Privacy Policy

iTANU Assessment Management System

---

1. Introduction

Welcome to iTANU AMS (Assessment Management System). We are committed to protecting your privacy and the privacy of students using our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our educational assessment platform.

In accordance with the ECNO Student Digital Privacy Standard, we communicate our privacy notices, terms of use, and contracts in clear, specific, and unambiguous language that explains to users how their personal information is being used, processed, disclosed, and retained by us and any third parties.

Easy Access to Privacy Policy: Links to this Privacy Policy and our Terms of Use are easily accessible:

• In the footer of every page on our platform
• In your account settings after account creation
• Via direct link provided during account setup
• Available upon request at daniel@itanu.ai

iTANU AMS is designed for educational institutions, teachers, and students. We comply with applicable privacy laws and standards including:

• FERPA (Family Educational Rights and Privacy Act) - U.S. federal law protecting student education records
• COPPA (Children's Online Privacy Protection Act) - U.S. federal law protecting children under 13
• GDPR (General Data Protection Regulation) - European Union regulation protecting personal data
• PIPEDA (Personal Information Protection and Electronic Documents Act) - Canadian federal law protecting personal information
• ECNO Student Digital Privacy Standard - Educational Computing Network of Ontario standard for student digital privacy
• Provincial Privacy Laws - Alberta PIPA, British Columbia PIPA, and Quebec privacy laws where applicable
• State and local privacy laws applicable to educational data

By using our platform, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

---

2. Information We Collect

In accordance with the ECNO Student Digital Privacy Standard, we explicitly state all data elements we collect and the specific purpose for collecting each element. We collect only the personal information required to operate our educational assessment service.

2.1 Information You Provide Directly

For Teachers and Administrators:

• Name, email address, and contact information
• School or institution affiliation
• Class rosters and student information you upload
• Assessment questions, rubrics, and curriculum materials
• Feedback and evaluations you provide to students

For Students:

• Name and email address (optionally provided by your teacher; email addresses are not required)
• Assessment responses, including:
  • Audio recordings of your voice responses
  • Video recordings (if enabled)
  • Text responses
  • Uploaded files (PDFs, images, documents)
• Academic level and class enrollment information

For Parents/Guardians (K-12 Students):

• Contact information (email, phone number if provided)
• Relationship to student

2.2 Information Collected Automatically

Usage Data:

• Login times and session information - Purpose: To maintain secure user sessions and prevent unauthorized access
• Assessment completion times - Purpose: To track assessment progress and provide completion status to teachers
• Platform usage patterns and features accessed - Purpose: To improve platform functionality and user experience (using aggregated, anonymized data)
• Device information (browser type, operating system) - Purpose: To ensure platform compatibility and provide technical support
• IP address and general location information - Purpose: To maintain security, prevent fraud, and comply with legal requirements

Technical Data:

• Audio transcription data (generated from your voice recordings) - Purpose: To convert audio responses to text for AI evaluation and teacher review
• System logs and error reports (anonymized) - Purpose: To maintain platform security, troubleshoot technical issues, and ensure service reliability
• Performance metrics and analytics - Purpose: To monitor platform performance and improve service quality (using aggregated, anonymized data)

What We Do NOT Collect:

In accordance with the ECNO Student Digital Privacy Standard, we explicitly do NOT collect the following information:

• Browser history
• Contact lists
• Search terms
• User preferences (beyond platform settings)
• Device identification (beyond browser/OS type for compatibility)
• Precise location data (only general location from IP address for security)
• Any information not directly related to providing the educational assessment service

Covert Collection Prohibition:

We never collect personal information covertly (without user knowledge). All audio and video recordings are made only with explicit user action (e.g., clicking a record button) and clear indication that recording is active. Users are always aware when audio/video is being captured.

