Privacy Policy

1. Who We Are

IEP Desk ("we," "our," or "us") operates the website located at iepdesk.com and the web application located at app.iepdesk.com (collectively, the "Service"). IEP Desk is the data controller for the purposes of this Privacy Policy.

For any privacy-related questions or requests, please contact us at the email address provided in Section 12 of this policy.

2. Information We Collect

Information you provide directly

• Account information: email address and password when you register for an account.
• Child profile information: your child's first name (or a nickname of your choice), disability category, school district, and grade level — only what you choose to enter.
• IEP data: IEP documents you upload (PDF), goals, progress notes, diary entries, meeting records, and communications you log within the application.
• Communications: messages you send to us through support channels.

Information collected automatically

• Usage data: pages visited, features used, session duration, and error logs, for the purpose of improving the Service.
• Device and technical data: browser type, operating system, and IP address, used solely for security monitoring and technical support.
• Cookies: session authentication cookies necessary for the Service to function, and optional analytics cookies. See our Cookie Policy for full details.

Information from third-party services

If you access the Service through a third-party subscription platform (currently Skool), we receive confirmation of your subscription status only. We do not receive any payment card data — payments are processed entirely by the subscription platform.

3. How We Use Your Information

• To create and manage your account and provide the Service.
• To process IEP documents you upload using AI document analysis. Documents are sent to a third-party AI provider (currently Anthropic) solely for analysis; they are not used to train AI models and are not retained by the AI provider beyond the duration of the API request.
• To generate legal letters and documents based on the information you provide.
• To send transactional communications (account confirmation, security alerts). We do not send marketing emails without your explicit opt-in consent.
• To monitor for and respond to security incidents.
• To improve and maintain the Service using aggregated, anonymized usage data.

4. Data Storage and Security

All user data is stored on Supabase infrastructure hosted in the United States (East US region). We implement the following technical and organizational security measures:

• Encryption at rest: all data is encrypted at rest using AES-256 encryption.
• Encryption in transit: all data is transmitted over TLS 1.3 encrypted connections.
• Row-Level Security (RLS): our database enforces row-level security policies that prevent any user from accessing another user's data — even in the event of an application-layer error.
• Document storage: uploaded IEP documents are stored in a private, access-controlled storage bucket. Documents are not publicly accessible and cannot be retrieved without authenticated credentials.
• Access controls: access to production systems is restricted to authorized personnel only and governed by least-privilege principles.

No security system is impenetrable. In the event of a data breach that creates a material risk to your rights, we will notify affected users within 72 hours of becoming aware of the incident.

5. Children's Privacy and COPPA

IEP Desk is a tool designed for parents and guardians of children with IEPs — not for direct use by minors. We do not knowingly collect personal information directly from children under the age of 13.

When you enter information about your child within the Service, you are doing so as the parent or legal guardian and in that capacity you authorize the processing of that information to provide the Service to you. Information about your child is used exclusively to help you manage their IEP process and is never shared with third parties except as described in Section 6.

If you believe a minor under 13 has independently created an account on the Service, please contact us immediately using the contact information in Section 12 and we will delete that account and associated data promptly.

6. Third-Party Service Providers

We share data with the following categories of third-party service providers, solely as necessary to provide the Service:

• Supabase: database and file storage provider (United States). Supabase processes data on our behalf under a data processing agreement and does not use your data for its own purposes.
• Anthropic: AI API provider used for IEP document analysis and AI Legal Assistant features. Data submitted to the Anthropic API is processed under Anthropic's API terms, which include a prohibition on using API data to train models. No personally identifiable data is included in prompts beyond what is necessary for the specific analysis requested.
• Subscription platform: your subscription and payment are managed by a third-party platform (currently Skool). We receive only a subscription status signal; we have no access to payment card data.

We do not share your data with any analytics companies, advertising networks, data brokers, or other third parties beyond those listed above.

7. Data Retention

We retain your account data and associated child and IEP information for as long as your account remains active. If you delete your account, all personal data associated with your account — including child profile information, uploaded documents, and diary/progress entries — is permanently deleted from our systems within 30 days, with the exception of data that must be retained to comply with legal obligations or to resolve disputes.

Automated usage logs are retained for up to 90 days for security monitoring purposes before being permanently deleted.

8. Your Rights and Choices

You have the following rights with respect to your personal data:

• Access: you can request a copy of all personal data we hold about you.
• Correction: you can update or correct your account information at any time within the application settings.
• Deletion: you can request deletion of your account and all associated data. An account deletion option is available in the application settings. Alternatively, contact us directly using the information in Section 12.
• Data portability: you can request an export of your data in a machine-readable format.
• Opt-out of marketing: if you have consented to marketing communications, you can withdraw that consent at any time using the unsubscribe mechanism in any marketing email.

To exercise any of these rights, contact us using the information in Section 12. We will respond to all requests within 30 days.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete personal information, the right to opt out of the sale or sharing of personal information (we do not sell or share personal information), and the right to non-discrimination for exercising your privacy rights. To exercise these rights, contact us using the information in Section 12.

10. Links to Third-Party Websites

The Service may contain links to external websites, including government resources (such as idea.ed.gov and parentcenterhub.org) and third-party information sources. This Privacy Policy applies only to the IEP Desk Service. We have no control over and accept no responsibility for the privacy practices of any third-party websites.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify active users by email or through a prominent notice within the application at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

12. Contact

For all privacy-related questions, requests to exercise your rights, or to report a privacy concern, please contact us at:

IEP Desk
Email:

We aim to respond to all privacy requests within 5 business days.