Privacy Policy
Last Updated: March 11, 2026
1. Introduction
Groupimize LLC ("Groupimize," "we," "our," or "us") is committed to protecting the privacy of students, instructors, and institutional users who access our services. This Privacy Policy describes how we collect, use, store, and disclose information through our Canvas LTI-integrated instructional tool.
Groupimize is designed for use within higher education courses and operates exclusively as a tool integrated into the Canvas Learning Management System (LMS) via the Learning Tools Interoperability (LTI) standard. We are committed to compliance with the Family Educational Rights and Privacy Act (FERPA), applicable state privacy laws, and institutional data protection policies.
2. Scope
This Privacy Policy applies to all users who access Groupimize through Canvas LTI integration, including students, instructors, and institutional administrators. It covers data collected, processed, and stored by Groupimize in connection with our educational services.
3. Information We Collect
3.1 Information Received from Canvas (Automatic)
When you access Groupimize through Canvas, the following information is transmitted to us automatically via the LTI launch:
- Canvas User ID (a pseudonymous identifier assigned by your institution's Canvas instance)
- Full name (as configured in Canvas by your institution)
- Canvas Course ID and course title
- User role (student or instructor)
We do not collect email addresses, student ID numbers, dates of birth, Social Security Numbers, financial data, or health data.
3.2 Information You Provide (User-Initiated)
- Survey responses to instructor-assigned multiple-choice questions, which may include optional demographic questions (e.g., personality type) at the instructor's discretion
- Peer review ratings of teammates (letter-grade scale, A through F)
- Optional written peer review comments
3.3 Information We Do Not Collect
Groupimize does not collect or process:
- Email addresses
- Student ID numbers or government identifiers
- Financial or payment information
- Health or medical data
- Political, religious, or philosophical beliefs
- Biometric or genetic data
- Location or GPS data
- Browsing history or tracking cookies
Groupimize uses only a single session cookie required for application functionality. No analytics cookies, tracking pixels, or web tracking technologies are used.
4. How We Use Your Information
We use the information we collect exclusively for the following educational purposes:
- Facilitating algorithmic student group formation based on instructor-defined survey criteria
- Enabling structured peer review of group collaboration
- Calculating aggregated soft skill performance metrics (KPA scores) for instructors and individual students
- Displaying group compositions and peer review results to authorized instructors
- Supporting the educational mission of the courses in which Groupimize is deployed
We do not use your data for product improvement, analytics, marketing, advertising, profiling, or any non-educational purpose. We do not sell, rent, or trade your personal information to any third party.
5. Data Retention and Deletion
5.1 Course Finalization
When an instructor finalizes a course, or automatically 30 days after the course or semester ends, the following actions occur:
- Permanently deleted: Student names, all individual survey responses, and demographic data submitted for group formation.
- Retained: Canvas User ID (pseudonymous), peer review scores and comments, and aggregated KPA metrics. This retained data uses pseudonymous Canvas User IDs rather than directly identifiable information, supporting longitudinal assessment of student soft skill development across courses.
5.2 User Deletion Requests
Users may request complete deletion of their personal data at any time by contacting support@groupimize.com. Deletion requests will be fulfilled within 30 days.
5.3 Contract Termination
Upon termination of a service agreement with an institution, institutional data will be available for export for 90 days. After this period, all institutional data will be permanently deleted from our systems and backups.
