Privacy Policy

1. Introduction

ERM Solutions ("we," "us," or "our") operates the Lit-Level™ K-12 reading intervention platform ("Service"). We are committed to protecting the privacy and security of our users, especially students. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service.

We comply with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and applicable state student privacy laws.

2. Information We Collect

2.1 Student Information (Provided by Schools/Teachers)

When schools or teachers create student accounts, we may collect:

• Basic Information: First name, username, grade level, and optionally last name
• Progress Data: Reading level (Lexile), quiz scores, question responses, time spent on activities
• Learning Data: Skills mastered, areas of struggle, adaptive difficulty settings, vocabulary progress
• MVPA Scores: External assessment data imported by teachers
• Optional Photos: Student-uploaded photos for avatar customization (with parental consent)
• Usage Data: Login times, features used, session duration

Important: We do NOT collect student email addresses, home addresses, phone numbers, social security numbers, or other sensitive personal information unless explicitly required and authorized by the school.

2.2 Teacher and Administrator Information

• Name, email address, school/district affiliation
• Account credentials (securely hashed passwords)
• Professional usage data and preferences

2.3 Technical Information

• IP address, browser type, device information
• Cookies and similar tracking technologies (see Section 9)
• Error logs and diagnostic data

3. How We Use Information

We use collected information ONLY for educational purposes:

• Personalized Learning: Adapt content difficulty, generate individualized learning plans, provide targeted interventions
• Progress Tracking: Monitor student growth, identify skill gaps, track mastery of standards
• Teacher Support: Provide analytics dashboards, generate reports, alert teachers to struggling students
• Service Improvement: Analyze aggregated, de-identified data to improve AI algorithms and educational effectiveness
• Platform Operations: Authenticate users, prevent fraud, ensure security, provide customer support
• Communication: Send service updates, respond to inquiries (teachers/administrators only)

We DO NOT use student data for:

• Targeted advertising or marketing
• Creating personal profiles for non-educational purposes
• Selling or renting to third parties
• Any purpose not authorized by the school or parent/guardian

4. Information Sharing and Disclosure

4.1 Within Educational Context

Student data is shared with authorized users in the student's school:

• Teachers can view data for students in their classes
• School administrators can view data for students in their schools
• Parents/guardians can access their child's data (upon request to the school)

4.2 Service Providers

We may share data with trusted third-party service providers who assist in operating the Service:

• AbacusAI: AI/LLM services for semantic grading, hint generation, and learning plan creation
• AWS S3: Secure cloud storage for uploaded photos and files
• Database Hosting: Secure data storage infrastructure

All service providers are contractually obligated to protect student data and use it only as directed by us for educational purposes.

4.3 Legal Requirements

We may disclose information if required by law, such as to comply with a subpoena, court order, or legal process, or to protect the rights, property, or safety of ERM Solutions, our users, or others.

4.4 School Transfer or Merger

In the event of a merger, acquisition, or sale of assets, student data will be transferred only to an entity that agrees to uphold these privacy commitments.

5. FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. We comply with FERPA by:

• Treating student data as "education records" under the school's control
• Acting as a "school official" with legitimate educational interest when authorized by schools
• Not disclosing personally identifiable information without consent, except as permitted by FERPA
• Allowing schools to retain ownership and control of student data
• Providing data access, correction, and deletion rights to schools and parents as required by FERPA

6. COPPA Compliance (Children Under 13)

The Children's Online Privacy Protection Act (COPPA) requires parental consent for collecting personal information from children under 13. We comply with COPPA through the "school exception":

• We collect information from students only at the direction of schools and teachers
• Schools obtain parental consent as required by COPPA before directing us to collect student information
• We use student information only for educational purposes authorized by the school
• We do not require children to provide more information than necessary for participation
• Parents can review, correct, or delete their child's information by contacting the school

For photo uploads (avatar customization), we require explicit parental consent documented by the school or teacher before allowing students to upload images.

7. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: Data in transit is encrypted using TLS/SSL; data at rest is encrypted in our databases
• Access Controls: Role-based access ensures users can only view data they are authorized to see
• Password Security: Passwords are hashed using bcrypt with salt
• Regular Audits: We conduct security reviews and vulnerability assessments
• Limited Access: Only authorized personnel have access to student data, and only as necessary
• Monitoring: We monitor for unauthorized access and suspicious activity

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention and Deletion

8.1 Retention Period

We retain student data only as long as necessary for educational purposes or as required by law:

• Active Students: Data is retained while the student is enrolled and using the Service
• Inactive Accounts: Data for inactive accounts is retained for 2 years after the last login, then automatically deleted
• School/Teacher Requests: Data is deleted within 30 days of a school's written request

8.2 Deletion Process

When student data is deleted:

• All personally identifiable information is permanently erased
• De-identified, aggregated data may be retained for research and service improvement
• Backup copies are deleted within 90 days

9. Cookies and Tracking Technologies

We use cookies and similar technologies for:

• Authentication: Keeping users logged in securely
• Preferences: Remembering user settings and customizations
• Analytics: Understanding how users interact with the Service (aggregated, de-identified data only)

We DO NOT use cookies for targeted advertising or behavioral tracking for marketing purposes.

10. Your Rights and Choices

10.1 Access and Correction

You have the right to:

• Access student data
• Request correction of inaccurate information
• Request deletion of data
• Export data in a portable format

Schools and teachers can exercise these rights through their admin dashboards. Parents/guardians should contact their child's school to exercise these rights.

10.2 Opt-Out Options

• Schools can opt students out of optional features like photo uploads
• Parents can request that their child not use certain features by contacting the school

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

12. International Data Transfers

Our Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States. By using the Service, you consent to such transfer.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify schools and teachers of material changes by email or through the Service at least 30 days before the changes take effect. Schools are responsible for notifying parents/guardians of changes as required by law.

14. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

For FERPA-related concerns, parents/guardians should contact their child's school directly, as the school maintains primary responsibility for student education records under FERPA.