Privacy Policy
Effective: 2026-06-14 · Last updated: 2026-06-14
1. Who we are
These services are operated by Octafish Systems, LLC (referred to in this policy as “Octafish,” “we,” “us,” or “our”), a limited liability company. Our public-facing platform lives at octafish.com and includes the family of educational tools we offer (currently Recycle Assignments, with additional tools in development).
For privacy questions, data requests, or to report a concern, contact privacy@octafish.com.
2. Scope of this policy
This policy describes how Octafish collects, uses, shares, and protects information when you use any of our apps or visit our website. It applies to:
- Teachers and administrators who sign in with a Google account.
- Students who use any Octafish app that is configured to accept student sign-in.
- School and district administrators who manage site licenses on behalf of their organization.
Each Octafish app is designed to keep its data handling within the scope this policy describes. We will revise this policy and notify users before launching a feature that requires broader data handling than what is documented here.
3. Information we collect
3.1 From your Google account when you sign in
When you sign in with Google, we receive and store:
- Your email address, used as your account identifier.
- Your name, displayed in your account and on screens where ownership of an action needs to be shown (for example, “Invited by Jane Smith”).
- A stable identifier from Google (the “subject” identifier), used to recognize you across sign-ins even if your email address changes.
- OAuth access and refresh tokens for any Google scopes you grant to a specific Octafish app, stored securely and used only to make API calls on your behalf to the Google services you authorized.
3.2 From your use of Google Classroom (Recycle Assignments and future Classroom-integrated apps)
When you grant Octafish access to your Google Classroom data, we read and store only the data necessary to provide the features you initiated:
- Course list: ID, name, section, status, and creation date for courses where you are a teacher.
- Assignment metadata: title, description, work type, state, point value, and creation date for assignments and materials in courses you select.
- Linked materials (Drive files, YouTube videos, links, forms) — only the reference to these materials, not the file contents themselves. We do not download or store the contents of attached files.
We do not request, read, or store student rosters, student submissions, student profile photos, parent contact information, or any other “restricted” Google Classroom data. Our apps are intentionally designed to stay within Google’s “sensitive” scope tier.
3.3 From your use of our apps
We collect operational data generated by your use, including:
- Selections you make in the interface (for example, which courses are marked as source or target).
- Action history (for example, a record of which assignments you have copied to which courses, so we can show you what you have already done).
- Standard server logs (IP address, timestamps, request paths, user agent) used for security, debugging, and abuse prevention. Logs are retained no longer than 90 days.
3.4 From your school or district (site-licensed organizations)
If your school or district holds an Octafish site license, the designated license administrator may manage who has access by sending invitations to specific email addresses and may, where required by applicable district policy, request reports on usage by teachers under the license. We do not provide district administrators with access to teachers’ in-app content.
4. How we use information
We use the information described above to:
- Provide the features you request inside our apps.
- Recognize you across sessions and across the Octafish platform.
- Show you a history of your actions (for example, “already copied” indicators).
- Communicate operational matters with you (account, security, service changes).
- Investigate security incidents, prevent abuse, and meet legal obligations.
5. Our Limited Use of Google User Data
Octafish’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide or improve user-facing features prominently visible in the Octafish app you are using.
- We do not transfer Google user data to third parties except as necessary to provide or improve those features, for security purposes, or to comply with applicable law.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data, except with your explicit consent, for security purposes (for example, investigating abuse), to comply with applicable law, or for our own internal operations using data that has been aggregated and anonymized.
6. Information specific to K-12 students
Octafish apps that involve student users are designed to be deployed by schools and districts under their authority. When a school authorizes an Octafish app for use in its classrooms:
6.1 FERPA (United States)
We act as a “school official” with a legitimate educational interest under the U.S. Family Educational Rights and Privacy Act (FERPA), 34 CFR § 99.31(a)(1)(i)(B). Student records we receive or generate are used only to provide the educational service for which we were retained, are not re-disclosed except as authorized, and remain under the direct control of the school.
6.2 COPPA (United States)
Some students using our apps may be under 13. The U.S. Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent before personal information is collected from a child under 13. Octafish relies on the school to obtain that consent on behalf of parents as part of the school's deployment authorization. Districts that have not obtained or do not provide such consent should not deploy Octafish to students under 13.
6.3 State student privacy laws
Several U.S. states have specific student data privacy laws that apply to vendors like us, including New York Education Law 2-d, California SOPIPA and AB 1584, Illinois SOPPA, Texas HB 18, and similar statutes in other states. Octafish operates in compliance with these laws and is willing to sign the applicable Data Privacy Agreement (DPA) for each district. Districts should request a DPA prior to deployment.
6.4 What we do not do with student data
- We do not sell student personal information, ever.
- We do not use student personal information for targeted advertising, ever.
- We do not use student personal information to train artificial intelligence or machine learning models that are not specifically for the educational service the student is using.
- We do not share student personal information with social networks, marketing partners, or data brokers.
7. Sub-processors and third parties
We use the following third-party services to operate our apps. We have evaluated each for privacy and security and use them only as described:
| Service | Purpose | Data shared |
|---|---|---|
| Google (OAuth 2.0, Google Classroom API) | User authentication; Classroom data access at user’s direction | The Google data described in § 3.1 and § 3.2 |
As we add features that require additional third parties (for example, an email delivery service or an AI assistant for a future app), we will update this list and notify affected users in advance. We will not introduce a new sub-processor that handles student personal information without ensuring that sub-processor offers an enterprise data agreement with no training on submitted data and a no-secondary-use commitment.
8. Data retention and deletion
We retain account information and app data for as long as your account is active. You may request deletion of your account and all associated data at any time by emailing privacy@octafish.com. We will complete the deletion within 30 days of a confirmed request, except where we are required by law to retain a portion of the data for a longer period.
When a site license expires and is not renewed, the affected teachers may continue to access their own individual data at no charge unless and until their accounts are also deleted.
Server logs are retained no longer than 90 days. Backups are retained on a rolling schedule and any deletion request is honored across active backups as they roll forward.
9. Data security
We take reasonable measures to protect your information, including:
- All connections to Octafish are encrypted in transit using HTTPS (TLS 1.2+).
- OAuth tokens are stored separately from user identifying information and are revocable on demand.
- Access to production systems is restricted to authorized personnel and is logged.
- We follow the principle of least privilege when granting internal access.
- We perform regular backups of operational data.
No system is fully secure. If we become aware of a security incident affecting your information, we will notify you without undue delay and, where required by law, within 72 hours of becoming aware of the incident.
10. Your rights and choices
You have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your account and associated data.
- Revoke Octafish’s access to your Google account at any time from your Google account security page or from within an Octafish app on the “Connect Google” controls.
- Receive a copy of the data we hold about you in a portable format.
- Object to or restrict certain uses, where required by applicable law.
To exercise any of these rights, email privacy@octafish.com.
11. International users
Octafish’s servers are located in the United States. By using our services from outside the U.S., you consent to your information being transferred to and processed in the U.S. We do not currently market our services outside North America.
12. Changes to this policy
We will update this policy as our services evolve. For material changes, we will notify users by email or in-app banner at least 14 days before the change takes effect. The effective date at the top of this page reflects the most recent change.
13. Contact us
Octafish Systems, LLC
509 Franklin Street
Brighton, MI 48116
United States
Privacy contact: privacy@octafish.com
General contact: hello@octafish.com