2.3 Information from Third Parties

Learning Management Systems (LMS):

If your school uses an LMS integration (Canvas, Google Classroom, Moodle), we may receive:

• Class rosters
• Student enrollment information
• Grade information (if grade passback is enabled)

AI Services:

• We use OpenAI services (GPT models, Whisper) for assessment evaluation and transcription
• Audio recordings and transcripts are sent to OpenAI for processing
• See Section 8 (Third-Party Services) for more details

---

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Educational Services

• Assessment Administration: To create, distribute, and manage assessments
• AI-Powered Evaluation: To evaluate student responses using artificial intelligence
• Grading and Feedback: To generate scores, grades, and individualized feedback
• Progress Tracking: To track student performance over time and generate analytics
• Classroom Management: To manage class rosters, enrollments, and access

Statistical Analysis and Profiling:

• Clear Communication: Where we use data for statistical analysis and profiling, for making assessments, for predicting behavior, or as part of a decision-making process, this is clearly communicated to users along with an explanation of how such analysis is used
• Transparency: We explain:
  • What statistical analysis is performed (e.g., performance trends, learning analytics)
  • How profiling is used (e.g., adaptive question generation based on student responses)
  • How predictions are made (e.g., AI evaluation of assessment responses)
  • How decisions are made (e.g., rubric-aligned scoring)
• No Marketing Profiling: We do not profile children for marketing purposes or in ways that lead to unfair, unethical, or discriminatory treatment

3.2 Platform Operations

• Account Management: To create and manage user accounts
• Authentication: To verify your identity and control access to the platform
• Communication: To send you important updates, notifications, and support communications
• Technical Support: To provide customer support and troubleshoot issues

3.3 Improvement and Development

• Platform Improvement: To improve our services, features, and user experience
• Analytics: To analyze usage patterns and platform performance (using aggregated, anonymized data only)
• Research: To conduct educational research using de-identified or anonymized data only, and only with express consent or as authorized by statute

3.4 Legal and Compliance

• Compliance: To comply with legal obligations and standards, including FERPA, COPPA, GDPR, PIPEDA, and the ECNO Student Digital Privacy Standard
• Safety and Security: To protect the security and integrity of our platform
• Legal Requests: To respond to legal requests and protect our rights

---

4. How We Share Your Information

Use, Retention, Disclosure:

• Service-Only Use: We use, disclose, and retain personal information only for the purpose of providing the educational assessment service
• No Profit from Student Data: We do not benefit or profit from student personal information. We do not sell, rent, or monetize student data
• No Marketing Profiling: We do not profile children for marketing purposes or in ways that lead to unfair, unethical, or discriminatory treatment
• No Repurposing: We do not repurpose student data or use it for research without express consent, unless authorized by statute or the data is fully anonymized

We do not sell your personal information. We share information only in the following circumstances:

4.1 With Your Educational Institution

• Student assessment data, grades, and progress information are shared with authorized teachers and administrators at your school
• Class rosters and enrollment information are shared with teachers for their assigned classes

4.2 With Service Providers (Third-Party Vendors)

We work with trusted service providers who help us operate our platform:

• OpenAI: We use OpenAI's GPT models for assessment evaluation and Whisper for audio transcription. Audio recordings and transcripts are sent to OpenAI for processing. OpenAI is contractually required to protect your data and may not use it to train their models.
• MongoDB Atlas: Our database hosting provider (stores assessment data, user accounts)
• Amazon Web Services (AWS): Our cloud infrastructure provider (stores audio files, backups)
• Cloudflare: Content delivery and security services
• Email Services: For sending notifications and communications

All service providers are contractually required to:

• Protect your data with appropriate security measures
• Use your data only for the purposes we specify
• Comply with applicable privacy laws (FERPA, GDPR, COPPA, PIPEDA)

4.3 With Your Consent

• We may share information with third parties when you explicitly consent
• For example, if you request data to be shared with another educational tool

4.4 Legal Requirements

We may disclose information if required by law, including:

• In response to a subpoena, court order, or legal process
• To comply with FERPA, COPPA, or other applicable laws
• To protect our rights, privacy, safety, or property
• In connection with a legal investigation

4.5 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership.

---

5. Data Security

We maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks (e.g., unauthorized access or use, unintended or inappropriate disclosure) through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.

