Privacy Policy
Last updated: April 2026
IEP Ally is operated by Tinker Labs LLC. We understand that the information you share with us is deeply personal. It involves your family, your child, and their educational needs. We take that responsibility seriously. This Privacy Policy explains what data we collect, how we use it, and the steps we take to keep it safe.
1. Information We Collect
1.1 Account Information
When you create an IEP Ally account, we collect your name and email address. If you sign up using a third-party authentication provider, we receive the basic profile information they share (such as your name and email). This information is used to establish and manage your account.
1.2 Child Information (Sensitive Personal Information)
When you upload your child's IEP or related educational documents, we collect and store information about your child. This includes but is not limited to:
- Child's name, age, and date of birth
- Disability category and classification
- Educational performance data
- Health and medical information (when included in documents)
- Service recommendations and accommodations
This information is classified as Sensitive Personal Information. We treat all child-related data with elevated care and implement additional protections as detailed in Section 5.
1.3 Documents
When you upload IEP documents, evaluation reports, correspondence from schools, or related educational files, we store the document content securely so our service can analyze it and provide actionable insights.
1.4 AI Interaction Data
When you use IEP Ally's chat feature, meeting prep tools, letter generation, or document analysis, we collect and store your prompts, questions, and the AI-generated responses. This allows us to provide continuity in your conversations and improve the service.
1.5 Payment Information (via Stripe)
If you subscribe to IEP Ally Premium, payment is processed by Stripe. IEP Ally does not receive or store your full credit card number, CVV, or routing information. Stripe provides us only with: payment confirmation, last four digits of your card, card type, and expiration date for subscription management purposes.
1.6 Usage Data
We collect information about how you interact with IEP Ally, including pages visited, features used, time spent in the app, device type, browser information, and general usage patterns. This data helps us understand product usage, identify bugs, and develop new features.
2. How We Use Your Information
We use the information we collect to:
- Provide our core service: Analyze your uploaded IEP documents, generate meeting prep packages, create template letters, and power AI-assisted chat conversations about your child's IEP.
- Process payments: Manage subscriptions, process billing, issue invoices, and handle refunds through Stripe.
- Improve IEP Ally: Understand usage patterns, identify bugs and performance issues, and develop new features that better serve families navigating the IEP process.
- Communicate with you: Send account-related notifications (subscription changes, password resets), respond to support requests, and (with your consent) share product updates or educational resources.
- Maintain security: Detect, investigate, and prevent fraud, unauthorized access, and other security incidents.
- Comply with legal obligations: Meet our obligations under applicable laws, regulations, and legal processes.
What We Do NOT Do:
- We do NOT use your data to train AI models or large language models.
- We do NOT sell or share your data with advertisers or marketing platforms.
- We do NOT use your data for behavioral targeting or interest-based advertising.
- We do NOT rent, lease, or otherwise transfer your data to third parties for their marketing purposes.
3. Children's Privacy and COPPA Compliance
3.1 Designed for Parents, Not Children
IEP Ally is designed for parents, guardians, and caregivers of children with special needs. We do not knowingly collect personal information directly from children under the age of 13. Our service is not intended for children to use independently.
3.2 Children's Data We Collect
When you upload your child's IEP and related documents, we collect information about your child through your actions as a parent or guardian. This is distinct from collecting information directly from the child and is permitted under COPPA with parental consent (which you provide by using our service and uploading documents).
3.3 Verifiable Parental Consent
Your use of IEP Ally constitutes verifiable parental consent. By creating an account and uploading documents containing your child's information, you affirm that:
- You are a parent, legal guardian, or authorized caregiver of the child whose information is being uploaded.
- You have the legal authority to provide personal information about the child to IEP Ally.
- You consent to our collection and use of that information as described in this policy.
- You understand that child-related data is treated as Sensitive Personal Information with elevated protections.
3.4 Limited Use of Children's Data
Children's information collected through IEP documents is used solely to:
- Analyze and summarize the child's IEP and educational records.
- Generate meeting preparation materials tailored to the child's needs.
- Create template letters and correspondence specific to the child's situation.
- Provide personalized chat assistance to the parent about the child's IEP.
Children's information is never:
- Sold or shared with third parties for any reason.
- Used for advertising or marketing purposes.
- Shared with schools or other entities without your explicit consent.
- Used to build profiles or predictive models about the child.
3.5 Parental Rights and Control
You have the right to:
- Review: Access and review all information we hold about your child at any time.
- Request deletion: Ask us to delete your child's information from our systems.
- Withdraw consent: Revoke your consent to our use of your child's information, which will result in deletion of the information and termination of service.
- Opt out of future collection: Delete documents or stop using the service to prevent future collection.
To exercise any of these rights, contact us at privacy@iep-ally.com.
3.6 Data Retention for Children's Information
We retain your child's information only for as long as your account is active or as needed to provide services. When you delete your account or request deletion of child data, we remove it from active systems immediately upon account deletion. We understand the sensitivity of this information and do not retain it longer than necessary.
