Privacy Policy

Last updated: April 17, 2026

Privacy questions? privacy@connected.ai

1. Who We Are

ConnectED.ai operates an AI-powered college counseling platform that helps high school students discover best-fit colleges, track applications, and connect with school counselors and advisors. The platform serves students, school counselors, college access nonprofits, and the school administrators who oversee them.

We handle sensitive student data and are committed to full compliance with the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA/CPRA), and applicable state student data privacy laws.

2. Scope of This Policy

This policy applies to all users of the ConnectED.ai platform: students, advisors, school administrators, and super administrators. It governs data collected through our web application, APIs, and email communications.

When a school or organization enters into a separate data processing agreement with ConnectED.ai, that agreement governs where it conflicts with this policy.

3. Information We Collect

We collect only what is necessary to provide the service. All student data is classified as follows:

Category | Examples | Shared externally?
Protected Educational Records | Academic records, test scores (SAT/ACT), GPA, application status | No
Directory Information | Name, email address | With consent only
Non-Directory / Sensitive | Financial info, living situation, family details, economic background | Never
Activity & Usage | IP address, browser/device info, session activity, error logs | No (security only)

Information students provide

  • Name, email address, school, and grade level
  • GPA, SAT/ACT scores, academic interests
  • Extracurricular activities and career goals
  • Onboarding responses (living situation, economic background, family circumstances)
  • College application information, deadlines, and status
  • Essay drafts and story bank entries
  • Messages exchanged with advisors
  • Resume content — the original file is never stored. AI automatically strips all PII (names, contact info, dates of birth, IDs) and retains only roles, accomplishments, and awards. User consent is required before saving the sanitized summary.

Information collected automatically

  • IP address and browser/device information (security and audit logging only)
  • Session cookies (see Section 13)
  • Error and diagnostic data (PII removed before logging)

4. How We Use Your Information

  • Generate personalized college recommendations using AI
  • Connect students with their assigned advisors and school administrators
  • Enable secure messaging between students and advisors
  • Support college application tracking and deadline management
  • Provide AI-assisted essay coaching and interview preparation
  • Send transactional emails (account verification, deadline reminders, invitation links)
  • Maintain security, prevent fraud, and comply with legal obligations
  • Improve the platform through aggregate, anonymized analysis only — individual student data is never used for this purpose

We do not use student data for advertising, behavioral profiling, or marketing. We do not sell student data to any third party.

5. How We Share Your Information

Within ConnectED.ai — Role-Based Access

Access is strictly role-scoped. No user can access data outside their permitted scope:

  • Students — can only read and update their own profile and data
  • Advisors — can view profiles of students assigned to them only; they cannot access economic situation, living situation, raw resume files, or unassigned students
  • School Administrators — can view and manage students and advisors at their school only; they cannot access other schools’ data
  • Super Administrators — have platform-wide access for system maintenance and compliance; all super admin actions are audit-logged

AI Services (OpenAI GPT-4o)

To generate college recommendations, we send a strictly limited, non-sensitive subset of student data to OpenAI’s API:

  • Sent: interests, grade level, GPA, test scores (optional), location preference
  • Never sent: economic situation, living situation, family details, profile pictures, or any non-directory sensitive PII

OpenAI processes this data under their API terms of service and does not use API inputs to train their models by default.

Infrastructure Providers

  • Supabase — database hosting (PostgreSQL, US region)
  • Vercel — application hosting and CDN
  • Nodemailer / SMTP — transactional email delivery

All infrastructure providers process data on our behalf under strict data processing agreements. They have no independent rights to use student data.

Legal Disclosures

We may disclose information when required by law, valid court order, or to protect the safety of any person. Where legally permitted, we will notify the relevant school or institution before disclosing student educational records.

We do not sell, rent, license, or trade student personal information to any third party, including data brokers, advertisers, or marketing companies. Ever.

6. FERPA — Family Educational Rights and Privacy Act

When ConnectED.ai is deployed by a school, we operate as a “school official” under FERPA (20 U.S.C. § 1232g; 34 CFR Part 99), with a legitimate educational interest in accessing student records to provide our service.

Student and Parent Rights Under FERPA

  • Right to Inspect (§99.10): Students (or parents of students under 18) may download a complete copy of their records at any time from the Download My Data button on the student profile page.
  • Right to Amend (§99.20): Students may submit a record correction request from their profile page. We will respond within a reasonable time.
  • Right to Consent (§99.30): Student educational records are not disclosed to unauthorized parties without written consent, except as permitted by FERPA.
  • Right to Control Directory Information: Students may restrict disclosure of directory information (name, email) through their consent preferences.

Our FERPA Commitments

  • Explicit written consent is collected from students during onboarding before any data is processed
  • Consent renewal is required annually
  • All access to student educational records by advisors and administrators is logged and retained for 7 years (§99.32 disclosure log requirement)
  • Advisor access is limited to assigned students only; sensitive non-directory fields (economic situation, living situation) are withheld from advisor views
  • School admin access is scoped to their school only
  • In the event of a breach affecting student educational records, affected individuals will be notified as required by FERPA

7. COPPA — Children Under 13

Our platform is designed for high school students, typically ages 15–18. For users under 13, we require verifiable parental or guardian consent before collecting any personal information. Schools enrolling students under 13 may provide this consent on parents’ behalf under COPPA’s school official exception (16 C.F.R. § 312.5(b)(1)).

