Privacy Policy

Privacy, Security, and Student Data Protection

This policy explains how Monday Education processes personal data for schools, learners, and families across the EEA/Norway and the United States, including FERPA, COPPA, and CCPA contexts.

  • Last updated: March 29, 2026
  • Designed for GDPR, FERPA, COPPA, and CCPA contexts

Security Controls

We apply layered technical and organizational safeguards and continuously improve them.

Transparent Processing

We explain what we collect, why we process it, and the legal basis for each purpose.

Rights and Requests

Learners, parents, and institutions can use clear request channels to exercise data rights.

Regulatory Alignment

Our program is designed to align product operations with major education privacy obligations.

1. Scope, Roles, and Commitment

Monday Education provides educational services to schools, educators, students, and families. We process personal data to deliver learning, administration, communication, and platform security functions.

Depending on the service context, Monday Education may act as a data controller, processor, service provider, or school official under customer instructions and applicable law.

This policy describes our baseline privacy practices. For institution-managed deployments, contracts such as a data processing agreement may define additional role-specific responsibilities.

2. Information We Collect

  • Identity and account data: name, email, role, school affiliation, account identifiers, and profile settings.
  • Education data: classes, assignments, submissions, grades, attendance, engagement events, and learning progress.
  • Support and communication data: support tickets, requests, feedback, and service communications.
  • Technical and security data: device, browser, IP, authentication logs, audit logs, and abuse-prevention signals.
  • Institution and integration metadata: tenant configuration, enabled integrations, and administrative settings.

3. Purposes, Legal Bases, and Processing Roles

We map each processing activity to a specific purpose and legal basis, and we document that mapping in our internal records.

  • For EEA/Norway users, legal bases generally include contract performance, legal obligation, legitimate interests, and consent where required.
  • For school-directed processing, we act under institutional instructions for educational service delivery and operational support.
  • For direct account and service operations, we may act as controller for security, fraud prevention, support, and legal compliance.
  • We do not use student personal data for unrelated behavioral advertising, and we apply purpose limitation and data minimization principles.
  • Where consent is required, we provide specific choices and withdrawal mechanisms that are as easy to use as the original consent flow.

4. Information Sharing, Vendors, and School Context

We do not sell personal information. We disclose data only for service delivery, school-authorized workflows, legal obligations, and security operations.

  • Recipient categories may include schools and authorized staff, cloud infrastructure providers, support vendors, analytics tools, and legal authorities where required.
  • Service providers handling personal data on our behalf are contractually bound by confidentiality, security, and use restrictions.
  • For school-related student records, disclosure and reuse controls are aligned with contractual and regulatory obligations, including FERPA context where applicable.
  • We maintain governance processes for vendor due diligence, subprocessor oversight, and access controls proportionate to data sensitivity.

5. Security and Incident Management

We implement technical, administrative, and organizational safeguards designed to protect confidentiality, integrity, and availability of personal data.

  • Controls include encryption in transit, access management, least-privilege principles, logging, monitoring, and change-management procedures.
  • We run risk-based security reviews, vulnerability management practices, and periodic control improvements.
  • When an incident affects personal data, we follow documented response procedures to contain, assess, remediate, and communicate.
  • Where legally required, we notify supervisory authorities, institutions, and affected individuals within applicable statutory timelines.
  • No system is risk-free, but we continuously strengthen our controls and response readiness.

6. Data Retention and Deletion

We retain personal data only for defined purposes and legal obligations, using category-based retention criteria.

  • Core account and learning records are retained while needed for active educational services and institution obligations.
  • Security, audit, and operational logs are retained according to risk, legal, and compliance requirements.
  • When data is no longer required, we delete, anonymize, or securely isolate it according to documented retention and disposal procedures.
  • Institutions may have additional retention instructions under contract and applicable education records obligations.

7. Privacy Rights and Request Workflows

Depending on jurisdiction and context, data subjects may request access, correction, deletion, portability, objection, or restriction of certain processing.

  • EEA/Norway users may exercise GDPR rights and may lodge complaints with a competent supervisory authority, including Datatilsynet in Norway.
  • US users may have additional state privacy rights, including California rights to know, delete, correct, and opt out where applicable.
  • For student records managed by schools, requests may be routed through the institution when required by law or contract.
  • Parents and eligible students have specific rights in FERPA-governed contexts through their educational institution.
  • We apply verification steps before fulfilling requests and keep records of request handling outcomes.
  • To exercise rights, use the privacy request channels listed in the Contact section below.

8. Cookies and Similar Technologies

We use essential technologies to provide secure sign-in, session continuity, and platform functionality.

  • We may use analytics technologies to understand service usage and improve reliability and usability.
  • Where required by law, we provide choice mechanisms for non-essential technologies.
  • Cookie behavior can also be managed through browser and device controls, though disabling some technologies may impact service quality.
  • We review tracking practices to support purpose limitation, data minimization, and regional legal requirements.
  • We do not use child student data collected in school context for unrelated behavioral advertising.

9. International Data Transfers

Because we support international customers and providers, personal data may be processed across borders.

  • For EEA data transfers, we use applicable legal mechanisms such as adequacy decisions or standard contractual clauses, depending on transfer context.
  • Where required, we apply supplementary technical and organizational safeguards proportionate to transfer risk.
  • We assess vendor transfer controls and require contractual commitments for confidentiality, security, and lawful processing.
  • You may contact us for additional information about transfer safeguards relevant to your deployment.

10. Children, Students, and School Deployments

We design student-facing services with elevated protections for minors and education records.

  • When required by law, including COPPA contexts, we support appropriate parent or school authorization models for child accounts and data processing.
  • Schools using the platform are responsible for institution-level notices and permissions required under their local legal obligations.
  • If we learn child data was processed inconsistently with applicable law or contract, we take corrective action, which may include restricting or deleting data.
  • Parents, guardians, and institutions may contact us regarding student privacy questions, rights requests, and data handling concerns.

11. Policy Updates and Material Changes

We may update this policy to reflect legal developments, product changes, and security or compliance improvements.

  • Material changes will be communicated through appropriate channels such as in-product notice, administrative alerts, or email where required.
  • The current version and effective date are always published on this page.
  • Where required by law, we will seek additional notice or consent before applying materially changed processing practices.
  • We encourage institutions and users to review this policy periodically.

12. Contact, Complaints, and Privacy Requests

For privacy, student data, or compliance questions, contact our privacy team.

  • General privacy contact: privacy@monday-edu.com
  • Legal department contact: legal@monday-edu.com
  • Rights requests: use the in-product request flow or contact us by email with the subject line Privacy Request.
  • School administrators may request DPA, subprocessor, transfer safeguard, and retention details through account support channels.
  • If you are in Norway or the EEA, you may also lodge a complaint with your supervisory authority, including Datatilsynet.

Need Help With Privacy or Student Data?

Our team can support access, deletion, correction, transfer, and school compliance requests.

Privacy Operations

privacy@monday-edu.com

Legal Department

legal@monday-edu.com