5.1 Technical Safeguards

Defined Technical Safeguards:

• Encryption in Transit: All data is encrypted in transit using TLS 1.3 (minimum TLS 1.2) to prevent interception during transmission
• Encryption at Rest: All data is encrypted at rest using AES-256 encryption to protect data stored in databases and file systems
• Access Controls: Role-based access control (RBAC) ensures users can only access data they are authorized to see based on their role (student, teacher, administrator)
• Authentication: Secure authentication using access codes and email verification to prevent unauthorized access
• Network Security:
  • Firewalls to restrict unauthorized network access
  • DDoS protection to prevent denial-of-service attacks
  • Secure network architecture with network segmentation
• Regular Security Audits: We conduct regular security assessments and vulnerability scans to identify and remediate security weaknesses
• Intrusion Detection: Monitoring systems to detect unauthorized access attempts
• Secure Session Management: Secure session tokens with automatic timeout to prevent session hijacking

5.2 Administrative Safeguards

Defined Administrative Safeguards:

• Employee Training: All employees receive privacy and security training on data handling, FERPA, COPPA, GDPR, PIPEDA, and ECNO requirements
• Access Logging: We log all access to sensitive data for audit purposes and security monitoring
• Incident Response: We have documented procedures in place to respond to security incidents
• Access Reviews: Regular review of user access permissions to ensure least privilege
• Security Policies: Comprehensive security policies and procedures documented and regularly updated
• Background Checks: Employee background checks for personnel with access to sensitive data

5.3 Physical Safeguards

Defined Physical Safeguards:

• Cloud Infrastructure: Data is stored in secure, certified data centers (AWS, MongoDB Atlas) with physical access controls
• Backup Security: All backups are encrypted and stored securely in separate geographic locations
• Data Center Security: Physical security measures including access controls, surveillance, and environmental controls at data center facilities

5.4 Vendor Security Requirements

• Same Security Standards: We ensure that all vendors we use to provide the service implement the same security safeguards as defined in this policy
• Contractual Requirements: All vendors are contractually required to:
  • Implement equivalent security safeguards
  • Comply with applicable privacy laws (FERPA, COPPA, GDPR, PIPEDA)
  • Report security incidents to us immediately
  • Undergo security assessments
• Vendor Monitoring: We regularly assess vendor security practices to ensure ongoing compliance

5.5 Successor Entity Requirements

• Ongoing Obligations: In the event of a merger, acquisition, or sale of assets, we ensure that all successor entities are contractually obligated to implement the same security safeguards for personal information previously collected
• Continuity of Protection: Student data protection standards will be maintained regardless of changes in ownership or corporate structure

5.6 Breach Protocols

• Breach Detection: 24/7 monitoring and automated systems to detect potential security breaches
• Incident Response Plan: Documented incident response procedures including:
  • Immediate containment of security incidents
  • Assessment of the scope and impact of breaches
  • Notification procedures for affected users, schools, and regulatory authorities
  • Remediation steps to prevent future incidents
• Notification Requirements:
  • FERPA: Notification within 60 days of discovery
  • GDPR: Notification within 72 hours to supervisory authority
  • PIPEDA: Notification as required by law
  • ECNO: Notification to affected schools and parents/guardians
• Post-Incident Review: Analysis of security incidents to improve security measures and prevent recurrence

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.

---

6. Your Privacy Rights

6.1 FERPA Rights (U.S. Students and Parents)

Under FERPA, you have the right to:

• Access: Request to inspect and review your educational records
• Amendment: Request correction of inaccurate or misleading information
• Consent: Control disclosure of your educational records (with certain exceptions)
• Complaint: File a complaint with the U.S. Department of Education if you believe your FERPA rights have been violated

How to Exercise Your FERPA Rights:

• Contact your school's administrator or our privacy team at daniel@itanu.ai
• We will respond to your request within 45 days as required by FERPA

