Rationarium Privacy Policy
Effective Date: January 1, 2026
Review Cycle: Annual
Policy Owner: Chief Executive Officer / Chief Technology Officer, Rationarium Inc.
Last Documented Review: December 9, 2025
Purpose
Rationarium Inc. (“Rationarium,” “we,” “us”) provides dedicated WeBWorK hosting to educational institutions. This Privacy Policy describes what data we handle, why we handle it, and how we protect it.
Rationarium takes a minimalist approach to data. We collect only what is necessary to deliver our service, we do not use institutional or student data for marketing or analytics, we do not sell data, and we do not share data with anyone other than our sole infrastructure sub-processor, DigitalOcean LLC.
Who This Policy Covers
Rationarium’s hosting service is sold exclusively to educational institutions. When an institution contracts with Rationarium, that institution is the data controller for any student, instructor, or administrative records stored in its WeBWorK instance. Rationarium acts as a data processor on the institution’s behalf and handles that data solely to deliver the contracted service.
This policy also covers visitors to rationarium.org and individuals who contact us directly.
Data We Handle
Institutional Instance Data. Each Rationarium customer runs on a dedicated server. The data stored in a customer’s WeBWorK instance is determined by the institution and typically includes:
- Names of students, instructors, and administrators
- Institutional email addresses (optional; email functions are disabled in their absence)
- User identifiers supplied by the institution’s LMS or SIS
- Course enrollments, assignment submissions, and grades
- Authentication credentials — passwords are stored only as cryptographic hashes; institutions using LTI or LDAP never expose credentials to Rationarium
Rationarium does not require, collect, or store:
- Social Security numbers
- Dates of birth
- Home addresses or phone numbers
- Payment card information (billing is handled through institutional purchase orders)
- Health information
Website Visitors. When you visit rationarium.org we collect standard server log information including IP address, browser type, pages requested, and timestamps. These logs are used for security monitoring and are not used for advertising, profiling, or third-party analytics.
Direct Communications. When you contact us at support@rationarium.org or andrew@rationarium.org we retain your message and our response to provide continuity of support.
How We Use Data
We use data only to:
- Deliver and maintain WeBWorK hosting under the terms of our agreement with the institution
- Respond to support requests from institutional administrators, instructors, and students
- Monitor server health, performance, and security
- Investigate and respond to security incidents
- Meet legal obligations, including responses to lawful court orders
We do not:
- Sell or rent personal information to anyone
- Use institutional or student data for any marketing purpose
- Share data with advertising networks, data brokers, or third-party analytics providers
- Use institutional or student data to train artificial intelligence or machine learning models
- Aggregate or de-identify institutional data for resale or commercial research
Data Sharing
Rationarium shares data with exactly one sub-processor: DigitalOcean LLC, our hosting provider. DigitalOcean operates SOC 2 Type II and CSA STAR Level 1 certified data centers and processes data only to provide the underlying infrastructure. A current list of DigitalOcean’s certifications is available at https://www.digitalocean.com/trust/certification-reports.
We will disclose data only when:
- The institutional customer authorizes disclosure in writing
- Disclosure is required by law, regulation, or lawful court order
- Disclosure is necessary to protect the rights, safety, or property of Rationarium, its customers, or the public
If Rationarium is ever involved in a merger, acquisition, or asset sale, institutional customers will be notified in advance and any data transfer will be subject to the customer’s contract terms and applicable regulatory protections.
Data Retention
- Institutional instance data is retained for the duration of the hosting agreement. At termination, the customer is offered a full data export. Data is then deleted from active systems within thirty (30) days and from backups as those backups age out of the retention window (seven days).
- Nightly encrypted backups are retained for seven days on a rolling basis.
- Website server logs are retained for ninety (90) days.
- Support correspondence is retained for the duration of the customer relationship and for one year thereafter.
Security
Rationarium maintains the following safeguards for all customer environments:
- Single-tenant isolation. Every customer runs on a dedicated server. Customer data is never commingled with other customers’ data.
- US-based hosting. All production servers run in DigitalOcean’s New York data center (nyc3).
- Transport encryption. All client-to-server communication is protected by TLS 1.2 or higher.
- Backup encryption. Nightly backups are encrypted before storage.
- Access controls. Rationarium staff access production servers only via SSH public key. Password authentication is disabled and privileged root login is prohibited.
- Continuous monitoring. Every customer environment is monitored for availability, performance, and security events, with alerts routed to on-call staff via push notification.
- Incident response. A written Incident Notification Policy governs investigation and customer communication.
No system is perfectly secure. Rationarium commits to notifying institutional customers of any confirmed security incident affecting their data in accordance with our Incident Notification Policy and applicable law.
FERPA (Family Educational Rights and Privacy Act)
When Rationarium hosts WeBWorK for a U.S. educational institution, student records stored in the instance are treated as education records under FERPA (20 U.S.C. § 1232g). Rationarium acts as a school official performing an institutional service under the school-official exception (34 CFR § 99.31(a)(1)(i)(B)):
- Rationarium performs a service for which the institution would otherwise use its own employees;
- Rationarium operates under the direct control of the institution with respect to the use and maintenance of education records;
- Rationarium uses education records only for authorized purposes and does not redisclose them; and
- Rationarium returns or destroys education records upon termination of the contract.
Rationarium will execute a customer-specific FERPA data-use agreement upon request.
International Users and GDPR
Rationarium’s service is designed for U.S. educational institutions and all infrastructure is located in the United States. Rationarium does not actively market to European Union residents.
Where an EU-based institution engages Rationarium, or where EU residents access a Rationarium-hosted instance through their institution, Rationarium will:
- Process data only on the documented instructions of the institutional customer acting as data controller
- Apply data minimization — collecting only what is required to deliver the service
- Honor access, correction, and deletion requests coordinated by the institution
- Maintain records of processing and support compliance with Articles 28 and 32 of the GDPR
Institutional customers requiring a Data Processing Addendum may contact andrew@rationarium.org.
Children’s Privacy (COPPA)
Rationarium licenses its service to educational institutions, not directly to individuals, and does not knowingly collect personal information from children under the age of 13. Where an institution’s use of WeBWorK involves users under 13, parental consent is the responsibility of the institution under its own COPPA compliance program.
If you believe a child under 13 has provided personal information directly to Rationarium, please contact us at support@rationarium.org and we will delete the information promptly.
Your Rights
Because Rationarium operates as a data processor on behalf of institutional customers, users should direct data access, correction, and deletion requests to their institution in the first instance. Rationarium will honor and facilitate any valid request forwarded by an institutional customer.
Individuals with questions about this policy may contact andrew@rationarium.org.
Changes to This Policy
Rationarium reviews this Privacy Policy at least annually. Material changes affecting institutional customers — including any change to data sharing, retention, or security practices — will be communicated to customer administrators by email at least thirty (30) days before taking effect. The Effective Date above indicates when the current version took effect.
Contact
Rationarium Inc.
131 Fairfax Dr
Massapequa, NY 11758
General inquiries: support@rationarium.org
Security and privacy inquiries: andrew@rationarium.org