Privacy Policy — AI Innovation Index
Effective Date: September 16, 2025
Territorial Scope & Hosting: U.S. PreK–12 (student survey Grades 5–12); hosted in the United States
Who we are. AI for Equity provides the AI Innovation Index participant portal to School Systems.
Link placement. We provide a prominent link to the Student Survey Privacy Notice at the top of the Student Endpoint and in the footer of staff/admin login and portal pages; we do not publish the notice on the public web.
A. Data We Collect
Students (Grades 5–12). Students do not have accounts and do not authenticate to use Student Endpoints. We collect only four closed‑ended answers per instrument and set a first‑party session/security cookie on Student Endpoints for session integrity, Cross-Site Request Forgery (CSRF) protection, and abuse prevention. We do not use third‑party analytics, advertising tags, or cross‑site trackers on Student Endpoints. We do not collect names, emails, student IDs, demographics, device IDs, advertising IDs, or third‑party cookies on Student Endpoints. We do not intentionally store IP addresses with responses, and we configure systems so Student Endpoint responses are not associated with network identifiers.
Staff/Admin Users. Access to the participant portal requires a managed staff/admin account provisioned by the Customer. We collect business contact data (name, work email, role) and operational metadata (auth events, role assignments). If enabled by Customer, we process identifiers necessary to provide Single Sign-On (SSO) (Google/Microsoft/Clever) and Multi-Factor Authentication (MFA) (Twilio SMS) for staff/admin only.
Leadership (C‑suite). We collect self‑assessment responses as part of the twice‑yearly participation requirement. Responses are retained with staff/admin accounts for the term of participation and are reported only in aggregate.
B. How We Use Information
Students do not have accounts or logins; staff/admin users access the participant portal via managed accounts provisioned by the Customer. For staff/admin surveys, we record per‑user completion status (e.g., submitted/timestamp) to support survey operations; responses are reported only in aggregate, and access to any linkage between roster records and responses is limited to AI Innovation Index super users for operational and quality purposes.
We use information as follows: (i) to deliver the student survey, maintain integrity/availability, and generate aggregate reports; (ii) to deliver the staff pulse survey, maintain integrity, and generate aggregate reports; (iii) to deliver the leadership self‑assessment and integrate results with staff and student data to generate triangulated reporting; (iv) to allow participants to triangulate data across student, staff, and leadership perspectives; (v) to contextualize performance and progress versus national norms; (vi) to identify top‑performing systems across AI Innovation Index metrics; and (vii) to allow participants to access resources, artifacts, and program supports aligned to AI Innovation Index metrics. Staff/Admin data is also used to operate the portal, provide support, and send service communications.
C. Children & COPPA
Student Endpoints may be accessed by students in Grades 5–12, including children under 13, under school authorization. The Service is not directed to children. On Student Endpoints we use only a first‑party, strictly necessary session/security cookie, used solely to support internal operations (as that term is used in COPPA). We do not collect contact information and, other than that cookie, we do not collect persistent identifiers from students. Under COPPA, this design does not require verifiable parental consent; we publish the Student Survey Privacy Notice, which describes the cookie and its retention.
If future features would collect children's personal information beyond support for internal operations, we will first provide direct notice and implement verifiable parental consent using COPPA‑approved methods before enabling those features.
D. Protection of Pupil Rights Amendment (PPRA)
The instrument contains four closed‑ended items that do not address any of the eight protected categories under PPRA. If the instrument changes, we will coordinate with the Customer on any required PPRA notices/consents.
E. Reporting & Disclosure‑Avoidance
We publish only aggregate results meeting k ≥ 15 with complementary suppression and additional rounding/suppression to prevent back‑calculation. We do not make any personal information publicly visible. Within the participant portal only, we will display School System names achieving 3/4 or 4/4 on scored metrics.
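The following is an added worked example, not code from the AI Innovation Index or its policy, of the kind of disclosure‑avoidance pass section E describes: a k ≥ 15 threshold, complementary suppression so that a withheld cell cannot be recovered by subtracting the published cells from a published total, and rounding of the surviving counts. The row layout, the response categories, the sample counts, and the rounding base of 5 are constructed for illustration; the Service's actual rounding and suppression rules are not specified on this page.

```python
from typing import Optional

K_MIN = 15        # section E: publish a cell only when it covers k >= 15 respondents
ROUND_BASE = 5    # assumed rounding base for published counts (illustrative, not the Service's rule)


def round_to_base(n: int, base: int = ROUND_BASE) -> int:
    """Round n to the nearest multiple of base (integer n with base 5 never ties)."""
    return base * round(n / base)


def suppress_row(counts: dict[str, int]) -> dict[str, Optional[int]]:
    """Apply threshold, complementary suppression and rounding to one row of counts.

    Returns a dict mapping each category to a rounded count, or None when the
    cell is withheld, plus a "_total" entry for the row total (None when the
    whole row falls below K_MIN).
    """
    suppressed = [cat for cat, n in counts.items() if n < K_MIN]   # primary suppression
    total = sum(counts.values())
    publish_total = total >= K_MIN

    # Complementary suppression: with exactly one cell withheld and the total
    # published, the withheld cell equals total minus the other cells, so the
    # smallest remaining cell is withheld as well.
    if publish_total and len(suppressed) == 1:
        remaining = [(n, cat) for cat, n in counts.items() if cat not in suppressed]
        if remaining:
            suppressed.append(min(remaining)[1])

    out: dict[str, Optional[int]] = {}
    for cat, n in counts.items():
        out[cat] = None if cat in suppressed else round_to_base(n)
    out["_total"] = round_to_base(total) if publish_total else None
    return out


def back_calculable(published: dict[str, Optional[int]]) -> bool:
    """True when exactly one cell is withheld while the row total is published,
    i.e. the withheld value can be recovered by subtraction."""
    cells = [v for k, v in published.items() if k != "_total"]
    return published.get("_total") is not None and cells.count(None) == 1


if __name__ == "__main__":
    # Constructed sample rows (not real survey data).
    rows = [
        {"Strongly agree": 40, "Agree": 12, "Disagree": 33, "Strongly disagree": 27},
        {"Strongly agree": 40, "Agree": 12, "Disagree": 9, "Strongly disagree": 27},
        {"Strongly agree": 5, "Agree": 3},
    ]
    for row in rows:
        published = suppress_row(row)
        print(published, "back-calculable:", back_calculable(published))
```

Note that a threshold‑only pass is not enough: withholding the single cell below k while publishing the row total leaks that cell exactly, which is why the complement is withheld and the survivors are rounded.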
F. Cookies & Tracking
On Student Endpoints, we set a single first‑party session/security cookie and use no third‑party tags, analytics, or advertising. That cookie is used solely for session integrity, Cross-Site Request Forgery (CSRF) protection, and abuse prevention, and it expires at the end of the browser session. Staff/admin pages use only strictly necessary cookies and SSO/MFA‑related identifiers; we do not allow third‑party advertising or analytics trackers on staff/admin pages. We do not display advertisements on Student Endpoints or staff/admin pages, and we do not conduct targeted or behavioral advertising on or off the Service for any user. We do not permit third‑party tracking technologies to collect information on our Service for their own purposes (including advertising or unrelated analytics). We also do not track users across third‑party websites or services to build profiles or target advertising.
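As an added illustration (not the Service's own implementation), the following shows what a session‑lifetime, first‑party security cookie of the kind described in section F looks like on the wire, and one standard way such a cookie supports CSRF protection: a token derived from the session identifier with an HMAC under a server‑side key, submitted with the form and verified in constant time. The cookie name `sid`, the server key, and the request handling shape are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed per-deployment secret; generated here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "sid"   # assumed cookie name


def new_session_cookie() -> tuple[str, str]:
    """Mint a random session id and the Set-Cookie header value for it.

    No Expires/Max-Age attribute is set, so the browser discards the cookie at
    the end of the session; Secure, HttpOnly and SameSite=Strict keep it off
    plaintext connections, away from script, and out of cross-site requests.
    """
    sid = secrets.token_urlsafe(32)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["samesite"] = "Strict"
    cookie[COOKIE_NAME]["path"] = "/"
    return sid, cookie.output(header="").strip()


def csrf_token(sid: str) -> str:
    """Derive the CSRF token for a session: HMAC-SHA256(server key, session id).
    Nothing per-token is stored server-side; the token is bound to the session."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def verify_submission(cookie_header: str, submitted_token: str) -> bool:
    """Accept a form submission only if the session cookie is present and the
    submitted token matches the one derived for that session."""
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if COOKIE_NAME not in cookies:
        return False
    expected = csrf_token(cookies[COOKIE_NAME].value)
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    sid, set_cookie = new_session_cookie()
    print("Set-Cookie:", set_cookie)
    token = csrf_token(sid)
    print("valid submission:", verify_submission(f"{COOKIE_NAME}={sid}", token))
    print("token from another session:", verify_submission(f"{COOKIE_NAME}={sid}", csrf_token("other")))
    print("no session cookie:", verify_submission("", token))
```

Two practitioner caveats: "session‑lifetime" is enforced by the browser, and browsers that restore a previous session on restart may keep such cookies longer than a literal reading of "end of the browser session" suggests; and because the token is derived from the session id rather than stored, rotating the session id after any privilege change also invalidates outstanding tokens, which is the intended behaviour.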
G. Subprocessors
We use subprocessors solely as service providers under confidentiality and data‑use restrictions. We do not sell or rent personal information. We also do not sell de‑identified or aggregate student data. We do not share personal information with third parties for their advertising or marketing purposes, and our service providers are contractually prohibited from using personal information for marketing. Current subprocessors include Heroku (Salesforce) and Heroku Postgres (Salesforce) for hosting and database; SendGrid (Twilio) for email; Google OAuth, Microsoft OAuth, Clever SSO, and Twilio for identity/MFA; and Tailwind CDN, jsDelivr, unpkg, and Google Fonts for staff/admin assets only. Our service providers act only on our instructions under their provider terms (including, where available, data processing terms) and may not use personal information for their own purposes, including advertising or analytics unrelated to our Service. Static asset providers for staff/admin pages deliver assets only, process limited request logs, receive no personal information from us, and do not act as our processors. We do not allow third parties to use our data to create advertising profiles or perform data enhancement for advertising, and we do not use automated decision‑making for ad targeting. We maintain a current Subprocessor List, and Customers may request it at any time to see the latest approved providers.
Service‑provider commitments. Each service provider that processes personal information on our behalf is subject to provider terms (and, where offered, data processing terms) that (i) limit processing to our documented instructions; (ii) require appropriate security; (iii) prohibit secondary use or onward disclosure except as required by law; (iv) provide prior notice of any new sub‑processors and flow down equivalent obligations, and, where feasible, offer a right to object or to terminate the affected component; (v) require prompt notice of incidents affecting personal information; and (vi) require deletion or return of personal information at the end of the engagement.
Categories of Personal Information Shared with Service Providers (minimum necessary):
• Hosting (Heroku / Heroku Postgres): tenant configuration data, de‑identified/aggregate analytics, limited staff/admin account metadata necessary to operate the Service.
• Email Delivery (SendGrid): staff/admin work email and message content for Service communications.
• Identity & MFA (Google OAuth; Microsoft OAuth; Clever SSO; Twilio SMS): staff/admin identifiers necessary for SSO/MFA (e.g., name, work email, Identity Provider (IdP) subject ID; phone number for SMS MFA).
• Static Asset CDNs for staff/admin pages (Tailwind CDN; jsDelivr; unpkg; Google Fonts): no personal information; providers may process limited request logs.
These disclosures are strictly necessary to provide the Service, are not sales or 'sharing' for cross‑context behavioral advertising, and do not authorize providers to build advertising profiles.
H. Security
We align with the NIST Privacy Framework and employ encryption in transit and at rest, role‑based access control (RBAC) with least‑privilege access, and Multi-Factor Authentication (MFA), which is available to all staff/admin accounts and required for super‑admin accounts. Quarterly external vulnerability scans and an annual third‑party penetration test are on our roadmap. For staff/admin accounts we enforce password complexity, lock accounts after repeated failed logins, and notify users of unusual account activity. Users can view recent login activity in their account.
I. Data Retention & Deletion
For purposes of this policy, "participation" means the period during which the Customer maintains an active account and uses the Service; participation ends when the Customer's access is terminated or the account is cancelled.
Student responses. Stored as individual, non‑identifying records (no names/emails/IDs; no IP addresses or device identifiers) and reported only in aggregate. We retain student response records for the term of participation to support longitudinal reporting; upon termination of participation by a Customer, we will de‑identify or delete student response records within 180 days, unless a longer period is required by law.
QA artifacts. Non‑identifying QA records are retained ≤ 6 months and then de‑identified and/or deleted.
Student session/security cookie. Session‑lifetime only.
Staff/admin contact data. Retained for the term of participation and deleted or de‑identified within 180 days after termination.
Leadership self‑assessment. Retained with staff/admin accounts for the term of participation to support reporting and program services, then deleted or de‑identified within 180 days after participation ends.
Rosters/config files. Retained for the term of participation to administer access and survey operations (including completion tracking). Upon termination of participation, we delete within 180 days (or earlier upon Customer request), unless a longer period is required by law.
Upon termination of participation, we will complete deletion or de‑identification of staff/admin data within 180 days unless a longer period is required by law.
See §K (Privacy Rights & Requests) for how access, correction, and deletion requests are processed.
J. Incident Response
We will notify Customer of a confirmed breach without undue delay and no later than 72 hours after confirmation and will cooperate on notifications and remediation.
K. Privacy Rights & Requests (Staff/Admin; Students/Parents)
Staff/Admin. We assist the Customer (employer/school system) in responding to requests to access, correct, or delete staff/admin personal information, consistent with the California Privacy Rights Act (CPRA) and similar state laws, and we will complete deletion or de‑identification within 30 days unless a longer period is required by law. We do not host or maintain district email systems and are not a records custodian for district email.
Students/Parents. We do not maintain student personal information; Student Endpoint responses are collected without identifiers and reported only in de‑identified aggregates. If a district receives a parent/eligible‑student request under FERPA, we will support the district to confirm the absence of student‑level records in our systems and to address the request.
L. Changes to this Policy
We may update this policy to reflect operational or legal changes. We will notify Customer administrators when material changes take effect.
M. Business Transfers
In the event of a merger, acquisition, reorganization, or bankruptcy, Customer data may be transferred to a successor subject to the same commitments in this Privacy Policy. We will notify Customer administrators prior to any transfer where feasible, and the successor will honor existing privacy, security, and deletion commitments.
N. Social Features (N/A)
The Service provides no social networking or public posting features. Users cannot interact with other users within the Service. Because there are no public postings, content filtering and interaction moderation are not applicable.