTI), we process integration data to:

  • Sync rosters and enrollments

  • Provision accounts

  • Enable a seamless login experience

We do not share integration data with other third parties except as necessary to provide the Services, comply with law, or with explicit consent.

D. Payment Processing

Payment data is collected and processed by the payment provider. Stukent receives confirmation of payment status and transaction identifiers as needed to provide access.

E. Legal Reasons

We may disclose data when we have a good-faith belief disclosure is necessary to:

  • Comply with law, regulation, legal process, or lawful government request

  • Protect safety, rights, or property

  • Prevent fraud, abuse, or security incidents

F. Business Transfers

If Stukent is involved in a merger, acquisition, financing, or sale of assets, we may transfer data as part of that transaction subject to:

  • Continued confidentiality and security

  • Notice as required by law and contract

8. Opt-Out of Third-Party Sharing (User Controls)

We provide meaningful opt-outs where feasible:

  1. Analytics opt-out: Users (or institutions) can opt out of non-essential analytics collection and sharing through cookie controls and/or institutional configuration.

  2. Marketing opt-out: Non-student recipients can opt out of marketing emails using the unsubscribe mechanism and account preferences.

  3. Integrations: Institutions can disable LMS/SSO/integration features that involve data exchange, which may limit functionality.

  4. Non-essential cookies: You can reject non-essential cookies at any time (see Section 9).

If an institution is the account administrator, users may need to route certain requests through the institution to ensure authorized administration of Student Data.

9. Cookies and Similar Technologies (Full Disclosure + Inventory)

A. What We Use

We use:

  • Cookies (small text files stored on your device),

  • Local storage/session storage (in-browser storage),

  • Similar technologies used for security, preferences, and optional analytics.

We do not use cookies for targeted advertising in the in-product Services.

B. Cookie Categories

  1. Strictly Necessary Cookies
    Used for login, session management, security, and load balancing.

  2. Functional Cookies
    Used to remember preferences (e.g., language, UI settings).

  3. Analytics Cookies (Optional)
    Used to understand usage patterns and improve performance and user experience.
    These can be disabled via our cookie controls.

C. Cookie Inventory

We do not use cookies for targeted advertising in the in-product Services.

10. Advertising and Tracking Commitments

  1. Advertisements displayed: The in-product Services do not display third-party advertisements.

  2. Targeted advertising: We do not target users for advertising within the Services.

  3. Third-party ad tracking: We do not permit third parties to track or collect information for advertising purposes within the Services.

  4. Beacons/pixels for ad purposes: We do not use web beacons/pixels for advertising purposes within the Services.

  5. Opt-out from advertisers: Because we do not share data with advertisers for the Services, there is no advertiser data sharing to opt out of within the Services. For our marketing website(s), users can opt out of non-essential cookies/analytics as described in Section 9.

11. How We Protect Data (Security Practices)

We maintain a comprehensive, multi-layered security program that includes administrative, technical, and physical safeguards designed to protect Personal Data and Student Data against unauthorized access, disclosure, alteration, and destruction.

A. Encryption (Sensitive/Confidential Data "Throughout")

  • Encryption in transit: We encrypt data transmitted over the internet using TLS 1.2 or higher.

  • Encryption at rest: We encrypt data stored on our servers using AES-256 (or equivalent).

  • Scope: All confidential and sensitive information is encrypted in transit and at rest, including Student Data and authentication credentials.

B. Password Standards (Strong Password Creation — Enforced)

For accounts that use password login (i.e., not purely SSO):

  • Minimum length: 12 characters

  • Requires at least 3 of 4: uppercase, lowercase, number, symbol

  • Blocks common/compromised passwords

  • Secure password storage using modern hashing (salted, adaptive hashing)

  • Rate limiting and/or account lockout protections after repeated failed attempts

C. Two-Step Authentication (2FA/MFA)

  • Our Classic Platform supports SSO through LMS/LTI integrations.

  • Our CTE Platform supports SSO through LMS/LTI integrations and through Google SSO.

  • For direct login accounts, we provide two-step authentication (MFA) as an available security feature for eligible users and administrators (e.g., authenticator app or email-based verification), and we may require it for higher-risk administrative access.

D. Breach Notification

If a breach affects Personal Data, we will:

  • Promptly investigate and contain the incident,

  • Notify affected parties and regulators as required by law and contract,

  • Provide information about the nature of the breach, data affected, mitigation steps taken, and recommended user actions.

12. Data Retention (Specific Retention Schedule)

We retain data only as long as necessary for the purposes described in this policy and as required by law or contract, and then securely delete or de-identify it.

A. Core Retention Rules

  • Active accounts: retained while the account is active and the institution relationship is in effect.

  • After termination: retained for the minimum period needed for legal, security, dispute resolution, and contract compliance.

B. Retention Schedule

C. De-Identified Data

We may retain De-Identified Data long-term to improve Services and educational resources.

13. Deletion (Complete Deletion + Process)


A. Right to Delete

Users (or institutions acting on behalf of users) may request deletion of Personal Data and Student Data.

B. What “Deletion” Means

Deletion means:

  • Removing Personal Data from active systems

  • Deleting or irreversibly de-identifying data where feasible

  • Preventing further processing except where legally required

C. How to Request Deletion

  • Institution-managed accounts (students/teachers): Requests should be submitted through the institution administrator or educator of record, or via support with institutional authorization.

  • Direct consumer accounts: Requests can be submitted via support@stukent.com.

D. Deletion Timeline

  • We will complete deletion within 30 days of verifying the request (unless a shorter timeline is required by law or contract), and we will provide confirmation when complete.

E. Exceptions (Narrow and Specific)

We may retain limited data only when necessary to:

  • Comply with a legal obligation

  • Resolve disputes

  • Enforce agreements

  • Prevent fraud or abuse

  • Maintain security logs required for integrity

F. Backups

Backups are retained for a limited period (see Data Retention section for details). When backups age out, deleted data is removed as part of the normal backup lifecycle.

14. Children's Privacy and Student Data

We collect and process Personal Data of users under 18 only on behalf of and with authorization from an educational institution.

  • Student Data is used only to provide the educational Services authorized by the institution.

  • Student Data is never used for marketing, profiling for advertising, or sold to third parties.

  • Institutions are responsible for parental consent workflows where required (e.g., COPPA/FERPA contexts), and Stukent supports institutional requests related to access, correction, and deletion.

15. International Data Transfers

Data processed under this policy is hosted and processed in the United States. By using the Services, you understand your data will be processed in the U.S., subject to the protections described here and any applicable DPA.

16. Third-Party Links and External Tools

Our Services may link to third-party websites or include optional third-party tools. This policy does not apply to those third parties. You should review their policies before providing data to them.

17. Notice of Changes (Including Subprocessors)

A. Policy Updates

We will provide at least 30 days’ notice of material changes by posting an updated policy and updating the Effective Date.

B. Subprocessor Changes (Required Notice)

We will notify customers / institutions at least 30 days before adding or replacing a Subprocessor that processes Student Data, by:

  • Updating the Trust Center Subprocessor list

  • Providing a changelog entry

  • Offering a subscription/email notification mechanism for institutions

Institutions may raise objections within the notice period as permitted by contract/DPA.

18. Contact Us

Email: support@stukent.com
Phone: (855) 788-5368
Mailing Address: 1755 International Way, Idaho Falls, ID 83402