Privacy Policy

Effective: May 11, 2026 · Version 1.0

PrepIEP ("we," "our," "us," or "the Service") is operated by a Massachusetts-based sole proprietor preparing to form a single-member LLC. This Privacy Policy explains what personal information we collect from you, how we use it, who we share it with, how long we keep it, and the rights you have over it. Capitalized terms not defined here have the meaning given to them in our Terms of Service.

This policy applies to the PrepIEP website at prepiep.com, the PrepIEP web application, and the PrepIEP mobile applications (collectively, the "Service"). PrepIEP is offered to residents of the United States who are 18 years of age or older. We do not knowingly market to or accept users from the European Union, United Kingdom, EEA, Switzerland, or Canada.

Educational reference, not legal advice. PrepIEP surfaces patterns and questions for you to raise with your IEP team. Educational reference, not legal advice.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign in with Google or with Sign in with Apple, we receive only the basic profile fields you authorize (name, email, and a stable user identifier) — we do not access your Google Drive, your contacts, your iCloud, your calendar, or any other data from those providers.

1.2 Eligibility & Compliance Attestations

At signup we collect a self-attestation that you are 18 years of age or older and that you reside in the United States. We may collect coarse IP-derived geolocation (country level only) to enforce our regional eligibility limits. We do not store precise location data.

1.3 IEP Documents and Related Education Records

When you upload an IEP, an evaluation report, a Notice of Procedural Safeguards, a Prior Written Notice, related correspondence, or any other education record, we process the document to extract goals, services, accommodations, evaluation findings, and similar structured data. The uploaded file and the extracted data are stored in your private workspace and are accessible only to you and to the limited subprocessors described below.

You upload education records as the parent or guardian of the student described in the records. We treat you (the parent) as the data controller for those records. We act as a processor on your instructions. See §4 (FERPA) for the limits this places on us.

1.4 Chat & AI Interactions

Questions you ask our AI advisor, prompts you submit to our copilots, generated meeting agendas, suggested goals, suggested requests, suggested rights questions, and the AI responses themselves are stored in your account to give you conversation history, continuity, and the ability to revisit prior sessions. They are also retained, in line with §7, as a defensive record in the event of a dispute about what the AI did or did not say.

1.5 Billing Information

If you subscribe to a paid plan, our payment processor (Stripe, Inc.) collects and stores your payment card number, expiration date, and billing postal code on its own systems. We never see or store your full card number. Stripe returns to us a non-sensitive customer identifier, the last four digits of the card, the card brand, the renewal status of your subscription, and invoice metadata (amount, date, receipt URL). See §6 (Subprocessors).

1.6 Device and Diagnostic Data

When you use the Service, we automatically collect basic device and connection information (browser type, operating system, screen size, language preference, and a coarse country derived from your IP address) for security, fraud prevention, and aggregate analytics. We collect crash reports and unhandled-error diagnostics through our error reporter (see §6). Crash payloads are scrubbed of in-app text and uploaded file content before they leave your device.

1.7 Usage Data

We use two privacy-respecting analytics tools to understand how the service is used:

You can opt out of PostHog at any time by enabling Global Privacy Control (GPC) in your browser; we honor it as a valid opt-out signal under §9 (California). Plausible is opt-out-by-default for tracking blockers.

1.8 What we do not collect

We do not collect biometric identifiers, voiceprints, faceprints, precise location, contact-list data, calendar data, or social-graph data. We do not place advertising-network cookies or pixels. We do not run social-media login providers other than the two named in §1.1. We do not buy, license, or otherwise obtain personal information about you from data brokers.

2. How We Use Your Information

We use the categories of information described in §1 for the following purposes only:

Purposes we explicitly do not use your information for. We do not sell or rent your personal information. We do not share it with advertising networks. We do not use it for targeted advertising. We do not use it to build profiles for sale to third parties. We do not use your education records, chat content, or AI prompts to train, fine-tune, evaluate, or improve any artificial-intelligence model — neither our own (we do not train models) nor any of our subprocessors' models. See §3 for our explicit "no AI training" commitment.

