Skip to main content

Privacy Policy

Effective February 18, 2025 · Last updated February 18, 2025

Introduction

Edapt Schools Incorporated ("Edapt," "we," "us," or "our") provides AI-powered compliance reporting software and strategic advisory services for K-12 school districts. We are committed to protecting the privacy of our users, the districts we serve, and the students whose data may be processed through our platform.

This Privacy Policy describes how we collect, use, disclose, and protect information in connection with:

  • Our marketing website at edapt.com (the "Website")
  • Our SaaS platform at partner.edapt.com (the "Platform")
  • Our advisory and professional services (the "Services")

If you are a school district or educational agency using our Platform, your use is also governed by any Data Processing Addendum (DPA) executed between your organization and Edapt. In the event of a conflict between this Privacy Policy and a signed DPA, the DPA controls.

Information We Collect

We collect different categories of information depending on how you interact with us.

Website Visitors

When you visit edapt.com, we may collect:

  • Contact information you voluntarily provide: name, email address, organization name, job title, and message content (via contact forms and newsletter signups)
  • Automatically collected data: IP address, browser type, device information, pages visited, and referring URL
  • Cookies and similar technologies: We use essential cookies for site functionality. We do not use third-party advertising cookies. See our Cookie section below for details.

Platform Users (District Staff)

When district administrators and staff use our Platform, we collect:

  • Account information: name, email address, role, profile picture, and district affiliation (managed via our authentication provider)
  • Content created on the Platform: compliance documents (LCAPs, DIPs, SSIPs, strategic plans), notes, comments, edits, and version history
  • Interview and intake data: responses provided through our guided interview tools, including text answers and AI-assisted interview sessions
  • Audio data: if you use our voice interview features, audio recordings are transcribed and the transcriptions are stored; raw audio is processed in real-time and not permanently stored
  • Usage data: features used, actions taken, session duration, and interaction patterns
  • AI interaction data: prompts submitted to and outputs generated by our AI tools, including chat messages and document drafting requests

Student Data

Our Platform is used by district administrators, not students, to create compliance and reporting documents. These documents may contain or reference student-level data such as demographic information, performance metrics, assessment results, and program enrollment data.

We process student data solely on behalf of and under the direction of school districts, acting as a "school official" with "legitimate educational interest" under FERPA. We do not independently collect student data.

How We Use Information

We use the information we collect for the following purposes:

To provide and improve our services:

  • Operate and maintain the Platform and Website
  • Generate AI-assisted draft documents at your direction
  • Provide customer support and respond to inquiries
  • Analyze usage patterns to improve our products

To communicate with you:

  • Send service-related notifications and updates
  • Respond to contact form submissions and support requests
  • Deliver newsletters you have subscribed to (you may unsubscribe at any time)

What we do NOT do with your information:

  • We do not sell personal information or student data to anyone
  • We do not use student data for advertising or marketing
  • We do not use student data to create profiles for non-educational purposes
  • We do not use district data or student data to train our AI models
  • We do not share personal information with third parties for their own marketing purposes

AI and Automated Processing

Edapt uses artificial intelligence, including large language models (LLMs), to help districts draft compliance documents, conduct guided interviews, and analyze data. Here is how we handle data in our AI systems:

How AI processes your data:

  • When you use our AI drafting tools, the content you provide (prompts, document sections, intake responses) is sent to our AI service provider (currently OpenAI) to generate outputs
  • AI-generated content is returned directly to you within the Platform
  • Your content is processed in real-time and is not stored by the AI provider beyond the duration of the request
  • When you use our voice interview features, audio is sent to OpenAI's transcription service (Whisper) to convert speech to text; the transcription is stored in the Platform but the raw audio is not retained
  • Our AI-assisted interview tool may suggest answers based on context you provide; you control whether to accept, edit, or reject any AI-generated suggestion

What we do NOT do with AI:

  • We do not use your district data, student data, or document content to train, fine-tune, or improve AI models
  • We do not allow our AI providers to use your data for their own model training (we use API agreements that explicitly prohibit training on customer data)
  • We do not feed data from one district into responses for another district
  • We do not retain audio recordings beyond the transcription process

Important disclaimer: AI-generated content is provided as a draft starting point and requires human review. Edapt does not guarantee that AI-generated content is accurate, complete, or compliant with any specific regulatory requirement. Districts are responsible for reviewing, editing, and approving all content before submission. See our Terms of Service for additional details.

