Data Processing Agreement

Last updated:

1.Introduction

This Data Processing Agreement (“DPA”) is entered into between Gamivize LLC, a limited liability company with its principal place of business in Alexandria, Egypt (“Gamivize”), and the School, educational institution, or organization that has agreed to Gamivize’s Terms of Service (“School”).

This DPA describes how Gamivize collects, uses, stores, and protects personal data — particularly student data — in connection with the Gamivize platform. It forms part of the agreement between Gamivize and the School and should be read alongside the Gamivize Terms of Service.

Gamivize takes its role as a processor of student data seriously. This document is written to be clear and straightforward, because we believe schools and families deserve to understand exactly how student data is handled — not just that it is handled responsibly.

2.Roles and Responsibilities

Who controls the data? The School is the data controller. This means the School decides what data is collected, for what purpose, and who has access to it within the platform. The School is responsible for ensuring it has the appropriate legal authority to share student data with Gamivize.

What is Gamivize’s role? Gamivize is the data processor. This means Gamivize processes personal data only on behalf of the School, only for the purposes the School has authorized, and only in the ways described in this DPA. Gamivize does not make independent decisions about how student data is used.

What does this mean in practice? The School instructs Gamivize through its use of the platform — for example, by creating student accounts, assigning courses, and generating reports. Gamivize acts on those instructions to deliver the Service. If a school wants data deleted, exported, or restricted, Gamivize will fulfill that request as described in this DPA.

3.What Data Gamivize Collects

Gamivize collects only the data necessary to deliver the educational service. Below is a clear breakdown by user type.

Student Data

  • First and last name

  • School-assigned username or student ID Email address (only if provided by the School at its discretion)

  • Grade level or class

  • Learning progress data — course completion status, quiz scores, and assignment results

  • Game performance data — points earned, badges, levels achieved, and leaderboard rankings

  • Login timestamps and platform activity logs

Teacher and Administrator Data

  • Full name

  • Work email address

  • Job title and role

  • School or institution name

  • Login and activity data within the platform

Parent Data

  • Full name

  • Email address

  • Communication and community interaction data within the School’s parent forum or community feature

What Gamivize does not collect Gamivize does not collect home addresses, financial information, government identification numbers, health or medical information, special education status, disability information, race or ethnicity, or biometric data. Schools should not upload any such sensitive data to the platform.

4.Why Gamivize Processes This Data

Gamivize processes personal data for the following specific purposes only:

  • Delivering the Service — to provide, operate, and maintain the Gamivize LMS on behalf of the School

  • Learning analytics and reporting — to generate progress reports and performance insights for teachers and administrators

  • Gamification features — to operate the points, badges, levels, and leaderboard mechanics within the educational context

  • Parent engagement — to support parents in monitoring their child's progress and participating in the school community

  • Customer support — to help the School and its users resolve issues with the platform

  • Legal compliance — to meet Gamivize's obligations under applicable law

Gamivize does not process personal data for any other purpose. If Gamivize ever needs to process data for a new purpose, it will notify the School in advance and seek agreement before doing so.

5.What Gamivize Will Never Do With Student Data


Gamivize makes the following firm commitments regarding student data:

We will never sell student data. Gamivize will not sell, rent, lease, trade, or otherwise transfer student personal information to any third party for commercial purposes, under any circumstances.

We will never use student data for advertising. Gamivize does not display advertising to students and does not use student data to target advertising at anyone.

We will never build commercial profiles of students. Gamivize does not use student data to create behavioral profiles, interest graphs, or any other commercial data products about students.

We will never use student data to train AI or machine learning models. Gamivize does not use student personal data to train artificial intelligence, machine learning systems, or any automated decision- making models.

We will never share student data with unauthorized third parties. Student data is shared only with the subprocessors described in Section 6 of this DPA, and only to the extent necessary to deliver the Service.

6.Children's Privacy — COPPA and FERPA

COPPA (Children's Online Privacy Protection Act) The Gamivize platform may be used with students under the age of 13. In the educational context, schools may provide consent on behalf of parents for the collection of student personal data — but only where that data is used exclusively for an educational purpose and for no commercial purpose.

By accepting this DPA, the School confirms that it is providing COPPA consent on behalf of the parents and guardians of its students under 13 for the limited educational data collection described in this DPA. Gamivize provides the School with all required COPPA data collection notices, and the School is responsible for making those notices available to parents upon request.

All student data — regardless of whether a student is under or over 13 — is handled with the same protections described in this DPA.

FERPA (Family Educational Rights and Privacy Act) Gamivize acknowledges that any student education records shared by the School are disclosed under the FERPA "school official" exception. Under this exception, Gamivize agrees to:

  • Operate under the direct control of the School with respect to the use of student education records

  • Use student education records only for the legitimate educational purposes described in this DPA

  • Not disclose student education records to any other party without the School's written authorization

  • Support the School in meeting its FERPA obligations to students and parents

Gamivize supports schools in meeting their FERPA obligations. Gamivize is a data processor, not an independent data controller under FERPA — the School retains control and responsibility over its student records at all times.