6.2 GDPR Rights (EU Residents)

If you are located in the European Union, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data (subject to legal obligations)
• Right to Restrict Processing: Request temporary restriction of data processing
• Right to Data Portability: Request your data in a machine-readable format
• Right to Object: Object to processing of your data for certain purposes
• Right to Withdraw Consent: Withdraw consent where processing is based on consent

How to Exercise Your GDPR Rights:

• Submit a request to daniel@itanu.ai
• We will respond within 30 days (may be extended to 60 days for complex requests)
• You have the right to lodge a complaint with your local data protection authority

6.3 PIPEDA Rights (Canadian Residents)

If you are located in Canada, you have the following rights under PIPEDA (Personal Information Protection and Electronic Documents Act):

Your PIPEDA Rights:

• Right to Access: Request access to your personal information and information about how it is used
• Right to Accuracy: Request correction of inaccurate, incomplete, or outdated information
• Right to Withdraw Consent: Withdraw consent for collection, use, or disclosure of your information (subject to legal and contractual restrictions)
• Right to Challenge Compliance: Challenge our compliance with PIPEDA principles
• Right to File a Complaint: File a complaint with the Privacy Commissioner of Canada if you believe your privacy rights have been violated

PIPEDA Principles We Follow:

• Accountability: We are responsible for personal information under our control
• Identifying Purposes: We identify the purposes for collecting information before or at the time of collection
• Consent: We obtain meaningful consent for collection, use, and disclosure of personal information
• Limiting Collection: We collect only information necessary for identified purposes
• Limiting Use, Disclosure, and Retention: We use and disclose information only for identified purposes and retain it only as long as necessary
• Accuracy: We keep personal information accurate, complete, and up-to-date
• Safeguards: We protect personal information with appropriate security measures
• Openness: We make information about our privacy practices readily available
• Individual Access: We provide access to personal information upon request
• Challenging Compliance: We provide mechanisms for individuals to challenge our compliance

Provincial Privacy Laws:

• Alberta and British Columbia: If you are located in Alberta or British Columbia, provincial PIPA (Personal Information Protection Act) may also apply
• Quebec: If you are located in Quebec, Quebec's privacy law may also apply
• These provincial laws provide similar rights and protections as PIPEDA

How to Exercise Your PIPEDA Rights:

• Submit a request to daniel@itanu.ai with subject line "PIPEDA Request"
• We will respond within 30 days (may be extended with notice)
• You can file a complaint with the Office of the Privacy Commissioner of Canada at: https://www.priv.gc.ca/en/report-a-concern/

6.4 COPPA Rights (Children Under 13)

For children under 13, we comply with COPPA:

• Parental Consent: We require verifiable parental consent before collecting personal information from children under 13
• Parental Access: Parents can review, delete, or refuse further collection of their child's information
• Limited Collection: We collect only information necessary for the educational service

How Parents Can Exercise COPPA Rights:

• Contact us at daniel@itanu.ai to request access, deletion, or to revoke consent
• We will verify your identity as the parent/guardian before processing your request

6.5 General Rights (All Users)

All users have the right to:

• Account Deletion: Request deletion of your account and associated data (subject to legal retention requirements)
• Data Export: Request a copy of your data in a portable format
• Opt-Out: Opt out of certain communications (you may still receive essential service communications)

6.6 Access and Correction Rights

We provide mechanisms for users to access, correct, erase, and download content they created in a usable format:

• Access to Content: Students can access all content they created, including:
  • Assessment responses (text, audio, video, uploaded files)
  • Their own assessment results and feedback
  • Their profile information
  • All data associated with their account
• Correction of Information: Users can request correction of inaccurate or incomplete information:
  • Contact us at daniel@itanu.ai with subject line "Data Correction Request"
  • We will respond within 30 days and correct any inaccuracies
• Erasure Rights: Users have the right to erasure of their data, including:
  • Metadata and inferences derived from their data
  • Assessment responses and submissions
  • Student profiles
  • All personal information (unless required for administrative purposes or legal retention)
• Content Download: Users can download their content in a usable format:
  • Assessment responses can be exported
  • Audio recordings can be downloaded
  • Assessment results and feedback can be exported
  • Contact us at daniel@itanu.ai with subject line "Data Export Request"
• Response Time: We respond to access and correction requests within 30 days (may be extended with notice for complex requests)

