This document is provided for informational purposes during our pre-launch period. A comprehensive, attorney-reviewed version will be published prior to the platform processing student data.

LEGAL

Privacy Policy

How SPEDScribe collects, uses, and protects your information.

Last updated: April 2026

1. Information We Collect

We collect the following categories of information when you use SPEDScribe:

  • Account registration information: name, email address, professional role, and school district affiliation
  • Session audio recordings captured by authorized providers during clinical sessions
  • Transcribed session text generated from audio recordings
  • AI-generated clinical documentation including draft IEP sections, progress notes, and evaluation summaries
  • Usage analytics including features accessed, session duration, and workflow patterns
  • Device and browser information including device type, operating system, browser version, and IP address

2. How We Use Information

We use collected information for the following purposes:

  • Generating clinical documentation drafts from session recordings and provider input
  • Improving platform accuracy and clinical quality on an aggregate, de-identified basis
  • Providing technical support and responding to user inquiries
  • Monitoring compliance with applicable law and our contractual obligations
  • Producing aggregate analytics reports for district administrators (never individual identification)
  • Maintaining platform security and preventing unauthorized access

We do not use personal information for targeted advertising, behavioral profiling, or any purpose not authorized by the contracting school district.

3. Student Data

SPEDScribe processes student data only at the direction of, and on behalf of, the contracting school district under FERPA and California AB 1584. The formal FERPA classification of our role (including any “school official” designation under 34 CFR Part 99) is pending attorney review.

Transcript text is processed by layered, server-side redaction designed to strip personal identifiers (names, dates of birth, ID numbers, phone numbers, addresses, emails) before it reaches our AI documentation provider. The layers include our transcription subprocessor’s built-in PII redaction, applied to the returned transcript rather than the audio itself, and a server-side pass that combines pattern matching with a local proper-noun detector. This reduces exposure of student identifiers; it is not a guarantee that every identifier is removed. Student data is used solely for authorized educational purposes at the direction of the contracting school district.

We do not disclose student education records to any third party except as directed by the contracting school district or as required by applicable law.

4. Data Ownership

Per California Education Code Section 49073.1 (AB 1584), all pupil records remain the property of and are solely owned by the contracting local educational agency (LEA). SPEDScribe serves as a data processor on behalf of the district.

SPEDScribe does not own, sell, rent, or trade student data under any circumstances. Upon contract termination, all district data is returned to the district and permanently deleted from our systems on the schedule described in our Data Processing Agreement. A deletion certificate is provided upon request.

5. SOPIPA Compliance

Consistent with the Student Online Personal Information Protection Act (SOPIPA), SPEDScribe:

  • Does not use student data for targeted advertising
  • Does not create student profiles for non-educational commercial purposes
  • Does not sell student information
  • Does not use student data to amass profiles for purposes other than those authorized by the contracting school district
  • Does not use student data for any commercial purpose unrelated to educational services

6. AI Data Processing

Session transcripts are processed through our AI documentation provider (Anthropic) under their commercial terms. Anthropic does not use customer inputs or outputs to train models under those terms, and retains inputs and outputs only for a short period for abuse detection and to meet legal obligations before deletion. We have not signed a Zero Data Retention enterprise agreement with Anthropic; the standard commercial retention behavior applies.

Before transcript text reaches the AI provider, it passes through layered server-side redaction designed to strip personal identifiers. This reduces exposure of student identifiers; it is not a guarantee that every identifier is removed.

7. COPPA and FERPA Framing

SPEDScribe is used by adult education professionals and is not directed at children. The platform processes information about students as part of its educational function on behalf of, and at the direction of, the contracting school district.

The formal COPPA framing of consent and the FERPA school official exception under 34 CFR Part 99 are under attorney review and will be detailed when complete.

8. Data Security

We implement industry-standard security measures including:

  • AES-256 encryption for all data at rest
  • TLS 1.3 encryption for all data in transit
  • Role-based access control (RBAC) ensuring providers access only their own session data
  • Layered server-side PII redaction applied before any AI processing
  • Regular security assessments and penetration testing
  • Access logging and anomaly detection

9. Data Retention and Deletion

Account and session data is retained for the duration of the active service contract. Upon contract termination:

  • All district data is exported and delivered to the district in a portable format
  • All student data is permanently deleted on the schedule described in our Data Processing Agreement
  • A written deletion certificate is provided to the district upon request
  • Backup copies are purged on the schedule described in our Data Processing Agreement

Audio is not retained by SPEDScribe after transcription; subprocessor retention behavior is governed by their published policies and our contract terms.

10. Third-Party Services

SPEDScribe uses third-party service providers to deliver our platform. All processing partners are required to:

  • Operate under contractual data protection terms that prohibit training on customer data
  • Maintain industry-recognized security controls and audits where available
  • Comply with FERPA, SOPIPA, AB 1584, and applicable state privacy laws
  • Provide equivalent data protection standards as described in this policy

A current list of subprocessors is available at spedscribe.ai/subprocessors. We provide 30 days advance notice before adding new subprocessors.

11. California Privacy Notice

California residents: this Privacy Policy describes the categories of personal information SPEDScribe collects and how we use it. SPEDScribe does not sell personal information to any third party. SPEDScribe does not currently respond to Do Not Track or Global Privacy Control signals. Additional disclosures required under California law, including any consumer rights under the California Consumer Privacy Act as amended by the CPRA, will be provided as applicable.

12. Cookies

We use the following categories of cookies:

  • Essential cookies: required for authentication, session management, and core platform functionality. These cannot be disabled.
  • Analytics cookies: used to understand how users interact with the platform and identify areas for improvement. These are processed on aggregate, de-identified data.
  • We do not use advertising cookies, tracking pixels, or any third-party behavioral targeting technologies.

You can disable non-essential cookies through your browser settings or by contacting us at privacy@spedscribe.ai.

13. Children’s Privacy

We do not knowingly collect personal information directly from children under 13. Student data processed on our platform is provided by authorized school officials under FERPA and COPPA school consent provisions, not collected directly from students.

14. Changes to This Policy

We will provide 30 days written notice before any material changes to this Privacy Policy. For existing customers, material changes take effect at the next contract renewal period unless the district affirmatively agrees to earlier adoption.

Non-material changes (such as corrections or clarifications) may be made at any time and will be reflected in the “Last updated” date at the top of this page.

15. Contact

For privacy-related inquiries, data deletion requests, or questions about this policy:

Email: privacy@spedscribe.ai
Company: Crowned Legacy Enterprises
Address: Sacramento, CA