3. AI Processing & "No AI Training" Commitment

We use Google's Gemini API to analyze the documents you upload and to generate the responses you see in the chat advisor and copilots.

Our standalone, contractually backed commitment: PrepIEP does not train, fine-tune, evaluate, distill, embed-into-evaluation-sets, or otherwise use any customer-supplied content (your prompts, your uploaded documents, your generated outputs, your chat history) to develop, calibrate, or improve any artificial-intelligence model — our own or anyone else's. This commitment is binding. We update our subprocessor contracts, where renegotiable, to flow this prohibition through. We disclose this commitment here, on our subprocessors page, and as a recurring representation in our Terms of Service.

This is also one of the conditions on which we rely to qualify for the solo-developer exemption under the Colorado AI Act (SB24-205). If we ever change this practice we will (i) update this policy with at least 30 days' notice, (ii) re-prompt every active user for affirmative consent before any new use, and (iii) update our subprocessors page to disclose the change.

4. FERPA & Our Role as Processor

The Family Educational Rights and Privacy Act ("FERPA") binds schools and other educational agencies that receive federal funding. FERPA does not bind PrepIEP directly when a parent uploads records they already control. To keep that boundary clean:

5. Children's Privacy (COPPA)

PrepIEP is for parents and legal guardians who are 18 or older. PrepIEP is not directed to, and is not intended for use by, children under 13. We do not knowingly collect personal information directly from a child under 13 in connection with the Service.

The IEP documents and related records you upload typically describe a child, but they are uploaded by you, the parent or guardian, in the exercise of your own rights. You are responsible for the accuracy of those records and for the lawfulness of your possession of them.

April 22, 2026 amendments. The amended COPPA Rule expanded the definition of "personal information" to include biometric identifiers and certain persistent identifiers, and requires separate verifiable parental consent before a child's personal information is used to train an AI model. PrepIEP does not collect biometric identifiers from children, does not place persistent identifiers other than functional cookies needed to keep you logged in, and (per §3) does not train AI models on customer-supplied data of any kind, including data about children that a parent uploads. Our compliance posture under the amended COPPA Rule is therefore: parent-as-uploader, no biometric collection, no persistent identifiers for tracking, and a binding no-training commitment.

If you become aware that a person under 13 has somehow created an account, please email contact@prepiep.com and we will close the account and delete the data within seven (7) days.

6. Subprocessors

We use a small set of subprocessors to deliver the Service. The current, versioned list — including each subprocessor's name, purpose, data category, region, retention, and data-use attestation — is published at prepiep.com/subprocessors and is incorporated into this policy by reference.

The list, in summary:

We will give at least 30 days' advance notice on the subprocessors page and via in-app notice before adding a new subprocessor that processes user-uploaded education records or AI-related content.

7. Data Retention

We retain personal information only as long as we have a legitimate business or legal reason to do so. Specifically:

If you delete your account, we permanently delete account data on the schedule above. We delete it from primary stores immediately and from encrypted backups on the next backup-rotation cycle (no longer than 35 days).

8. Your Rights

Regardless of where you live in the United States, you have the right to:

To exercise any of these rights, use the in-app controls under Account → Privacy & Data or email contact@prepiep.com. We will respond within 45 days. We do not charge for these requests. We will not retaliate or downgrade your service for exercising them.

9. Notice to California Residents

This section applies to California residents and supplements the rest of this policy for purposes of the California Consumer Privacy Act (CCPA), as amended by the CPRA, and the California Privacy Rights regulations effective January 1, 2026.

9.1 Categories of personal information

In the preceding 12 months we have collected the following statutory categories of personal information from California consumers:

We use sensitive personal information solely to deliver the Service you requested, to keep it secure, and for the purposes permitted by Cal. Civ. Code §1798.121(a). We do not use it to infer characteristics about you for any other purpose.

9.2 Sale or sharing of personal information

We do not "sell" personal information for money. We do not "share" personal information for cross-context behavioral advertising. We have not done so in the preceding 12 months and we do not plan to. Because we neither sell nor share, no opt-out from those activities is required to exercise the right not to have your data sold or shared. Nonetheless, we provide a "Do Not Sell or Share My Personal Information" link in the site footer, as required.

