Privacy Policy
Last updated: March 2026
Plain-Language Summary
This website (inclushift.com) does not collect any personal information. We use no cookies, no analytics, no tracking scripts, and no contact forms that store data. Our products process student data only on the student's device or within FERPA-compliant district-controlled environments. We never sell, share, or monetize student data.
1. What This Website Collects
Nothing. This website is a fully static site served from Vercel's CDN. It contains no analytics tools, no cookies, no session storage, no tracking pixels, no third-party scripts, and no contact forms. Standard web server logs (IP address, user agent, timestamp) may be retained by our hosting provider (Vercel) as part of normal CDN operations, but we do not access or analyze these logs.
2. What Our Products Collect
IncluShift products (IncluMath, IncluLiteracy, IncluRegulate, etc.) are used within school district environments. When deployed by a district, products may process educational records as defined by FERPA. All product data processing occurs within a Zero-PII architecture where personally identifiable information is encrypted at the edge before transmission. Districts retain full ownership and control of all student data.
3. COPPA Compliance
IncluShift products serve children under 13. We comply with the Children's Online Privacy Protection Act (COPPA) and the COPPA 2025 amendments (effective April 2026). This website does not collect data from any visitor regardless of age.
B2B (District-Deployed): Parental consent is obtained through the school district acting under COPPA's school consent exception, where the district has contracted with IncluShift on behalf of parents for educational purposes directly related to the school's mission.
B2C (Parent-Direct): When a parent purchases an IncluShift product directly, verifiable parental consent is obtained during the signup process. Children never create their own accounts — they access products through child profiles managed by their parent. All consent events are logged in an immutable consent record.
COPPA 2025 Amendments: In compliance with the updated rule effective April 2026, IncluShift maintains a written data retention policy, does not collect biometric data from children, does not engage in targeted advertising to children, and provides parents with the ability to review and delete their child's data at any time. IncluShift products that support children under 13 are compatible with Google Family Link managed accounts on mobile devices.
4. FERPA Compliance
IncluShift products process education records as a "school official" under FERPA's school official exception (34 CFR § 99.31(a)(1)). We are subject to the same conditions governing the use of education records that apply to district employees. We do not use education records for any purpose other than providing the contracted services. Districts maintain direct control over all student records through the IncluShift OS administrative dashboard.
Annual Notification: IncluShift OS generates annual FERPA rights notifications for districts to distribute to parents, with tracking for delivery and acknowledgment rates.
Record Retention: Education records are retained for 7 years per FERPA §99.32. Medicaid billing records are retained for 10 years per CMS requirements. Parents are notified before any record destruction, and may request records be transferred or retained for an extended period.
Audit Trail: Every access to student data is logged in an append-only audit trail that cannot be modified or deleted. This includes views, exports, AI-generated drafts, and Medicaid claim submissions.
4b. HIPAA Compliance (IncluClaim)
When a district activates the IncluClaim Medicaid billing module, therapy session data used for billing purposes becomes Protected Health Information (PHI) subject to HIPAA. IncluShift executes a Business Associate Agreement (BAA) with the district before any Medicaid features are unlocked. The BAA is tracked and enforced at the platform level — IncluClaim features are physically locked until the BAA is fully executed.
Medicaid billing data is stored in an isolated database schema, segregated from educational records. Only users with the Medicaid-related services role can access billing data. No clinical notes, behavioral observations, or assessment data are transmitted to the billing schema — only service type, duration, date, and provider identification are included.
5. Data Retention
Student data processed within IncluShift products is retained only as long as the district's service agreement is active. Upon termination of the agreement, all student data is deleted within 30 days unless the district requests an export. Anonymized, aggregated data that cannot be re-identified may be retained for product improvement.
6. Children's Privacy
We do not knowingly collect personal information directly from children. All student interactions with IncluShift products occur within district-controlled environments. Student-generated data (e.g., math practice responses, behavioral telemetry) is processed locally on the device or transmitted via encrypted, Zero-PII pipelines to district-controlled dashboards. No student data is used for advertising, profiling, or any purpose other than educational service delivery.
7. California Residents (CCPA/CPRA)
IncluShift does not sell personal information. We do not share personal information for cross-context behavioral advertising. California residents may contact us at privacy@inclushift.com to exercise their rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act.
8. Third-Party Services
This website uses no third-party services. No analytics (Google Analytics, Plausible, Fathom, or otherwise). No advertising networks. No social media tracking. No customer support chat widgets. No embedded content from tracking platforms. Fonts are self-hosted. All resources are served from Vercel's CDN.
9. Contact
For privacy-related inquiries, contact: privacy@inclushift.com