What a school (and its legal advisor) needs to know before entrusting us with their community's data. Campus is built to comply with Peru's Law No. 29733 on Personal Data Protection, with the reinforced protection that minors' data requires.
All traffic runs over TLS/HTTPS with HSTS. Passwords are stored as bcrypt hashes; no one —not even us— can read them.
Each school runs on its own separate database. No school can see another's data: there is no cross-contamination.
Automatic backup of every database each night, with historical retention. The director can download a full backup at any time.
We log who accesses what and when. Role-based access control with the least-privilege principle.
Pedagogical data is never hard-deleted: it is marked deleted and can be restored, with a later scheduled purge.
Access, Rectification, Cancellation, and Opposition guaranteed, with legal deadlines and a formal privacy channel.
Data is kept for the duration of the contract. Upon termination, the school exports it and it is then deleted per a written retention policy.
We publish the full list of providers that process data on our behalf and declare international transfers before the ANPD.
Under Law No. 29733, the school is the data bank owner and Clase Privada (Campus) is the data processor: we process data only on the school's behalf and per its instructions, to provide the Service. This relationship is formalized in a Data Processing Agreement (DPA) signed with each school, whose security annex summarizes the measures on this page.
Some features use external AI models to assist teachers. Before leaving, all text is pseudonymized (names replaced with pseudonyms and DNI/phone-like numbers removed). AI suggestions always go through the teacher's human review, and each school can fully disable AI use while keeping the rest of the Service.
These are all the providers that process data on our behalf to deliver the Service. Those marked AI process pseudonymized data outside Peru.
| Provider | Purpose | Country | Policy |
|---|---|---|---|
| Hostinger International Ltd. | Server (VPS) hosting and database storage. | Lithuania (EU) / USA | view |
| Google Firebase Cloud Messaging (FCM) | Delivery of push notifications to the mobile app. | USA | view |
| MercadoPago (Mercado Libre) | Tuition and subscription payment processing (Checkout Pro). Only when the school enables the gateway. | Argentina / Brazil | view |
| SMTP email provider (Google Workspace by default) | Sending transactional email (credentials, report cards, notices). Each school may configure its own SMTP server. | USA (or as configured by the school) | view |
| Groq, Inc. · AI | AI-assisted generation of comments and reports (pseudonymized data). | USA | view |
| Cerebras Systems, Inc. · AI | AI-assisted generation of comments and reports (pseudonymized data). | USA | view |
| Mistral AI · AI | AI-assisted generation of comments and reports (pseudonymized data). | France (EU) | view |
| OpenAI, L.L.C. · AI | AI-assisted generation of comments and reports (pseudonymized data). | USA | view |
| OpenRouter, Inc. · AI | Routing to AI models (pseudonymized data). | USA | view |
| Cohere Inc. · AI | AI-assisted generation of comments and reports (pseudonymized data). | Canada | view |
| Z.ai (Zhipu AI) · AI | AI-assisted generation of comments and reports (pseudonymized data). | China | view |
International transfers are carried out with adequate safeguards and declared as a cross-border flow before the National Authority for the Protection of Personal Data (ANPD).
Formal channel for ARCO rights and any data-protection inquiry. Attended by the Data Protection Officer (DPO).