Resso.ai Education & Institutional Privacy Policy

Effective date: September 3rd, 2025

Last updated: January 1st, 2026

Company: Resso Group Inc. (“Resso.ai”, “we”, “us”)

Applies to: Resso.ai services provided to schools, school boards, and other educational institutions (“Institutions”), including K–12 and post-secondary (the “Services”).

1) Scope and purpose

This Privacy Policy describes how we collect, use, disclose, retain, and protect information when the Services are used under an agreement with an Institution (including board-wide, school-wide, classroom subscriptions, pilots, or trials).

This Education & Institutional Privacy Policy does not apply to Resso.ai’s corporate/commercial offerings or marketing websites, which are governed by separate policies available at: https://www.resso.ai/privacy

2) Roles and accountability

When an Institution subscribes to or authorizes use of the Services, the Institution typically controls how the Services are configured and used in its environment (for example: who can access, which features are enabled, and whether accounts are identified or pseudonymous). Resso.ai provides and supports the Services in accordance with the Institution’s instructions and the applicable agreement.

Privacy contact:

Email: contact@resso.ai

Mail: 5151 New St. Burlington ON, L7L 1V3 Canada

Attention: Martin Borowski

3) Information we collect

We collect only the information needed to provide, secure, and support the Services.

A) Account and access information

Depending on the Institution’s deployment configuration, we may collect:

• Name, school/board affiliation, role (student/educator/admin)

• Email address or other identifier used for authentication

• Login/security metadata (e.g., timestamps, device/browser details, IP address for security)

SSO: If the Institution enables single sign-on (SSO), we may receive limited identity attributes from the Institution’s identity provider to authenticate and provision access.

B) Student/educator content

Depending on features enabled and user actions, we may process content users create or upload, such as:

• practice responses, reflections, and assignments

• resumes, cover letters, and other career materials

• teacher feedback, rubrics, and related learning artifacts

Copyright: Students and educators (or the Institution, where applicable) retain ownership of their content. Resso.ai receives a limited license to host, process, and display that content only to provide the Services.

C) In-app usage and learning activity

We may collect in-app events needed to operate the Services, such as:

• feature usage, completion status, and progress indicators

• administrative actions (e.g., creating classes/groups, assigning activities)

D) Technical, security, and diagnostic information

We collect logs and diagnostics to protect and operate the Services, including:

• system logs, error reports, audit logs for administrative actions

• device/browser type and approximate network location derived from IP (for security)

What we do not collect

• No targeted advertising data

• No GPS location data

• No tracking of student behavior outside the Services (no browsing history, search history, or social media tracking)

• No marketing analytics embedded in the student/educator application environment

4) How we use information

We use information to:

1. Provide the Services (including delivering features the Institution enables)

2. Authenticate users and administer accounts and permissions

3. Maintain security, prevent misuse, and investigate suspicious activity

4. Provide support and respond to Institution requests

5. Maintain, debug, and improve reliability and performance

No marketing use of student data: We do not use student personal information for marketing or targeted advertising.

De-identified and aggregated data: We may create and use de-identified/aggregated information to improve service quality and safety and to develop product insights, provided it does not reasonably identify a student, educator, or Institution and we do not attempt re-identification.

5) AI and model training

Resso.ai may use automated processing to provide feedback and functionality within the Services.

No training on Institution data by default: We do not use Institution data (including student or educator content) to train our models or third-party foundation models unless the Institution explicitly opts in through a written agreement that defines scope, safeguards, and any limitations.

6) How we disclose information

We disclose information only as necessary for the purposes in this Policy.

A) To the Institution

Institution administrators and authorized staff may access information and reports as configured by the Institution, including account management, roster information, and progress/usage reports, subject to role-based access controls.

B) To service providers (subprocessors)

We use vetted third-party service providers to host and operate the Services (for example: cloud hosting, email delivery for administrative notices, logging/monitoring, and customer support tools). These providers:

• act only on our instructions,

• are contractually required to protect information, and

• must maintain safeguards equivalent to or stronger than ours.

Subprocessor transparency: We maintain a list of subprocessors used for the Education Services and will provide it upon request and/or via a published subprocessor page for Institutions. We will provide advance notice of material subprocessor changes where required by agreement or applicable expectations.

C) For legal compliance and safety

We may disclose information if required to comply with law, regulation, legal process, or valid governmental request. Where legally permitted, we will notify the Institution and cooperate to narrow the request.

D) Business transfers

If Resso.ai undergoes a merger, acquisition, or sale of assets, information may be transferred as part of that transaction. Any successor will be required to protect the information under obligations that are equivalent to or stronger than those in this Policy and the applicable Institution agreement. We will provide notice to Institutions consistent with our contractual commitments and applicable law.

7) Data residency and storage

Default for Ontario Institutions: Institution data is hosted and stored in Canada using Microsoft Azure Canada regions, unless otherwise agreed in writing with the Institution.

Storage model: Data is stored in secure cloud infrastructure. Some limited operational metadata may be processed by essential service providers used for authentication, security monitoring, or support, as disclosed in the subprocessor list and agreements.

8) Data retention and deletion

Retention depends on the Institution’s deployment configuration, enabled features, and agreement terms.

• We retain information only as long as needed to provide the Services, meet contractual obligations, and comply with legal requirements.

• Upon expiration or termination of the Institution’s subscription, we will delete Institution data within a defined period, subject to any agreed export window and legal retention requirements.

• Backups are retained for a limited period and are purged on a rolling basis after deletion.

Institution control: Institutions may request earlier deletion or specific retention configurations where supported and documented in the agreement.

9) Security safeguards

We maintain appropriate administrative, technical, and physical safeguards designed to protect information, including:

• encryption in transit and at rest

• role-based access controls and least-privilege access

• MFA for administrative access

• logging and monitoring

• vulnerability management and patching

• backups and disaster recovery processes

Additional security details may be provided to Institutions under a security appendix or as part of procurement due diligence.

10) Incident response and breach notification

We maintain an incident response protocol for containment, investigation, remediation, and communication.

If we confirm a security incident involving Institution data, we will notify the Institution without undue delay and in accordance with any timeframe specified in the Institution agreement, and we will provide information reasonably needed for the Institution to meet its legal and policy obligations.

11) Children and student users

The Services are intended for use in educational settings under an Institution’s authorization and supervision, and as permitted by applicable law and board policy. Institutions are responsible for providing notices and obtaining any required permissions/consents for student use.

12) Individual rights and requests

For Education deployments, privacy requests (access, correction, deletion) are typically handled through the Institution. Students, educators, or guardians should contact their school/board administrator first. Institutions may also contact Resso.ai at the privacy contact above for assistance.

13) Changes to this Policy

If we make material changes to this Policy, we will provide notice to Institutions by one or more of:

• email to the Institution’s designated administrative contact(s),

• in-app administrative notification, and/or

• prominent notice within the Services before changes take effect.

14) Contact us

Email: contact@resso.ai

Mail: 5151 New St. Burlington ON, L7L 1V3 Canada

Attention: Martin Borowski