Privacy Policy

Last Updated: May 19, 2026
Company: BassemLabs Inc.
Website: bassemlabs.com
Privacy Contact: [email protected]

This Privacy Policy explains how BassemLabs Inc. collects, uses, discloses, and protects personal information when schools and their users use our services.

1. Scope

This policy applies to information processed through our products, websites, and support services, except where a separate written agreement applies.

2. Information We Collect

We may collect:

  • Account and profile data (for example: name, email, role, organization affiliation).
  • Authentication and access data (for example: login events, session metadata).
  • School-management records and user-submitted operational data (for example: student/guardian/staff profiles, enrollment and admissions records, attendance, grades/report cards, class and scheduling data, billing/invoice records, communication records, and configured custom fields/forms).
  • Service usage data (for example: feature activity, operational logs, browser/device metadata).
  • Support and communications data (for example: help requests, emails).
  • Integration data provided by customers through configured third-party services.

3. How We Use Information

We use personal information to:

  • Provide, secure, and maintain the service.
  • Operate the core school-management workflows and data records that schools manage in the platform.
  • Authenticate users and enforce access controls.
  • Deliver support and troubleshoot issues.
  • Improve reliability, performance, and product quality.
  • Comply with legal obligations and enforce agreements.

4. Data Hosting and Residency

BassemLabs runs on Amazon Web Services (AWS), including us-east-1 (United States) and ca-central-1 (Canada).

By default, we store school data in the region closest to the customer, and we can enforce region-specific storage commitments where required for compliance or contractual reasons.

5. Data Sharing

We do not sell personal information.

We may disclose information to:

  • Service providers that support infrastructure or operations.
  • Payment providers required to process transactions.
  • Communication providers used for customer notifications.
  • Professional advisors (for example legal or audit) where needed.
  • Authorities where required by law or to protect rights, safety, or security.

Current core service providers include:

  • Amazon Web Services (AWS) for cloud infrastructure.
  • Stripe for payment processing.
  • Twilio for messaging/notification delivery.
  • OpenAI for AI-assisted report-card comment generation.

6. International Transfers

Depending on the selected service region and enabled features, data may be processed in Canada, the United States, or both. We use contractual and organizational safeguards appropriate to applicable law.

7. Security Safeguards

We apply technical and organizational safeguards, including:

  • Role-based access controls, scoped permissions, and strict tenant isolation controls.
  • Encryption at rest using AES-256 for core storage systems.
  • HSM-backed root-key architecture for encryption of private integration material (such as API keys and credentials).
  • Encryption in transit with TLS 1.2 minimum and TLS 1.3 by default where client/device compatibility allows.
  • Internal service-to-service communication protected with TLS 1.3.
  • Monitoring, alerting, operational security controls, and auditable access/modification trails.
  • Audit-log retention for access/modification records for at least 90 days.

No method of transmission or storage is 100% secure, but we continuously improve our safeguards.

8. Breach Notification

If we confirm a security incident involving your data, we will notify the affected school without undue delay and no later than 24 hours after confirmation of the incident, unless a shorter period is required by law or contract.

Where required by law, we will support customers with information needed for regulator and affected-individual notification obligations.

9. Data Retention and Deletion

We retain data as needed to provide services, meet legal obligations, resolve disputes, and enforce agreements.

When a school offboards:

  • The school may request a full export of customer data through a verified manual support process.
  • The school may request deletion of customer data, subject to legal retention obligations.
  • If deletion is not requested, user access for teachers/parents/students can be disabled while allowing the organization owner to retain historical access as needed.

Even after deletion requests, we may retain limited records we are legally required to keep (for example core organization account records and invoicing records).

10. Your Rights

Depending on jurisdiction, individuals may have rights to access, correct, delete, or request portability/restriction of personal information.

Requests can be submitted to [email protected].

11. Education Data

Where our services are used in education contexts, we process data according to school instructions and applicable privacy and education laws, including customer contractual requirements.

12. Children

Our services are designed for schools and are used under school and parent/guardian governance. We process student information as instructed by schools under applicable law and agreement terms.

13. Third-Party Integrations

Schools may enable integrations (for example Google Classroom). Third-party platform privacy practices are governed by their own policies and terms.

14. Changes to This Policy

We may update this policy from time to time. Material changes will be posted with an updated effective date.

15. Contact

For privacy questions or requests, contact:
[email protected]

BassemLabs operates as a remote-first company and does not publish a public office address. Official legal notices can be coordinated through the contact email above.