---

7. Children's Privacy (COPPA Compliance)

iTANU AMS is designed for educational use and may be used by children under 13. We take special care to protect children's privacy:

7.1 Parental Consent

• Students Under 18: In accordance with the ECNO Student Digital Privacy Standard, we require verifiable parental consent for the collection, use, and disclosure of personal information of children under 18, unless there is a legal basis for using the application as determined by law or established by regulators
• Students Under 13: We also comply with COPPA, requiring verifiable parental consent before collecting personal information from children under 13
• Consent Process: Consent is typically obtained through your school or educational institution, which acts as the authorized representative
• Granular Consent Options: We offer granular consent options so that users (or parents/guardians) can:
  • Consent to the collection and use of personal information necessary to provide the educational service
  • Choose NOT to consent to the use or disclosure of that information to third parties for other purposes (e.g., marketing)
  • Withdraw consent at any time by contacting us
• Consent Withdrawal: Parents can withdraw consent at any time by contacting us at daniel@itanu.ai

7.2 Limited Data Collection

• We collect only information necessary for the educational service
• We do not collect information from children for marketing purposes
• We do not share children's information with third parties except as necessary for the educational service

7.3 Student Content Ownership and Control

• Student Ownership: Unless explicit consent is obtained, students maintain ownership of and are in control of the content they create and upload to the platform (including assessment responses, audio recordings, video recordings, and uploaded files)
• Content Control: Students have the right to:
  • Access their content at any time
  • Download their content in a usable format
  • Request deletion of their content (subject to legal retention requirements)
  • Control how their content is used and shared

7.4 Generic Accounts and Minimal Information

• Generic Accounts: Educators are allowed to create generic accounts for children (e.g., "Student 1", "Student 2", etc.) to minimize personal information collection
• Minimal Profiles: Educators can create student profiles using as little personal information as possible to avoid excessive collection of personal information
• Email Optional: Student email addresses are optional and not required for account creation

7.5 Student Privacy and Profile Protection

• Private Profiles: Student profiles and activity within the platform are kept private and cannot be seen or collected by others unless the platform feature itself is collaborative and requires this type of sharing (e.g., classroom presence features where students can see who is online)
• Access Control: Only authorized teachers and administrators at the student's school can access the student's profile and assessment data
• No Public Sharing: Student information is never made publicly available or shared with other students unless explicitly required for a collaborative educational feature

7.6 Parental Rights

Parents have the right to:

• Review their child's personal information
• Request deletion of their child's information
• Refuse further collection of their child's information
• Revoke consent at any time
• Access and download their child's content

Contact Information for Parents:

• Email: daniel@itanu.ai
• Subject Line: "COPPA Request - [Your Child's Name]" or "ECNO Request - [Your Child's Name]"

---

8. Third-Party Services

We use the following third-party services that may process your data:

8.1 OpenAI

• Purpose: AI-powered assessment evaluation and audio transcription
• Data Shared: Audio recordings, transcripts, assessment responses, rubrics
• Privacy: OpenAI is contractually required to protect your data and may not use it to train their models
• Location: United States
• Privacy Policy: https://openai.com/policies/privacy-policy

8.2 MongoDB Atlas

• Purpose: Database hosting and data storage
• Data Shared: All platform data (assessments, user accounts, etc.)
• Privacy: MongoDB Atlas is certified for SOC 2, GDPR, FERPA, and PIPEDA compliance
• Location: Canada
• Privacy Policy: https://www.mongodb.com/legal/privacy-policy

8.3 Amazon Web Services (AWS)

• Purpose: Cloud infrastructure, file storage (audio recordings), backups
• Data Shared: Audio files, backups, system logs
• Privacy: AWS is certified for SOC 2, GDPR, FERPA, and PIPEDA compliance
• Location: Canada
• Privacy Policy: https://aws.amazon.com/privacy/