How We Share Information

We share information only in the following circumstances:

Service providers (subprocessors): We use third-party service providers to help operate our business. These providers are contractually bound to protect your data and use it only for the purposes we specify. Our current subprocessors include:

ProviderPurposeData Processed
OpenAIAI document generation, transcription, and voice interviewContent submitted for AI drafting, audio for transcription, interview context
WorkOSAuthentication and organization managementEmail, name, organization membership, authentication credentials
SupabaseDatabase and authentication (reporting platform)Account data, compliance documents, platform content
RailwayApplication hostingApplication data in transit
Google WorkspaceShared Drives for document deliveryDocument files
SentryError tracking and performance monitoringError details, performance metrics (no student data)
SlackInternal team notificationsContact form submissions, lead notifications
Google reCAPTCHASpam prevention on formsIP address, browser signals

We will notify district customers at least 30 days before adding a new subprocessor that handles student data.

Legal requirements: We may disclose information if required by law, subpoena, court order, or governmental regulation.

Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify affected users before their data becomes subject to a different privacy policy.

Aggregated and de-identified data: We may use and share aggregated, de-identified data that cannot reasonably be used to identify any individual. For example, we may publish statistics about platform usage trends without identifying any specific district.

Student Data Privacy

We take our obligations regarding student data seriously and comply with applicable federal and state student privacy laws.

FERPA (Family Educational Rights and Privacy Act):

  • We operate as a "school official" under the school official exception, performing institutional services on behalf of districts
  • We use education records only for the authorized educational purposes specified in our agreements with districts
  • We do not redisclose personally identifiable information from education records without authorization
  • Parents and eligible students may exercise their FERPA rights through their school district

COPPA (Children's Online Privacy Protection Act):

  • Our Platform is designed for use by adult district administrators, not children
  • We do not knowingly collect personal information directly from children under 13
  • When student data is included in compliance documents, schools serve as the authorized agent for parental consent, and such data is used solely for educational purposes

SOPIPA (Student Online Personal Information Protection Act, California):

  • We do not use student information for targeted advertising
  • We do not sell student information
  • We do not create student profiles except for educational purposes authorized by the district
  • We maintain reasonable security procedures to protect student information
  • We delete student data when requested by a school or district

AB 1584 (California Education Code § 49073.1):

  • School districts own and control all student data
  • We prohibit using student data for any purpose beyond what the contract permits
  • We describe our security measures in our Data Processing Addendum
  • We have established breach notification procedures
  • Student records are not retained after contract completion unless the district requests otherwise

Data Ownership

Your data belongs to you. This principle is non-negotiable.

  • District data: All content created by district users on our Platform (including compliance documents, strategic plans, reports, notes, and AI-generated drafts) is owned by the district
  • Student data: Student data is owned by the students and their parents/guardians, with the district serving as custodian under FERPA
  • Edapt's limited license: We have a limited, non-exclusive license to use your data solely to provide and improve our services to you. This license terminates when your contract ends
  • Data portability: Upon request, we will export your data in a standard, machine-readable format
  • Post-termination: When your contract ends, we will return or delete your data within 60 days, in accordance with your DPA

Data Security

We implement and maintain reasonable administrative, technical, and physical safeguards designed to protect your information:

Technical safeguards:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Enterprise-grade authentication via WorkOS AuthKit with support for SSO, MFA, and directory sync
  • Role-based access controls with per-organization permissions limiting data access to authorized personnel
  • Organization-scoped data isolation: each district's data is logically separated at the query level
  • Regular security patching and dependency updates

Administrative safeguards:

  • Employee background checks and confidentiality agreements
  • Security awareness training for all team members
  • Principle of least privilege for internal data access
  • Documented security policies and procedures

