Privacy Policy
Last Updated: December 1, 2025
Our Commitment: HeuriSight is committed to protecting student privacy and complying with the Family Educational Rights and Privacy Act (FERPA) and other applicable data protection laws.
1. Information We Collect
1.1 Student Educational Records (FERPA-Protected)
When providing services to educational institutions, we process:
- Student identification: Name, email, student ID (as provided by institution)
- Learning data: Assessment conversations, uploaded assignments, heuristics extracted
- Performance data: Competency scores, mastery levels, learning patterns
- Interaction data: Chat conversations, document uploads, dashboard usage
1.2 Institutional Contact Information
- Administrator, faculty, and staff contact details
- Institution name, department, program information
1.3 Technical Information
- IP addresses, browser type, device information
- Usage analytics, operational logs, and assessment analytics
- Error logs and system performance data
2. How We Use Information
We use collected information ONLY to:
- Provide our services: Generate heuristics, assess competencies, create analytics
- Improve our platform: Enhance AI models, optimize user experience
- Support institutions: Technical support, training, customer success
- Ensure security: Detect fraud, prevent abuse, maintain system integrity
- Comply with law: Meet legal and regulatory requirements
We DO NOT:
- ❌ Sell student data to third parties
- ❌ Use student data for advertising or marketing
- ❌ Share data across institutions without authorization
- ❌ Retain data longer than educationally necessary
3. FERPA Compliance
HeuriSight operates as a "School Official" with "legitimate educational interest" under FERPA (20 U.S.C. § 1232g; 34 CFR Part 99).
Our FERPA Obligations:
- Use student data ONLY for authorized institutional purposes
- Maintain security and confidentiality of educational records
- Not re-disclose personally identifiable information without consent
- Return or destroy data upon contract termination
Student Rights:
- Access their educational records through their institution
- Request correction of inaccurate records
- Consent to disclosures (except where FERPA allows disclosure without consent)
- File complaints with the U.S. Department of Education
4. Data Security
We implement industry-standard security measures:
- Encryption: All data is encrypted in transit using TLS and encrypted at rest using industry‑standard encryption (e.g., AES‑256) provided by our cloud providers.
- Access controls: Role-based permissions, with support for multi-factor authentication via Auth0
- Infrastructure: SOC 2-compliant cloud providers (AWS, Auth0)
- Monitoring: Logging and monitoring appropriate for our scale, with documented incident response procedures
- Audits: Periodic security and privacy assessments, including third-party reviews as we grow
5. Data Sharing and Disclosure
We Share Data Only With:
- Authorized institutional users: Faculty, staff, and students with appropriate permissions
- Service providers: Cloud infrastructure (AWS), authentication (Auth0), databases (Neo4j, Pinecone) - all under strict data processing agreements
- Legal requirements: When required by law, court order, or to protect rights and safety
We Never Share With:
- ❌ Advertising or marketing companies
- ❌ Data brokers or aggregators
- ❌ Other educational institutions (without explicit authorization)
6. Data Retention
- Active accounts: Data retained while the institution's subscription is active and as needed for educational purposes
- After termination: We work with institutions to provide a grace period for data export and then schedule data for secure deletion
- Backup copies: Deleted in accordance with our backup rotation policies, which are designed to keep retention periods as short as practical (typically not more than 90 days)
- Anonymized analytics: May be retained for platform improvement (no personally identifiable information)
7. Student Rights and Parental Consent
For students under 18, institutions must obtain appropriate parental consent before using HeuriSight services, as required by FERPA and applicable state laws.
8. Third-Party Services
HeuriSight integrates with:
- OpenAI: Large language model processing (data processing agreement in place)
- AWS: Cloud infrastructure and storage
- Auth0: Authentication and user management
- Neo4j, Pinecone: Database services
All third-party providers are contractually obligated to maintain data security and privacy.
9. Cookies and Tracking
We do not use third‑party advertising cookies; cookies are limited to authentication, preferences, and internal analytics:
- Authentication and session management
- User preferences and settings
- Analytics to improve our service
You can control cookies through your browser settings. Disabling cookies may limit platform functionality.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements.
11. Your Rights
Depending on your location, you may have rights including:
- Access to your personal data
- Correction of inaccurate data
- Deletion of data (subject to institutional retention policies)
- Data portability
- Objection to certain processing
To exercise these rights, contact your institution's administrator or HeuriSight support.
12. Children's Privacy
HeuriSight is designed for use by educational institutions serving students of all ages. We comply with FERPA and do not knowingly collect personal information from children under 13 except through institutional authorization for educational purposes.
13. Contact Us
For privacy questions or concerns:
HeuriSight by Xopolis Inc.
Virginia C-Corporation
Email: LokeshDani@xopol.is
Website: www.heurisight.com
Privacy Officer: Lokesh Dani
For FERPA-related inquiries, contact your institution's registrar or educational records office.
Effective Date: December 1, 2025
© 2025 HeuriSight by Xopolis Inc. All rights reserved.