Privacy and Security
Information about Playlab’s data privacy practices and security measures
Where can I read more about Playlab’s Data and Privacy policy?
You can read Playlab Privacy Policies to learn more. For additional details, you can also read our Terms of Use and Privacy Policy.
How does Playlab monitor security?
- Playlab is protected by Cloudflare with security scanning and alerts enabled.
- For performance and error monitoring we use sentry.io and built-in application monitoring inside Fly.io.
- Playlab recently passed a third-party code audit, and our SOC 2 audit is in progress.
- Changes to the platform are reviewed before being released, and we use automated dependency and code security scanning systems to monitor our codebase.
Where is Playlab hosted?
- Our servers and all services except for Mistral AI integration are based in the US. Mistral API servers are based in the European Union.
- Our servers are hosted on Fly.io, a SOC 2 certified provider with a similar set of controls (e.g., access control, VPN, management of underlying infrastructure) to those of AWS/GCP/Azure.
How does Playlab protect student information?
- Students can use apps anonymously without sharing personal information.
- If you collect student usage data, students can create an account directly or sign up using Single Sign-on services like Clever or Google.
- We only collect a student’s name, email, and enrolled classes through sign-up or rostering services.
- All data generated by students stays private to your organization and is only accessible to people with requisite permissions.
- Playlab does not share your data with AI models for training.
What educational privacy laws does Playlab comply with?
Playlab adheres to applicable privacy laws including:
- Family Educational Rights and Privacy Act (FERPA)
- Children’s Online Privacy Protection Act (COPPA)
- ERMA
- California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR) for EU users (In Process)
How does FERPA compliance actually work?
FERPA has clear requirements for how we protect student information, use it, and disclose it. We had an independent legal and technical team review our systems to ensure compliance, and our systems have been audited by New York City Public Schools.
How does COPPA compliance actually work?
Playlab voluntarily complies with COPPA. We do not knowingly collect personal information from children under 13 unless a school has authorized us to collect such information. We rely on schools to provide appropriate consent for students under 13 to use our services. We use Student Data only for providing educational services and do not retain it longer than necessary.
What happens if a student adds Personal Information in their response?
All data is logically segregated to your organization and workspace - adding information to Playlab is similar to adding information to a Google Doc or Drive. We are exploring integrations with services that automatically strip personal information. Any data used for research will be de-identified and anonymized.
What happens if I say something it doesn’t like?
Playlab prohibits posting offensive, harmful, or misleading content. If users violate the Terms of Service, Playlab may suspend or terminate access without notice for material breaches.
However, the platform will moderate responses for bias or negative content.
Is my data used to train AI models?
No data originating from Playlab is used by our AI Providers to train AI models.
- When using Mistral, Mistral does not retain conversational data beyond the time needed to generate a response.
- When using OpenAI or Anthropic, they may retain conversation data for up to 30 days to provide services and identify abuse.
Playlab’s equity mission is to build fully open educational AI models that can be downloaded and used privately and for free. We plan to de-identify conversational data to train open educational AI models that will be shared freely. If you’d like to opt-out, email [email protected].
What personal information does Playlab collect?
Playlab collects:
- Account information (name, contact information, credentials)
- User content (including prompts and responses)
- Communication information
- Usage data about how users interact with the platform
- Student data provided by educational institutions
How does Playlab use personal information?
Playlab uses information to:
- Improve their services
- Communicate with users
- Prevent fraud and ensure security
- Comply with legal obligations
- Support academic and scientific research through de-identified data
Does Playlab sell data or use it for advertising?
No, Playlab does not sell or rent personal information to third parties. They also do not use personal information for advertising purposes or allow third parties to collect personal information for marketing purposes.
Can we view user conversations?
Only creators and those with permissions can view conversations with their Playlab app. Conversations are marked anonymous unless used by another workspace member logged into Playlab. This information is not used to train AI or repurposed for other reasons.
How does Playlab handle AI-generated content accuracy?
Playlab acknowledges that AI tools may generate responses that aren’t always factually accurate. They advise not to rely on the factual accuracy of outputs. If users notice inaccurate personal information, they can flag the conversation in the app.
How does Playlab manage security incidents?
How we identify security risks
- Playlab employs various automated security scanning tools configured to provide real-time alerts.
- All employees and contractors pass background checks before starting work.
- Playlab requires 2FA on all internal accounts and centrally manages access through an identity provider.
- All Playlab devices run up-to-date antivirus and firewall software.
How we handle incidents
- Incidents are classified into four categories: Low, Medium, High, and Critical.
- Customers potentially affected by Critical incidents are notified within 24 hours, and those affected by High incidents within 72 hours.
- After incident resolution, a post-mortem is conducted and shared with any customers whose data was affected.
Data return, transition, and destruction
- Archived apps or workspaces are deleted from our systems after 30 days. To protect against accidental deletion, users cannot directly delete apps or workspaces.
- If you accidentally archive a workspace or app, email us within 20 days for restoration.
- All conversational data is de-identified and deleted after 12 months.
Who might Playlab share user information with?
Playlab may share information with:
- Service providers that help operate their platform
- Academic and scientific researchers (de-identified data only)
- Legal authorities when required by law
How robust is Playlab against prompt injection?
While nothing is currently perfect, there are additional moderation and safety measures built into Playlab to make prompt injection more difficult.
What should users do if they have privacy concerns or questions?
For privacy concerns, data requests, or suspected violations of privacy laws, users can contact Playlab at [email protected].
Does Playlab allow third-party tracking or advertising?
No, Playlab does not allow third-party advertisements, marketing, or other third-party advertising or promotions in their services. They also don’t permit contextual advertisements in the services.