A
AcademyBack to home

Privacy Policy

Academy — Privacy Policy (Education)

Last updated: 2026-05-23

This Privacy Policy ("Policy") describes how Andiamo Tech, Inc. ("Andiamo," "we," "us," or "our"), a Delaware Public Benefit Corporation operating from Skagit Valley, Washington, collects, uses, shares, and protects information when you use Academy, including the website at https://academy.andiamo.tech, associated APIs, and integrations (collectively, the "Service").

By using the Service, you acknowledge you have read and understand this Policy. Where a school, district, or homeschool co-op ("School") provisions Academy for students, the School's acceptance of our terms includes acknowledgment of this Policy on behalf of its students and their parents/guardians.

1. Definitions

  • "Student" means an individual enrolled in or receiving instruction through the Service, whether through a School or as a homeschooled learner.
  • "Student Record" has the meaning given to "education record" under FERPA, 20 U.S.C. § 1232g, and includes Student account data, lesson progress, assignments, quiz responses, grades, achievements, and related metadata.
  • "Parent" means a natural or adoptive parent or legal guardian of a Student, including a Student who has reached the age of majority ("eligible student") under FERPA.
  • "School Official" means a person acting on behalf of a School under FERPA with a "legitimate educational interest" (34 CFR § 99.31(a)(1)).
  • "Personal Information" has the meaning under applicable privacy law.

2. Our role

Academy serves multiple user types with different privacy frameworks:

  • When a School provisions accounts for students, we act as a School Official under FERPA (34 CFR § 99.31(a)(1)(i)(B)) with a "legitimate educational interest" and process Student Records only on the School's instructions and for educational purposes.
  • When a Parent or guardian creates a homeschool account for their child, we process Personal Information as a service provider to the family.
  • When adult users (teachers, school administrators, homeschool parents) create accounts, we are a controller of their adult Personal Information.

3. Information we collect

3.1 Student information

  • Account. Name, email (where required), role (student/parent/teacher/admin), school affiliation, authentication provider identifier.
  • Profile. Grade level or grade band, learning mode (school / homeschool / solo), learning style indicators, interests, strengths, challenges, and parent-provided notes. These fields are optional and are used to personalize instruction.
  • Learning data. Lesson progress, assignment submissions, quiz responses, time-on-task, achievements, and AI-assisted tutoring interactions.
  • Communications. Messages between a Student and a Teacher or Parent made through the Service.

We do not collect from Students: precise geolocation, biometric identifiers, advertising profiles, social-graph data, or any data that is not reasonably necessary to provide educational services.

3.2 Adult user information

  • Account. Name, email, role, school affiliation.
  • Billing. If applicable, payment information handled by Stripe (we receive only tokenized references; see Section 6).
  • Communications. Support messages, feedback, surveys.

3.3 Automatically collected information

  • Usage. Pages viewed, features used, request timestamps, session identifiers.
  • Device. IP address, browser, operating system, device type, language.
  • Cookies. First-party cookies for authentication, session persistence, CSRF protection, and preference storage. See the Cookie Policy.

We do not use third-party advertising cookies or tracking pixels. We do not permit third-party ad networks to collect information through the Service.

4. Children under 13 (COPPA)

For Students under 13, we collect only the Personal Information reasonably necessary to participate in the educational activity and we obtain verifiable parental consent before collection, except where a School provides consent as the Student's authorized agent for school-related educational purposes (FTC COPPA FAQ J.1, J.2).

Parental rights under COPPA:

  • Review. You may request to review the Personal Information we have collected from your child.
  • Refuse further collection. You may refuse further collection by directing us to delete the child's account.
  • Delete. You may request deletion of your child's Personal Information.

To exercise these rights, email [email protected] from the email address on the Parent account, or use the controls in the Parent settings area. We will verify your identity before acting on the request.

We do not condition a child's participation in the Service on providing more information than is reasonably necessary, and we do not disclose a child's Personal Information to third parties other than Sub-processors acting on our instructions (see Section 8).