4. Education Records
While IEP Ally is not subject to the Family Educational Rights and Privacy Act (FERPA), as we are not a school or educational institution, we voluntarily commit to protecting IEP documents and education records you upload with equivalent care and diligence. We treat these documents as highly confidential and apply:
- Encryption at rest and in transit
- Strict access controls limiting who can view the documents
- Audit logging of all access to education records
- Regular security assessments specific to sensitive document handling
- No sharing with third parties without your explicit consent
5. Sensitive Personal Information
IEP Ally collects certain categories of sensitive personal information, including:
- Disability categories: Such as autism spectrum disorder, ADHD, learning disabilities, physical disabilities, etc.
- Health information: Medical diagnoses, treatment plans, medication information (when included in IEP documents).
- Child personal information: Name, age, and other details about a minor.
Explicit Opt-In: By uploading documents containing sensitive personal information, you explicitly consent to our collection and use of this information for the purposes described in this policy. You can withdraw consent at any time by contacting us at privacy@iep-ally.com.
California CCPA “Limit Use”: Under California's CPRA, you have the right to limit our use of sensitive personal information. We use your sensitive data only for the service purposes you authorized. For instructions on how to request a “Limit Use” restriction, see Section 12 or contact us directly.
6. Third-Party Data Sharing
IEP Ally integrates with third-party services to operate. Below is a detailed breakdown of the providers we share data with, the purposes, and what data is shared:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Anthropic (Claude) | AI-powered document analysis, chat assistance, letter generation, meeting prep | Document content, chat prompts, IEP data (to generate responses) | Anthropic Privacy |
| Supabase | Data storage, user authentication, database management | Account info, documents, child data, chat history, usage data | Supabase Privacy |
| Stripe | Payment processing, subscription management, billing | Billing name, email, last 4 digits of card, card type, expiration date | Stripe Privacy |
| Resend | Transactional email delivery (confirmations, notifications, password resets) | Email address, account notifications, transactional messages | Resend Privacy |
| Vercel | Application hosting and deployment infrastructure | Usage logs, performance data, error logs (no personal data) | Vercel Privacy |
AI Data Processing: When you use IEP Ally's AI features, your document content and prompts are transmitted to Anthropic's servers for processing. Anthropic's terms specify that they do not use data for training (under their standard commercial terms). We recommend reviewing Anthropic's privacy policy for full details on how they handle this data.
We only share the minimum data necessary for each service to function. All third-party providers are contractually obligated to use your data solely for the purposes specified above and to maintain appropriate security measures.
7. Data Retention
We retain different categories of data for different periods based on business necessity and legal requirements:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account Information | Immediately upon deletion; up to 90 days in encrypted backups | Service operation; backup and recovery |
| Child Profiles & Sensitive Data | Immediately upon deletion; up to 90 days in encrypted backups | Service operation; minimal retention after deletion |
| Uploaded Documents | Immediately upon deletion; up to 90 days in encrypted backups | Service operation; user reference |
| Chat History & AI Interactions | 12 months from last activity | User reference; conversation continuity |
| AI Analysis Results | Immediately upon deletion; up to 90 days in encrypted backups | Service operation; user reference |
| Generated Letters & Meeting Prep | Immediately upon deletion; up to 90 days in encrypted backups | User reference; backup |
| Billing Records | 7 years | Tax compliance; legal requirement |
| Audit Logs | 12 months | Security, incident investigation |
| Encrypted Backups | Immediately upon deletion; up to 90 days in encrypted backups | Disaster recovery; data preservation |
| Usage Analytics (Aggregated) | Indefinitely | Product improvement (anonymized/aggregated only) |
You can request deletion of your data at any time. When you delete your account, personal information is removed from active systems immediately. Some information may be retained in encrypted backups for up to 90 days before permanent deletion. Billing records and legal audit logs are retained as required by law.
8. Data Security
We implement comprehensive security measures to protect your information:
- Encryption at Rest: Data is encrypted using AES-256 encryption when stored in our database.
- Encryption in Transit: All data transmitted between your browser and our servers is protected using TLS 1.2 or higher.
- Row-Level Security: Database access is controlled at the row level, ensuring users can only access their own data.
- Access Controls: Only authorized personnel have access to user data, and access is logged and monitored.
- Audit Logging: All access to sensitive data is logged for security review and incident investigation.
- Regular Security Reviews: We conduct periodic security assessments, penetration testing, and vulnerability scanning.
- Incident Response Plan: We have documented procedures for responding to security incidents and data breaches.
While no system can guarantee absolute security, we are committed to protecting your data using industry best practices and continuously improving our security posture.
9. Cookies and Tracking
9.1 Essential Cookies
IEP Ally uses essential cookies that are necessary for the service to function:
- Authentication cookies: Keep you signed in and maintain your secure session.
- Session cookies: Track your activity within a session to prevent unauthorized access.
