Privacy Policy

1. Introduction

This Privacy Policy describes how SpedTree, operated by Slpbox, Inc., a Delaware corporation ("SpedTree," "we," "our," or "us"), collects, uses, discloses, retains, and protects personal information when you access or use our website, web application, and related services (collectively, the "Services").

SpedTree is an enterprise SaaS platform purpose-built for special education management. We provide our Services to schools, school districts, and private educational organizations across the United States. Our users are licensed special education professionals, including Special Education Teachers, Speech-Language Pathologists, Occupational Therapists, Applied Behavior Analysts, Case Managers, and Special Education Directors and Administrators.

Students do not directly access or create accounts on the SpedTree platform. Student records are created and managed within the platform exclusively by authorized special education professionals acting in their official capacity on behalf of their institution.

We comply with applicable federal and state student privacy laws, including FERPA and the updated COPPA rule effective April 22, 2026. By using our Services, you agree to the practices described in this Policy.

2. Our Role Under FERPA

SpedTree operates as a "school official" with a "legitimate educational interest" under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Section 1232g and 34 C.F.R. Part 99. Specifically:

• SpedTree performs institutional services that schools, districts, and private organizations would otherwise perform using their own employees, specifically special education record management, IEP development, and progress monitoring.
• SpedTree is under the direct control of each contracting institution with respect to the use and maintenance of student education records.
• SpedTree uses education records only for the purposes for which each institution engaged us and does not re-disclose records except as permitted by FERPA and described in this Policy.
• Contracting institutions retain full ownership and control of all student education records stored within SpedTree. We act solely as a data processor on their behalf.

Schools, districts, and private organizations are responsible for ensuring their use of SpedTree complies with FERPA, applicable state law, and their own data governance policies before sharing student records with us.

3. Information We Collect and How We Store It

We collect only the minimum amount of information necessary to provide our Services.

3.1 Account Information

When a special education professional creates an account, we collect:

• Full name, professional email address, and securely hashed password
• School or organization name, district, and state
• Professional role and occupation (for example, Speech-Language Pathologist, Special Education Teacher)

3.2 Student Education Records

Authorized special education professionals enter student information into SpedTree for the purpose of managing special education services. This may include:

• Student name, date of birth, grade level, gender, and school enrollment information
• Individualized Education Program (IEP) goals, objectives, benchmarks, and service logs
• Progress monitoring data, assessment results, and evaluation summaries
• Disability category, related service requirements, and behavioral intervention plans
• Transition planning records for students aged 14 and older

Contracting institutions control what student data is entered and retain full ownership of all student records at all times.

3.3 Data Added by Users

We collect any data or content that authorized users submit or upload while using the Service, including documents, progress notes, attachments, and AI-assisted content reviewed and approved by the professional.

3.4 Technical Data

We collect technical data including IP address, browser type, device information, and operating system to operate and improve our Service and ensure compatibility across devices and platforms.

3.5 Analytics Information

Public website only. We use Google Analytics on our public marketing website (spedtree.com) to understand general visitor traffic and usage trends. Google Analytics is not deployed within the authenticated application where student data is stored or processed. IP anonymization is enabled. Student data and professional account data are never exposed to Google Analytics.

3.6 Data Storage

All data is stored on servers located in the United States via MongoDB Atlas, which holds SOC 2 Type II and ISO 27001 certifications. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.

4. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the SpedTree platform and all its features
• To authenticate users and enforce role-based access controls, ensuring each professional accesses only the student records they are authorized to view within their institution
• To enable authorized special education professionals to create, update, manage, and transfer student IEPs and special education records on behalf of their institution
• To generate AI-assisted content such as IEP goal suggestions and progress note drafts for professional review and approval
• To generate AI-assisted images for use within the platform, reviewed and approved by the professional before use
• To analyze usage patterns and improve platform performance using aggregated, de-identified data only
• To communicate with users regarding their account, provide technical support, and notify them of Service updates
• To maintain platform security, detect unauthorized access, and prevent fraud
• To comply with applicable federal and state laws and respond to lawful legal requests

We do not use student education records for advertising, marketing, commercial profiling, model training, or any purpose unrelated to the delivery of our special education management services.

5. Information Sharing and Disclosure

We do not sell or rent your personal information or student education records to third parties. We share information only in the following circumstances.

