Privacy Policy

openSIS — Student Information System
Effective Date: March 1, 2026
Replaces all prior versions. Last reviewed: February 2026.

Quick Reference Summary

This summary is provided for convenience only. The full policy below governs your rights and our obligations.
  • Who we are: Open Solutions for Education, Inc. ("OS4Ed"), operator of openSIS. Georgia, USA.
  • What we collect: Account data, student/institutional records you upload, device & usage data, cookies.
  • Why we collect it: To provide the Service, ensure security, comply with law, and improve our platform.
  • Do we sell data? No. We do not sell personal information or student data to any third party.
  • Student data: Governed by FERPA, COPPA (2025 Rule), PPRA, and 100+ state student-privacy laws.
  • Your rights: Access, correction, deletion, portability, opt-out of sharing. See Section 9.
  • Data retention: Active account life + 30 days post-termination, then secure deletion. See Section 6.
  • Security: AES-256 at rest, TLS 1.2+ in transit, role-based access, annual pen tests. Industry-standard encryption, role-based access control, regular security testing, and security practices aligned with ISO 27001.
  • Contact us: privacy@opensis.com | opensis.com/contact-us

1. Introduction and Scope

Open Solutions for Education, Inc. ("OS4Ed," "we," "us," or "our") provides openSIS, a cloud-based Student Information System (SIS) offered as a Software-as-a-Service ("SaaS") platform and, for legacy deployments, as on-premises software (together, the "Service").

This Privacy Policy describes how we collect, use, disclose, store, and protect information when you:

  • Visit opensis.com or any subdomain where this Policy is displayed;
  • Create an account and use the Service;
  • Submit student, staff, or institutional data through the Service; or
  • Communicate with us by email, phone, chat, or support ticket.

This Policy applies to all individuals who interact with the Service, including school administrators, teachers, staff, parents, guardians, and eligible students. Where we process personal data as a data processor on behalf of an Institution, that Institution's own policies and our Data Processing Addendum ("DPA") govern such processing, and this Policy applies to the extent it is consistent with the DPA.

On-premises deployments: Where you host openSIS Classic on your own infrastructure, you are the data controller for all data stored on your servers. This Policy applies only to data transmitted to or processed by OS4Ed systems.

2. Key Definitions

"Student Data" means any personally identifiable information (PII) about a student that is contained in an education record, submitted to the Service by or on behalf of an Institution, or generated by the Service in connection with a student's academic activities.

"Institution" means any school, school district, college, university, trade school, or other educational organization that has contracted with OS4Ed for access to the Service.

"Authorized User" means an individual granted access to the Service by an Institution, including administrators, faculty, staff, parents/guardians, and eligible students.

"Personal Information" means information that identifies, relates to, describes, or could reasonably be linked to an individual, as defined under applicable privacy laws including CCPA/CPRA, GDPR, and FERPA.

"Sensitive Personal Information (SPI)" means personal information revealing racial or ethnic origin, religious beliefs, precise geolocation, health/medical data, biometric data, financial account details, Social Security numbers, government-issued identifiers, sexual orientation, and — per 2025 CPRA amendments — neural data and AI-generated representations of individuals. Student Data is inherently treated as SPI.

"Education Record" has the meaning set forth in FERPA (20 U.S.C. § 1232g): records, files, documents, and other materials directly related to a student that are maintained by the Institution or by a party acting on its behalf.

3. Information We Collect

3.1 Information You or Your Institution Provide

Account & Profile Information: When you register or are provisioned an account, we collect your name, email address, job title, institutional affiliation, and credentials. Administrators may also provide billing contact information.

Student & Institutional Data: Institutions upload and manage education records through the Service. These may include student names, dates of birth, addresses, enrollment information, grades, attendance, disciplinary records, health and disability accommodations, IEP/504 plans, and other data maintained for educational administration purposes. OS4Ed processes this data solely as directed by the Institution.

Content & Files: Documents, reports, images, or other files you upload or generate through the Service.

