Privacy Policy

Last Updated: February 2, 2026

Introduction

Lilypad Learning (“Lilypad,” “we,” “us,” or “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website (www.lilypadlearning.com) or use our special education evaluation platform (the “Services”).

We provide special education evaluation services and software to school districts. Given the sensitive nature of student data in educational settings, we maintain rigorous privacy protections in compliance with applicable federal and state laws, including:

  • Family Educational Rights and Privacy Act (FERPA)
  • Children's Online Privacy Protection Act (COPPA)
  • Applicable state student privacy laws (see Section 9 for details)

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

1. Information We Collect

We collect different types of information depending on how you interact with us.

1.1 Information from Website Visitors

When you visit our website, we may automatically collect:

  • Device Information: Browser type, operating system, device identifiers
  • Usage Data: Pages viewed, time spent on pages, click patterns, referring URLs
  • Technical Data: IP address, approximate geographic location (city/region level)
  • Cookies and Tracking Technologies: Information collected through cookies and similar technologies (see Section 8)

1.2 Information You Provide Directly

When you contact us, request information, or create an account, you may provide:

  • Contact Information: Name, email address, phone number, organization name
  • Professional Information: Job title, school district, role
  • Communication Content: Messages, inquiries, feedback you send us
  • Account Credentials: Username, password, authentication information

1.3 Student Data (Platform Users)

When school districts use our platform, we process Student Data as a “School Official” under FERPA. This data is provided by school districts and may include:

  • Student Identifiers: Name, date of birth, student ID numbers, grade level
  • Demographic Information: Age, gender, ethnicity, language information
  • Educational Records: Enrollment status, special education classification, IEP information
  • Assessment Data: Evaluation results, standardized test scores, observation data, clinical notes
  • Health/Disability Information: Medical history relevant to special education services, disability classifications
  • Contact Information: Parent/guardian names, addresses, phone numbers, email addresses

Important: We only collect Student Data necessary to provide the contracted services. All Student Data remains the property of the school district.

2. How We Use Your Information

2.1 Website Visitor Data

We use website visitor information to:

  • Operate and maintain our website
  • Improve user experience and website functionality
  • Analyze usage patterns and trends
  • Respond to inquiries and provide customer support
  • Send marketing communications (with your consent, where required)
  • Detect and prevent fraud or security incidents
  • Comply with legal obligations

2.2 Student Data

Student Data is used solely for educational purposes as contracted by school districts:

  • Delivering special education services and platform functionality
  • Generating reports, documentation, and compliance records
  • Supporting IEP development, eligibility decisions, and workflow management
  • Providing information to authorized school personnel
  • Quality assurance and clinical oversight

2.3 What We Will Never Do

Lilypad Learning commits to never:

  • Sell Student Data to any third party
  • Use Student Data for advertising or marketing purposes
  • Create student profiles for non-educational purposes
  • Share Student Data with unauthorized third parties
  • Use Student Data to train artificial intelligence models
  • Engage in targeted advertising based on Student Data

3. How We Share Information

3.1 We Do Not Sell Personal Information

We do not sell personal information, including Student Data, to any third party for any purpose.

3.2 Service Providers (Subprocessors)

We share information with trusted service providers who assist in operating our platform, including providers of cloud infrastructure, database hosting, AI-assisted tools, and business productivity services.

All service providers are contractually required to:

  • Protect data with safeguards no less stringent than our own
  • Use data only as directed by Lilypad Learning
  • Not use data for their own purposes, including AI model training
  • Delete data upon request
  • Store data within the United States

3.3 School Districts

We share Student Data with the school district that engaged our services, as they are the data owner and controller.

3.4 Legal Requirements

We may disclose information if required by law, such as:

  • In response to a valid subpoena, court order, or government request
  • To protect the rights, property, or safety of Lilypad Learning, our users, or others
  • To investigate potential violations of our terms or policies

If law enforcement requests Student Data, we will notify the school district in advance unless legally prohibited from doing so.

3.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice to affected school districts within sixty (60) days of any such transaction.

4. Data Security

We implement comprehensive security measures to protect your information:

4.1 Technical Safeguards

  • Encryption at Rest: AES-256 encryption for all stored data
  • Encryption in Transit: TLS 1.2 or higher (HTTPS) for all data transmission
  • Access Controls: Role-based access limited to authorized personnel
  • Authentication: Email with one-time passcode (OTP) or Google Single Sign-On (SSO)
  • Infrastructure: Data hosted on SOC 2 Type II certified infrastructure (AWS)
  • Data Location: All data stored exclusively within the United States

4.2 Administrative Safeguards

  • FERPA and privacy training for all personnel with data access
  • Confidentiality agreements required for all employees and contractors
  • Criminal background checks for personnel with student contact
  • Access revocation within 72 hours of termination

4.3 Compliance Framework

Our security program aligns with the NIST Cybersecurity Framework (CSF), encompassing:

  • Asset identification and inventory
  • Protective safeguards implementation
  • Security event monitoring and detection
  • Incident response procedures
  • Business continuity and recovery capabilities

For detailed information about our security practices, please contact us at privacy@lilypadlearning.com.

