DoubleXL Learn (“DoubleXL,” “we,” “us,” or “our”) operates DoubleXL Assess, an AI-assisted grading tool that integrates with the Schoology learning management system (LMS) via LTI 1.3. This Privacy Policy explains what information the service processes, how it is used and protected, and the choices available to the educational institutions and educators who use it.
We act as a school official and a service provider to the educational institution (the “School”) under the Family Educational Rights and Privacy Act (FERPA) and applicable state student-privacy laws. We process student data only under the direction of the School, solely to provide the grading service, and for no other purpose.
1. Information we process
Data received from the School’s LMS
- Student work (assignment artifacts): the content students submit — typed responses, uploaded documents (e.g., PDFs), and photos of handwritten work — retrieved from Schoology for the assignment being graded.
- Assignment and roster context: assignment identifiers, section identifiers, and the Schoology-provided student identifier and enrollment identifier needed to return a grade to the correct record.
- Educator identity: the launching teacher’s or administrator’s LTI identifier and role, used to authorize access and attribute grading decisions.
Data we generate
- AI evaluations: rubric-aligned scores, per-criterion rationale, and draft feedback produced by the grading model.
- Teacher decisions and audit records: a record of approve, edit, reject, and grade-passback actions.
We do not collect student names. The service stores only the numeric student identifier provided by Schoology; the name-to-identifier mapping remains in the School’s LMS. We do not ask students to create accounts, and students do not interact with DoubleXL directly.
2. How we use information
We use the information above only to:
- Retrieve the student work to be graded;
- Evaluate that work against the teacher’s rubric and draft feedback;
- Present the evaluation to the teacher for review, editing, or rejection; and
- Pass the teacher-approved grade back to the Schoology gradebook.
A human educator reviews and must approve, edit, or reject every AI-generated result before it becomes a grade. We do not use student data for advertising, and we do not sell student data.
3. Artificial intelligence and model training
AI evaluation runs through Cloudflare Workers AI via an authenticated Cloudflare AI Gateway. Student submission content sent to the model is used only to produce the evaluation for that submission. We do not use student data to train, fine-tune, or improve any foundation model, and we do not permit our AI sub-processor to do so.
4. Data retention and deletion
- Student work artifacts (uploaded files and extracted text) are automatically deleted on a rolling schedule — within 7 days by default — by a scheduled retention job that removes both the stored object and its database record.
- Evaluations, teacher decisions, and audit records are retained for the duration of the School’s agreement to support grade integrity and auditing, and are deleted upon termination or on verified request from the School.
- A School may request deletion of its data at any time by contacting us at the address below.
5. Sub-processors
We rely on a small set of infrastructure providers who process data on our behalf:
- Cloudflare, Inc. — application hosting, edge compute, object storage (R2), and AI inference (Workers AI / AI Gateway).
- Neon, Inc. — managed PostgreSQL database for application records.
- Schoology / PowerSchool — the School’s LMS, which is the source of student work and the destination for grades.
6. Security
All traffic is encrypted in transit over HTTPS. LMS access uses signed OAuth requests, and LTI launches are verified against Schoology’s published signing keys. Data is isolated per institution (tenant), and student-identifying content is redacted from operational logs. Access to production systems is limited to authorized personnel.
7. Children’s privacy
DoubleXL Assess is a tool for K–12 schools and is not directed to children as a consumer service. Any student data is provided by, and processed under the authority of, the School consistent with FERPA and, where applicable, COPPA (with the School providing any required consent as permitted for educational use). Parents and eligible students should direct requests to access, correct, or delete records to their School, which controls the underlying records.
8. Your rights and choices
Because we process student data on behalf of the School, requests to access, correct, or delete student records are directed to and fulfilled through the School. Schools may contact us to exercise these rights on a student’s or parent’s behalf.
9. International data
The service is operated in the United States, and data is processed in the United States. We do not intend the service for use outside the jurisdictions our Schools operate in without a separate agreement.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by the “Last updated” date above and, where appropriate, communicated to Schools directly.