Privacy Policy

Last Updated: November 10, 2024

Introduction

Welcome to Colleague AI, operated by Hensun Innovation LLC dba (Colleague AI, LLC.) ("Colleague AI", "we", "us", or "our"). We provide teachers and school staff with online access to generative artificial intelligence tools through our website, browser extensions, and other services (collectively our "Services"). At Colleague AI, we prioritize safety and respect your privacy.

This Privacy Policy describes how we collect, use, disclose, share, or otherwise process your personally identifiable information ("PII" or "personal data") when you visit our website or use our Services. The categories of information we collect and how it is used will depend on your interactions with us.

Scope

This Privacy Policy applies to all personal data collected through our:

  • Websites
  • Browser extensions
  • Educational tools and platforms
  • Customer support systems
  • Other related services

Please review this policy carefully to understand our practices regarding your personal data and how we treat it.

Data We Collect

1. Information We Collect via Technological Means

A. Technical Data

Our servers, which are hosted by a third-party service provider, automatically collect:

  • Browser type and version
  • Operating system
  • IP address (which may indicate your general location)
  • Domain name
  • Time stamps of your visits
  • Device information
  • Session information

This technical data is stored in log files and cannot identify you personally unless you have provided additional PII by using our Services.

B. Analytics Data

We may:

  • Directly collect analytics data
  • Use third-party analytics tools (such as Google Analytics)
  • Measure traffic and usage trends
  • Collect aggregate usage information

Analytics information is collected and used in aggregate form that cannot reasonably identify any particular individual.

2. Cookies and Tracking Technologies

A. Types of Cookies We Use

  • Performance Cookies: Count visits and traffic sources to measure and improve site performance. If not allowed, we cannot know when you've visited our site.
  • Functional Cookies: Enable enhanced functionality and personalization. If not allowed, some features may not function properly.
  • Strictly Necessary Cookies: Required for basic website function. Can be blocked but site may not work properly.

B. Important Cookie Policies

  • We may link cookie information to PII you submit
  • We use both session and persistent cookies
  • You can remove persistent cookies through your browser settings
  • Disabling cookies may limit site functionality

C. Third-Party Tracking Limitations

We explicitly:

  • Do NOT allow third-parties to use data for automated profiling
  • Do NOT permit data enhancement for personalized advertisements
  • Use third-party analytics solely to improve our Services
  • Prohibit third-party providers from using data for their own purposes

3. Information You Provide

A. Optional Account Information

When using certain Services, you may provide:

  • First and last name
  • School or organization name
  • Role or job title
  • Email address
  • Location (state/province and country)
  • User-generated password
  • Profile image (optional)

B. Communication Information

We collect information when you:

  • Provide feedback
  • Contact us via email
  • Respond to surveys
  • Apply for programs
  • Order Services
  • Request support

C. Payment Information

If you order paid Services:

  • Payment information is processed through secure third-party payment processors
  • We do not store complete payment information
  • Only necessary billing information is retained

4. Schedule of Data Elements

We maintain a comprehensive schedule of all data elements we collect, which includes:

Required Data:

  • Student Name (First and/or Last)
  • Application Technology Meta Data
  • Student Work
  • AI-Generated Content

Optional/Contextual Data:

  • Application Use Statistics
  • Communications
  • Contact Information
  • Student Identifiers
  • Parent/Guardian Information
  • Schedule Information
  • Special Indicators
  • Assessment Data
  • Enrollment Information

A detailed schedule of all data elements is available upon request at security@Colleague.ai.

5. Data Minimization

We take steps to minimize the collection of personal data to only what is necessary to provide our Services. We do not collect additional information without proper notification and, where required, consent.

How We Use and Share Data

1. Primary Uses of Your Data

We use your personal data for the following purposes as necessary and permitted by law:

  • Identify you as a user of our Services
  • Create and secure your account
  • Provide and administer the Services
  • Personalize your experience
  • Verify email ownership
  • Send administrative notifications
  • Respond to inquiries and requests
  • Deliver requested newsletters or surveys
  • Send service updates and offers
  • Comply with legal obligations
  • Respond to legal process
  • Protect our legal interests

2. Third-Party Services

A. OpenAI Integration

  • We utilize Amazon AWS and Microsoft Azure for AI functionality
  • We have opted OUT of sharing data with AWS and Azure for model training
  • API data is retained for abuse monitoring for maximum 30 days
  • You can explicitly opt-in to share data for model improvement
  • Review AWS and Azure API Privacy Policy for additional details