5. Data Retention and Deletion

5.1 Website Visitor Data

  • Analytics Data: Retained for up to 26 months
  • Contact Inquiries: Retained as long as necessary for business purposes
  • Marketing Preferences: Retained until you withdraw consent

5.2 Student Data

  • During Active Contract: Retained for the duration of the service agreement
  • After Contract Termination: Retained for one (1) year to allow for data transfer requests or questions
  • After Retention Period: Securely deleted

5.3 Deletion Requests

School districts may request deletion of Student Data at any time. Upon written request:

  • Data will be deleted within sixty (60) days
  • Written confirmation of deletion will be provided
  • Deletion includes all student records, associated files, and backup copies

6. Your Rights and Choices

6.1 For Website Visitors

You have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information
  • Opt-Out: Unsubscribe from marketing communications at any time
  • Cookie Preferences: Manage cookie settings through your browser

To exercise these rights, contact us at privacy@lilypadlearning.com.

6.2 For Parents and Students (FERPA Rights)

Parents and eligible students retain all rights under FERPA, including the right to:

  • Access: Inspect and review their student's education records
  • Amendment: Request correction of inaccurate or misleading records
  • Consent: Control certain disclosures of student information

To exercise FERPA rights: Contact your school district directly. Lilypad Learning will cooperate with school districts in responding to such requests within forty-five (45) days.

6.3 For School Districts

School districts may:

  • Request access to all Student Data we hold
  • Request correction or deletion of Student Data
  • Transfer Student Data to another provider
  • Conduct annual security audits (with 10 business days' notice)
  • Receive notification of any security incidents within 72 hours

7. Children's Privacy

7.1 COPPA Compliance

Our Services are designed for use by school districts and their authorized personnel—not for direct use by children. We do not knowingly collect personal information directly from children under 13.

7.2 School Consent

When school districts use our platform, they act as the agent of parents for purposes of providing consent under COPPA. School districts are responsible for:

  • Obtaining necessary parental consents where required
  • Providing parents with notice of our data practices
  • Ensuring appropriate authorization for student participation

7.3 Parental Access

Parents who wish to review, correct, or delete their child's information should contact their school district, who will work with us to address such requests.

8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us provide a better experience and understand how visitors use our site.

8.2 Types of Cookies We Use

  • Essential: Enable basic website functionality (login, security) — Session duration
  • Analytics: Help us understand how visitors interact with our site — Up to 2 years
  • Functional: Remember your preferences and settings — Up to 1 year

8.3 Third-Party Cookies

We may use third-party analytics services (such as Google Analytics) that place cookies on your device. These services help us analyze website traffic and usage patterns.

8.4 Managing Cookies

You can control cookies through your browser settings:

  • Block All Cookies: May limit website functionality
  • Block Third-Party Cookies: Allows essential cookies while limiting tracking
  • Clear Cookies: Remove existing cookies from your device

Most browsers accept cookies by default. Refer to your browser's help documentation for instructions on managing cookie preferences.

8.5 Do Not Track

Some browsers offer a “Do Not Track” (DNT) feature. We currently do not respond to DNT signals, but we respect your privacy choices through the cookie management options described above.

9. State-Specific Privacy Rights

9.1 California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including:

  • Right to know what personal information we collect
  • Right to delete personal information
  • Right to opt-out of sale of personal information (note: we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

9.2 Other State Laws

We comply with applicable state student privacy laws in all states where we operate.

10. Data Processing Agreements

When providing services to school districts, we enter into Data Processing Agreements (DPAs) that establish:

  • Our role as a “School Official” under FERPA
  • Data ownership (remains with the school district)
  • Permitted uses of Student Data
  • Security requirements and safeguards
  • Incident response procedures
  • Data retention and deletion obligations

Our standard DPA covers privacy requirements for multiple states and is aligned with the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement framework.

11. Security Incident Response

11.1 Definition

A security incident includes any unauthorized access, disclosure, acquisition, or loss of personal information or Student Data.

11.2 Our Response

In the event of a security incident involving Student Data:

  • Immediate (0-4 hours): Contain the incident and begin investigation
  • Notification (within 72 hours): Notify affected school districts with a description of the incident, types of data involved, date or estimated date of breach, steps taken to remediate, and contact information for questions
  • Ongoing: Complete investigation, implement remediation, provide final report

11.3 Insurance

We maintain comprehensive cyber liability insurance with coverage appropriate for the nature and volume of data we process.

12. International Users

Our Services are intended for use within the United States. All data is stored and processed within the United States. If you access our Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the “Last Updated” date at the top of this policy
  • For significant changes affecting Student Data, we will notify school districts directly
  • We encourage you to review this policy periodically

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Privacy Contact:
Lily Tech, Inc. d/b/a Lilypad Learning
169 Madison Ave, STE 11255
New York, NY 10016

Email: privacy@lilypadlearning.com