Privacy Policy & Data Governance

1. Our Commitment to Educator Privacy

BacPacAI is built for educators across all settings — K-12 schools, higher education, corporate training, and professional coaching. We recognize that educators, administrators, trainers, and organizations entrust us with sensitive professional and educational data. For users in K-12 environments, we adhere to the Student Privacy Pledge and maintain compliance with COPPA, FERPA, and state-specific laws (such as California’s SOPIPA and New York’s Ed Law 2-d).

2. Information We Collect & Its Purpose

We categorize data into two types to ensure appropriate handling:

3. AI Data Governance & “The No-Training Guarantee”

A primary concern for educators is whether their data is used to “teach” an AI that might later leak information to other users.

• No Training on Student PII: We do not use Student Personally Identifiable Information (PII) or confidential school records to train, retrain, or improve our foundational Large Language Models (LLMs).
• Zero Retention for Sub-Processors: When we use third-party AI providers (e.g., OpenAI API or Anthropic API), we utilize enterprise-tier agreements that ensure your data is not used for their model training and is deleted from their servers within 30 days.
• De-identification: Before any data is used for internal analytics to improve BacPacAI’s features, it is stripped of all identifiers (names, IDs, school names).

4. COPPA and FERPA Compliance

COPPA (Children’s Online Privacy Protection Act)

• Target Audience: Our services are for users 18+. We do not knowingly collect information from children under 13.
• Educator Responsibility: Educators using BacPacAI to generate student-facing materials (like feedback) must ensure they are not inputting sensitive student identifiers without district authorization.

FERPA (Family Educational Rights and Privacy Act)

• School Official Status: BacPacAI acts as a “School Official” under 34 CFR § 99.31(a)(1)(i). We operate under the direct control of the educator/school/district regarding the use and maintenance of education records.
• Data Return/Destruction: Upon written request from a school or district, we will return or destroy all student records in our possession within 45 days.

5. Data Security Architecture

We employ a “Defense in Depth” strategy to protect your data:

• Encryption: Data is encrypted at rest using AES-256 and in transit using TLS 1.2+.
• Access Control: Access to our production database is restricted to a “need-to-know” basis for essential engineering staff only, protected by Multi-Factor Authentication (MFA).
• Data Residency: All data is stored on secure servers located within the United States.

6. Third-Party Disclosures

We never sell, rent, or trade your data. We only share data with:

• Cloud Infrastructure: (e.g., AWS) for hosting.
• AI APIs: Only to process the specific prompt you submit.
• District Admins: If you are on a school-paid plan, your district admin may have access to usage metrics (e.g., “Number of lesson plans generated”) but not necessarily your private drafts, depending on district settings.

7. Your Rights (CCPA/CPRA/GDPR)

Depending on your location, you may have:

• The Right to Know: Request a list of what data we have on you.
• The Right to Delete: Request that we erase your professional account.
• The Right to Opt-Out: Object to de-identified data being used for feature optimization.

8. Breach Notification

In the unlikely event of a data breach, BacPacAI will notify affected users and/or District partners within 72 hours of discovery, or as required by applicable state law.

9. Contact & Legal

For inquiries regarding our Data Processing Addendum (DPA) or specific state compliance (e.g., Texas HB 1212), please contact:

Privacy Office:
Email: Legal@bacpacai.com
Data Privacy Officer: Alexis@bacpacai.com

BacPac Technologies, Inc.
4730 University Way NE.
Suite 104 PMB 5424
Seattle, Washington, 98105
United States