  • No behavioral advertising, tracking, or profiling for any user under 13
  • Data minimization — we collect only what is necessary for the educational service
  • Parents may review, correct, or request deletion of their child’s data at any time
  • If we discover an account for a child under 13 was created without proper consent, we will delete the data immediately

To report a COPPA concern or request deletion of a child’s data, contact us at privacy@connected.ai.

8. CCPA / CPRA — California Residents

California residents have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of what personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of personal information we hold about you
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt Out of Sale: We do not sell personal information — this right is already honored by default
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights
  • Right to Limit Sensitive Data Use: We use sensitive personal information (economic situation, living situation) only for the educational purpose for which it was collected

To submit a CCPA/CPRA request, email privacy@connected.ai with “California Privacy Request” in the subject line. We will respond within 45 days.

9. Other State Student Data Privacy Laws

Many states have enacted specific student data privacy laws that apply to ed-tech platforms. ConnectED.ai complies with applicable state laws and will execute required data processing agreements with schools upon request, including:

  • New York — Education Law § 2-d (Parents’ Bill of Rights for Data Privacy)
  • Illinois — Student Online Personal Protection Act (SOPPA)
  • Colorado — Student Data Transparency and Security Act
  • Texas — Student Data Privacy Consortium requirements
  • Other states — Requirements vary by jurisdiction; contact us to discuss your state’s requirements

10. Data Security

Encryption

  • All data in transit is encrypted with TLS 1.3; HTTP is automatically redirected to HTTPS
  • Database data is encrypted at rest (PostgreSQL on Supabase)
  • Environment variables and backup files are encrypted

Authentication

  • Passwords are hashed using bcrypt (10 rounds, unique salt per password) — never stored or logged in plain text
  • Sessions use HTTP-only, Secure, SameSite=Strict cookies with 7-day expiration
  • Logout, password change, and role changes immediately invalidate all active sessions
  • Password requirements: minimum 8 characters, mixed case, at least one number

Access Controls

  • Role-based access control (RBAC) on every endpoint
  • All access to student educational records is audit-logged with timestamp, user, action, and IP address
  • Audit logs are retained for 7 years and are accessible only to super administrators
  • Failed login attempts exceeding 5 in 10 minutes trigger security alerts

Incident Response

  • Critical security vulnerabilities are patched within 48 hours of discovery
  • In the event of a data breach, affected schools and individuals will be notified within 72 hours
  • Our breach response process: Assess → Contain → Eradicate → Recover → Document → Notify

11. Data Retention & Deletion

Data Type | Retention Period
Active student accounts | While account is active
Post-graduation / inactive accounts | 2 years (notification sent before deletion)
Deleted accounts (soft) | 30-day recovery window, then permanent deletion
Resume summaries | 90 days after account deletion (or immediate on request)
FERPA audit logs | 7 years (§99.32 requirement)
Application/server logs | 90 days
Performance logs | 30 days

Right to Be Forgotten

You may request full deletion of your personal data at any time. The process:

  1. Submit a deletion request through your school administrator or email us
  2. We verify your identity
  3. A 7-day cancellation window begins (you may cancel the request during this period)
  4. All personal data is permanently deleted within 30 days of confirmation
  5. You receive a confirmation email

What is deleted: personal information, profile data, messages, resume summaries, application data, and essay drafts.

What is retained (anonymized): aggregate analytics (no individual identifiers), system logs (IP addresses removed), and audit trail records (user IDs pseudonymized) as required by law.

12. Your Rights & Choices

All users — regardless of state — have the following rights:

  • Access your data: Download a complete copy of all your records from the Download My Data button on your profile page
  • Correct your data: Submit a correction request from your profile page; we will respond within a reasonable time
  • Delete your data: Contact your school administrator or email privacy@connected.ai
  • Withdraw consent: Contact your school administrator at any time; note that withdrawal will limit AI recommendation features
  • Opt out of AI processing: Contact your school administrator; AI chat and recommendation features will be unavailable after opting out
  • Control directory information: Manage what “directory” fields (name, email) are visible through your consent preferences

13. Cookies & Tracking

We use session cookies only (HTTP-only, Secure, SameSite=Strict) to maintain your authenticated session. These cookies expire after 7 days or when you log out.

We do not use:

  • Third-party advertising or tracking cookies
  • Behavioral profiling pixels or fingerprinting
  • Cross-site tracking technologies

Any analytics we conduct use only aggregate, anonymized, non-identifiable data.

14. Changes to This Policy

We will notify schools and users of material changes to this policy at least 30 days before they take effect — via email and an in-app notice. Continued use of the platform after that date constitutes acceptance of the updated policy. The current version is always available at this URL. We will not retroactively apply changes that reduce privacy protections to data already collected.

15. Contact Us

For privacy questions, to exercise your rights, or to report a concern:

ConnectED.ai — Privacy Team

Email: privacy@connected.ai

We will acknowledge your request within 2 business days and respond fully within the timeframe required by applicable law (45 days for CCPA, reasonable time for FERPA).