B. Analytics Services

  • We use Google Analytics and similar tools
  • Analytics data is used to evaluate service usage
  • For Google Analytics practices, visit: policies.google.com/technologies/partner-sites
  • Analytics tools are prohibited from using data for their own purposes

C. Service Providers

  • We share information with trusted partners to process it on our behalf
  • All providers must comply with our privacy and security requirements
  • Providers only access information needed for specific services
  • Current list of subprocessors available in our DPA
  • We regularly update and monitor our service providers

3. Information Sharing and Disclosure

We may disclose your PII in the following circumstances:

A. Service Providers

  • To support our service operations
  • For hosting services
  • For payment processing
  • For subcontracted services

B. Law Enforcement

  • In response to legal requirements
  • For litigation purposes
  • To comply with governmental requests
  • To protect our operations or users
  • When required by law or legal process

C. Business Transfers

  • During merger or acquisition
  • In bankruptcy proceedings
  • During reorganization
  • In asset sales
  • In similar business transactions

D. With Consent

  • When you provide prior informed consent
  • For specifically agreed purposes
  • Under defined sharing conditions

4. De-Identified Data Usage

We may use de-identified information for:

  • Adaptive learning purposes
  • Customized student learning
  • Educational content recommendations
  • Research and development
  • Service effectiveness demonstration
  • Educational technology improvement

"De-identified information" means data that:

  • Has all personally identifiable information removed
  • Cannot reasonably identify specific individuals
  • Has no reasonable basis for re-identification

5. Data Security Measures

A. Technical Safeguards

  • All customer data encrypted at rest (AES-256)
  • Data in transit protected via TLS
  • Secure access controls
  • Regular security audits
  • Monitoring systems

B. Administrative Controls

  • Staff training requirements
  • Access limitation policies
  • Security procedure documentation
  • Regular policy reviews
  • Incident response plans

C. Physical Security

  • Secure data center facilities
  • Access control systems
  • Environmental safeguards
  • Disaster recovery plans
  • Business continuity measures

6. Data Breach Response

In the event of a data breach, we will:

  1. Notify affected customers within 72 hours of confirmation
  2. Provide incident details including:
    • Affected data types
    • Breach timeline
    • Impact assessment
    • Remediation steps
  3. Follow state and federal requirements
  4. Implement incident response procedures
  5. Support customer notification obligations
  6. Cooperate with investigations

7. Automated Decision-Making

Colleague AI does not use automated decision-making or profiling that:

  • Produces legal effects
  • Similarly significantly affects users
  • Creates automated profiles
  • Makes automated determinations

All significant decisions involving personal data include human review and consideration.

Student Data Protection

1. Definition and Scope of Student Data

A. Student Data Includes:

Personal information that is directly related to an identifiable student that is:

  • Provided by an Educational Institution
  • Provided by students, parents, or guardians
  • Collected through our Services
  • Generated during service usage

B. Protected Information Types:

  • Educational records (as defined by FERPA)
  • Covered information (under SOPIPA)
  • Personal information (under COPPA)
  • Student-generated content
  • Assignment responses
  • AI-generated content from student prompts

2. Fundamental Principles

A. Ownership and Control

  • Student Data is owned and controlled by the Educational Institution
  • We act as a "School Official" under FERPA
  • We operate under direct control of Educational Institutions
  • We comply with applicable student privacy laws

B. Limited Use

We collect and use Student Data:

  • Only for educational purposes
  • As authorized by the Educational Institution
  • Under student data privacy agreements
  • As directed by the applicable institution

3. Protection Measures

A. Access Controls

  • No student profiles are public-facing
  • No direct student-to-student communication
  • Educator-controlled sharing permissions
  • Restricted administrative access

B. Prohibited Activities

We explicitly prohibit:

  • Targeted advertising using Student Data
  • Sale of Student Data
  • Building non-educational student profiles
  • Unauthorized data sharing
  • Commercial use of Student Data

4. Student Data Privacy Commitments

A. Collection Limitations

We commit to:

  • Minimizing data collection
  • Collecting only necessary information
  • Maintaining transparency about collection
  • Obtaining appropriate consents

B. Usage Restrictions

We will:

  • Only use data for educational purposes
  • Process data under institution direction
  • Maintain confidentiality
  • Follow security best practices

