Where is Playlab hosted?
Playlab’s cloud infrastructure is based in the US and cloud services are hosted on Amazon Web Services (AWS). See https://trust.playlab.ai/subprocessors for a list of subprocessors.What data does Playlab collect?
Playlab collects:- Account information (name, contact information, credentials)
- User content (including prompts and responses)
- Product configuration
- Usage data about how users interact with the platform
- Student data provided by educational institutions
Who does Playlab share user information with?
Playlab may share information with:- Service providers that help operate our platform
- Academic and scientific researchers (de-identified data only)
- Legal authorities when required by law
What laws and standards does Playlab comply with?
We work with legal counsel to monitor changes in education privacy law and keep our practices current. Here’s where we stand on the frameworks most commonly asked about: Family Educational Rights and Privacy Act (FERPA) FERPA governs how we protect, use, and disclose student education records. Our systems have been reviewed by an independent legal and technical team for FERPA compliance. We are an approved vendor with the New York City Department of Education, having completed their security and privacy review process. Children’s Online Privacy Protection Act (COPPA) Playlab voluntarily complies with COPPA. We don’t knowingly collect personal information from children under 13 unless authorized by a school. We rely on schools to provide appropriate consent and use student data only for educational services. Student Data Privacy Agreements For K-12 partners, we sign student data privacy agreements as required by districts and state law. We’ve signed agreements with the NYC DOE, the California Student Data Privacy Consortium (CA-NDPA, including the AI annex), and a multi-state NDPA covering Massachusetts, Maine, Illinois, Missouri, New Hampshire, Ohio, Rhode Island, Tennessee, Vermont, and Virginia. See our full list at learn.playlab.ai/faq/Data Privacy Agreements. SOC 2 Playlab is completing a SOC 2 Type II audit. Contact us for the latest status or to request documentation. California Consumer Privacy Act (CCPA) We comply with the CCPA. We don’t sell or share personal information as defined by the CCPA. California residents can exercise their rights by emailing legal@playlab.ai. General Data Protection Regulation (GDPR) EU and UK users have rights under the GDPR and UK GDPR, including the right to access, correct, delete, restrict, or object to processing of their personal information. Contact legal@playlab.ai to exercise these rights. Please email us at legal@playlab.ai with any questions or concerns.Does Playlab use my data for AI model training?
No data originating from Playlab is used by our subprocessors to train AI models. Some subprocessors may retain data for up to 30 days to provide services and identify abuse. Playlab’s long-term equity mission includes building open educational AI models that can be downloaded and used privately and for free. We are not currently training models on user data. If we pursue training for open models in the future, we would do so in phases, with explicit informed consent, clear data eligibility categories, and an auditable de-identification process. If you have questions or want to opt out now, email dsar@playlab.ai.Does Playlab sell data or use it for advertising?
No, Playlab does not sell or rent personal information to third parties. Playlab also does not use personal information for advertising or allow third parties to collect it for marketing purposes.Who can view Playlab user conversations?
Conversations are visible only to the app’s creators and other users who have been granted access through their organization and space permissions. Student conversations are treated as anonymous by default, and are only attributable to a specific student when an authorized educator or administrator in the same organization has access and the student is authenticated in that organization.How does Playlab address privacy risk?
Playlab approaches privacy risk as an ongoing program focused on data minimization, clear consent and transparency, and compliance with global privacy regulations, with particular attention to protecting vulnerable communities. In practice, this means we:- Limit what personal data we collect and retain to what is needed to provide the service.
- Support data subject rights (like access, correction, and deletion) through our data subject request process.
- Document and assess privacy impacts of our processing, including through our Data Protection Impact Assessment (DPIA).
- Maintain a defined deletion process for removing data when it is no longer needed.
- Work with outside legal expertise to stay current with privacy requirements and expectations.
Where can I read more about Playlab’s policies?
- Terms of Use - Legal agreement for platform access; acceptable use, account rules, liability limits
- Privacy Policy - Data collection, use, storage, sharing practices
- Usage Policies - Prohibited content/behavior rules and enforcement mechanisms
- Service Terms - Terms related to Beta service
- Sharing & Publication Policy - Content sharing rules, ownership rights, visibility, licensing
What security program does Playlab follow?
Playlab maintains an information security program focused on protecting customer data through technical and operational safeguards, with continuous risk assessment and improvement. This includes controls like:- Enforcing strong authentication and role-based access controls across internal systems.
- Monitoring for outages, anomalous behavior, and potential security events across multiple layers.
- Requiring code review, testing, and approval before any change reaches production.
- Running automated security scanning and annual penetration tests.
- Maintaining a defined incident response process for detecting, containing, and learning from security events.
How does Playlab monitor for security issues?
We use multiple layers of monitoring and detection to identify outages, anomalous behavior, and potential security events, including edge protection, application monitoring, and cloud-native audit logging and alerting.How does Playlab reduce the risk of vulnerabilities?
Code changes are version controlled and require testing, review, and approval before deployment. We run automated dependency and code security scanning, and we perform annual penetration tests. Our most recent pen test report is available in our trust center.How does Playlab control access to systems and data?
We require two-factor authentication on all internal accounts and manage access centrally through an identity provider. Access is scoped by role, and employees and contractors undergo background checks.How does Playlab handle security incidents?
We have an incident response process designed to detect, contain, investigate, and learn from security events. Incidents are classified by severity, and we notify affected customers when their data is involved. After resolution, we conduct a post-mortem.For privacy concerns, data requests, or suspected violations of privacy laws, users can contact Playlab at support@playlab.ai.