U
Udooku

Privacy Policy

Last updated: 10 June 2026

This Privacy Policy explains how Udooku ("Udooku", "we", "us") handles personal information in connection with our Student Information System (the "Service"). It applies to information about the institutions that subscribe, their staff, and the students whose records those institutions manage in the Service.

1. Our role: controller vs. processor

For account and billing information about a subscribing institution and its staff, Udooku is the controller. For student records that an institution enters into the Service, the institution is the controller and Udooku acts as its processor — we process that data only to provide the Service and on the institution's instructions. We do not sell or rent personal information and we do not use student data for advertising. Our binding processor commitments to institutions — including FERPA "school official" status, security and breach notification — are set out in our Data Processing Agreement.

2. Information we collect

  • Account & staff data — names, email addresses, role and authentication data for the people who use the Service on your behalf.
  • Customer Data (student records) — the information your institution uploads or enters: applicant and student profiles, enrollment, attendance, grades, documents, and tuition records.
  • Payment data — subscription and student-payment transactions are processed by Stripe. We receive limited details (e.g., card brand, last four digits, status); we do not store full card numbers.
  • Technical & usage data — log data such as IP address, browser, and actions taken, used to operate, secure and improve the Service.

3. How we use information

  • To provide, maintain, secure and support the Service;
  • To process subscriptions and student payments through Stripe;
  • To authenticate users and enforce access controls and plan limits;
  • To communicate with you about your account, security and service changes;
  • To comply with legal obligations and enforce our Terms.

4. Service providers (sub-processors)

We share data with vendors who process it on our behalf, under contracts that require appropriate protection:

  • Stripe — payment processing for subscriptions and student payments.
  • Cloudflare R2 — encrypted storage for documents in the Digital Vault.
  • Amazon Web Services (AWS) — application hosting and managed, encrypted databases.

We do not sell or rent personal information, and we do not share it with third parties for their own marketing.

5. How we protect data

We use encryption in transit (TLS/SSL) and at rest, short-lived signed links for document access, role-based access controls, per-organization tenant isolation, audit logging of sensitive actions, and reputable cloud infrastructure (AWS) with redundant backups. No system is perfectly secure, but we work to protect your data and to limit access to those who need it to operate the Service.

Breach notification. If we confirm a security breach affecting an institution's data, we notify that institution without undue delay and no later than 72 hours after confirmation, so it can meet its own duty to notify affected students and regulators. The binding commitment is in our Data Processing Agreement.

6. Data retention

  • We retain Customer Data for as long as your subscription is active.
  • After cancellation we retain your data for 90 days so you can resubscribe and restore it, or request an export. After 90 days we permanently delete it from our active systems, and encrypted backups are purged on our normal cycle.
  • Your institution remains responsible for retaining records it is legally required to keep (e.g., BPPE's five-year requirement). Export those before cancelling.
  • We may retain limited account/billing records longer where required for legal, tax or accounting purposes.

7. Your rights & choices

Depending on your location and role, you may have rights to access, correct, export or delete personal information. Because student data is controlled by the institution, if a student, parent or staff member asks us directly to access, copy (for example, a transcript), correct or delete their records, we do not act on it ourselves — we forward the request to the institution's administrator and assist the institution in responding. To make a request, email support@udooku.com.

8. Students & children's data

We handle student records on behalf of the institution and only to provide the Service. With respect to education records, the institution designates Udooku as a "school official" with a legitimate educational interest under FERPA (34 CFR § 99.31(a)(1)): we act under the institution's direct control, use the records only to provide the Service, and do not re-disclose them except on the institution's instructions or as required by law. The institution remains responsible for any required FERPA notices and consents. We do not use student data to build advertising profiles or for any purpose other than providing the Service. See our Data Processing Agreement for details.

9. Cookies & sessions

We use strictly necessary cookies to keep you signed in and to secure the Service. We do not use third-party advertising cookies.

10. International transfers

We and our providers may process data in the United States and other countries. Where required, we rely on appropriate safeguards for cross-border transfers.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version here with a new "Last updated" date and, for material changes, provide reasonable notice.

12. Contact

Questions about this policy or your data? Email support@udooku.com.