Data Collection Practices
Last updated: March 26, 2026
| Data Type | Purpose | Retention | Shared With |
|---|---|---|---|
| Name & Email | Account creation, authentication | Account life + 3 years | Instructor (name only) |
| School / Institution | Instructor verification, institutional reporting | Account life + 3 years | None |
| Assignment Submissions | Grading, academic record | Account life + 3 years | Course instructor |
| Scores & Grades | Gradebook, analytics, student progress | Account life + 3 years | Course instructor, LMS (via LTI) |
| IP Address | Security, fraud prevention, session management | 90 days | Sucuri (WAF) |
| Browser / Device Info | Platform compatibility, support troubleshooting | 90 days | None |
| Payment Records | Transaction processing, refunds, accounting | 7 years | Stripe (processor) |
| Email Logs | Delivery confirmation, support follow-up | 1 year | Mailgun (delivery) |
Cookies & Tracking
Varsity Learning uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics services (no Google Analytics, no Facebook Pixel).
- Session cookie: Authenticates your login session. Expires when you close the browser or after 2 hours of inactivity.
- CSRF token cookie: Prevents cross-site request forgery attacks. Essential for form security.
- Remember-me cookie: Optional, set only if you choose "Remember me" at login. Expires after 30 days.
What We Do NOT Collect
- Social Security numbers or government-issued IDs
- Biometric data (fingerprints, facial recognition)
- Location data (GPS or geolocation)
- Social media profiles or contacts
- Health or medical information
- Credit card numbers (handled entirely by Stripe)
Third-Party Services
Amazon Web Services (AWS): Hosting, database, and file storage. Data resides in US-West-1 (N. California). SOC 2, ISO 27001 certified.
Stripe: Payment processing. PCI DSS Level 1 certified. We never handle or store raw credit card data.
Mailgun: Transactional email delivery (password resets, enrollment confirmations). Email addresses shared for delivery only.
Sucuri: Web Application Firewall and DDoS protection. Processes HTTP requests including IP addresses.
LTI Integration Data
When Varsity Learning is integrated with a Learning Management System (Canvas, Blackboard, Moodle, Brightspace) via LTI 1.3, limited data is exchanged per the LTI specification: user identifier, course context, roles, and grade passback. The LMS controls what data is sent; we process only what is necessary for the integration.
Data Deletion Requests
To request deletion of your data, email support@varsitylearning.com. We will process requests within 30 days. Note that some data may be retained to comply with legal obligations or legitimate institutional records requirements.