Privacy Policy (AI/MCP) - Agent Connector Addendum
Supplementary to the Compass Privacy Policy (policies.compass.education)
This policy should be read in alignment with the relevant jurisdiction privacy policy for your school. Compass refers to the relevant legal entity for your agreement.
IMPORTANT: AI/MCP integration is strictly opt-in for schools
Compass does not enable AI agent integrations by default. No Compass user's data is connected to any AI service unless their school has made an active decision to enable a specific integration and the individual user has personally authorised their own account.
If you have not taken steps to connect your account, your Compass data is not accessible to any AI agent or MCP-connected service.
A note for schools and administrators
Schools are responsible for determining whether any AI agent integration is appropriate for their environment. Before enabling any MCP-connected AI service, schools should carefully assess whether the integration aligns with their organisation's privacy policy, data management framework and security standards, as well as any applicable obligations under state or federal legislation.
Compass provides the technical infrastructure to support these integrations. The decision to use them and the responsibility for ensuring that decision is appropriate for your school community rests with each school. Compass recommends schools consult with their privacy officer or legal adviser before enabling any AI integration.
1. What This Addendum Covers
The Compass AI Agent Connector (the Connector) is an integration that allows users of approved AI assistants and agents such as Claude (Anthropic), Copilot (Microsoft), Gemini (Google) and ChatGPT (OpenAI) [and/or others which may vary from time to time] to interact with their Compass account using natural language, where that AI assistant supports the Model Context Protocol (MCP). This addendum describes how the Connector collects, uses and handles personal information, specifically the data flows that occur between Compass, the AI provider and the user when the Connector is active.
This addendum applies to all Compass users who connect their account to an approved AI assistant via an MCP-based connector. It should be read alongside the main Compass Privacy Policy (policies.compass.education/privacy) and the relevant privacy policy of the AI provider you are using.
Who Can Use the Connector
Access to the Connector is subject to two prerequisites:
School approval: the Connector is only available where the user's school or education authority has approved the integration with the specific AI provider as an MCP-connected agent. Schools control which AI providers are enabled for their Compass environment. If your school has not approved the relevant AI provider, you will not be able to connect your account.
User permissions: within an approved school environment, only users who hold the required Compass account permissions may connect and use the Connector. The data accessible through the Connector is limited to what you are already authorised to access within your Compass account. No additional data access is granted by connecting to an AI agent.
School administrators are responsible for managing both integration approvals and user permission levels within their Compass environment.
2. Who Operates the Connector
The Connector is operated by Compass. The Connector is built on the Model Context Protocol (MCP), an open standard that enables AI assistants to securely interact with external services. It is compatible with any MCP-supported AI provider that has been approved by a school for use with Compass.
Privacy contact: legal@compass.education
3. How the Connector Works
When you install the Connector and authorise it via OAuth, you grant your approved AI assistant permission to read and interact with specific data in your Compass account on your behalf. The Connector uses MCP as the communication layer between the AI provider and Compass.
Each time you ask your AI assistant to perform a task involving Compass data, the Connector retrieves only the data necessary to complete that specific request. The Connector does not pre-index or continuously sync your Compass data. Every interaction is stateless. Data is retrieved on demand and is not cached or stored by the Connector beyond the active session.
4. What Data the Connector May Access
Depending on the permissions you grant during the OAuth authorisation flow, the Connector may access the following categories of data from your Compass account:
Student and staff profile information (name, year level, class group, identifiers)
Attendance records
Academic results, learning tasks and report data
Timetable and scheduling information
Communication records (where permitted by your school's Compass configuration)
School and organisational metadata
The Connector requests only the minimum permissions necessary for the features you use. You can review and revoke permissions at any time via your AI provider's connector settings or your Compass account settings.
5. How Data Is Used
Data accessed through the Connector is used solely to fulfil the specific instruction you give your AI assistant during your conversation. Compass does not use data retrieved via the Connector for:
Training AI or machine learning models
Advertising or marketing
Profiling or automated decision-making outside your explicit instruction
Any purpose beyond completing the task you requested
The AI provider processes your Compass data as part of delivering their service. Each provider's handling of that data is governed by their own privacy policy. We recommend reviewing the relevant AI provider's privacy policy before connecting your account.
6. Data Passing Through Your AI Provider
When you use the Connector, your Compass data passes through the AI provider's infrastructure as part of the MCP protocol. Each provider has its own data retention and processing practices. Compass does not control how AI providers handle or retain data once it has been transmitted.
Compass does not independently store the content of your AI conversations or the Compass data returned during a session. You should review the privacy policy of your specific AI provider to understand how they handle data received via MCP connections.
7. Authentication and Security
The Connector uses OAuth 2.1 with PKCE (Proof Key for Code Exchange) to authenticate your Compass account with your AI provider. Access tokens are encrypted in transit and at rest.
Compass maintains appropriate technical and organisational security measures consistent with our jurisdictional privacy obligations. For security concerns relating to the Connector, contact legal@compass.education.
Revoking Your MCP Permission
You may revoke your AI agent connector permission at any time, independently of your school's integration approval. To revoke:
Via your AI provider: go to the connector or integration settings within your AI assistant and disconnect the Compass connector
Via Compass: contact your school administrator to remove MCP access from your account
By request: email legal@compass.education and we will revoke your access token within 5 business days
Revoking permission stops the Connector from accessing your Compass account immediately. It does not affect your Compass account, the data stored within it or your school's broader integration approval. Any data that passed through the AI provider's infrastructure prior to revocation is subject to that provider's retention policy.
8. Children's Data
Compass is a school management platform and the Connector may access data relating to students, including minors. Schools and education authorities are responsible for ensuring appropriate authorisation before enabling the Connector for use with student data. Compass applies appropriate technical and organisational measures to safeguard personal data relating to children, consistent with Compass' Privacy Policy.
School administrators should review their obligations under applicable state and federal privacy legislation before enabling staff access to student data via the Connector.
9. Your Rights
Your rights in relation to data accessed via the Connector are the same as those set out in the Compass Education Privacy Policy, including rights to access, correction, erasure, restriction and portability.
To exercise any of these rights, contact: legal@compass.education
For complaints, you may contact the Office of the Australian Information Commissioner (oaic.gov.au). If you are located in the UK or EEA, additional rights may apply under UK GDPR or EU GDPR. See the relevant Compass privacy policies at policies.compass.education.