Support Communications: When you contact support, we collect your contact details, description of the issue, and any screenshots or logs you provide.

Payment Information: For paid subscriptions, we collect billing contact details. Payment card information is collected and processed directly by our payment processor (Stripe) and is not stored on our servers.

3.2 Information Collected Automatically

Usage Data: We log actions taken within the Service (e.g., pages visited, features used, search queries) to operate and improve the platform and for security monitoring.

Device & Connection Data: We collect IP address, browser type and version, operating system, device identifiers, referring/exit URLs, time zone, language settings, and crash data.

Cookies & Similar Technologies: We use cookies, web beacons, and similar tracking technologies. See Section 10 (Cookies) for details, including your opt-out rights and our compliance with Global Privacy Control (GPC) signals.

3.3 Information Received from Third Parties

Single Sign-On (SSO): If you log in using a third-party identity provider (e.g., Google Workspace for Education, Microsoft Entra ID, Clever, ClassLink), we receive the profile attributes your institution has authorized that provider to share, such as your name and email.

Integration Partners: When your Institution enables a third-party integration (e.g., an LMS, assessment platform, or state reporting system), we may receive data from those systems as necessary to provide the integration. Each integration is governed by a separate data agreement.

OS4Ed Channel Partners: Consulting, implementation, and reseller partners may provide us with contact and billing information for accounts they manage on behalf of Institutions.

3.4 Information We Do Not Collect

We do not collect the following categories of information through the Service:

  • Biometric data (e.g., fingerprints, facial recognition data) unless explicitly enabled and configured by the Institution for permissible access-control purposes;
  • Precise geolocation data beyond the city/region level derived from IP address;
  • Behavioral advertising profiles or cross-context behavioral data;
  • Information about users' activities on unaffiliated websites or online services.

4. How We Use Information

We use information only for the following purposes:

To Provide and Operate the Service

  • Authenticate users and manage accounts;
  • Process and store education records as directed by Institutions;
  • Generate reports, transcripts, and other educational documents;
  • Enable integrations with third-party systems authorized by the Institution;
  • Process payments and manage subscriptions.

To Maintain Safety and Security

  • Detect, prevent, and investigate unauthorized access, fraud, abuse, and security incidents;
  • Monitor system performance and diagnose technical problems;
  • Verify user identity and activity.

To Communicate With You

  • Send transactional messages (account confirmations, password resets, invoices, security alerts);
  • Provide customer support responses;
  • Send product updates, release notes, and administrative notices;
  • Send optional marketing communications (with opt-out available at any time).

To Improve and Develop the Service

  • Analyze de-identified and aggregated usage trends to improve platform features and performance;
  • Conduct internal research and development;
  • Test new features with consenting users prior to general release.

We will never use Student Data to build advertising profiles, conduct behavioral targeting, or develop AI/ML training datasets without a separate, explicit written agreement with the Institution and any required parental or student consent under applicable law.

To Comply With Legal Obligations

  • Respond to lawful government requests, court orders, and legal process;
  • Enforce our Terms of Service and protect our legal rights;
  • Support audits, compliance reviews, and regulatory inquiries.

4.1 Legal Bases for Processing (EEA, UK, and Swiss Users)

Where EU/UK GDPR or Swiss data protection law applies, our legal bases for processing are:

  • Contract performance: Processing necessary to provide the Service to you or your Institution.
  • Legitimate interests: Security monitoring, fraud prevention, service improvement, and product analytics (where not overridden by your rights).
  • Legal obligation: Compliance with applicable law.
  • Consent: For optional features, marketing communications, and non-essential cookies. You may withdraw consent at any time.

If you are an EEA/UK/Swiss user and wish to object to processing based on legitimate interests, please contact privacy@opensis.com.