State Student Privacy Laws Gamivize's data practices are designed to comply with the California Student Online Personal Information Protection Act (SOPIPA) and equivalent student privacy laws enacted across US states. These laws prohibit the use of student data for commercial profiling, data selling, and any non-educational purpose — all of which Gamivize explicitly commits to in Section 4 of this DPA.

7.Third-Party Services (Subprocessors)

To deliver the Service, Gamivize works with a small number of carefully selected third-party technology providers ("subprocessors") who may process School or student data on Gamivize's behalf. All subprocessors are bound by data protection agreements that require them to handle data with at least the same level of protection described in this DPA.

A current list of Gamivize's subprocessors is available upon request by contacting info@gamivize.com.

Adding new subprocessors Gamivize will provide the School with at least 30 days' written notice before engaging any new subprocessor that will process student data. If a School has a reasonable objection to a new subprocessor, Gamivize will work with the School in good faith to address the concern.

8.Data Security

Gamivize maintains appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures are proportionate to the nature of the data processed and the risks involved in providing an educational platform.

Access to student data within Gamivize is limited to authorized Gamivize personnel who require it to deliver or support the Service, on a strict need-to-know basis. All such personnel are bound by confidentiality obligations.

Schools that require detailed information about Gamivize's specific security practices are encouraged to contact us at info@gamivize.com. We are committed to transparency and will respond to reasonable security inquiries from schools and their procurement teams.

9.Warranties and Disclaimers

In the event of a confirmed data breach affecting student personal data, Gamivize will notify the School within 72 hours of becoming aware of the breach.

  • The notification will include, to the extent known at the time:

  • The nature and scope of the breach

  • The categories of data affected

  • The approximate number of individuals affected

  • The likely consequences of the breach

  • The steps Gamivize has taken or plans to take to address the breach and mitigate its effects

The School is responsible for determining whether and how to notify parents, guardians, and any relevant regulatory authorities in accordance with applicable law.

10.Data Retention and Deletion

While the subscription is active Gamivize retains personal data for as long as the School's subscription is active and as needed to provide the Service.

When a subscription ends Upon termination or expiration of the School's subscription:

  • The School has 30 days to export its data using the platform's export tools

  • After the 30-day export window, Gamivize will delete all School and student data from active systems

  • All data will be fully purged from backup systems within 60 days of deletion from active systems

Early deletion requests Schools may request the deletion of their data at any time by contacting info@gamivize.com. Gamivize will fulfill deletion requests within 30 days of receiving a written request.

Anonymized aggregate data Following deletion, Gamivize may retain anonymized, aggregated, non- identifiable statistics derived from platform-wide usage — data that cannot be linked to any individual student, teacher, or school — for internal product improvement purposes.

11.Parent and Student Rights

Gamivize respects the rights of students and parents under FERPA, COPPA, and applicable state law.

How parents can exercise their rights Parents who wish to access, review, correct, or request the deletion of their child's personal data should submit their request directly to their School. The School, as data controller, will coordinate with Gamivize to fulfill the request. Gamivize will respond to School- initiated data requests within 30 days.

Why requests go through the School This process preserves the correct legal structure under FERPA and COPPA — the School controls student education records, and Gamivize acts on the School's instructions.

Direct parent-to-Gamivize requests will be acknowledged and redirected to the relevant School.

12.International Data and Future Expansion

Student data is currently processed to deliver the Service to Schools in the United States. Gamivize does not currently operate in the European Union. Should Gamivize expand to EU markets in the future, this DPA will be updated prior to any such expansion to address applicable requirements under the General Data Protection Regulation (GDPR).

13.Changes to This DPA

Gamivize may update this DPA from time to time to reflect changes in the law, our practices, or theService. For material changes, Gamivize will provide at least 30 days' written notice to the School's registered administrator via email and via an in-app notification. Continued use of the Service after the effective date of any update constitutes the School's acceptance of the revised DPA.

14.Contact Us

If your school has questions about this DPA, wants to request a copy of our subprocessor list, has a data deletion or access request, or wants to discuss our security practices in more detail, please contact us:

Gamivize LLC Alexandria, Egypt info@gamivize.com

We aim to respond to all privacy-related inquiries within 5 business days.

This Data Processing Agreement was last updated on [13/05/2026]. It forms part of the Gamivize Terms of Service and should be read alongside it at gamivize.com/legal/terms.

Ready to Gamify Learning at your School?

Ready to Gamify Learning at your School?

Request a Demo

Request a Demo

Request a Demo