5. Student Records (FERPA)

When a School provisions Academy for its Students:

  • The School is the educational agency or institution under FERPA. Andiamo acts as a School Official with a "legitimate educational interest."
  • Andiamo uses Student Records only to provide the Service and for purposes the School directs.
  • Andiamo will not re-disclose Student Records except (a) to the School and its authorized personnel, (b) to the Parent or eligible Student, (c) to Sub-processors under a written data-processing agreement, (d) as permitted under 34 CFR § 99.31, or (e) as required by law.
  • Upon a School's written request (including at account termination), we will return or destroy Student Records within thirty (30) days at the School's election.

Parents and eligible Students may request access to, correction of, or deletion of Student Records by contacting their School (or, for homeschool accounts, directly through their Parent account).

6. How we use information

  • Deliver lessons, assignments, quizzes, feedback, and progress tracking.
  • Personalize instruction to a Student's grade band, learning style, strengths, and interests.
  • Facilitate communications among Students, Teachers, and Parents.
  • Authenticate users and prevent abuse or unauthorized access.
  • Send transactional email (assignment notifications, password resets, account notices). We do not send marketing email to Students.
  • Compute aggregate, de-identified metrics to improve the Service.
  • Comply with legal obligations.

We do not:

  • Sell or rent Personal Information.
  • Use Student Personal Information to target advertising.
  • Build commercial profiles from Student Records.
  • Use Student Records to train general-purpose AI models. AI-assisted features use Student inputs only in-session to provide the immediate educational service and then discard them except for the portion stored as a Student Record (e.g., a saved quiz response).

7. AI features and automated decision-making

Academy uses AI to generate and adapt lessons and to provide interactive tutoring assistance. The following safeguards apply:

  • A Teacher or Parent can review AI-generated lessons and artifacts before they reach a Student where the School's policy requires review.
  • AI output is filtered for age-appropriateness and harmful content before delivery.
  • AI is assistive, not evaluative. We do not use AI to assign grades or make disciplinary decisions that produce legal or similarly significant effects about a Student.
  • AI-processing prompts are not shared with general-purpose model providers in a form that includes identifying Student data for model training. Our enterprise agreements with model providers (OpenAI, Azure OpenAI) prohibit use of Customer Data for model training.

7.1 AI transparency (Washington HB 2225 and related)

Consistent with the Washington AI Companion Chatbot Disclosure Act (HB 2225, effective 2027-01-01) and as an immediate best practice, Academy:

  • Displays a persistent, unambiguous indicator that the tutor is AI-generated, not a human.
  • Discloses the AI identity at the start of each tutor session, and at least every one hour of continuous minor-Student use (every three hours for adults).
  • Detects crisis language relating to suicide, self-harm, eating disorders, abuse, or neglect; surfaces relevant resources (including the 988 Suicide & Crisis Lifeline and DCYF intake 1-866-END-HARM); and interrupts the AI flow to hand off to a supervising Parent, Teacher, or licensed resource.
  • Never implements "hide from parent" modes or engagement-maximizing techniques that pressure a Student to continue a session.
  • Prohibits sexual content with any Student and prohibits AI-generated content depicting or directed at minors in a sexual context.

7.2 Crisis disclosures and mandated reporting

Academy-the-entity is not a mandated reporter under RCW 26.44.030, but individual credentialed educators employed or contracted by Academy are. Where crisis detection surfaces information suggestive of abuse or neglect, we notify the supervising Parent or Teacher and provide DCYF intake information. Parents and Teachers are responsible for deciding whether, when, and how to report to authorities.

8. Sub-processors

Sub-processor Role Location Safeguard
Microsoft Azure Hosting, databases, storage US DPA; ISO 27001; SOC 2
Postmark Transactional email US DPA
Stripe, Inc. Billing (paid adult accounts) US DPA; PCI-DSS Level 1
Microsoft Entra External ID Authentication US / EU DPA
Application Insights (Azure) Error and performance telemetry US DPA

Each Sub-processor is bound by a written agreement restricting use to our instructions, requiring confidentiality, and prohibiting onward transfer except under equivalent protections.

9. Sharing of information

We share Personal Information only as described in this Policy:

  • With the School, Parent, or eligible Student who controls the Student Record.
  • With Sub-processors under DPA.
  • As required by law, subpoena, or court order, or to protect safety or rights.
  • In connection with a corporate transaction (merger, acquisition, asset sale), subject to advance notice and continuation of this Policy's protections.
  • With your explicit consent for any other purpose.

We do not share Student Records with advertisers, data brokers, social networks, or for marketing.