8.4 Cloudflare

• Purpose: Content delivery, DDoS protection, security services
• Data Shared: Network traffic, IP addresses, usage data
• Privacy: Cloudflare is GDPR compliant
• Location: Global (with data processing in various regions)
• Privacy Policy: https://www.cloudflare.com/privacy/

Third-Party Disclosure:

We identify all third parties to which we disclose personal information for processing, the specific data elements involved, and a summary of protections/assurances in place:

Third Party	Data Elements Disclosed	Purpose	Protections/Assurances
OpenAI	Audio recordings, transcripts, assessment responses, rubrics	AI-powered evaluation and transcription	Contractual requirement: No training on data, data protection standards, encryption, deletion after processing
MongoDB Atlas	All platform data (assessments, user accounts, profiles)	Database hosting and storage	SOC 2, GDPR, FERPA, PIPEDA certified; Encryption at rest and in transit; Located in Canada
AWS	Audio files, backups, system logs	Cloud infrastructure and file storage	SOC 2, GDPR, FERPA, PIPEDA certified; Encryption at rest and in transit; Located in Canada
Cloudflare	Network traffic, IP addresses, usage data	CDN and security services	GDPR compliant; DDoS protection; No storage of personal data

All third-party service providers are contractually required to:

• Protect your data with appropriate security measures equivalent to our own
• Use your data only for the purposes we specify
• Comply with applicable privacy laws (FERPA, COPPA, GDPR, PIPEDA, ECNO)
• Notify us of any data breaches immediately
• Implement the same security safeguards as defined in our security program

---

9. Data Retention

We retain your information only as long as necessary for educational and legal purposes:

9.1 Student Educational Records

• Assessment Data: 7 years after student graduation or account closure (FERPA requirement)
• Audio Recordings: 7 years after student graduation or account closure
• Grades and Evaluations: 7 years after student graduation or account closure
• Student Profile Data: 7 years after student graduation or account closure

9.2 User Account Data

• Active Accounts: Retained while your account is active
• Inactive Accounts: Deleted 2 years after last login (unless legal retention requirements apply)
• Access Codes: Deleted 90 days after expiration

9.3 System Data

• System Logs: Retained for 90 days (anonymized after 30 days)
• Backup Data: Retained for 7 years in tiered retention schedule

9.4 Deletion Process

When data is deleted:

• Immediate (0-7 days): Access is revoked, account is disabled
• 30 days: Soft delete (recoverable for accidental deletions)
• 90 days: Permanent deletion from active databases
• 180 days: Deletion from backup systems

Secure Destruction and Anonymization:

• Timely Destruction: We securely destroy or make anonymous in a timely manner all personal information that is no longer required to provide the educational assessment service
• Explicit Retention Timelines: All retention periods are explicitly identified in this policy (see Section 9.1-9.3 above)
• Secure Deletion Methods:
  • Database records: Cryptographic erasure and secure deletion
  • Files: Secure file deletion with overwriting
  • Backups: Secure deletion from all backup systems
• Anonymization: When data is anonymized (all identifiers removed), it may be retained for research purposes with appropriate safeguards

Note: Some data may be retained longer if required by law (e.g., FERPA requires 7-year retention of educational records) or if there is a legal hold.

---

10. International Data Transfers

iTANU AMS stores your data primarily in Canada. Our primary data storage providers (MongoDB Atlas and AWS) are located in Canada. However, some data processing may occur in other jurisdictions:

10.1 Data Transfers

• Primary Data Storage: Your data is primarily stored in Canada (MongoDB Atlas and AWS)
• AI Processing: Audio recordings and transcripts are sent to OpenAI (United States) for AI-powered evaluation and transcription
• Safeguards: We use standard contractual clauses and other safeguards to protect your data during transfer
• Service Provider Locations:
  • MongoDB Atlas: Canada
  • AWS: Canada
  • OpenAI: United States

10.2 GDPR Compliance

• For EU residents, we comply with GDPR requirements for international data transfers
• We use appropriate safeguards (standard contractual clauses, adequacy decisions) as required

