Last updated: February 2026
SparkPath, Inc. (“SparkPath,” “we,” “us,” or “our”) is committed to protecting the privacy of students, educators, and all users of our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI-powered adaptive learning platform.
SparkPath provides an AI-powered adaptive learning platform for K-12 students with special needs. Our platform is designed to be used within schools and educational institutions, where authorized school personnel create and manage student profiles and learning experiences.
We take student privacy extremely seriously. As a platform handling education records of children, we are subject to and comply with the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and applicable state student privacy laws.
This Privacy Policy applies to all users of SparkPath, including Coordinators, Team Members, and the children who access the platform via school-issued access tokens.
We collect different types of data depending on the user category. The following sections describe each data type in detail.
All child profile data is provided by Coordinators, NOT by children directly.
Observations submitted by Team Members about a child’s learning characteristics.
Note: The full content of AI-generated lessons is not stored beyond the active session unless explicitly saved by an educator.
Analytics data is collected in aggregate form and cannot be used to identify individual students.
SparkPath does not collect any personal information directly from children. Children access the platform using pre-generated access tokens provided by their school. They do not enter email addresses, passwords, names, or any other personally identifiable information. All child profile data is entered and managed by authorized school personnel (Coordinators).
We use the data we collect solely for the following educational purposes:
We do NOT use Student Data for advertising, marketing, behavioral profiling, or any non-educational purpose.
Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99)
SparkPath operates as a “school official” with a “legitimate educational interest” under FERPA’s school official exception (34 CFR § 99.31(a)(1)). This means we handle education records under the direct control of the educational institution, subject to the following commitments:
All student data within SparkPath constitutes education records under FERPA. We treat all Student Data with the protections required by FERPA, regardless of whether a specific data element technically qualifies as an education record.
Data access is limited to authorized school personnel through role-based access control (RBAC). Coordinators control which Team Members can access which students’ data. The principle of least privilege is applied throughout the platform.
Parents and eligible students have the right to inspect and review education records maintained by SparkPath. Requests should be directed to the student’s school, which can provide access through the Coordinator dashboard or request a data export from SparkPath.
Complete data deletion is available via the Coordinator dashboard (DELETE /api/children/:childId). This operation performs a comprehensive cascade deletion across all 23 related database tables, ensuring no residual student data remains.
SparkPath does not re-disclose education records to third parties, except as permitted under FERPA or as directed by the Institution. We do not share Student Data with advertising networks, data brokers, or any non-educational service providers.
SparkPath does NOT treat any Student Data as “directory information” under FERPA. No student information is publicly available or disclosed without explicit authorization.
We acknowledge that educational institutions are required to provide annual notification to parents regarding their FERPA rights. SparkPath will cooperate with institutions in fulfilling this requirement and will provide information about our data practices upon request.
Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501-6506; 16 CFR Part 312)
SparkPath is designed from the ground up to comply with COPPA. Our architecture ensures that no personal information is collected directly from children under 13 (or any age).
Children access SparkPath through pre-generated access tokens. They are never asked to provide an email address, password, name, or any other personally identifiable information. The platform does not include account creation, registration forms, or any data entry mechanisms for children.
Under COPPA’s school exception (16 CFR § 312.5(c)(3)), schools may consent on behalf of parents for the collection of student information when used solely for educational purposes. SparkPath relies on this exception: the school’s decision to use SparkPath for a student constitutes consent for the collection and use of that student’s information for educational purposes only.
SparkPath does not engage in behavioral advertising. We do not use cookies or tracking technologies to build profiles of children for advertising purposes. We do not serve ads of any kind. We do not use any third-party advertising networks or social media tracking pixels.
Children’s information is never shared with third parties for commercial purposes. The only third-party service that receives any child-related data is our AI content generation provider (Anthropic), which receives only anonymized profile data (age, interests, abstraction level, accommodation needs) with no names or identifying information.
Parents have the right to review their child’s information and request its deletion. Parents should contact their child’s school to exercise these rights, and the school’s Coordinator can provide access to or delete the child’s data through the platform.
