Privacy Policy

Last updated: June 8, 2026

  • Effective date: June 8, 2026

  • Last updated: June 8, 2026

  • Previous versions: available on request at privacy@ed.ai

  • Operator: Ed AI Technologies, Inc. · 56 Broad St STE 63766, Boston, MA 02109 · Delaware corporation · EIN 38-4380655

  • Privacy contact: privacy@ed.ai

Introduction & scope

This Privacy Policy describes how Ed AI Technologies, Inc. ("Ed.ai," "we," "us," "our") collects, uses, shares, retains, and protects personal information in connection with our educational services for K-12 and higher-education institutions in the United States.

It applies to teachers, administrators, students, parents, and other users of Ed.ai products:

  • Math Grading & Feedback

  • Standards-Aligned Analytics

  • Targeted Practice Generation

  • AI Teaching Assistant

This policy reflects our obligations under FERPA (20 U.S.C. §1232g), COPPA (15 U.S.C. §§6501–6506), applicable state student privacy laws (SOPIPA, SOPPA, Ed Law §2-d, and others), and consumer privacy laws where they apply (CCPA/CPRA, VCDPA, and others).

Where Ed.ai services are used in France or the European Union, they are operated by Ed.ai SAS under its own privacy notice. This policy applies to US usage.

Our role

We act in two capacities, depending on who you are:

School Official

When a school or district contracts with Ed.ai, Ed.ai operates as a "school official with legitimate educational interest" under FERPA §99.31(a)(1)(i)(B). The school or district remains the controller of student education records; Ed.ai processes those records on the school's behalf and under its direction.

Operator

Under SOPIPA (California), SOPPA (Illinois), Ed Law §2-d (New York), and equivalent state laws, Ed.ai is an "operator" (sometimes "school service provider" or "third-party contractor"). Our obligations are detailed on /state-laws and in the NDPA on /dpa.

business

For non-student personal information (teachers, district administrators, website visitors), Ed.ai operates as a business or service provider under state consumer privacy laws (CCPA/CPRA, VCDPA, etc.), depending on the relationship.

Information we collect

From teachers and administrators

  • Name, professional email, school/district affiliation, role, grade level(s) taught

  • Authentication credentials (hashed)

  • Product usage metadata (logins, feature usage, session length)

  • Voluntary inputs (support messages, feedback, uploaded class lists)

From students

  • Identifying data: name, student ID (if provided by the school), grade level, class assignment

  • Educational records content:

  • Scanned images of handwritten math work

  • OCR transcriptions of that work

  • Teacher-assigned grades

  • AI-proposed grades (before teacher validation)

  • Mastery analytics derived from responses

  • Remediation exercises generated and submitted

Automatically collected

  • IP address, browser/device type, OS, referral URL

  • Pages visited, timestamps, error reports (via Sentry)

  • Website analytics via Google Analytics (restricted configuration: IP anonymization, no Google Signals / advertising features, consent-based)

From integrations

  • Rosters via Edlink, which connects Clever, ClassLink, Canvas, Google Workspace for Education, and more

  • SSO attributes (name, email, school affiliation)

What we do NOT collect

  • Biometric identifiers

  • Government-issued IDs

  • Health information (beyond any incidental data in student work)

  • Social Security numbers

  • Precise geolocation

  • Behavioral profiles for advertising

How we use data

  • Grade and give feedback on student math work — Student work, teacher inputs · FERPA school-official exception; school authorization under COPPA

  • Standards-aligned analytics for teachers and departments — Student performance data, standards metadata · FERPA school-official exception

  • Generate personalized practice (Remediation) — Student response patterns · FERPA school-official exception

  • Power the AI Teaching Assistant — Aggregated data + teacher queries · FERPA school-official exception

  • Operate, maintain, secure the service — All technical metadata · Legitimate operational necessity

  • Communicate with teachers/admins — Contact info · Consent or contract

  • Improve the product (excluding student work) — Aggregated usage analytics · Legitimate operational necessity

We do not use student work to train AI models. We do not use data for advertising. We do not sell or share personal information in the CCPA sense of the term.

AI processing & de-identification

Student work is processed by enterprise language models from Microsoft Azure (Azure OpenAI, Azure Claude, Azure Mistral) and Google Cloud (Gemini), hosted in US regions (Microsoft Azure US Central and Google Cloud US). Before any LLM call:

  1. The pipeline detects identifying zones (names, roster identifiers, class labels).

  2. Those zones are masked by opaque white pixels — irreversibly, before transcription.

  3. The masked image is transcribed via OCR.

  4. The transcription is sent to the LLM under contractual no-retention, no-training terms with the sub-processor.

Result: the LLM never sees who the work belongs to. Performance metrics and the full pipeline are detailed on /de-identification.