5. Student Data & Education Privacy Law Compliance

5.1 FERPA

Where the Institution is subject to the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99) ("FERPA"), OS4Ed operates as a "school official" with a legitimate educational interest, as permitted under 34 C.F.R. § 99.31(a)(1). We will:

  • Use education records only to provide the contracted Service;
  • Not re-disclose education records except as required by law or authorized by the Institution;
  • Support the Institution in honoring FERPA rights, including parent/eligible student access, correction, and opt-out of directory information disclosures;
  • Notify the Institution of any unauthorized access to education records without undue delay.

When a student turns 18 or enrolls in a postsecondary institution, FERPA rights transfer from parents to the eligible student. Institutions must update their access controls accordingly.

5.2 COPPA (2025 Rule — Effective April 22, 2026)

The Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) ("COPPA"), as amended by the FTC's 2025 Rule (effective June 23, 2025; full compliance required by April 22, 2026), applies to our Service when used with students under age 13.

Under the revised COPPA Rule, the Service operates under the school consent exception: Institutions may consent to OS4Ed's collection and use of children's personal information on behalf of parents, solely for educational purposes and with no commercial use. Specifically:

  • We will not use personal information of children under 13 for any commercial purpose, including behavioral advertising;
  • We will not share personal information of children under 13 with third parties without separate verified parental consent, except as necessary to provide the Service or as required by law;
  • We implement a formal written Information Security Program tailored to the sensitivity of children's data, as required by the 2025 Rule;
  • We honor parental requests to review, correct, or delete their child's personal information, routed through the Institution.

2025 COPPA Rule Change: The default has shifted from opt-out to opt-in consent for sharing children's data with third parties. OS4Ed does not share children's data for commercial purposes regardless of opt-in status.

5.3 PPRA

For K-12 Institutions receiving U.S. Department of Education funds, the Protection of Pupil Rights Amendment (20 U.S.C. § 1232h) ("PPRA") governs certain surveys and data collection activities. The Service does not conduct instructional surveys. Where the Service facilitates survey or assessment modules at the Institution's direction, the Institution is responsible for PPRA compliance, including obtaining required parental consent.

5.4 State Student Privacy Laws

As of 2026, more than 140 U.S. state laws address student data privacy. OS4Ed maintains compliance programs covering key state frameworks, including:

  • California SOPIPA & AB 1584: We do not use student data to build commercial profiles, conduct targeted advertising, or sell student data.
  • New York Education Law § 2-d: We offer supplemental data security agreements for New York institutions and honor applicable data breach notification requirements.
  • Texas SCOPE Act and similar state laws: We enter into institution-specific data agreements as required by state law.

If your state imposes specific contractual or policy requirements beyond our standard DPA, please contact privacy@opensis.com.

5.5 GDPR / UK GDPR

For Institutions or users in the European Economic Area (EEA) or United Kingdom, we process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and UK GDPR. We act as:

  • Data Processor: For Student Data and Authorized User data you submit to the Service. The Institution is the Data Controller.
  • Data Controller: For our own operational data (e.g., account data, usage analytics, marketing contacts).

We maintain Standard Contractual Clauses (SCCs) and offer an Article 28 DPA upon request. Cross-border data transfers from the EEA/UK to the U.S. are protected by SCCs or other approved transfer mechanisms. GDPR rights are outlined in Section 9.

5.6 Health Information

Some institutions may use openSIS to manage limited student health records such as immunization records, nurse visits, or health alerts.

While openSIS is primarily designed as an educational administration system and not a healthcare system, OS4Ed applies security practices aligned with industry standards and safeguards consistent with the protection of sensitive health-related information.

6. How We Share Information

6.1 We Do Not Sell Personal Information

OS4Ed does not sell personal information or Student Data to any third party. This applies to selling under CCPA/CPRA, FERPA, and all other applicable state and federal laws.

6.2 Service Providers (Subprocessors)

We share information with carefully vetted third-party vendors that provide services on our behalf, including cloud infrastructure providers (including Microsoft Azure and other trusted infrastructure providers), payment processing (Stripe), email delivery, analytics, and customer support tools. All service providers are bound by data processing agreements requiring them to:

  • Process data only on our documented instructions;
  • Implement appropriate security measures;
  • Not use data for their own commercial purposes;
  • Delete or return data upon contract termination.