10. Data retention and deletion

  • Active accounts: retained while active.
  • Inactive Student accounts: retained until the controlling Parent, guardian, or School requests deletion, or twelve (12) months after last activity, whichever is sooner.
  • Deleted accounts: personal information purged within thirty (30) days; de-identified aggregate data may be retained.
  • Financial records: retained seven (7) years as required for tax.
  • Safety and abuse records: retained up to two (2) years for investigation and defense of claims.
  • School-termination: Student Records returned or destroyed within thirty (30) days of written request.

11. Your rights

In addition to the COPPA (Section 4) and FERPA (Section 5) rights, depending on your jurisdiction you may have rights of access, correction, deletion, restriction, portability, objection, and withdrawal of consent. To exercise any of these, email [email protected]. We will respond within the period required by applicable law (generally 30–45 days).

11.1 California (CCPA / CPRA, SOPIPA)

We do not sell or share Personal Information as those terms are defined under the CCPA/CPRA. California students and their parents have additional rights under SOPIPA (Cal. Bus. & Prof. Code § 22584), which we honor.

11.2 Other state student-data laws

We honor the substantive requirements of state pupil-privacy laws where applicable, including Colorado HB 16-1423, Connecticut P.A. 16-189, New York Ed. Law § 2-d, Washington RCW 28A.604 (SUPER Act), and equivalent statutes in other states.

11.3 Washington My Health My Data Act (RCW 19.373)

Where Academy processes Washington users' information outside the FERPA-covered educational context (Homeschool mode and Solo adult mode), information drawn from AI-tutor interactions that reveals or allows inference of physical or mental health status may qualify as "consumer health data" under RCW 19.373. For those users:

  • We obtain opt-in consent for collection through the registration flow.
  • We do not sell consumer health data. We will not do so without obtaining a separate written authorization meeting RCW 19.373.070.
  • We do not geofence healthcare facilities.
  • We honor deletion of consumer health data within 30 days of verified request.

FERPA-covered Student Records created through a School account are excluded from MHMDA under RCW 19.373.020.

11.4 Federal COPPA (2025 amendments)

We are in compliance with the 2025 amendments to the FTC COPPA Rule (effective compliance 2026-04-22), including expanded "personal information" scope (persistent identifiers, geolocation, biometrics), tightened retention, and the requirement that school-authorized consent not substitute for verifiable parental consent except for school-related educational purposes.

11.3 EU / UK / EEA (GDPR)

Our lawful bases for processing are primarily (a) performance of contract with the School or Parent, (b) compliance with legal obligations, (c) legitimate interests in operating and securing the Service, and (d) consent where specifically requested. You may lodge a complaint with your supervisory authority.

12. Security

  • TLS 1.2+ for data in transit.
  • Encryption at rest for primary databases.
  • Role-based access, least privilege, periodic access reviews.
  • Multi-factor authentication for administrative access.
  • Audit logging of privileged actions.
  • Annual security reviews; periodic penetration testing.
  • Breach notification as required by applicable law.

13. Marketing communications

We do not send marketing email to Students. We may send transactional and educational notices relating to the Student's use of the Service. Adult users may opt in to Andiamo product updates and may unsubscribe from the footer of any marketing email.

14. International transfers

We host primarily in the United States. Transfers from the EEA/UK rely on Standard Contractual Clauses and supplementary measures where required.

15. Children's Online Privacy — direct notice to parents

If you are a Parent and have not provided verifiable consent for your child's use of Academy (and the School is not acting as your agent), please do not allow your child to use the Service. If you believe we have collected information from your child without proper consent, email [email protected] and we will promptly delete it.

16. Changes to this Policy

We will post any updated Policy here with a new "Last updated" date. Material changes will be announced at least thirty (30) days in advance via email (to the address on your account) or conspicuous in-product notice. For Schools subject to a signed Data Processing Addendum, changes are also governed by that DPA.

17. Contact

  • Privacy, FERPA, COPPA inquiries and data-subject requests: [email protected]
  • Postal: Andiamo Tech, Inc., Skagit Valley, Washington, USA

If you are not satisfied with our response, you may contact your local data-protection authority or, for FERPA matters, the U.S. Department of Education's Family Policy Compliance Office.

PrivacyTermsCookiesContact