- Preference cookies: Remember your theme settings and language preferences.
9.2 Conversion Tracking Cookies
IEP Ally uses the following third-party conversion tracking tools to measure the effectiveness of our advertising:
- Meta (Facebook) Pixel: Tracks conversion events such as account signups and subscription upgrades. This helps us understand which ads lead to signups. Meta may place cookies on your browser to attribute these events.
- Google Ads Conversion Tracking: Tracks conversion events such as account signups and subscription upgrades. Google may place cookies on your browser to attribute these events.
These tools track page views and conversion events (such as signups and upgrades) to measure advertising effectiveness. We do not use them for behavioral retargeting or interest-based advertising. We do not sell your data to advertisers.
9.3 Your Cookie Choices
You can manage or disable cookies through your browser settings at any time. Disabling essential cookies may limit your ability to use IEP Ally (you will need to sign in again). To opt out of conversion tracking specifically, you can use Meta's ad preferences or Google's ad settings.
9.4 Do Not Track and Global Privacy Control
IEP Ally respects your browser's “Do Not Track” (DNT) signal and honors Global Privacy Control (GPC) settings. We do not engage in cross-site tracking or behavioral profiling regardless of your browser settings.
10. Data Breach Notification
In the event of a data breach that compromises your personal information, we will notify you according to the following process:
- Detection & Investigation (within 24 hours): We investigate the breach to determine what information was accessed and who may be affected.
- Notification to You (without unreasonable delay): We notify affected users via email at the address associated with your account. If email is not feasible, we will post a notice on our website.
- Information Provided: Our notification includes details about the breach, the types of information affected, steps we are taking to respond, and recommended actions you should take.
- Regulatory Notification: We notify relevant regulatory authorities as required by applicable laws (e.g., state attorneys general under state data breach laws).
- Ongoing Support: We provide resources and support (such as credit monitoring information, if applicable) to affected users.
11. Your Rights
You have rights regarding your personal information. The specific rights available depend on your location, but generally include:
| Right | Description | How to Request |
|---|---|---|
| Access | Receive a copy of the personal data we hold about you | Email privacy@iep-ally.com with “Data Access Request” in the subject |
| Correction | Update or correct inaccurate information in your account | Update directly in account settings or contact privacy@iep-ally.com |
| Deletion | Request deletion of your account and associated data | Email privacy@iep-ally.com with “Deletion Request” in the subject |
| Data Portability | Receive your data in a portable, machine-readable format | Email privacy@iep-ally.com with “Portability Request” in the subject |
| Opt-Out of Marketing | Stop receiving promotional emails | Click “Unsubscribe” in any marketing email or contact us |
| Limit Use of Sensitive Data | Restrict use of sensitive personal information (California CPRA) | Email privacy@iep-ally.com with “Limit Use Request” in the subject |
| Non-Discrimination | Exercise your rights without penalty or service degradation | We do not discriminate for exercising legal rights |
Response Timeline
We will respond to all data rights requests within 30 days. If your request is complex, we may extend the deadline by an additional 30 days and will notify you of the extension.
Verification
To protect your privacy and prevent unauthorized access, we may verify your identity before processing your request. This may include confirming your email address or asking security questions.
Authorized Agents
You may authorize another person or business to submit requests on your behalf. We will require written authorization and verification of the authorized agent's identity.
12. State-Specific Rights
12.1 California (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information is collected, used, and shared
- Right to correct inaccurate personal information
- Right to delete your personal information (with exceptions)
- Right to opt-out of the “sale” or “sharing” of personal information
- Right to limit our use of sensitive personal information (health, disability, financial data)
- Right to non-discrimination for exercising CCPA/CPRA rights
- Right to appeal our decisions regarding your requests
Important Note: IEP Ally does not “sell” or “share” your personal information as defined by CCPA/CPRA. We do not sell data to data brokers or share data with advertisers for behavioral advertising.
12.2 Colorado, Connecticut, Texas, and Virginia
If you reside in Colorado, Connecticut, Texas, or Virginia, you have similar rights under your state's consumer privacy laws (CPA, CTDPA, TDPSA, VCDPA):
- Right to access your personal information
- Right to correct inaccurate information
- Right to delete your personal information (with exceptions)
- Right to data portability
- Right to opt-out of targeted advertising
- Right to non-discrimination for exercising these rights
To submit a request under your state's law, please contact us at privacy@iep-ally.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by one or more of the following methods:
- Email notification to the address associated with your account
- Prominent notice on our website or within the app
- Request for your explicit consent (if required by law)
We encourage you to review this page periodically. Your continued use of IEP Ally after changes are posted constitutes your acceptance of the updated policy. If you do not agree with material changes, you may delete your account.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, have concerns about how your information is handled, or wish to report a security issue, please contact us:
General Inquiries:
hello@iep-ally.com
Privacy & Data Rights Requests:
privacy@iep-ally.com
We aim to respond to all inquiries within 5 business days, and to all formal data rights requests within 30 days.