5. Data Retention and Deletion

A. Retention Policies

  • Retain data only for educational purposes
  • Follow institution-specified retention periods
  • Delete inactive accounts per policy
  • Maintain data only as needed for service

B. Deletion Procedures

  • Honor deletion requests within 30 days
  • Provide data portability options
  • Allow export of student-generated content
  • Implement secure deletion methods

6. De-Identified Student Data

A. De-Identification Process

We may de-identify Student Data by:

  • Removing all direct identifiers
  • Removing indirect identifiers
  • Ensuring no reasonable re-identification possibility
  • Following industry best practices

B. Permitted Uses of De-Identified Data

May be used for:

  • Adaptive learning development
  • Service improvement
  • Educational research
  • Effectiveness demonstration
  • Product development

7. Parent and Student Rights

A. Access Rights

Parents and eligible students can:

  • Review Student Data
  • Request corrections
  • Export student-generated content
  • Transfer content to personal accounts

B. Exercise of Rights

  • Submit requests through Educational Institutions
  • Receive responses within 45 days
  • Obtain data in usable format
  • Challenge accuracy of records

8. Additional Protections

A. Security Measures

  • Encryption of Student Data
  • Secure data transmission
  • Regular security assessments
  • Employee training requirements

B. Contractual Protections

  • Data privacy agreements with institutions
  • Subprocessor restrictions
  • Confidentiality requirements
  • Security obligations

9. Incident Response for Student Data

A. Breach Notification

In case of unauthorized disclosure:

  • Notify institutions within 72 hours of confirmation
  • Provide detailed incident reports
  • Support notification requirements
  • Implement remediation measures

B. Investigation and Remediation

We will:

  • Investigate all incidents
  • Document findings
  • Implement corrective actions
  • Update security measures
  • Share non-confidential findings upon request

10. Compliance and Oversight

A. Legal Compliance

We comply with:

  • FERPA requirements
  • COPPA regulations
  • SOPIPA provisions
  • State student privacy laws

B. Regular Audits

We conduct:

  • Regular compliance reviews
  • Security assessments
  • Privacy impact analyses
  • Third-party audits

Your Rights and Choices

1. General Data Rights

A. Access and Control

You may:

  • Edit your account information
  • Update contact information
  • Modify notification settings
  • Access your personal data
  • Request data corrections
  • Request data deletion
  • Export your data

B. Communication Preferences

You can:

  • Opt-out of marketing communications
  • Modify email preferences
  • Choose notification types
  • Continue receiving essential service communications

2. California Residents' Rights

A. CCPA Rights

California residents have the right to:

  • Know what personal information we collect
  • Access specific personal information
  • Request deletion of personal information
  • Receive information about data sharing
  • Non-discrimination for exercising rights

B. Categories of Personal Information

We collect and share for business purposes:

  1. Contact Information
    • Source: Directly from you
    • Purpose: Service provision, communication
    • Disclosure: Service providers, legal requirements
  2. Financial/Transactional Information
    • Source: You, payment processors
    • Purpose: Process payments, compliance
    • Disclosure: Payment processors, legal requirements
  3. Login Information
    • Source: Directly from you
    • Purpose: Account security, service provision
    • Disclosure: Service providers
  4. Device/Online Identifiers
    • Source: Your device
    • Purpose: Service improvement, security
    • Disclosure: Analytics providers
  5. Service Usage Information
    • Source: Your interactions
    • Purpose: Service improvement, personalization
    • Disclosure: Service providers

C. Additional California Rights

  • Shine the Light Law disclosure
  • Do Not Track signal response
  • Annual information requests
  • Authorized agent provisions

3. European Privacy Rights (GDPR)

A. Legal Basis for Processing

We process data under:

  • Contract performance (Article 6(1)(b))
  • Legitimate interests (Article 6(1)(f))
  • Legal obligations
  • Your consent

B. Additional Rights

EU/EEA residents have the right to:

  • Access personal data
  • Rectify inaccurate data
  • Erase personal data
  • Restrict processing
  • Data portability
  • Object to processing
  • Withdraw consent
  • Lodge supervisory complaints

C. International Transfers

For transfers outside the EEA:

  • Standard Contractual Clauses
  • Adequate safeguards
  • Privacy Shield compliance
  • Transfer impact assessments

**D. EU and UK Representation.
**If you are in the European Union/EEA, you may address privacy-related inquiries to our EU representative pursuant to Article 27 GDPR:

privacy-eu@colleague.ai

If you are in the United Kingdom, you may address privacy-related inquiries to our UK representative pursuant to Article 27 GDPR: UK:

privacy-uk@colleague.ai

4. Exercise Your Rights

A. Request Procedures

To exercise your rights:

