📋 Data Processing Agreement (DPA)

For Schools, Districts, and Educational Institutions

Effective Date: December 6, 2025

1. Introduction

This Data Processing Agreement ("DPA") is entered into between GuroHero ("Processor" or "Service Provider") and your educational institution ("School" or "Data Controller"). This DPA supplements our Terms of Service and Privacy Policy.

2. Scope and Applicability

This DPA applies when GuroHero processes personal data on behalf of your school in connection with the GuroHero lesson planning service. This is particularly relevant for GDPR compliance if your school is located in the EU or has EU students.

      ⚠️ Important Note: Schools must NOT input student personal data (names, IDs, grades, etc.) into GuroHero. This DPA assumes lesson planning is done at the educator level only, with no student PII collected.
    

3. Data Processing Details

A. Data Controller

Your educational institution acts as the Data Controller

B. Data Processor

GuroHero acts as the Data Processor

C. Subject Matter

Processing of educator account data and lesson plan content

D. Nature of Processing

Storage of lesson plans and educational content
Authentication and account management
Service analytics and improvement
Payment processing (for paid plans)

4. Types of Personal Data Processed

GuroHero may process the following personal data:

Educator name and email address
School affiliation (optional)
Lesson plan content (which should NOT contain student PII)
Usage logs and analytics
IP address for security and service improvement

5. Duration of Processing

GuroHero will process personal data for as long as your school uses the Service, plus 30 days following account termination for backup and recovery purposes.

6. Processor Obligations

GuroHero commits to:

Process data only on documented instructions from your school
Ensure persons authorized to process data are under confidentiality obligations
Implement appropriate technical and organizational security measures
Assist your school with data subject rights requests (access, deletion, portability)
Delete or return all personal data upon termination of the service agreement
Allow your school to audit our data processing practices upon reasonable notice
Notify your school without undue delay of any personal data breach

7. Sub-Processors

GuroHero uses the following sub-processors for data processing:

Google Firebase: Cloud hosting, authentication, and database services
Google Gemini AI: AI-powered content generation (lesson specifications only, no student data)
Google Analytics: Service usage analytics (anonymized)

Your school will be notified if we add or change sub-processors. You may object to new sub-processors by contacting us at info@gurohero.online.

8. Data Subject Rights

GuroHero will assist your school in fulfilling the following rights of data subjects upon request:

Right of Access: Educators can access their personal data
Right to Rectification: Corrections to inaccurate data
Right to Erasure: Deletion of personal data
Right to Data Portability: Receive data in a structured format
Right to Object: Objection to certain processing

9. Data Security

GuroHero implements the following security measures:

HTTPS/TLS encryption for data in transit
Encryption at rest for sensitive data in Google Firebase
Access controls and authentication (Google Sign-In, Firebase Auth)
Regular security monitoring and updates
Compliance with OWASP security standards
Annual third-party security assessments

10. Data Breach Notification

In the event of a confirmed data breach affecting personal data processed under this DPA, GuroHero will:

Notify your school within 24 hours of discovery
Provide details of the breach, affected data, and potential impact
Describe measures taken to mitigate the breach
Assist your school in meeting regulatory notification requirements

11. International Data Transfers

Your data is stored in Google Firebase data centers, which may be located in the United States or other jurisdictions. By using GuroHero, your school consents to the transfer of personal data outside the EU (if applicable) in accordance with appropriate safeguards and legal mechanisms.

12. Data Deletion Upon Termination

Upon termination of your school's account:

All personal data will be deleted from production systems within 30 days
Backup copies may be retained for up to 90 days for recovery purposes
Your school may request immediate deletion, which will be processed within 5 business days
A deletion confirmation will be provided upon completion

13. Contact for Data Protection Inquiries

For questions about this DPA, data processing practices, or to exercise data subject rights, please contact:

Email: privacy@gurohero.online
Email: info@gurohero.online
Response Time: 10 business days

14. Governing Law

This DPA is governed by the laws of the Philippines. However, if your school is in the EU, GDPR requirements will supersede conflicting provisions in Philippine law.

15. Updates to This DPA

GuroHero may update this DPA from time to time to reflect changes in data processing practices or legal requirements. Schools will be notified of material changes.

Ready to Sign?

Schools can request a formal signed DPA by contacting our support team at info@gurohero.online. Please include your school name, contact person, and jurisdiction.