Privacy Policy

1. Overview and Scope

SchoolScan, Inc. ("SchoolScan," "we," "us," or "our") provides privacy compliance monitoring software to K-12 school districts and other educational institutions. This Privacy Policy explains how we collect, use, disclose, and protect information when our customers — school districts and the individuals they authorize to use our service (collectively, "Customers") — use the SchoolScan platform.

This policy covers:

• Information collected from our public website (schoolscan.ai)
• Information collected when Customers use the SchoolScan platform
• Publicly accessible content analyzed as part of a compliance scan
• Compliance findings generated by our service

This policy does not cover the privacy practices of the school districts themselves or third-party websites linked from our service. Where SchoolScan operates as a service provider on behalf of a Customer (for example, in our role as a "school official" under FERPA), our handling of student information is also governed by the written agreement between SchoolScan and that Customer.

2. Our Core Privacy Commitments

Before explaining the details, here are the commitments we make to our Customers and the students whose data may be present in the content we analyze:

3. Information We Collect

3.1 Customer Account Information

When a Customer establishes an account, we collect information necessary to provide and secure the service, including:

• Name, work email address, job title, and district or organization name
• Authentication credentials (passwords are stored only as salted hashes; we support SSO where available)
• Billing and payment information (processed through our payment processor; SchoolScan does not store full payment card numbers)
• Technical and usage information required to operate the service, such as IP address, browser type, session timestamps, and pages visited within the platform

3.2 Publicly Accessible Content Analyzed During Scans

At a Customer's direction, SchoolScan crawls content that the Customer has identified as its own publicly accessible web presence. We access only content that is already available to anyone on the internet. We do not require, request, or use Customer credentials, internal network access, or password-protected resources.

This content may include HTML pages, PDFs, Microsoft Word and Excel documents, CSV files, images, and document metadata. Because this content is public and created by the Customer, it may contain student personally identifiable information ("Student PII"). The purpose of our service is to locate such information so that the Customer can evaluate and remediate exposures.

3.3 Customer Policy Documents

We parse Customer-provided FERPA notices, directory information designations, and related privacy policies so that our adjudication engine can classify findings in the Customer's actual policy context.

3.4 Compliance Findings

Our service produces findings, scores, and reports that reference specific content locations and PII types. These findings are the Customer's confidential data.

3.5 Information From Our Website

When you visit schoolscan.ai, we collect standard server logs (IP address, browser type, pages viewed) and use a limited set of first-party cookies that are necessary to operate the site.

We use Google Analytics 4 (GA4) to measure aggregate traffic to our marketing website (pages such as the homepage, Blog, FERPA Overview, and Compliance Guide). GA4 helps us understand which content is useful to districts and where to focus our writing. We configure GA4 with the following privacy settings:

• IP addresses are anonymized at the edge and not stored
• Google Signals and advertising features are disabled
• Data is not shared with Google for advertising personalization
• Data retention is set to the shortest available period

GA4 is used only on the public marketing site. It is not deployed inside the authenticated SchoolScan platform, on scan results, in reports, or anywhere Customer Data or Student Data is present. We do not use third-party advertising cookies, cross-site trackers, session-replay tools that record keystrokes or mouse movements, or any analytics tools inside the authenticated application.

4. How We Use Information

We use the information described above only for the following purposes:

• Providing the service — crawling Customer-designated web presences, analyzing content, adjudicating findings, generating reports, delivering dashboards, and enabling expert review.
• Customer support — responding to support requests and assisting with remediation guidance from our privacy professionals.
• Security and fraud prevention — detecting and preventing unauthorized access, abuse, or misuse of the service.
• Service operation and reliability — monitoring system performance, diagnosing errors, and maintaining backups.
• Service improvement using aggregated or de-identified information — we may analyze patterns across Customer accounts to improve detection accuracy, but only using information that cannot reasonably identify any individual, Customer, or student.
• Legal compliance — complying with applicable law, responding to lawful requests, and protecting our legal rights.

We do not use Customer information or Student PII for advertising, marketing to students, behavioral profiling, or any purpose outside the scope listed above.

5. Data Ownership and Licensing

Customers own their data. All Customer content crawled by SchoolScan, all policy documents provided to us, all findings and reports generated from scans, and all feedback provided by Customer users remain the property of the Customer.

Customers grant SchoolScan a limited, non-exclusive, non-transferable license to access, process, store, and display that content solely for the purpose of providing the service during the term of the Customer's agreement with SchoolScan. This license terminates when the agreement ends or when the Customer requests deletion.

SchoolScan does not claim and will not assert any broad, perpetual, irrevocable, sublicensable, or commercial-use license over Customer content, findings, policy documents, or feedback. We do not obtain rights to use Customer materials for marketing, case studies, or public display without separate written permission.

6. How We Share Information

We share information only in the limited circumstances described below.

6.1 With Authorized Customer Users

Findings, reports, and dashboards are shared with the users the Customer designates. The Customer controls who has access.

6.2 With Our Subprocessors

We use a small number of reputable subprocessors to operate the service — for example, cloud infrastructure providers and AI model providers. Every subprocessor is bound by a written data protection agreement that requires them to:

• Process data only to perform the service they provide to us
• Apply appropriate security safeguards
• Not use Customer content to train their own models or for their own purposes
• Maintain confidentiality obligations equivalent to ours

A current list of subprocessors is available on request and, where required by contract, at least 30 days advance notice will be provided before a new subprocessor is engaged.

6.3 For Legal Reasons

We may disclose information if we reasonably believe disclosure is required to comply with a valid legal process, to protect the safety of any person, or to defend our legal rights. If permitted by law, we will notify the affected Customer before disclosing their data so they have an opportunity to respond.

