Privacy Policy
Lit-Levels is committed to protecting student privacy and maintaining FERPA compliance.
Last Updated: January 6, 2026
Privacy at a Glance
What We Collect
- Student usernames and grade levels
- Reading performance data
- Adventure progress and achievements
- Optional: Student photos (with consent)
How We Protect It
- FERPA-compliant data handling
- Role-based access control
- Encrypted data transmission
- Secure AWS S3 storage
Who Has Access
- Students: Own data only
- Teachers: Their students only
- Parents: Their child's data only
- Admins: School-wide data
Your Rights
- Request data access
- Request data deletion
- Opt out of photo features
- Control data sharing
1. Introduction
Welcome to Lit-Levels, an AI-powered K-12 reading intervention platform operated by ERM Solutions ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard student information when you use our educational platform.
Commitment to Student Privacy: We are committed to protecting the privacy of students and complying with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and applicable state student privacy laws.
By using Lit-Levels, schools, teachers, parents, and students agree to the terms outlined in this Privacy Policy.
2. Information We Collect
2.1 Student Information
We collect the following information about students:
- Account Data: Username, grade level, character selection, preferred pronouns (optional), state location
- Academic Data: Reading performance metrics (Lexile scores, accuracy rates, time-on-task), adventure progress, question responses, vocabulary interactions
- Engagement Data: Achievement badges earned, reading streaks, house points, floor completion rates
- Optional Data: Student photos (with explicit parental consent), annotation notes, personal story preferences
Important: We do NOT collect student email addresses, real names, home addresses, phone numbers, or social security numbers. Student accounts use anonymous usernames.
2.2 Teacher Information
- Name, email address, school affiliation
- Class roster data (student usernames linked to teacher accounts)
- Teaching preferences (state standards selection, grading settings)
- Usage analytics (dashboard views, report generation)
2.3 Parent Information
- Name, email address (for account access)
- Parental consent records (photo upload permissions)
- Communication notes from teachers
2.4 Administrator Information
- Name, email address, role designation
- School/district information
- Admin action logs (for audit trail compliance)
2.5 Technical Information
- IP addresses (for security and rate limiting)
- Browser type and version
- Device information (for responsive design optimization)
- Session cookies (for authentication only)
3. How We Use Information
We use the information we collect for the following educational purposes:
- Personalized Learning: Generate adaptive reading passages aligned to student grade level, state standards, and performance history
- Progress Tracking: Calculate Lexile scores, track skill mastery, identify struggling areas
- Teacher Support: Provide class analytics, intervention recommendations, AI-powered coaching plans
- Parent Engagement: Share progress reports, family missions, and teacher communications
- Platform Improvement: Analyze aggregated, de-identified data to improve content quality and user experience
- Security: Detect and prevent unauthorized access, fraud, or abuse
- Compliance: Maintain audit logs for FERPA and administrative oversight
Educational Purpose Only: We do NOT use student data for marketing, advertising, or any non-educational commercial purposes.
4. Data Sharing and Disclosure
4.1 Within Your School/District
Student data is shared with:
- The student's assigned teacher(s)
- School administrators (for oversight and reporting)
- Parents/guardians (via Parent Portal)
4.2 Third-Party Service Providers
We use the following trusted service providers who are contractually obligated to protect student data:
- AWS (Amazon Web Services): Cloud hosting and secure file storage (S3) for student photos
- Abacus.AI: AI/LLM services for story generation and coaching plan analysis
- PostgreSQL Database: Secure data storage with encryption
All third-party providers:
- Sign Business Associate Agreements (BAAs) or Data Processing Agreements (DPAs)
- Are prohibited from using student data for their own purposes
- Must comply with FERPA and applicable privacy laws
4.3 Legal Compliance
We may disclose student information if required by law, such as:
- In response to valid subpoenas or court orders
- To protect the safety of students or others
- To comply with FERPA audit requirements
4.4 What We Do NOT Do
- ✓ We do NOT sell student data to third parties
- ✓ We do NOT share data with advertisers or marketers
- ✓ We do NOT use student data to build marketing profiles
- ✓ We do NOT display targeted ads to students
5. Data Security
We implement industry-standard security measures to protect student data:
- Encryption: All data transmission uses HTTPS/TLS encryption. Passwords are hashed using bcrypt.