10.3 PIPEDA Compliance (Canada)

• For Canadian residents, your data is primarily stored in Canada (MongoDB Atlas and AWS)
• Audio recordings and transcripts are sent to OpenAI (United States) for AI processing, but are not stored there permanently
• We use appropriate safeguards (contractual clauses, data processing agreements) to protect your data when transferred to OpenAI
• We ensure that all service providers processing Canadian data meet PIPEDA standards
• You have the right to know where your data is processed and stored

10.4 Your Rights

• You have the right to know where your data is processed
• You can request information about data transfers by contacting us

---

11. Cookies and Tracking Technologies

11.1 Cookies We Use

• Essential Cookies: Required for platform functionality (authentication, session management)
• Analytics Cookies: Used to analyze platform usage (aggregated, anonymized data)
• Preference Cookies: Remember your preferences and settings

11.2 Cookie Management

• You can control cookies through your browser settings
• Disabling certain cookies may affect platform functionality
• We do not use cookies for advertising or tracking across other websites

---

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements:

12.1 Notification of Changes

• Material Changes: We will notify you of material changes via email or platform notification
• Updated Date: The "Last Updated" date at the top of this policy will be revised
• Review: We encourage you to review this policy periodically

12.2 Continued Use

• Your continued use of the platform after changes indicates acceptance of the updated policy
• If you do not agree with changes, you may discontinue use and request account deletion

---

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your privacy rights, please contact us:

Privacy Officer / Data Protection Officer:

• Email: daniel@itanu.ai
• Subject Line: "Privacy Inquiry" or "Privacy Request"

For FERPA Requests:

• Email: daniel@itanu.ai
• Subject Line: "FERPA Request"

For GDPR Requests:

• Email: daniel@itanu.ai
• Subject Line: "GDPR Request"

For PIPEDA Requests (Canadian Residents):

• Email: daniel@itanu.ai
• Subject Line: "PIPEDA Request"
• Alternative: You may also file a complaint with the Office of the Privacy Commissioner of Canada at: https://www.priv.gc.ca/en/report-a-concern/

For COPPA Requests (Parents):

• Email: daniel@itanu.ai
• Subject Line: "COPPA Request - [Child's Name]"

For Security Incidents:

• Email: daniel@itanu.ai
• Subject Line: "Security Incident"

Response Times:

• General Inquiries: Within 5 business days
• Privacy Rights Requests:
  • FERPA: Within 45 days (as required by FERPA)
  • GDPR: Within 30 days (may be extended to 60 days for complex requests)
  • PIPEDA: Within 30 days (may be extended with notice)
• Security Incidents: Immediate acknowledgment, investigation within 24 hours

---

14. Additional Information

14.1 School District Policies

• Your school or educational institution may have additional privacy policies
• Please review your school's policies in addition to this Privacy Policy
• Your school may have additional rights or procedures for accessing student records

14.2 Links to Other Websites

• Our platform may contain links to other websites (e.g., YouTube for curriculum content)
• We are not responsible for the privacy practices of other websites
• We encourage you to review the privacy policies of any third-party websites you visit

14.3 California Privacy Rights

• If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA)
• Contact us at daniel@itanu.ai to exercise your California privacy rights

14.4 Canadian Privacy Rights

• If you are a Canadian resident, you have rights under PIPEDA and applicable provincial privacy laws
• You can file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated
• For Alberta and British Columbia residents, provincial PIPA may also apply
• For Quebec residents, Quebec's privacy law may also apply
• Contact us at daniel@itanu.ai to exercise your Canadian privacy rights

---

15. Definitions

Educational Records: Records directly related to a student and maintained by an educational institution (as defined by FERPA).

Personal Information (PII): Information that can be used to identify an individual, including name, email, student ID, and assessment responses.

Processing: Any operation performed on personal data, including collection, storage, use, and deletion.

Data Controller: The entity that determines the purposes and means of processing personal data (iTANU).

Data Processor: An entity that processes personal data on behalf of the data controller (e.g., OpenAI, AWS).

---