6.4 In a Business Transfer

If SchoolScan is involved in a merger, acquisition, or sale of assets, Customer data may be transferred as part of that transaction. Any successor entity will be bound by commitments at least as protective as those in this policy, and we will provide advance notice to affected Customers.

6.5 What We Do Not Do

We do not sell Customer data or Student PII. We do not share Customer data with data brokers, ad networks, analytics companies operating for their own purposes, or any third party for advertising or marketing.

7. Data Retention and Deletion

We retain information only as long as necessary to provide the service and meet our legal and contractual obligations.

• Crawled public content — deleted within 30 days of scan completion and report delivery, or sooner upon Customer request. Raw HTML, document bodies, and downloaded files are deleted; we do not retain copies of scanned content beyond this window.
• Findings and reports — retained for the length of the Customer's subscription so that Customers can review historical compliance posture. Customers may export their findings at any time and may request deletion of specific findings or all historical findings at any time.
• Customer account and usage data — retained for the length of the subscription and deleted within 90 days of account termination, except where retention is required by law.
• Backups — encrypted backups are retained for up to 90 days for disaster recovery and are cycled on a rolling basis.

On termination of the Customer agreement, SchoolScan will, at the Customer's election, either return or permanently delete all Customer data within 60 days, except where applicable law requires otherwise.

8. Security

We take reasonable administrative, technical, and physical safeguards to protect information, including:

• Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
• Role-based access controls with the principle of least privilege
• Multi-factor authentication for privileged access
• Isolated cloud environments for scan execution that are destroyed after each scan completes
• Regular security testing, vulnerability management, and dependency patching
• Mandatory security and privacy training for all personnel with access to Customer data
• Written information security policies and incident response procedures

No system can be guaranteed fully secure. However, we continuously monitor for threats and promptly address identified vulnerabilities.

9. Student Privacy, FERPA, and State Laws

9.1 FERPA "School Official" Designation

When a school district Customer uses SchoolScan to analyze its web presence and findings contain information from education records, SchoolScan operates as a "school official" with a "legitimate educational interest" as defined under 34 CFR § 99.31(a)(1). In that capacity, we commit to:

• Use education records only to perform the services the Customer has authorized
• Remain under the Customer's direct control regarding the use and maintenance of education records
• Not re-disclose personally identifiable information from education records to any other party without appropriate consent or another FERPA-permitted basis
• Destroy or return education records in our possession when they are no longer needed for the authorized purpose or upon Customer request

9.2 State Student Privacy Laws

Many states have enacted laws that impose additional obligations on providers of K-12 educational services — including the California Student Online Personal Information Protection Act (SOPIPA) and comparable laws in other states. Consistent with these laws, SchoolScan commits that we will not:

• Engage in targeted advertising based on information acquired through the provision of the service
• Use covered information to create a profile of a student except in furtherance of the authorized educational purpose
• Sell or rent covered information
• Disclose covered information except as permitted by applicable law

9.3 Parental and Student Rights

Rights over education records under FERPA belong to parents and to eligible students. Because SchoolScan acts as a service provider to the school district, requests for access, correction, or deletion of student information should be directed to the student's school district. SchoolScan will support Customer districts in responding to such requests.

9.4 COPPA

SchoolScan is not directed to children under 13 and is not used by students. Our platform is used by district staff and authorized administrators. We do not knowingly collect personal information directly from children.

10. Artificial Intelligence and Automated Processing

SchoolScan uses AI to analyze unstructured documents and identify potential privacy exposures. We apply the following commitments to our AI processing:

• No training on Customer content. Customer content, policy documents, findings, and feedback are not used to train SchoolScan AI models or any third-party AI models. Our agreements with AI subprocessors expressly prohibit such training.
• No automated high-stakes decisions without review. Critical and high-severity findings are reviewed by our privacy professionals before being delivered.
• Transparency. Findings include citations to the source content and confidence scores so that Customer users can verify them.
• Human remediation guidance. Remediation recommendations for critical findings are validated by qualified privacy staff.

11. Your Rights

Depending on the laws that apply to you, you may have rights to access, correct, delete, or obtain a copy of personal information we hold about you. If you are an individual Customer user (for example, a district staff member with a SchoolScan account), you may exercise these rights by contacting us at privacy@schoolscan.ai.

If you are a parent or student asking about information contained in an education record, please contact your school district directly. FERPA rights are exercised through the educational agency or institution, not through SchoolScan.

12. Children's Privacy

SchoolScan's service is designed for adult professionals operating on behalf of school districts. We do not knowingly collect personal information directly from children under 13. If we learn that we have inadvertently collected personal information directly from a child under 13, we will delete it promptly.

13. Security Incident Notification

If we become aware of a security incident that has resulted in, or is reasonably likely to result in, unauthorized access to or disclosure of Customer data or Student PII, we will:

• Notify affected Customers without undue delay, and in any event within 72 hours of confirmation where feasible
• Provide information about the nature of the incident, the data involved, and the steps we are taking to contain and investigate it
• Cooperate reasonably with Customers so they can meet their own legal notification obligations

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other reasons. When we make a material change, we will:

• Update the "Effective Date" and "Last Updated" dates at the top of this policy
• Provide at least 30 days advance notice to Customers by email and through the SchoolScan platform
• Preserve the protections of the prior policy for any information collected before the change takes effect, where required by law or contract

Material changes that reduce privacy protections will not apply retroactively to previously collected Customer data without the Customer's agreement.

15. Contact Us

If you have questions about this Privacy Policy or about how we handle information, please contact us:

• Privacy inquiries: privacy@schoolscan.ai
• General contact: hello@schoolscan.ai
• Security reports: security@schoolscan.ai

We will respond to privacy requests within 30 days, or sooner where required by applicable law.