A current list of our subprocessors is available upon request at privacy@opensis.com.

CCPA 2026 Requirement: Our privacy policy now explicitly identifies that we share data with service providers and contractors as listed above. If no data is shared with a category, we will state that explicitly.

6.3 Institution Administrators

If your account is provisioned by an Institution (e.g., a school district), that Institution's administrators have access to your account data, including your profile information, activity logs, and the content you create or access within the Service. Your use of the Service is governed by your Institution's policies.

6.4 OS4Ed Channel Partners

We may share account and billing information with authorized implementation, support, or reseller partners who deliver services related to your account. We do not share Student Data with partners unless the Institution has explicitly authorized that sharing in writing.

6.5 Legal Requirements and Protection of Rights

We may disclose information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or enforceable governmental request;
  • Enforce our Terms of Service or other agreements;
  • Detect, prevent, or address fraud, security incidents, or technical problems;
  • Protect the rights, property, or safety of OS4Ed, our users, or the public.

Where legally permitted, we will notify the Institution before disclosing its Student Data in response to a legal process.

6.6 Business Transfers

In connection with a merger, acquisition, asset sale, or restructuring, personal information may be transferred as a business asset. We will notify affected Institutions and Authorized Users by email and/or prominent notice on the Service at least thirty (30) days before any such transfer, and will provide options to delete data if the new owner's practices materially differ from this Policy.

6.7 With Your Consent

We may share information with third parties when you or your Institution explicitly consents to such sharing for a specific purpose not covered above (e.g., participating in a featured case study or testimonial).

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, subject to our legal obligations. Our retention schedule is:

  • Account & profile data: Duration of active account + 30 days after account closure, then deleted.
  • Student Data / Education Records: As directed by the Institution. Deleted within 30 days of account termination (or earlier on request).
  • Usage & log data: Up to 12 months for operational logs; up to 24 months for aggregated analytics (de-identified).
  • Support communications: 3 years from resolution, or as required by law.
  • Payment/billing records: 7 years to satisfy financial and tax record-keeping obligations.
  • Marketing preferences: Until opt-out, then 12 months before purge from marketing systems.
  • Legal hold data: Until the legal matter is resolved, plus applicable statute of limitations.

After applicable retention periods, we securely delete or de-identify data. Where immediate deletion is technically impractical (e.g., backup archives), we isolate data from active systems until deletion is complete, typically within 90 days.

8. Security

8.1 Security Measures

We implement a comprehensive, risk-based information security program that includes:

  • Encryption: Industry-standard encryption for data at rest and in transit.
  • Access controls: Role-based access control (RBAC), principle of least privilege, multi-factor authentication (MFA) for administrator accounts.
  • Network security: Firewalls, intrusion detection systems (IDS), DDoS mitigation, and network segmentation.
  • Vulnerability management: Periodic third-party penetration testing and vulnerability assessments, continuous vulnerability scanning, and a responsible disclosure program.
  • Organizational controls: Background checks for employees with data access, annual security training, and documented incident response procedures.
  • Written Information Security Program (WISP): Maintained and updated annually, satisfying COPPA 2025 Rule requirements for formal documented security programs.
  • Our information security program follows industry-recognized standards and security frameworks, including controls aligned with ISO 27001.

8.2 Data Breach Notification

In the event of a confirmed security incident affecting personal information:

  • We will notify affected Institutions without undue delay and, where required by law, within 72 hours of becoming aware of the breach (GDPR) or within the timeframe required by applicable state law;
  • Notification will include the categories of data affected, likely consequences, and measures taken or proposed to address the breach;
  • We will cooperate with Institutions in their FERPA breach notification obligations to parents and students.

8.3 Your Security Responsibilities

You are responsible for: maintaining the confidentiality of your login credentials; ensuring Authorized Users use strong passwords and enable MFA where offered; promptly revoking access for users who no longer need it; and notifying us immediately at security@opensis.com of any suspected unauthorized access.

