Privacy Policy
Last updated: March 2026
1. Information We Collect
We collect the following categories of information:
- Account information: email address, name, and state of residence
- Child profile information: child's name, grade level, disability categories, and school name — provided by you, the parent or guardian
- Uploaded documents: IEP documents (PDF or photo) that you upload for analysis
- Usage data: pages visited, features used, and interaction patterns to improve the Service
- Payment information: payment card details are collected and processed directly by Stripe; we never see or store your full card number
- Cookies: authentication tokens and analytics cookies (see Section 8)
2. How We Use Your Information
- Provide analysis: process your uploaded IEP documents and generate reports, scores, and recommendations
- Improve the Service: analyze usage patterns and feedback to enhance features and accuracy
- Communicate: send transactional emails (purchase confirmations, account updates) and, with your consent, product updates
- Process payments: facilitate one-time purchases through our payment processor
- Security: detect and prevent fraud, abuse, and unauthorized access
3. AI Processing Disclosure
Your uploaded documents are processed by Anthropic's Claude API to generate analysis, summaries, and recommendations. Anthropic maintains a zero-retention data policy for API usage, meaning your document content is not stored by Anthropic after processing and is never used to train AI models. By uploading a document to IEP Says, you consent to your document being processed by AI for the purpose of generating your analysis report.
4. Third-Party Services
We use the following third-party services to operate IEP Says. Each receives only the minimum data necessary for its function:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing | Payment details, email | stripe.com/privacy |
| Google Analytics | Usage analytics | Anonymized pageview and interaction data | policies.google.com/privacy |
| Supabase | Database & authentication (US-hosted) | Account data, child profiles, analysis results | supabase.com/privacy |
| Anthropic Claude | AI document analysis | Document content (zero-retention) | anthropic.com/policies/privacy |
| Sentry | Error tracking | Error logs, anonymized session data | sentry.io/privacy |
| Cloudflare R2 | Document storage | Uploaded IEP documents | cloudflare.com/privacypolicy |
| Resend | Transactional email | Email address, email content | resend.com/legal/privacy-policy |
5. Data Sharing
We never sell, rent, or share your personal information or document contents for marketing purposes. We share data only with: (a) the third-party service providers listed above, solely to operate the Service; and (b) as required by law, valid legal process, or to protect the rights, property, or safety of IEP Says, our users, or the public.
6. Children's Privacy & COPPA
IEP Says is designed for use by parents and legal guardians — not children. Children never create accounts, log in, or interact with the Service directly. Child information (name, grade level, disability categories, school name) is collected exclusively from parents and guardians for the purpose of tailoring IEP analysis and recommendations. Parents have full control over their child's data and can view, edit, or delete it at any time from their account. Our collection of child data from parents is compliant with COPPA's parent-directed exception.
7. FERPA Awareness
IEP documents contain educational records that may be protected under the Family Educational Rights and Privacy Act (FERPA). IEP Says is not a school vendor, school official, or FERPA business associate. Parents voluntarily upload their own copy of their child's educational records to our platform. We do not receive records from schools or districts, and we do not share uploaded documents or analysis results with schools, school districts, or any educational agency. We process your documents solely to provide you with analysis and plain-language summaries.
8. Cookies & Tracking
IEP Says uses the following cookies:
- Google Analytics cookies (
_ga,_ga_*,_gid): track anonymized pageview and interaction data to help us understand how parents use the Service. These cookies expire after 2 years, 2 years, and 24 hours respectively. - Supabase auth cookies: maintain your logged-in session. These are essential for the Service to function.
We do not use any third-party advertising or remarketing cookies. To opt out of Google Analytics, you can install the Google Analytics Opt-out Browser Add-on.
9. Data Storage & Security
All data is encrypted at rest and in transit using industry-standard encryption. Documents are stored in Cloudflare R2 with access restricted to your account. Our database uses Supabase with Row-Level Security (RLS) policies, ensuring that each user can only access their own data. Access to production infrastructure is restricted to authorized personnel only. We regularly review our security practices and update them as needed.
10. Data Retention
- Active accounts: your data is retained for as long as your account remains active
- Deleted accounts: all data (documents, analysis results, child profiles, and account information) is permanently deleted within 30 days of account deletion
- AI provider: Anthropic maintains a zero-retention policy — document content is not stored after processing
11. Your Rights
You have the right to:
- Access your personal data and your child's stored information
- Correct any inaccurate information in your account or child profiles
- Delete individual documents, child profiles, or your entire account
- Export your data in a portable format
- Withdraw consent for data processing at any time
Most of these actions can be performed self-service from your Settings page. For complex requests, contact privacy@iepsays.com.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). IEP Says does not sell personal information. You have the right to:
- Know what personal information we collect about you and your child
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your CCPA rights
Categories of personal information we collect include: identifiers (name, email), child educational profile information, uploaded documents, and internet activity information (usage analytics).
13. Data Breach Notification
In the event of a confirmed data breach that affects your personal information, we will notify affected users within 72 hours via email. The notification will include the nature of the breach, the types of data affected, and the steps we are taking to address it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or through the platform before the changes take effect. Your continued use of IEP Says after the effective date constitutes your acceptance of the updated policy.
Contact
For privacy-related questions or concerns, contact us at privacy@iepsays.com.