Privacy Policy

We collect the following categories of information when you use SPEDScribe:

• Account registration information: name, email address, professional role, and school district affiliation
• Session audio recordings captured by authorized providers during clinical sessions
• Transcribed session text generated from audio recordings
• AI-generated clinical documentation including draft IEP sections, progress notes, and evaluation summaries
• Usage analytics including features accessed, session duration, and workflow patterns
• Device and browser information including device type, operating system, browser version, and IP address

We use collected information for the following purposes:

• Generating clinical documentation drafts from session recordings and provider input
• Improving platform accuracy and clinical quality on an aggregate, de-identified basis
• Providing technical support and responding to user inquiries
• Monitoring compliance with applicable law and our contractual obligations
• Producing aggregate analytics reports for district administrators (never individual identification)
• Maintaining platform security and preventing unauthorized access

We do not use personal information for targeted advertising, behavioral profiling, or any purpose not authorized by the contracting school district.

SPEDScribe processes student education records as a “school official” under FERPA (20 U.S.C. § 1232g; 34 CFR Part 99). We perform institutional services that the contracting school would otherwise use employees to perform, and we operate under the direct control and supervision of the contracting local educational agency (LEA).

All personally identifiable information (PII) is automatically redacted from transcripts before AI processing. The AI never sees student names, dates of birth, ID numbers, or other direct identifiers. Student data is used solely for authorized educational purposes at the direction of the contracting school district.

We do not disclose student education records to any third party except as directed by the contracting school district or as required by applicable law.

Per California Education Code Section 49073.1 (AB 1584), all pupil records remain the property of and are solely owned by the contracting local educational agency (LEA). SPEDScribe serves as a data processor on behalf of the district.

SPEDScribe does not own, sell, rent, or trade student data under any circumstances. Upon contract termination, all district data is returned to the district and permanently deleted from our systems within 90 days. A deletion certificate is provided upon request.

Consistent with the Student Online Personal Information Protection Act (SOPIPA), SPEDScribe:

• Does not use student data for targeted advertising
• Does not create student profiles for non-educational commercial purposes
• Does not sell student information
• Does not use student data to amass profiles for purposes other than those authorized by the contracting school district
• Does not use student data for any commercial purpose unrelated to educational services

Session transcripts are processed by our Clinical Intelligence Engine using zero-data-retention agreements with all AI processing partners. This means that student data submitted to our AI pipeline is processed in real time and immediately discarded — it is never stored, indexed, or used for any purpose beyond generating the current session’s documentation draft.

Student data is not used to train AI models. All AI processing occurs on de-identified data only, after automated PII redaction has been applied to the transcript.

SPEDScribe is used by adult education professionals and is not directed at children. However, we recognize that the platform processes information about children as part of its educational function.

We comply with the Children’s Online Privacy Protection Act (COPPA) requirements and rely on school consent under the school official exception for educational purposes. School districts using SPEDScribe provide the appropriate consent on behalf of families in accordance with FERPA and COPPA.

We implement industry-standard security measures including:

• AES-256 encryption for all data at rest
• TLS 1.3 encryption for all data in transit
• Role-based access control (RBAC) ensuring providers access only their own session data
• Automated PII redaction applied before any AI processing
• Regular security assessments and penetration testing
• Access logging and anomaly detection

Account and session data is retained for the duration of the active service contract. Upon contract termination:

• All district data is exported and delivered to the district in a portable format
• All student data is permanently deleted from SPEDScribe systems within 90 days
• A written deletion certificate is provided to the district upon request
• Backup copies are purged on the same schedule

Session audio recordings are deleted immediately upon successful transcription.

SPEDScribe uses third-party service providers to deliver our platform. All processing partners are required to:

• Maintain SOC 2 Type II certification
• Execute zero-data-retention agreements for student data
• Comply with FERPA, SOPIPA, AB 1584, and applicable state privacy laws
• Provide equivalent data protection standards as described in this policy

A current list of subprocessors is available at spedscribe.ai/subprocessors. We provide 30 days advance notice before adding new subprocessors.

Under the California Online Privacy Protection Act, California residents have the following rights:

• Right to know what personally identifiable information is collected about them
• Right to request deletion of personal information
• Right to opt out of the sale of personal information (SPEDScribe does not sell personal information)

SPEDScribe honors Global Privacy Control (GPC) signals as a valid opt-out of personal information sales. We do not currently sell personal information to any third party.

SPEDScribe does not currently meet the annual gross revenue threshold that triggers CCPA applicability. When applicable, we will provide all required CCPA/CPRA disclosures including categories of personal information collected, purposes of collection, and consumer rights including the right to know, right to delete, right to correct, and right to limit use of sensitive personal information.

We use the following categories of cookies:

• Essential cookies: required for authentication, session management, and core platform functionality. These cannot be disabled.
• Analytics cookies: used to understand how users interact with the platform and identify areas for improvement. These are processed on aggregate, de-identified data.
• We do not use advertising cookies, tracking pixels, or any third-party behavioral targeting technologies.

You can disable non-essential cookies through your browser settings or by contacting us at privacy@spedscribe.ai.

We do not knowingly collect personal information directly from children under 13. Student data processed on our platform is provided by authorized school officials under FERPA and COPPA school consent provisions, not collected directly from students.

We will provide 30 days written notice before any material changes to this Privacy Policy. For existing customers, material changes take effect at the next contract renewal period unless the district affirmatively agrees to earlier adoption.

Non-material changes (such as corrections or clarifications) may be made at any time and will be reflected in the “Last updated” date at the top of this page.

For privacy-related inquiries, data deletion requests, or questions about this policy:

Email: privacy@spedscribe.ai
Company: Crowned Legacy Enterprises
Address: Sacramento, CA