Privacy Policy

2WAI Education Suite ("2WAI," "we," "us," or "our") is committed to protecting the privacy and security of students, teachers, parents, and school administrators who use our AI-powered educational platform. This Privacy Policy describes how we collect, use, store, and protect personal information in compliance with applicable federal and state privacy laws, including the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and the Student Online Personal Information Protection Act (SOPIPA).

This policy applies to all users of the 2WAI Education Suite, including the web application, mobile interfaces, and all associated services. By using our platform, you acknowledge that you have read and understood this Privacy Policy.

1. FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. 2WAI operates as a "school official" under FERPA, meaning we access student data solely to provide educational services as directed by schools and districts.

• Legitimate Educational Interest: We access and process student education records only to fulfill our contractual obligations to provide AI-powered tutoring and educational analytics.
• No Unauthorized Disclosure: We do not disclose personally identifiable information (PII) from student education records to any third party without prior written consent from the parent/guardian or eligible student, except as permitted under FERPA.
• Directory Information: We do not treat any student data as "directory information" that can be freely shared. All student data is treated as protected education records.
• Annual Notification Support: We support schools in providing annual notifications to parents about their FERPA rights and will cooperate with any parent requests to inspect or amend records.

2. COPPA Compliance

The Children's Online Privacy Protection Act (COPPA) imposes requirements on operators of websites and online services directed at children under 13. 2WAI fully complies with COPPA requirements.

• School Consent: For students under 13, we rely on the school or district to provide consent on behalf of parents for the collection of student data, as permitted under COPPA's school consent exception. Schools must have appropriate parental consent mechanisms in place.
• Limited Data Collection: We collect only the minimum information necessary to provide educational services. We do not collect data beyond what is needed for the platform to function.
• No Behavioral Advertising: We do not use student data for behavioral or targeted advertising of any kind. Student data is used exclusively for educational purposes.
• Parental Rights: Parents have the right to review their child's personal information, request its deletion, and refuse further collection. These requests can be made through the school or by contacting us directly.
• Data Minimization: Student accounts created for children under 13 collect only a username, grade level, and class assignment. No personal email addresses are required for student accounts.

3. SOPIPA Compliance

The Student Online Personal Information Protection Act (SOPIPA) provides additional protections for student data collected by educational technology providers. We adhere to the following SOPIPA requirements:

• No Sale of Student Data: We will never sell, lease, or rent student personal information to any third party, under any circumstances.
• No Targeted Advertising: We do not use student data to target advertisements to students, parents, or teachers. The platform contains no advertising.
• No Student Profiles for Non-Educational Purposes: We do not create or maintain profiles of students for purposes other than supporting their educational experience on our platform.
• Security Program: We maintain a comprehensive information security program designed to protect student data, including regular security assessments, employee training, and incident response procedures.
• Data Deletion: Upon request from a school or district, or upon termination of services, we will delete all student data within 60 days, unless retention is required by applicable law.

4. AI Transparency and Data Processing

2WAI uses artificial intelligence to power its tutoring features. We believe in full transparency about how AI processes student data.

AI Technology Used

Our platform uses Google's Gemini API to generate personalized tutoring responses, provide homework assistance, and create educational content. The AI acts as a virtual tutor that can explain concepts, answer questions, and guide students through problem-solving.

Data Sent to AI Services

When a student interacts with the AI tutor, the following data may be sent to Google's Gemini API for processing:

• The student's current message or question
• Recent conversation history within the current session (to maintain context)
• The student's grade level and subject area (to calibrate response difficulty)
• Homework or assignment content that the student submits for help

We do not send the following to AI services: student names, email addresses, school names, demographic information, or any personally identifiable information beyond what is necessary for the tutoring interaction.

AI Data Handling by Google

We use the Google Gemini API under enterprise terms. Under these terms, Google does not use data sent through the API to train or improve its models. Data sent to the Gemini API is processed for the sole purpose of generating a response and is not retained by Google beyond the processing window.