9. Your Privacy Rights

Subject to applicable law and your relationship with the Institution, you have the following rights:

9.1 Rights Under U.S. Laws

FERPA Rights (Students/Parents): Right to inspect and review education records; right to request amendment of inaccurate or misleading records; right to consent to disclosure of education records (with exceptions); right to file a complaint with the Family Policy Compliance Office.

CCPA/CPRA Rights (California Residents): 

  • Right to know what personal information we collect, use, share, and disclose;
  • Right to delete personal information (subject to exceptions);
  • Right to correct inaccurate personal information;
  • Right to opt out of sale or sharing of personal information (we do not sell data; our opt-out applies to any cross-context sharing);
  • Right to limit use and disclosure of sensitive personal information;
  • Right to data portability;
  • Right to non-discrimination for exercising privacy rights;
  • Right to opt out of automated decision-making technology (ADMT) for significant decisions (effective January 1, 2027, per CPRA regulations).

Global Privacy Control (GPC): As required by CPPA regulations effective January 1, 2026, we detect, honor, and confirm GPC opt-out signals automatically. If your browser broadcasts a GPC signal, we will treat it as an opt-out of sale/sharing and provide a visible confirmation.

9.2 Rights Under GDPR / UK GDPR

  • Right of access (Article 15);
  • Right to rectification (Article 16);
  • Right to erasure / "right to be forgotten" (Article 17);
  • Right to restriction of processing (Article 18);
  • Right to data portability (Article 20);
  • Right to object to processing (Article 21);
  • Rights related to automated decision-making (Article 22).

To exercise GDPR rights, contact privacy@opensis.com. EEA users also have the right to lodge a complaint with their national Data Protection Authority. UK users may contact the Information Commissioner's Office (ICO).

9.3 Other State Privacy Rights

Residents of Colorado, Connecticut, Virginia, Texas, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out of certain data processing. We honor these rights through our standard privacy request process. Contact privacy@opensis.com for state-specific requests.

9.4 How to Submit a Request

Submit privacy rights requests by:

  • Email: privacy@opensis.com (subject line: "Privacy Rights Request");
  • Web form: opensis.com/contact-us (select "Privacy Request");
  • For Student Data requests: Direct requests to your Institution's privacy office first. They will work with us to fulfill requests within applicable legal timeframes.

We will verify your identity before processing requests. We will respond within 45 days (CCPA/CPRA), 30 days (GDPR), or as required by applicable law. We may extend the response period by up to 45 additional days with notice. We will not discriminate against you for exercising your rights.

10. Cookies and Tracking Technologies

10.1 What We Use

We use the following categories of cookies and similar technologies:

  • Strictly Necessary: Required for the Service to function (e.g., session management, security tokens). These cannot be disabled.
  • Functional: Enhance usability by remembering your preferences (e.g., language, layout settings).
  • Analytics: Help us understand how users interact with the Service (e.g., page views, feature usage) to improve performance. We use de-identified or pseudonymized data for analytics.
  • Third-Party Integrations: Some pages may embed content from third-party services (e.g., video tutorials). These services may set their own cookies.

We do not use advertising or behavioral targeting cookies.

10.2 Cookie Consent and Opt-Out

In compliance with CCPA 2026 regulations and applicable state laws:

  • Consent banners require an affirmative "Accept" action. Closing or navigating away from the banner does not constitute consent for non-essential cookies;
  • "Accept" and "Reject" options are presented with equal visual prominence (no dark patterns);
  • You can manage or withdraw cookie consent at any time through our Cookie Preferences center in the footer of our website;
  • We honor Global Privacy Control (GPC) browser signals as an opt-out of non-essential cookies and cross-context data sharing.

Disabling certain cookies may affect some Service features. Strictly necessary cookies cannot be disabled.

