Bill 194 Compliance Matrix

Data must be stored in Canada

All data hosted in AWS Montreal (ca-central-1)

No transfer to foreign jurisdictions without consent

Data never leaves Canada. No cross-border transfers.

Collect only necessary personal information

We collect 0 (zero) fields of student PII. Only randomized emoji identifiers.

Purpose limitation for collected data

Data used solely for educational progress tracking. No marketing or advertising.

Retention limitation

Student data auto-purged at end of school year or upon teacher request.

No collection of student names

Students identified by random usernames only (e.g., "CosmicPanda42").

No collection of student emails

No email required. Authentication via emoji-based passphrase.

No collection of biometric data

Not collected. No facial recognition, voice, or fingerprint data.

Parental consent for students under 13

Not required. Zero PII architecture means no personal information to consent to.

Data encrypted in transit

TLS 1.3 for all connections. HTTPS enforced.

Data encrypted at rest

AES-256 encryption on database storage (Supabase/PostgreSQL).

Secure authentication

Teachers: Supabase Auth with bcrypt hashing. Students: Zero-knowledge emoji login.

Access controls

Row-level security (RLS) policies. Teachers only see their own classes.

Student nicknames protected

Client-side AES-256-GCM encryption. Server never receives plaintext or key.

Key derivation

PBKDF2 with 600,000 iterations (OWASP 2023 recommendation).

Decryption capability

Platform cannot decrypt nicknames. Only teacher with passphrase can.

Clear privacy policy

Published at /privacy. Plain language. Updated December 2025.

Data Processing Addendum available

Available at /dpa for institutional customers.

Contact for privacy inquiries

support@argraide.com

Vetted subprocessors only

Supabase (Canada), Stripe (PCI-DSS compliant), Vercel (USA - no student data).

AI processing disclosure

AI generates activities only. No student data sent to AI providers.