We collect only the minimum amount of data necessary to provide our educational service. Child profiles contain only educationally relevant information needed to generate appropriate, personalized content. We do not collect geolocation data, photographs, audio/video recordings, or social media information from children.
We implement industry-standard technical and organizational measures to protect Student Data against unauthorized access, alteration, disclosure, or destruction.
| Measure | Implementation |
|---|---|
| Password Security | Hashed with bcrypt (industry-standard adaptive hashing) |
| Session Management | JWT tokens with HttpOnly, Secure, and SameSite cookie attributes |
| Data in Transit | All data transmitted over HTTPS with TLS 1.2 or higher |
| Data at Rest | Database hosted on managed PostgreSQL with encryption at rest |
| Access Tokens | Child access tokens are SHA-256 hashed before storage; plaintext tokens are never persisted |
| Access Control | Role-based access control (RBAC) with least-privilege principle |
| Audit Logging | Access logging for all child data access operations |
| Infrastructure | Planning: AWS deployment with SOC 2 and FedRAMP considerations |
While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to continuously improving our security posture and promptly addressing any vulnerabilities.
Our data retention practices are designed to retain data only as long as necessary for educational purposes and compliance obligations.
Student Data is retained while the Institution’s account is active and the student profile exists on the platform.
When a child profile is deleted (via the Coordinator dashboard), all associated data is permanently deleted through a comprehensive cascade deletion across all 23 related database tables. This deletion is immediate and irreversible.
Learning session data is retained for the duration of the student’s active profile to support learning analytics, progress tracking, and longitudinal educational insights.
Metadata about AI content generation (token counts, model used, cost, quality scores) is retained for quality assurance, cost tracking, and platform improvement. These logs do not contain the full generated content or Student Data.
Records related to consent, data access, and compliance activities are retained for audit trail purposes as required by applicable law.
Upon termination of an Institution’s account, all Student Data is available for export for 30 days, after which it is permanently deleted within 60 days unless retention is required by law.
SparkPath uses a minimal set of third-party services, selected with student privacy as the primary consideration.
Purpose: AI content generation engine for personalized educational content.
Data Shared: Anonymized child profile data is included in AI prompts. This includes age, interests, abstraction level, and accommodation needs. No names, email addresses, or other directly identifying information is sent to Anthropic.
Data Policy: Anthropic’s data usage policies apply to data processed by their API. SparkPath uses Anthropic’s API tier that does not use customer data for model training.
We respect your rights regarding your personal information and Student Data. The following rights are available to Institutions, educators, parents, and eligible students:
View all data associated with a child or account via the Coordinator dashboard. Parents may request access to their child’s data through the school.
Complete and permanent data deletion is available via the Coordinator dashboard. Deletion cascades across all related data tables.
Data export is available upon request. Student Data can be exported in a standard, machine-readable format.
Update child profiles, signals, accommodations, and other data at any time through the platform interface.
Remove a child from the platform at any time. All associated data will be permanently deleted upon removal.
Protecting children’s privacy is central to SparkPath’s mission and architecture. Our platform is specifically designed to serve children with special needs while minimizing privacy risks:
In addition to federal requirements, SparkPath is committed to complying with applicable state student privacy laws, including but not limited to:
If your state has specific student privacy requirements not listed above, please contact us and we will work with you to ensure compliance.
SparkPath is currently designed for use within the United States. If you are accessing the Service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States. By using the Service, you consent to such transfer and processing. If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdiction with data protection laws, please contact us before using the Service to discuss applicable data protection requirements.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify Institutions of material changes at least 30 days before they take effect by sending notice to the email address associated with the Coordinator account. The “Last updated” date at the top of this policy indicates when the most recent revisions were made. Continued use of the Service after the effective date of a revised policy constitutes acceptance of the revised policy.
If you have questions about this Privacy Policy, our data practices, or wish to exercise any of your rights, please contact us:
SparkPath, Inc.
Privacy inquiries: [email protected]
Legal inquiries: [email protected]
Compliance inquiries: [email protected]
For urgent data privacy concerns (e.g., suspected data breach or unauthorized access), please email [email protected] with “URGENT” in the subject line.
© 2026 SparkPath, Inc. All rights reserved.