AI Content Disclaimer

AI-generated content is provided for educational purposes only. While we strive for accuracy, AI outputs may contain errors or inaccuracies. Teachers are encouraged to review AI-generated materials, and students should verify important information with their teachers or other authoritative sources.

5. Data We Collect

Account Information

• Teachers: Full name, email address, username, password (hashed), school/organization name, profile avatar
• Students: Username, password (hashed), grade level, class/section assignment, profile avatar
• Administrators: Full name, email address, school/district affiliation

Educational Data

• Homework submissions and responses
• AI tutoring conversation logs
• Assignment completion status and scores
• Learning progress metrics
• Time spent on activities

Technical Data

• Browser type and version
• Device type (desktop, tablet, mobile)
• IP address (used for security and access logging only)
• Usage analytics (pages visited, features used, session duration)

6. Data Storage and Security

• Hosting: Our application is hosted on Vercel's infrastructure, which maintains SOC 2 Type II compliance and operates data centers within the United States.
• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Encryption at Rest: All stored data, including database records and file uploads, is encrypted at rest using AES-256 encryption.
• Password Security: User passwords are never stored in plain text. Passwords are hashed using industry-standard algorithms before storage.
• Access Controls: Access to production systems and student data is limited to authorized personnel on a need-to-know basis, with all access logged and audited.
• Incident Response: We maintain an incident response plan and will notify affected schools, districts, and users within 72 hours of discovering a data breach, in compliance with applicable state breach notification laws.

7. Data Retention and Deletion

• Active Accounts: We retain user data for the duration of the account's active status and the term of the school/district's service agreement.
• Account Deletion: When a user deletes their account, all associated personal data is permanently removed within 30 days. Anonymized, aggregated analytics data may be retained.
• End of Service: When a school or district terminates its agreement with 2WAI, all student and teacher data associated with that school/district is deleted within 60 days, unless the school requests a data export.
• AI Conversation Logs: AI tutoring conversation logs are retained for the duration of the school year in which they were created. At the end of each school year, conversation logs older than 12 months are automatically purged, unless a school requests earlier deletion.
• Backup Retention: Encrypted backups may be retained for up to 90 days for disaster recovery purposes, after which they are securely destroyed.

8. Third-Party Services

We use a limited number of third-party services to operate the platform. Each service is vetted for privacy and security compliance. We do not share student data with third parties for their own commercial purposes.

9. Student and Parent Rights

Students and their parents/guardians have the following rights regarding personal data:

• Right to Access: Request a copy of all personal data we hold about the student. We will respond within 30 days.
• Right to Correction: Request that inaccurate or incomplete personal data be corrected.
• Right to Deletion: Request the deletion of a student's personal data. Upon verification, data will be deleted within 30 days.
• Right to Data Portability: Request that student data be exported in a commonly used, machine-readable format (CSV or JSON).
• Right to Restrict Processing: Request that we limit how the student's data is processed.
• Right to Object: Object to specific uses of the student's data.

To exercise any of these rights, contact your school administration or reach out to us directly at privacy@2wai.com.

10. School and District Rights

• Data Processing Agreements (DPAs): We enter into Data Processing Agreements with schools and districts upon request. Our DPA template is aligned with the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement.
• Data Ownership: Schools and districts retain ownership of all student education records. 2WAI acts as a data processor on behalf of the school.
• Data Portability: Schools may request a full export of all data associated with their accounts at any time during or after the service term.
• Audit Rights: Schools and districts have the right to audit our data handling practices upon reasonable notice.
• Breach Notification: We will notify the affected school or district within 72 hours of discovering any data breach that may affect student records.
• Compliance Documentation: We provide compliance documentation, including security certifications and assessment reports, upon request.

11. Contact Information

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

For urgent data privacy concerns, such as suspected unauthorized access to student data, please email privacy@2wai.com with "URGENT" in the subject line. We will respond within 24 hours.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify schools and districts at least 30 days in advance via email. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the Service after changes take effect constitutes acceptance of the revised Privacy Policy. We encourage you to review this policy periodically.