9.3 Global Privacy Control

We treat the Sec-GPC: 1 browser signal as a valid opt-out signal under California law (Cal. Code Regs. tit. 11, §7025). When we detect Sec-GPC: 1 from your browser, we will (i) not enable optional analytics that pass identifiers, (ii) suppress any future "sale or share" mechanic by default, and (iii) record your preference at signup so the preference persists across sessions. You may also turn this opt-out on or off at any time from Account → Privacy & Data.

9.4 Sensitive PI category — education records

Education records uploaded by parents (IEPs, evaluations, related correspondence) are sensitive personal information. We process them only as needed to deliver the features you have requested, retain them only as described in §7, and never use them to infer demographic, health, religious, sexual-orientation, biometric, or precise-location characteristics about you or your child.

9.5 No financial incentive

We do not offer financial incentives, loyalty programs, price differences, or service-level differences in exchange for personal information. Pricing is set by plan tier and applies to all users equally regardless of any privacy choices you exercise.

9.6 California rights

California residents may exercise the rights of access, deletion, correction, portability, opt-out, and limitation of use of sensitive PI described in §8 above. You may submit a request through Account → Privacy & Data or by emailing contact@prepiep.com. You may designate an authorized agent to act on your behalf; we will require written, signed authorization and a verification step with you before acting.

9.7 California "Shine the Light"

We do not share personal information with third parties for those parties' direct-marketing purposes. We do not need a Shine the Light disclosure on that ground.

9.8 California postal-equivalent contact

The California-required second contact channel for privacy questions is contact@prepiep.com. We will treat email to this address as the equivalent of a designated postal address until our LLC formation, at which point we will publish a registered postal address here.

Our designated primary and California second-channel privacy contact is the same address, contact@prepiep.com. We use a single inbox to simplify contacting us and route internally by topic.

10. AI Records — Defensive Retention

For 90 days after each AI-mediated interaction, we retain a defensive record consisting of: your user identifier, the prompt you sent, the model version that responded, the prompt-template version that wrapped your prompt, the response that was returned, and the timestamp. This record exists so that, if a parent later disputes what the AI did or did not say, we have a faithful record. After 90 days the record is automatically deleted.

11. International Transfers

Our infrastructure runs in the United States. If you access the Service from outside the United States, your information is necessarily transferred to and processed in the United States. We do not target, market to, or knowingly accept users from the European Union, the United Kingdom, the European Economic Area, Switzerland, or Canada, and we use a coarse country geofence at signup to enforce that. If you reside in one of those jurisdictions, please do not use the Service.

12. Security

The Service runs on Google Firebase, which provides:

No system is perfectly secure. You are responsible for keeping your account credentials confidential. If you believe your account has been compromised, contact contact@prepiep.com immediately.

13. Data Breach Notification

If we determine that an incident has resulted in unauthorized access to or acquisition of your personal information, we will notify affected users by email without unreasonable delay, and in any case within 72 hours of confirming the scope of the incident, consistent with applicable state breach-notification laws and Massachusetts G.L. c. 93H. The notice will describe the categories of information involved, the steps we have taken in response, and any actions you can take to protect yourself. Where required, we will also notify the relevant Attorneys General and other regulators.

14. Changes to This Policy

We may update this policy from time to time. If we make a material change, we will (i) update the "Effective" date and version number at the top, (ii) post the prior version at prepiep.com/privacy/v<previous-version> for archival purposes, (iii) provide at least 30 days' advance notice via email and an in-app notice before the new version takes effect, and (iv) for changes that meaningfully expand the categories of data we collect or the purposes for which we use them, ask you to re-acknowledge the policy at next sign-in.

Non-material changes (typos, clarifications, link fixes, the addition of a new subprocessor of the same kind as an existing one) take effect on posting and are reflected in the version number's minor digit.

15. Contact

For privacy questions, data-subject requests, or to exercise any right described in this policy:

Effective: May 11, 2026 · Version 1.0. Prior versions are archived at prepiep.com/privacy/v<version>.