Operational safeguards:

  • Regular security assessments and code reviews
  • Automated monitoring and alerting for anomalous activity
  • Incident response procedures with defined escalation paths
  • Secure software development practices

We are committed to achieving SOC 2 Type II certification as we scale. Our current security practices are aligned with the SOC 2 Trust Service Criteria.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Data Retention and Deletion

We retain information only as long as necessary for the purposes described in this policy:

Data CategoryRetention Period
Website contact form submissions2 years, or until you request deletion
Newsletter subscriptionsUntil you unsubscribe
Platform account dataDuration of the district's contract, plus 60 days
Compliance documents and contentDuration of the district's contract, plus 60 days
Interview responses and transcriptionsDuration of the district's contract, plus 60 days
Audio recordings (voice interviews)Not retained; processed in real-time for transcription only
Student dataOnly as long as needed for the educational purpose; deleted upon district request or contract termination
Usage analytics (aggregated)Indefinite (de-identified)
Security logs1 year

Districts may request deletion of their data at any time by contacting us at hello@edapt.com. We will complete deletion within 30 days of a verified request.

Breach Notification

In the event of a security breach affecting personal information or student data, we will:

  1. Notify affected districts within 72 hours of confirming the breach
  2. Provide details including: the nature of the breach, categories of data affected, approximate number of records involved, likely consequences, and measures taken to address the breach
  3. Cooperate fully with districts in meeting their own notification obligations to affected individuals and regulatory authorities
  4. Take immediate remediation steps to contain the breach and prevent recurrence

Breach notification timelines may be adjusted by the terms of your DPA or as required by applicable state law.

Your Rights

Depending on your location and relationship with us, you may have the following rights:

All Users

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate personal information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements
  • Opt-out: Unsubscribe from marketing communications at any time using the link in any email, or by contacting us

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information (with certain exceptions)
  • Opt out of the sale or sharing of your personal information. We do not sell or share personal information as defined by the CCPA
  • Non-discrimination for exercising your privacy rights

To exercise your rights, contact us at hello@edapt.com. We will verify your identity and respond within 45 days.

Categories of personal information we collect (per CCPA): Identifiers (name, email), professional information (job title, organization), internet activity (usage data, IP address), and inferences drawn from the above.

Parents and Students (FERPA Rights)

FERPA rights with respect to student education records (including the right to access, amend, and consent to disclosure) are exercised through the school district, not directly through Edapt. If you are a parent or eligible student, please contact your school district to exercise these rights.

Cookies and Tracking

Our Website uses minimal cookies:

  • Essential cookies: Required for site functionality (form submissions, session management). These cannot be disabled.
  • Analytics: We may use privacy-respecting analytics to understand aggregate traffic patterns. We do not use Google Analytics or other advertising-linked analytics tools on our marketing website.
  • reCAPTCHA: Our forms use Google reCAPTCHA to prevent spam. This service may set cookies and collect IP addresses. See Google's privacy policy for details.

We do not use:

  • Third-party advertising cookies
  • Cross-site tracking pixels
  • Social media tracking widgets

You can manage cookies through your browser settings. Disabling essential cookies may affect site functionality.

Children's Privacy

Our Website and Platform are not directed at children under 13. We do not knowingly collect personal information directly from children. If we become aware that we have inadvertently collected personal information from a child under 13 without proper consent, we will take steps to delete that information promptly.

If student data pertaining to children under 13 is processed through our Platform, it is provided by and under the control of the school district, which serves as the authorized agent for parental consent under COPPA. Such data is used exclusively for educational purposes.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify district customers via email at least 30 days before material changes take effect
  • Post a notice on our Website

Your continued use of our services after the effective date of changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

Contact Us

If you have questions about this Privacy Policy, your data, or our privacy practices:

Email: hello@edapt.com

General inquiries: hello@edapt.com

Mail: Edapt Schools Incorporated, California, USA

For data subject access requests or privacy complaints, please email hello@edapt.com with the subject line "Privacy Request." We will acknowledge your request within 5 business days and resolve it within 45 days.