6. Data Security
Groupimize implements the following security measures to protect your information:
- Encryption in transit via TLS 1.2+ (HTTPS enforced on all connections via Application Load Balancer with AWS Certificate Manager)
- Encryption at rest via AWS RDS with AWS Key Management Service (AES-256)
- Role-based access control: students see only their own data within enrolled courses; instructors see only their own courses
- Rate limiting on all sensitive endpoints (Redis-backed)
- CSRF protection on all form submissions
- Server-side input validation and error sanitization
- Firewall (UFW) and AWS Security Groups restricting network access
- SSH key-based authentication for server access (password authentication disabled)
- Parameterized database queries (SQLAlchemy ORM) to prevent SQL injection
- Auto-escaping HTML templates (Jinja2) to prevent cross-site scripting
- AWS Web Application Firewall (WAF) with managed rule groups protecting against OWASP Top 10 vulnerabilities, known malicious IPs, and common exploit patterns
- Application Load Balancer spanning three availability zones for traffic routing and SSL/TLS termination
- AWS GuardDuty for continuous network-based threat detection and anomaly monitoring
- VPC Flow Logs capturing all network traffic for security analysis
- CloudWatch Alarms with SNS email notifications for automated monitoring of system health and error rates
- AWS Inspector for continuous automated vulnerability scanning
7. Third-Party Services
Groupimize uses the following third-party services:
- Amazon Web Services (AWS): Provides cloud infrastructure (EC2 compute, RDS PostgreSQL database, KMS encryption, Application Load Balancer, WAF, GuardDuty, Inspector, CloudWatch, Route 53 DNS, and Certificate Manager). AWS acts as a data processor and does not access or use student data for its own purposes. AWS maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications. All data is stored in the US-East-2 (Ohio) region.
No other third parties have access to institutional or student data. We do not share data with advertising networks, data brokers, or analytics providers.
8. FERPA Compliance
Groupimize is designed to operate in compliance with the Family Educational Rights and Privacy Act (FERPA). We function as a "school official" with "legitimate educational interests" under FERPA, as our services are used to support instructional activities authorized by the institution. We access only the education records necessary to provide our services, use education records solely for the purposes for which we are authorized, and do not disclose education records to third parties except as required to provide our services (i.e., AWS as a data processor) or as required by law.
9. Access Control
Groupimize enforces strict role-based access controls:
- Students can view only their own survey responses, group assignments, peer review submissions, and KPA scores within courses in which they are enrolled.
- Instructors can view survey responses, group compositions, peer review results, and KPA scores only for courses they teach.
- No cross-course data access is possible.
- Only the Groupimize founder/administrator has access to the production database for maintenance purposes, via SSH key authentication.
10. Your Rights
You have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate personal data
- Request deletion of your personal data
- Request that we stop processing your personal data
- Receive a copy of your personal data in a structured format
To exercise any of these rights, please contact us at support@groupimize.com. We will respond within 30 days. Students may also contact their institution's registrar to exercise rights under FERPA.
11. Data Hosting and Location
All data is collected, processed, and stored within the United States. Our infrastructure is hosted on Amazon Web Services in the US-East-2 (Ohio) region. No data leaves the United States. Groupimize LLC is incorporated in Massachusetts and subject to U.S. federal and Massachusetts state laws.
12. Data Breach Notification
In the event of a data breach affecting personal information, Groupimize will notify affected institutions within 72 hours of confirming the breach, in compliance with Massachusetts data breach notification law (M.G.L. c. 93H) and applicable state and federal regulations. Notification will include the nature of the breach, the data affected, and the remedial actions taken. Groupimize maintains cyber liability insurance to support breach response and remediation.
13. Law Enforcement Requests
Groupimize will only disclose information to law enforcement when required by valid legal process (subpoena, court order, or warrant). The affected institution will be notified of such requests unless prohibited by law. We do not voluntarily share data with law enforcement.
14. Automated Processing and Decision-Making
Groupimize uses a simulated annealing optimization algorithm to assist instructors with student group formation. This algorithm provides group assignment recommendations based on instructor-defined survey criteria. Instructors retain full discretion to review, modify, and approve all group assignments before they are finalized. No fully automated decisions are made about students without instructor oversight. Peer review scores are aggregated mathematically (averaging) with no automated decision-making applied to the results.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to institutional administrators with at least 30 days' advance notice. The "Last Updated" date at the top of this policy indicates the most recent revision. Continued use of Groupimize after changes are communicated constitutes acceptance of the revised policy.
16. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Groupimize LLC
Email: support@groupimize.com
Address: 68 Harrison Ave, Ste 605 #424374, Boston, MA 02111
Website: https://groupimize.com