Who we share data with

We share personal information only with:

  • The school or district that contracted Ed.ai (that's their data).

  • Sub-processors listed and kept up to date on /sub-processors — each under a DPA requiring confidentiality, security, and no secondary use.

  • Roster integrations via Edlink (Clever, ClassLink, Canvas, Google Workspace for Education, and more) — only when the school enables them.

  • Legal requests: we comply with valid subpoenas, court orders, and government requests, narrowly and with notification to the school when legally permitted.

We do not share data with advertisers, data brokers, or for any commercial purpose unrelated to the service.

Data residency — student data stays in the United States

All student-related data is stored in Microsoft Azure US Central. AI processing is performed by US-hosted enterprise models (Microsoft Azure US Central and Google Cloud US) under no-retention terms. We do not transfer student data outside the United States. Disaster recovery, backups, and redundancy all occur within US regions.

Non-student operational data (marketing via Mailchimp, HubSpot CRM for teacher accounts, Google Analytics, support tools) may be processed outside the US under the vendor's standard terms. These do not contain student records.

Retention & deletion

  • Student work (scans, transcriptions, grades, analytics) — Duration of the school's contract. On deletion request: production within 30 days. At contract end: production within 90 days. Backups within 12 months in both cases.

  • Teacher account data — Duration of the account + 12 months inactivity

  • Audit logs — Duration of the contract + 1 year

  • Website analytics — 12 months

  • Backups — Rolling 12 months

  • Support tickets — Duration of the account + 12 months

On request by the school or the teacher:

  • Account deletion (on request): removed from production systems within 30 days; backups and archival systems fully purged within 12 months.

  • Data export: available in open formats (CSV, PDF, standard image) directly from product settings; on termination, a 30-day export window applies before deletion begins.

  • Contract termination: all student data deleted from production within 90 days; backups and archival systems within 12 months. We never delete student work while a contract is in force.

Security

Summary (full detail on /security):

  • Encryption: TLS 1.3 in transit, AES-256 at rest.

  • Access control: least-privilege, MFA for administrators, role-based access.

  • Hosting: Microsoft Azure US Central, VPC isolation, DDoS protection.

  • Application security: OWASP Top 10 controls, code review, CI/CD with no direct server access.

  • Passwords: SHA-512 hashing.

  • Incident response: notification to the school within 72 hours of confirming an incident, or sooner where a contract or state law requires it.

We do not currently hold SOC 2 Type II certification. We will publish our status transparently if and when that changes.

Your rights

Under FERPA

Right to inspect, review, amend, and consent to disclosure of education records. These rights are exercised through the school per the FERPA framework.

Under COPPA

Right to review, delete, and refuse further collection. Exercised through the school under the school-authorization model, or directly via privacy@ed.ai.

Under California law

California residents have the right to:

  • Know what personal information we collect and why

  • Access and delete their information

  • Correct inaccurate information

  • Opt out of "sale" or "sharing" (Ed.ai does neither)

  • Limit the use of sensitive personal information (Ed.ai collects none)

  • Non-discrimination for exercising rights

Student information is governed by SOPIPA, which is stricter than CCPA/CPRA — see /state-laws.

Under other state consumer laws

Residents of US states with consumer privacy laws have analogous rights (access, delete, correct, portability, and opt out of targeted advertising — which Ed.ai doesn't conduct).

How to exercise your rights

  • In-product: account settings (access, export, delete)

  • By email: privacy@ed.ai

  • By mail: Ed AI Technologies, Inc. · 56 Broad St STE 63766, Boston, MA 02109

  • Through your school or district (required for FERPA/COPPA)

We respond within 30 days (or the shorter period required by applicable state law).

Cookies & tracking

Ed.ai uses:

  • Strictly necessary cookies for authentication, session management, CSRF protection

  • Functional cookies to remember preferences

  • Analytics via Google Analytics, configured with IP anonymization and consent, with no Google advertising or remarketing features enabled

  • Error tracking via Sentry (PII scrubbing enabled; no personal data in stack traces)

No advertising networks and no remarketing pixels. Analytics cookies are set only with consent.

Contact & complaint channels

Primary contact

  • Email: privacy@ed.ai

  • Mail: Ed AI Technologies, Inc. · 56 Broad St STE 63766 · Boston, MA 02109

  • Phone: +1 617 545 7366

Regulatory complaint channels

  • FTC (COPPA): https://www.ftc.gov/coppa

  • U.S. Department of Education (FERPA): https://studentprivacy.ed.gov

  • Your State Attorney General for state-specific issues

  • Your school district's data privacy officer for FERPA rights

Changes to this policy

We update this policy when laws, products, or sub-processors change. The current version is always posted on this page with its effective date, and previous versions are archived and available on request at privacy@ed.ai.