- Access Controls: Role-based permissions ensure users can only access appropriate data (teachers see their students, parents see their children, etc.)
- Authentication: Secure session-based authentication with NextAuth.js
- Rate Limiting: Protection against brute-force attacks on login and signup endpoints
- Audit Logging: All administrative actions are logged for compliance and security monitoring
- Regular Updates: We maintain current security patches and monitor for vulnerabilities
- Secure Storage: Student photos stored in AWS S3 with private access controls
Note: While we implement robust security measures, no system is 100% secure. We continuously monitor and improve our security practices.
6. Student Rights and Parental Consent
6.1 FERPA Rights
Under FERPA, parents and eligible students (18+) have the right to:
- Inspect and review student education records
- Request correction of inaccurate or misleading data
- Control disclosure of personally identifiable information
- File a complaint with the U.S. Department of Education
6.2 Parental Consent for Photos
Student photo uploads require explicit parental consent:
- Students cannot upload photos without parental approval
- Consent can be granted via the Parent Portal
- Consent can be revoked at any time
- Photos are used only for student avatars (not shared externally)
6.3 Data Access Requests
To request access to or deletion of student data, contact your school administrator or email us at [email protected].
6.4 Account Deletion
When a student account is deleted:
- All personally identifiable information is permanently removed
- Academic data may be retained in de-identified, aggregated form for research
- Photos are deleted from AWS S3 storage
- The process is typically completed within 30 days
7. Data Retention
- Active Accounts: Data retained as long as the student account is active
- Inactive Accounts: After 2 years of inactivity, we may delete student accounts (with notice to school)
- School Termination: When a school ends its subscription, all student data is deleted within 60 days unless the school requests data export
- Audit Logs: Admin action logs retained for 7 years for compliance
- De-identified Data: Aggregated, anonymized data may be retained indefinitely for research and platform improvement
8. COPPA Compliance (Children Under 13)
For students under 13 years old:
- Schools act as the parent's agent in providing consent for educational use
- We collect only information necessary for educational purposes
- Parents can review their child's data via the Parent Portal
- Parents can request deletion of their child's account at any time
- We do not require students to provide more information than necessary to use the platform
9. State-Specific Privacy Laws
We comply with student privacy laws in all states where we operate, including:
- California: SOPIPA (Student Online Personal Information Protection Act)
- New York: Education Law § 2-d
- Georgia: Student Data Privacy, Accessibility, and Transparency Act
- All Southeast States: Compliance with state-specific student privacy requirements
If your state has specific student data privacy requirements, please contact us at [email protected].
10. Cookies and Tracking Technologies
Cookies We Use:
- Authentication Cookies: NextAuth.js session cookies (required for login)
- Preference Cookies: Theme settings (dark mode), dashboard preferences
We Do NOT Use:
- ✓ Third-party advertising cookies
- ✓ Behavioral tracking cookies
- ✓ Social media tracking pixels
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will notify schools via email at least 30 days in advance
- We will update the "Last Updated" date at the top of this policy
- We will provide a summary of key changes
- Continued use of the platform after notification constitutes acceptance of the updated policy
12. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or student data:
Privacy Officer
Email: [email protected]
Compliance Team
Email: [email protected]
Mailing Address:
ERM Solutions - Lit-Levels Privacy Department
[Your Company Address]
[City, State ZIP]
United States
Response Time: We aim to respond to all privacy inquiries within 10 business days.
13. Additional Resources
For more information about student privacy laws:
- FERPA: U.S. Department of Education - Family Educational Rights and Privacy Act
- COPPA: Federal Trade Commission - Children's Online Privacy Protection Act
- Student Privacy Pledge: Future of Privacy Forum
Questions About Privacy?
We're here to help. Contact our Privacy Team for any questions about how we protect student data.