11. Children's Privacy

The Service is designed for use by Institutions to manage student information, including records pertaining to children under age 13. We process children's information solely under the school-consent exception to COPPA, for educational purposes, and subject to the restrictions in Section 5.2.

We do not knowingly allow children to create independent accounts or interact with the Service outside of Institution-managed accounts. If we discover that a child under 13 has independently provided personal information without institutional or parental consent, we will promptly delete it.

Parents or guardians who believe their child's information has been improperly collected or disclosed should contact their Institution first, and may then contact us at privacy@opensis.com.

12. Notice to End Users (Institutional Deployments)

If you access the Service through an Institution (school, district, or university), that Institution is the administrator of your account and the controller of your data within the Service. OS4Ed processes data as the Institution's processor.

Your Institution may have additional privacy policies, acceptable use policies, or data governance practices that apply to your use. Please review your Institution's policies. Your Institution's administrators can:

  • Create, modify, suspend, or terminate your account;
  • Access, review, and export your account data and content;
  • Configure privacy and security settings for all accounts in the Institution;
  • Install or disable third-party integrations;
  • Transfer account administration if your employment or enrollment status changes.

Questions about your Institution's data practices should be directed to your Institution's privacy or data officer.

13. International Data Transfers

OS4Ed is headquartered in the United States. If you or your Institution are located outside the United States, personal data may be transferred to and processed in the U.S. and other countries that may not provide the same level of data protection as your home jurisdiction.

We use the following safeguards for international transfers:

  • EEA/UK/Switzerland: Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO, supplemented by Transfer Impact Assessments where required.
  • Other jurisdictions: We comply with applicable local data transfer requirements and implement appropriate contractual and technical safeguards.

To obtain a copy of our SCCs or DPA, contact privacy@opensis.com.

14. Do Not Track and Global Privacy Control

As of the effective date of this Policy:

  • Global Privacy Control (GPC): We detect and honor GPC signals as an opt-out of sale/sharing of personal information, as required by CCPA 2026 regulations. A visible confirmation is displayed when a GPC signal is detected and honored.
  • Do Not Track (DNT): There is no universally accepted standard for responding to DNT browser signals. We do not currently alter our data collection practices in response to DNT signals, but we provide the above rights and controls as alternatives.

15. Automated Decision-Making and Artificial Intelligence

As of the effective date of this Policy, automation tools may provide recommendations, but all final decisions remain under human control and review, staff, or other individuals that substantially replace human judgment — such as determining academic eligibility, employment decisions, or access to benefits.

We use automation for:

  • Generating standard reports and transcripts from data you provide;
  • Scheduling optimization tools that produce recommendations subject to human review and approval;
  • Anomaly detection for security monitoring.

If we introduce ADMT that meets the CPRA definition of "significant decisions" in the future, we will provide advance notice to affected users and Institutions, implement opt-out mechanisms, and update this Policy no later than January 1, 2027, in compliance with CPRA ADMT regulations.

16. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party platforms. We are not responsible for the privacy practices of these third parties. When you leave the Service or enable a third-party integration, the third party's own privacy policy governs the data they collect. We encourage you to review third-party privacy policies before sharing information with them.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the Service. We will:

  • Post the updated Policy on opensis.com/privacy-policy with a new effective date;
  • Send email notice to account administrators at least 30 days before material changes take effect;
  • Display a prominent notice within the Service for significant changes;
  • Maintain a versioned archive of prior policies available upon request.

If you disagree with material changes to this Policy, you may terminate your account before the effective date. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

18. Contact Us

For privacy questions, rights requests, or concerns about this Policy, please contact our Privacy Team:

Open Solutions for Education, Inc. (OS4Ed)
Attn: Privacy Officer
Email: privacy@opensis.com
Security incidents: security@opensis.com
Legal matters: legal@opensis.com
Web: opensis.com/contact-us

For GDPR/UK GDPR inquiries, you may also contact our EU/UK representative (details available upon request) or file a complaint with your local Data Protection Authority.

For FERPA complaints, contact the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Avenue SW, Washington, DC 20202.