Privacy Policy

Last updated: May 2026

Plain-Language Summary

This website (inclushift.com) does not collect any personal information. We use no cookies, no analytics, no tracking scripts, and no contact forms that store data. Our products process student data only on the student's device or within FERPA-compliant district-controlled environments. We never sell, share, or monetize student data.

1. What This Website Collects

Nothing. This website is a fully static site served from Vercel's CDN. It contains no analytics tools, no cookies, no session storage, no tracking pixels, no third-party scripts, and no contact forms. Standard web server logs (IP address, user agent, timestamp) may be retained by our hosting provider (Vercel) as part of normal CDN operations, but we do not access or analyze these logs.

2. What Our Products Collect

IncluShift products (IncluMath, IncluLiteracy, IncluRegulate, etc.) are used within school district environments. When deployed by a district, products may process educational records as defined by FERPA. All product data processing occurs within a Zero-PII architecture where personally identifiable information is encrypted at the edge before transmission. Districts retain full ownership and control of all student data.

3. COPPA Compliance

IncluShift products serve children under 13. We comply with the Children's Online Privacy Protection Act (COPPA) and the COPPA 2025 amendments (effective April 2026). This website does not collect data from any visitor regardless of age.

B2B (District-Deployed): Parental consent is obtained through the school district acting under COPPA's school consent exception, where the district has contracted with IncluShift on behalf of parents for educational purposes directly related to the school's mission.

B2C (Parent-Direct): When a parent purchases an IncluShift product directly, verifiable parental consent is obtained during the signup process. Children never create their own accounts — they access products through child profiles managed by their parent. All consent events are logged in an immutable consent record.

COPPA 2025 Amendments: In compliance with the updated rule effective April 2026, IncluShift maintains a written data retention policy, does not collect biometric data from children, does not engage in targeted advertising to children, and provides parents with the ability to review and delete their child's data at any time. IncluShift products that support children under 13 are compatible with Google Family Link managed accounts on mobile devices.

4. FERPA Compliance

IncluShift products process education records as a "school official" under FERPA's school official exception (34 CFR § 99.31(a)(1)). We are subject to the same conditions governing the use of education records that apply to district employees. We do not use education records for any purpose other than providing the contracted services. Districts maintain direct control over all student records through the IncluShift OS administrative dashboard.

Annual Notification: IncluShift OS generates annual FERPA rights notifications for districts to distribute to parents, with tracking for delivery and acknowledgment rates.

Record Retention: Education records are retained for 7 years per FERPA §99.32. Medicaid billing records are retained for 10 years per CMS requirements. Parents are notified before any record destruction, and may request records be transferred or retained for an extended period.

Audit Trail: Every access to student data is logged in an append-only audit trail that cannot be modified or deleted. This includes views, exports, AI-generated drafts, and Medicaid claim submissions.

4b. HIPAA Compliance (IncluClaim)

When a district activates the IncluClaim Medicaid billing module, therapy session data used for billing purposes becomes Protected Health Information (PHI) subject to HIPAA. IncluShift executes a Business Associate Agreement (BAA) with the district before any Medicaid features are unlocked. The BAA is tracked and enforced at the platform level — IncluClaim features are physically locked until the BAA is fully executed.

Medicaid billing data is stored in an isolated database schema, segregated from educational records. Only users with the Medicaid-related services role can access billing data. No clinical notes, behavioral observations, or assessment data are transmitted to the billing schema — only service type, duration, date, and provider identification are included.

5. Written Data Retention Policy

This section is the public summary of IncluShift's written data retention policy required by 16 CFR §312.10 (FTC COPPA Rule amendments published January 17, 2025; effective April 22, 2026). The canonical internal policy implements these rules through the record_retention_schedule database table and a nightly cleanup job that runs at 02:00 UTC.

Educational records (FERPA-governed): IEP documents (final, signed), 504 plans, FBA/BIP documents, and service-session records are retained for 7 years after services end. Unsigned IEP drafts are retained for 2 years. Per-product student telemetry in UUID-only form is retained for 3 years. Behavioral incident logs are retained for 5 years. FERPA-required annual rights notifications are tracked for 3 years.

Medicaid billing records (HIPAA-governed): When a district activates IncluClaim, CPT-coded service records are retained for 10 years per federal Medicaid recordkeeping rules. Business Associate Agreements (BAAs) are retained for 6 years post-termination per HIPAA Part 160. HIPAA breach notifications and HIPAA training records are retained for 6 years.

B2C parent-side records (COPPA-governed): Parental consent records in the immutable consent log are retained for 7 years after account closure (matches FERPA windows for cross-tenant migration). Account and billing data are retained for 3 years post-account-closure. Student-usage telemetry in UUID-only form is retained for 2 years post-account-closure — the tightest window in the system. Stripe subscription history is retained for 7 years for tax and financial recordkeeping.

Audit and compliance records: The data-access audit log is append-only by design and is never deleted — this supports indefinite FERPA §99.32 disclosure-tracking. Data-subject-request records (CCPA, GDPR, state-equivalent) are retained for 3 years post-resolution.

System and operational records: Server logs from Vercel and Supabase are retained for 30 days for operational debugging only. Session cookies expire in 24 hours; refresh tokens expire in 7 days. Email-delivery logs are retained for 6 months by our email provider. Error reports are retained for 90 days.

Deletion process: Records past their retention window are first soft-deleted (marked deleted_at); after a 30-day grace period they are hard-deleted from the table. The deletion itself generates an entry in the audit log. Backups follow the same schedule — point-in-time recovery is configured for 7 days only; long-term backups expire on the same windows as live data.

Litigation hold and data-subject requests: Records under a litigation hold are flagged with an explicit hold-until date and are not deleted regardless of retention window. Parents and students of majority age may request deletion under CCPA, GDPR, and state-equivalent laws — such requests are tracked with a 45-day SLA. Records that must be retained for compliance (e.g., billing records during the 10-year Medicaid window) are anonymized rather than deleted, and the requester is notified.
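The soft-delete, grace-period, hard-delete and litigation-hold rules described above, sketched as the decision logic of one cleanup pass. This is an added example, not IncluShift's code: the category keys, the field names other than `deleted_at`, and the sample rows are assumptions made for illustration.

```javascript
// Added example: decision logic for one pass of a retention cleanup job.
// Category keys and record fields other than deleted_at are assumptions.
const RETENTION_YEARS = { iep_final: 7, iep_draft: 2, behavior_incident: 5, medicaid_service: 10 };
const GRACE_MS = 30 * 24 * 3600 * 1000; // 30-day grace period after soft delete

function addYears(date, years) {
  const d = new Date(date);
  d.setUTCFullYear(d.getUTCFullYear() + years);
  return d;
}

function cleanupAction(rec, now) {
  // A litigation hold wins over everything, including a pending hard delete.
  if (rec.hold_until && now < new Date(rec.hold_until)) return "hold";
  if (rec.deleted_at) {
    const purgeAt = new Date(rec.deleted_at).getTime() + GRACE_MS;
    return now.getTime() >= purgeAt ? "hard_delete" : "grace";
  }
  const years = RETENTION_YEARS[rec.category];
  if (years === undefined) return "retain"; // unknown category: never delete
  return now >= addYears(rec.retention_start, years) ? "soft_delete" : "retain";
}

function runCleanup(records, now) {
  const kept = [], audit = [];
  for (const rec of records) {
    const action = cleanupAction(rec, now);
    if (action === "soft_delete") rec.deleted_at = now.toISOString();
    if (action === "soft_delete" || action === "hard_delete") {
      audit.push({ record_id: rec.id, action, at: now.toISOString() }); // both deletion steps are audited here
    }
    if (action !== "hard_delete") kept.push(rec);
  }
  return { kept, audit };
}

// Constructed sample rows, evaluated at the 02:00 UTC run time.
const sampleNow = new Date("2026-05-01T02:00:00Z");
const sampleRecords = [
  { id: "r1", category: "iep_draft", retention_start: "2024-04-01T00:00:00Z" }, // past 2 years
  { id: "r2", category: "iep_final", retention_start: "2024-04-01T00:00:00Z" }, // within 7 years
  { id: "r3", category: "iep_draft", retention_start: "2023-01-01T00:00:00Z", deleted_at: "2026-03-15T02:00:00Z" },
  { id: "r4", category: "iep_draft", retention_start: "2023-01-01T00:00:00Z", deleted_at: "2026-03-15T02:00:00Z",
    hold_until: "2027-01-01T00:00:00Z" },
  { id: "r5", category: "medicaid_service", retention_start: "2016-06-01T00:00:00Z", deleted_at: "2026-04-20T02:00:00Z" },
];
```

Evaluating the hold before `deleted_at` is what keeps a record that was already soft-deleted from being purged once a hold is placed on it.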

Audit cadence: Retention-policy review is conducted annually (every April, ahead of the COPPA effective-date anniversary). The nightly cleanup job is monitored for failure with daily alerts. Random-sample deletion verification and cross-table consistency checks are performed quarterly.

5b. Written Information Security Program

This section is the public summary of IncluShift's written information security program required by 16 CFR §312.8 (FTC COPPA Rule amendments published January 17, 2025; effective April 22, 2026). The program addresses four threat categories: cross-tenant data leakage, external breach, PII transmission to third-party providers, and denial-of-service. Each category is addressed by an architectural commitment, not a policy document alone.

Administrative safeguards: Role-based access control (RBAC) with one canonical role per tenant, enforced at three layers (JWT claim, row-level security policy, application middleware) so that bypassing one layer does not bypass the others. Principle of least privilege for service-role keys (Supabase service-role keys are scoped only to the auth gateway). Annual security training for all personnel with production-credential access — covering COPPA, FERPA, HIPAA (for IncluClaim-touching personnel), and general secure-coding practices. Quarterly access review; inactive credentials (≥ 90 days) are revoked.

Technical safeguards: AES-256-GCM encryption at rest for all sensitive content (per NIST FIPS 197 and SP 800-38D). TLS 1.3 enforced across all surfaces with HSTS preload at 2-year max-age. Strict Content Security Policy on every public surface (no 'unsafe-inline', no 'unsafe-eval'; frame-ancestors 'none'). Standard security headers on every response: X-Frame-Options DENY, X-Content-Type-Options nosniff, strict referrer policy, restrictive permissions policy. Rate limiting tuned per endpoint type — auth (5 req/60s per IP), LLM calls (10 req/60s per user), telemetry (30 req/60s per user). MFA mandatory for all district administrative roles (Superintendent, SPED Director, Data Analyst, Medicaid Biller, 504 Coordinator, IEP Case Manager) and internal staff (with hardware key). Server-side input validation via Zod schemas at every API boundary; client-side validation is UX only. Append-only audit logging for every read of a PII-bearing field.
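One way to check a response against the header commitments listed above (HSTS preload with a 2-year max-age, a CSP without 'unsafe-inline' or 'unsafe-eval', frame-ancestors 'none', X-Frame-Options DENY, nosniff). This is an added example, not IncluShift's code: the function names, finding labels and sample header sets are constructed for illustration.

```javascript
// Added example: audits a response's headers against the safeguards stated
// above. Function names and sample headers are constructed, not IncluShift code.
const TWO_YEARS = 63072000; // seconds: 2 * 365 * 24 * 3600

function parseCsp(value) {
  // "default-src 'self'; frame-ancestors 'none'" -> Map(directive -> [sources])
  const out = new Map();
  for (const part of (value || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return out;
}

function auditSecurityHeaders(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const hsts = h["strict-transport-security"] || "";
  const maxAge = /max-age=(\d+)/i.exec(hsts);
  if (!maxAge || Number(maxAge[1]) < TWO_YEARS) findings.push("hsts-max-age");
  if (!/(^|;)\s*preload\s*(;|$)/i.test(hsts)) findings.push("hsts-preload");
  const csp = parseCsp(h["content-security-policy"]);
  if (csp.size === 0) findings.push("csp-missing");
  for (const [, sources] of csp) {
    if (sources.includes("'unsafe-inline'")) findings.push("csp-unsafe-inline");
    if (sources.includes("'unsafe-eval'")) findings.push("csp-unsafe-eval");
  }
  const fa = csp.get("frame-ancestors");
  if (!fa || fa.length !== 1 || fa[0] !== "'none'") findings.push("csp-frame-ancestors");
  if ((h["x-frame-options"] || "").trim().toUpperCase() !== "DENY") findings.push("x-frame-options");
  if ((h["x-content-type-options"] || "").trim().toLowerCase() !== "nosniff") findings.push("x-content-type-options");
  return [...new Set(findings)].sort();
}

// Constructed sample responses.
const compliant = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
};
const weak = {
  "strict-transport-security": "max-age=31536000",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "x-frame-options": "SAMEORIGIN",
};
```

An empty result means every listed commitment holds for that response; run it against each public surface, since a header set on the marketing site says nothing about the product endpoints.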

Mobile-specific safeguards: Background-state guard shows a blur overlay when the app is backgrounded. Re-authentication required after a configurable inactivity timeout. Cache purge after a failure threshold (e.g., 3 failed PIN attempts in IncluVoice settings). Tokens stored in hardware-backed secure storage (iOS Keychain / Android Keystore via expo-secure-store). Certificate pinning for Supabase and AI-provider domains.

Physical safeguards: Vercel (hosting) carries SOC 2 Type II. Supabase (database) carries SOC 2 Type II. No IncluShift personnel have physical access to the underlying infrastructure. IncluClaim Medicaid billing data is stored in a single-tenant Postgres database (separate Neon project) segregated from the multi-tenant educational-records database.

Network safeguards: All public traffic terminates at the Vercel edge. Database connections pool through Supabase's connection pooler — no direct Postgres exposure to the public internet. AI-provider API calls originate only from Vercel serverless functions, never from the client browser or mobile app, so AI keys never reach end-user devices.

Incident response: When a security incident is suspected: (1) immediate triage per the internal incident-response runbook; (2) containment — affected credentials are revoked immediately and the affected feature surface is disabled; (3) forensics via the audit log plus Vercel and Supabase log preservation for the affected window; (4) notification per HIPAA Breach Notification Rule (when PHI is involved) or COPPA, FERPA, and applicable state-law requirements; (5) post-mortem and root-cause analysis within 14 days, documented in a private incident archive.

6. Children's Privacy

We do not knowingly collect personal information directly from children. All student interactions with IncluShift products occur within district-controlled environments. Student-generated data (e.g., math practice responses, behavioral telemetry) is processed locally on the device or transmitted via encrypted, Zero-PII pipelines to district-controlled dashboards. No student data is used for advertising, profiling, or any purpose other than educational service delivery.

7. California Residents (CCPA/CPRA)

IncluShift does not sell personal information. We do not share personal information for cross-context behavioral advertising. California residents may exercise their rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, by contacting privacy@inclushift.com. We acknowledge requests within 10 business days and complete them within 45 days of receipt (extensible to a total of 90 days for complex requests, per §1798.130(a)(2)(B)). We apply the same response timeline to data-subject access requests submitted under Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Delaware (DPDPA), Maryland (MODPA), and other applicable state privacy frameworks.

8. Third-Party Services on This Website

This website uses no third-party services. No analytics (Google Analytics, Plausible, Fathom, or otherwise). No advertising networks. No social media tracking. No customer support chat widgets. No embedded content from tracking platforms. Fonts are self-hosted. All resources are served from Vercel's CDN.

8b. Subprocessors and Service Providers

When a district or parent uses an IncluShift product (separate from this marketing website), a small set of vendors process data on our behalf. Each is bound by a written contract that meets COPPA's third-party-recipient requirements (16 CFR §312.4(d)) and, where applicable, FERPA's school-official obligations and HIPAA Business Associate terms.

Vercel — hosts our web applications and serves CDN content. SOC 2 Type II. Carries our written data-processing terms.

Supabase — provides the authentication gateway and the multi-tenant Postgres database for educational records. SOC 2 Type II. Hosted in us-east-1. Carries our written data-processing terms.

Stripe — processes B2C parent-direct subscription payments. PCI DSS Level 1 service provider. Stripe receives only billing-relevant data (email, payment method, subscription status) — never student-record content.

Resend — sends transactional email (account verification, invitation magic links, district demo-request acknowledgments). Resend receives only the recipient address and the message body — never student-record content.

Neon — provides the single-tenant Postgres database for IncluClaim Medicaid billing, isolated from the multi-tenant educational-records database. Carries our HIPAA Business Associate Agreement. Used only when a district has executed a BAA and activated IncluClaim.

AI providers — for the small subset of features that use AI (the IEP drafter in IncluShift OS, the jargon translator in IncluBridge, decodable-passage generation in IncluLiteracy, the scenario evaluator in IncluTrain, and the AAC prediction-bar in IncluVoice), all prompts pass through a deterministic PII sanitizer before transmission. Student names, school names, dates of birth, addresses, and diagnostic terminology are tokenized and re-mapped device-locally on response. AI providers never receive identifiable student-record content.

9. Contact

For privacy-related inquiries, contact: privacy@inclushift.com