  1. Email: security@colleague.ai
  2. Provide necessary verification information
  3. Specify your request
  4. Allow 15-30 days for response

B. Verification Requirements

We may request:

  • Account information
  • Identity verification
  • Request clarification
  • Additional documentation

C. Response Timeline

  • Initial response: Within 10 days
  • Complete response: Within 45 days
  • Extension if needed: Up to 90 days
  • Notification of extension

5. Organizational Users

A. Information Processed Under Customer Direction

If your data was collected through an organization's use of our Services:

  • Contact your organization first
  • We assist organizations with requests
  • Organization policies may apply
  • Additional verification may be required

B. Educational Institution Users

For school-related data:

  • Contact your educational institution
  • FERPA rights apply
  • Institution policies govern
  • Joint response procedures

6. Limitations and Exceptions

A. Legal Requirements

We may limit rights due to:

  • Legal obligations
  • Contractual requirements
  • Technical limitations
  • Privacy rights of others

B. Request Denials

We may deny requests that:

  • Risk others' privacy
  • Are excessive or unfounded
  • Require disproportionate effort
  • Conflict with legal obligations

7. Additional Choices

A. Cookie Controls

Manage cookies through:

  • Browser settings
  • Our cookie preferences tool
  • Third-party opt-out tools

B. Device Settings

Control:

  • Location services
  • Device identifiers
  • Push notifications
  • App permissions

8. Updates to Rights

We will:

  • Monitor legal changes
  • Update procedures
  • Notify of material changes
  • Maintain current documentation

Changes, Governance, and Contact Information

1. Changes to Our Privacy Policy

A. Policy Updates

Colleague AI reserves the right to change this Privacy Policy and will:

  • Provide notice of material changes
  • Notify users 30 days before changes take effect
  • Post updates on our website
  • Send email notifications when appropriate
  • Notify during account login

B. Notification Methods

You will be informed through:

  • Website announcements
  • Email notifications
  • Account alerts
  • Direct communications
  • Login notifications

C. Prior Versions

  • Access to previous versions upon request
  • Documentation of material changes
  • Comparison of changes available
  • Archive of prior policies maintained

2. Business Transfers and Change of Control

A. Business Transfers

We may share your data if Colleague AI:

  • Merges with another company
  • Is acquired by another company
  • Goes through bankruptcy
  • Sells assets
  • Reorganizes

B. Your Rights During Transfer

  • Notice within 30 days of transaction
  • Option to delete your data
  • Continued policy protections
  • Choice to terminate service
  • Data portability options

C. Bankruptcy Protection

In the event of bankruptcy:

  • Your data cannot be sold separately
  • Privacy protections continue
  • Notice of proceedings provided
  • Rights preservation guaranteed

3. Legal Framework

A. Governing Law

  • Washington law governs this policy
  • Exclusive jurisdiction: King County, Washington
  • Federal laws where applicable
  • International laws as required

B. Dispute Resolution

  • Good faith resolution attempts
  • Mandatory mediation process
  • Jurisdiction requirements
  • Class action limitations

C. Severability

If any provision is found unenforceable:

  • Remaining terms stay in effect
  • Modifications preserve intent
  • Reasonable alternatives applied
  • Core protections maintained

4. Contact Information

A. Primary Contacts

General Privacy Inquiries:

  • Email: security@colleague.ai
  • Mail: Colleague AI Attn: Legal Department 522 W RIVERSIDE AVE STE N, SPOKANE, WA, 99201-0580, UNITED STATES

B. Specific Contact Points

For Student Data Concerns:

  • Educational Institutions: Contact your account representative
  • Parents/Students: Contact your Educational Institution
  • Privacy Complaints: security@colleague.ai

5. Additional Commitments

A. Data Protection

We commit to:

  • Regular security assessments
  • Employee training
  • Policy reviews
  • Technology updates
  • Compliance monitoring

B. Transparency

We provide:

  • Regular updates
  • Clear notifications
  • Detailed documentation
  • Prompt responses
  • Open communication

C. Continuous Improvement

We maintain:

  • Updated procedures
  • Enhanced security
  • Best practices
  • Industry standards
  • User feedback incorporation

This Privacy Policy was last updated on November 10, 2024.

© 2024 Colleague AI