At a Glance
No Student PII
Students authenticate with a username and class code only. No email, no password, no personal information collected.
Encrypted Everywhere
All data is encrypted in transit (TLS/HTTPS) and at rest (managed database encryption).
Teacher-Controlled
Teachers own their content and control their classrooms. Student data exists to serve the teacher's instructional goals.
No Ads, No Selling Data
We do not run third-party ads. We do not sell, rent, or share student data with advertisers or data brokers.
1. Our Approach to Privacy
Investant Academy is a classroom management and analytics platform built for teachers. Our product helps educators author interactive lessons, assign them to students, grade responses, and understand how their students are performing over time.
We designed the platform from day one with a privacy-first architecture. Rather than collecting student data and then figuring out how to protect it, we chose to collect as little as possible in the first place.
Our guiding principles:
- Minimal collection. We only collect what is necessary to deliver the educational service. For students, that means a username and their assignment responses. Nothing more.
- Purpose limitation. Student data is used exclusively to provide analytics to their teacher. We do not use it for advertising, profiling, or any purpose outside the classroom.
- Teacher control. Teachers decide what content to assign, which students are in their classroom, and how analytics are used. We provide the tools; teachers make the decisions.
- Transparency. We tell you exactly what we collect, why, and who can access it. No surprises.
2. Student Privacy
Students on Investant Academy are lightweight entities. They are not traditional user accounts. Here is exactly what we collect and what we do not.
What we collect from students
- A username. Chosen by the teacher or student at enrollment. We do not require or recommend that real names be used. A nickname, initials, or student number works perfectly.
- Assignment responses. Answers to questions within lessons and quizzes assigned by their teacher. These are used to generate performance analytics for the teacher.
- Progress metadata. Timestamps for when an assignment was started, submitted, and how long it took. Used for the teacher's analytics dashboard.
What we do NOT collect from students
- No email address
- No password
- No real name (unless the teacher chooses to use one as the username)
- No date of birth or age
- No home address or phone number
- No device fingerprinting or behavioral tracking
- No photos, videos, or biometric data
- No social media accounts or external identifiers
How students authenticate
Students join a classroom by entering a class code (provided by their teacher) and a username. That's it. No account creation, no email verification, no password to remember or reset. This model is similar to how platforms like Kahoot handle student access: minimal friction, minimal data.
A session token (JWT) is issued for the duration of the student's activity and stored in the browser. When the session ends, the token expires. Students can return to their classroom at any time by re-entering their class code and username.
How student data is used
Student responses and progress data exist for one purpose: to help their teacher understand how they are performing. Our analytics surface shows teachers which questions students missed, identifies patterns across assignments, and highlights where individual students may need additional support.
We do not use student data to build advertising profiles, train AI models, sell to third parties, or for any purpose outside the educational relationship between the student and their teacher.
3. Teacher & Administrator Data
Teachers and administrators are the primary users of Investant Academy. They create full accounts with the following information:
- Email address: Used for authentication, account recovery, and essential service communications (billing, trial reminders).
- Password: Hashed and salted before storage. We never store or have access to plaintext passwords.
- Payment information: Handled entirely by Stripe. We do not store credit card numbers, CVVs, or bank account details on our servers.
Teachers also create content (lesson modules, classrooms, assignments) and manage student rosters. This content belongs to the teacher's organization and is covered in our Privacy Policy under Data Ownership & Retention.
4. Security Practices
We take the security of our platform seriously. Here is how we protect data at every layer:
Encryption
- In transit: All connections use TLS (HTTPS). Data moving between your browser, our application servers, and our database is encrypted using industry-standard protocols.
- At rest: Our database uses managed encryption provided by our hosting infrastructure. Data stored on disk is encrypted and inaccessible without proper authentication.
Authentication & Access Control
- Teacher/admin sessions: Authenticated via JWT tokens. Session persistence uses HTTP-only cookies that survive page reloads, while API requests use Bearer token authentication. Tokens expire and must be refreshed.
- Student sessions: Lightweight JWT tokens scoped to a specific classroom. There is no persistent account; sessions are temporary by design.
- Password storage: All passwords are hashed and salted using industry-standard algorithms before storage.
- Role-based access: Teachers can only access classrooms and students within their own organization. Students can only access assignments in classrooms they have joined.
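As an added illustration (not Investant Academy's code), a classroom-scoped, expiring student token of the kind described above could be issued and checked as follows. The HS256 algorithm, the claim names, the key and the sample values are assumptions made for this example.

```python
import base64, hashlib, hmac, json, time

# Assumption: tokens are signed with HS256 using a server-side key (constructed value).
SECRET = b"constructed-demo-key-not-a-real-secret"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: str, body: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()

def issue_student_token(username, classroom_id, ttl=3600, now=None):
    """Issue a short-lived token bound to one classroom (claim names are hypothetical)."""
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": username, "role": "student", "classroom": classroom_id,
              "iat": now, "exp": now + ttl}
    body = b64e(json.dumps(claims).encode())
    return f"{header}.{body}.{b64e(sign(header, body))}"

def authorize_student(token, requested_classroom, now=None):
    """Return the claims if the token is valid for this classroom, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        # Verify the signature first, in constant time, before trusting any field.
        if not hmac.compare_digest(sign(header, body), b64d(sig)):
            return None
        # Pin the algorithm on the server; never let the header choose it.
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    if claims.get("exp", 0) <= now:
        return None  # session has expired; the student re-joins with the class code
    if claims.get("role") != "student":
        return None
    if claims.get("classroom") != requested_classroom:
        return None  # token is scoped to a different classroom
    return claims
```

The scope check runs on every request, so a token from one classroom cannot be replayed against another, and editing the classroom claim invalidates the signature.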
Infrastructure
- Application hosting: AWS cloud infrastructure with automated deployments.
- Database: Managed PostgreSQL with automated backups, encryption at rest, and network isolation.
- Media assets: Delivered via CDN with access controls.
- Secrets management: Environment variables and API keys managed through a dedicated secrets platform, never hardcoded or committed to source control.
Development Practices
- Input validation and parameterized queries to prevent injection attacks
- Rate limiting on authentication and sensitive API endpoints
- Automated CI/CD pipeline with build verification before deployment
- Dependency monitoring for known vulnerabilities
5. FERPA & COPPA Posture
FERPA (Family Educational Rights and Privacy Act)
FERPA protects the privacy of student education records and applies to educational institutions that receive federal funding. When an edtech platform processes student data on behalf of a school, it operates under the "school official" exception and must handle data in accordance with FERPA requirements.
Our position: Investant Academy is architecturally designed to minimize FERPA exposure. Because we do not collect personally identifiable information (PII) from students (no names are required, no emails, no addresses, no dates of birth), the data we hold does not constitute "education records" under FERPA in most interpretations, provided teachers use non-identifying usernames.
That said, we recognize that if a teacher chooses to use a student's real name as their username, that data point combined with assignment responses could constitute an education record. For this reason:
- We recommend teachers use non-identifying usernames (initials, student numbers, or nicknames) when possible.
- We treat all student data as if it were protected under FERPA regardless of whether real names are used.
- We do not disclose student data to any third party for non-educational purposes.
- We provide data deletion capabilities so teachers and administrators can remove student records at any time.
We have not undergone a formal FERPA compliance audit. FERPA compliance is technically the responsibility of the educational institution, not the vendor. However, we are committed to supporting schools in meeting their FERPA obligations by maintaining a minimal-data architecture and providing the controls schools need.
COPPA (Children's Online Privacy Protection Act)
COPPA applies to online services that collect personal information from children under 13. Because Investant Academy does not collect personal information from students (no email, no name requirement, no account creation), and because access is mediated entirely through the teacher (who provides the class code), our exposure under COPPA is minimal.
Teachers act as the gatekeepers for student access. A student cannot discover or join a classroom without the teacher-provided class code, and no personal information is requested during the join process.
Data Processing Agreements (DPAs)
For schools or districts that require a formal Data Processing Agreement, we are happy to work with you. Please contact us to discuss your requirements. We are also open to participating in the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement framework as our school customer base grows.
6. Third-Party Services
We use a limited number of third-party services to operate Investant Academy. Here is who they are, what they access, and why:
| Service | Purpose | Data Access | Student Data? |
|---|---|---|---|
| Stripe | Payment processing | Teacher billing info only | No |
| Google Analytics | Website traffic analysis | Anonymous page views, no PII | No |
| Google OAuth | Teacher sign-in option | Teacher email (with consent) | No |
| Google reCAPTCHA | Bot protection on forms | Browser signals (no PII) | No |
| Cloudinary | Media asset delivery | Uploaded images/media | No |
| AWS (EC2, SES) | Hosting & email delivery | Application data in transit | Indirect (hosting) |
| Digital Ocean | Database hosting | All application data (encrypted) | Indirect (hosting) |
What we do not do:
- We do not sell data to any third party.
- We do not run third-party advertisements.
- We do not share student data with advertisers or data brokers.
- We do not use student data to train AI or machine learning models.
- We do not build behavioral profiles of students.
7. Data Ownership & Retention
Who owns the data?
- Teacher content (lesson modules, assignments, classroom configurations) belongs to the teacher's organization. We do not claim ownership of content you create.
- Student data (usernames, responses, progress) is held on behalf of the teacher's organization and exists solely to provide the educational service.
Data retention
- Active accounts: Data is retained for the duration of the subscription. Teachers can delete individual students, classrooms, or assignments at any time.
- Canceled subscriptions: After subscription cancellation, account data is retained for a reasonable period to allow reactivation, then permanently deleted.
- Student records: Teachers and administrators can delete student records at any time. Deletion is permanent and removes all associated response and progress data.
Data deletion
All deletion is fully self-service. Teachers and administrators can delete student records, classrooms, assignments, and their own account directly from the dashboard at any time. No support ticket or waiting period required. If you have any questions about data deletion or retention, feel free to contact us.
8. Compliance Roadmap
We believe in being transparent about where we are today and where we are headed. Here is our honest assessment:
What we have today
- Privacy-first architecture with minimal student data collection
- Encryption in transit (TLS) and at rest (managed database encryption)
- Role-based access control with organization-scoped data isolation
- Secure authentication with HTTP-only cookies and hashed passwords
- No third-party advertising or data sales
- Published Privacy Policy and Terms of Service
- Data deletion capabilities for teachers and administrators
What we are working toward
| Milestone | Status | Notes |
|---|---|---|
| Common Sense Privacy Evaluation | Planned | Free self-evaluation available; pursuing verified seal as customer base grows |
| SDPC National DPA | Planned | Will participate in the Student Data Privacy Consortium framework for school/district contracts |
| SOC 2 Type II | Future | Will pursue when enterprise contracts justify the investment (typically $30k-$80k for initial audit) |
| Formal FERPA Compliance Review | Future | Architecture is designed with FERPA principles; formal legal review planned alongside first school district engagement |
We are a small, focused team building alongside real educators. Our compliance posture will grow with our customer base, but our commitment to minimal data collection and student privacy is foundational and will not change.
9. Questions & Contact
We welcome questions about our privacy and security practices. Whether you are a solo teacher evaluating the platform, a school administrator conducting a vendor review, or a parent with questions about how your child's data is handled, we are happy to help.
You can also reach us through our .
For schools or districts requiring a Data Processing Agreement, vendor security questionnaire, or other formal documentation, please reach out and we will work with you directly.