Privacy, Security & Compliance
At Escaply, protecting student and educator data is fundamental to how we design, develop, and operate our platform.
Our commitment to student privacy
Escaply helps educators create engaging, interactive learning experiences while minimizing the collection and processing of personal information. We believe educational technology should support learning without compromising privacy.
We are committed to:
- Protecting student and educator information.
- Collecting only the data necessary to provide our services.
- Being transparent about how data is processed.
- Supporting schools in meeting their privacy obligations.
- Maintaining strong security and data protection practices.
- Never selling student data.
Student privacy by design
Escaply is built around the principle of data minimization.
In most educational scenarios, students can participate in activities using nicknames rather than personal accounts. This significantly reduces the amount of personally identifiable information processed by the platform.
We continuously evaluate our systems and processes to ensure that privacy considerations are incorporated into product design, development, and operations.
GDPR compliance
For educational customers, Escaply acts as a Data Processor on behalf of schools, districts, municipalities, universities, and other educational institutions. The educational institution remains the Data Controller and determines the purposes and legal basis for processing personal data.
Escaply processes personal data solely for the purpose of providing educational services and only in accordance with customer instructions and applicable data protection laws, including the European Union General Data Protection Regulation (GDPR).
Educational institutions may request:
- Access to their data
- Correction of inaccurate data
- Export of customer data
- Deletion of customer data
- Information regarding subprocessors
- Information regarding security measures
A Data Processing Addendum (DPA) is available upon request.
FERPA compliance
Escaply is designed to support educational institutions in meeting their obligations under the Family Educational Rights and Privacy Act (FERPA). Escaply:
- Uses student information solely to provide educational services.
- Does not sell student information.
- Does not use student information for advertising purposes.
- Does not create advertising profiles based on student activity.
- Allows schools to maintain control over student records.
- Supports correction and deletion requests.
- Processes student information only as directed by educational institutions.
Schools retain ownership and control of student education records.
COPPA compliance
Escaply supports educational use in accordance with the Children’s Online Privacy Protection Act (COPPA). When Escaply is used by schools, districts, or educational institutions, schools may provide consent on behalf of parents where permitted by applicable law.
Escaply:
- Collects only information necessary to provide educational services.
- Does not knowingly use children’s information for advertising purposes.
- Does not sell children’s personal information.
- Applies data minimization principles to student participation.
- Supports school-controlled deployment and account management.
Data we collect
Educators
Escaply may process the following information for educator accounts:
- Name
- Email address
- School or organization affiliation
- Authentication identifiers provided through Single Sign-On (SSO)
- User-generated content, including games, educational materials, and resources
- Optional profile image
This information is used solely to provide, secure, and improve the service.
Students
Escaply is designed to minimize student data collection. Depending on how a school chooses to use the platform, Escaply may process:
- Nicknames or player aliases
- Gameplay progress
- Activity completion status
- Scores and results
- Responses submitted during educational activities
- Device and browser information
- IP addresses
Escaply does not require students to provide personal contact information in order to participate in educational activities.
Single Sign-On (SSO)
Escaply supports Single Sign-On (SSO) authentication to simplify account management and improve security. Educational institutions may choose to manage access through approved identity providers and domain-based authentication controls. This allows schools and districts to maintain control over educator access while reducing administrative overhead.
Artificial intelligence & responsible use
Escaply uses Microsoft Azure OpenAI services to assist educators in creating educational content and learning experiences. Our AI functionality is designed to support educators while maintaining strong privacy protections.
Our AI commitments
- Student data is not used to train AI models.
- Student responses and educational records are not submitted for model training.
- AI functionality is limited to educator-driven content creation workflows.
- Customer content is not used to improve or train OpenAI foundation models.
- AI processing is provided through Microsoft’s enterprise Azure OpenAI environment.
Escaply remains committed to the responsible and transparent use of artificial intelligence in education.
Data hosting & residency
Escaply is hosted on Microsoft Azure infrastructure.
Primary hosting location
Gävle, Sweden. Customer data is stored within the European Economic Area (EEA).
We implement technical and organizational safeguards designed to protect customer information against unauthorized access, disclosure, alteration, or loss.
Security measures
Escaply maintains a range of technical and organizational safeguards, including:
- Encryption in transit using TLS
- Encryption at rest
- Secure cloud infrastructure hosted on Microsoft Azure
- Role-based access controls
- Controlled administrative access
- Backup and recovery procedures
- Security monitoring and incident response processes
- Access restrictions based on business need
Access to customer data is limited to authorized personnel who require access to perform their responsibilities.
Data retention & deletion
Customer data is retained for the duration of the customer relationship. Upon customer request or contract termination:
- Customer data will be deleted within 30 days unless otherwise required by law.
- Schools may request deletion of student data at any time.
- Deleted information may remain in encrypted backups for up to 90 days before permanent removal.
Escaply provides reasonable assistance to educational institutions that require data export or deletion.
Subprocessors
Escaply works with carefully selected service providers to deliver and maintain the platform.
| Provider | Purpose |
|---|---|
| Microsoft Azure | Cloud hosting and infrastructure |
| Azure OpenAI | AI-assisted content creation |
| HubSpot | Educator account management and communications |
| MailerLite | Onboarding and educational communications |
| Stripe | Payment processing |
All subprocessors are subject to contractual obligations regarding privacy, confidentiality, and security.
Customer rights
Educational institutions may request:
- Access to customer data
- Export of customer data
- Correction of inaccurate information
- Deletion of customer data
- Information regarding subprocessors
- Information regarding security practices
Requests may be submitted at any time.
Data Processing Addendum (DPA)
Escaply provides a Data Processing Addendum (DPA) for educational customers that governs the processing of personal data in accordance with applicable data protection laws, including GDPR. Organizations requiring a copy of our DPA may contact us directly.
Contact us
For privacy, security, or compliance-related inquiries, please contact:
Escaply AB
Email: info@escaply.com
We are committed to working collaboratively with schools, districts, municipalities, universities, and educational organizations to ensure student data remains protected and secure.