5.1 Authorized Sub-processors

We engage the following carefully vetted vendors who process data solely as directed by SpedTree. Each vendor is bound by a Data Processing Agreement and subject to regular review:

5.2 Artificial Intelligence Features

SpedTree uses OpenAI and Google Gemini API to power AI-assisted features within the platform. SpedTree data is never used to train any AI model. Our agreements with both providers expressly prohibit model training on any data submitted through our platform.

All AI-generated content is presented as a suggestion only. The professional is responsible for reviewing and approving any AI-generated content before it is saved to a student record.

5.3 Error Monitoring

SpedTree uses Sentry (Functional Technologies Inc.) to monitor application errors. Sentry receives only technical error context such as stack traces and environment identifiers. No student records, personally identifiable information, or education data is transmitted to Sentry.

5.4 Legal Compliance

We may disclose information if required by applicable law, court order, subpoena, or other lawful governmental process. Where legally permitted, we will notify the relevant institution before disclosing student education records in response to legal process.

5.5 Business Transfers

If SpedTree is involved in a merger, acquisition, consolidation, or sale of assets, student records and personal information may be transferred to the successor entity, subject to the following conditions:

• The successor entity will be bound by this Policy and all existing Data Processing Agreements
• The successor must maintain the same or greater level of data protection required under FERPA, COPPA, and applicable state laws
• Affected institutions will receive at least 30 days written notice before any such transfer occurs
• Institutions may request deletion of their student data prior to any such transfer

6. Security

We employ industry-standard administrative, technical, and physical safeguards to protect personal information and student education records, including:

• Encryption of all data in transit using TLS 1.3
• Encryption of all data at rest using AES-256 within MongoDB Atlas
• Secure password hashing and salting. Passwords are never stored in plain text
• Role-based access controls ensuring each professional accesses only the records they are authorized to view
• Machine-to-machine authentication via Auth0 for all API communications
• Platform-level audit logging of all student record access, creation, modification, transfer, and deletion
• Infrastructure hosted on SOC 2 Type II certified cloud providers, MongoDB Atlas and Render

In the event of a security breach involving student education records, we will notify affected institutions within 72 hours of confirming a breach and will cooperate with institutions to notify affected families as required by applicable state breach notification laws.

7. Data Retention and Deletion

We retain student education records and personal information only as long as necessary to provide our Services or as required by applicable law:

• Active student records are retained for the duration of the institution's active subscription with SpedTree
• Upon subscription termination, student records remain available for export for 60 days, after which they are permanently deleted from all active systems
• Professional user account data is deleted within 90 days of account closure upon request
• Backup copies of data are retained for up to 30 days following deletion from active systems, then permanently purged
• Platform audit logs of record access and modifications are retained for a minimum of 5 years to comply with IDEA recordkeeping requirements

Institutions may request earlier deletion of student data at any time by contacting privacy@spedtree.com. Deletion requests are processed within 30 days of verification.

8. Access and Control

Parents or guardians have the right to review their child's personal information maintained within SpedTree, request correction of inaccuracies, and request deletion of information that violates applicable privacy laws. Under FERPA, these requests must be responded to within 45 days.

Because institutions control student records within SpedTree, parents and guardians should direct record-related requests to their child's school or district. SpedTree will cooperate fully with institutions in fulfilling such requests. Parents may also contact us directly at privacy@spedtree.com and we will work with the relevant institution to respond within the required timeframe.

Special education professionals and institutional administrators have the following controls over their information and records:

• Profile Updates: Account information can be updated directly within account settings at any time
• Student Records: Authorized professionals can create, edit, or delete student records within their permitted scope at any time
• Communication Preferences: Users may opt out of promotional emails by clicking unsubscribe. Service-related communications including security alerts, account notices, and platform updates cannot be opted out of while an account is active
• Account Deletion: To request deletion of a professional account and associated data, contact support@spedtree.com. Requests are processed within 30 days
• Data Export: Institutions may request a full export of their student data at any time by contacting privacy@spedtree.com. Exports are provided in a standard machine-readable format within 10 business days

9. Compliance with Student Privacy Laws

SpedTree is committed to complying with all applicable federal and state student privacy laws. If you believe we have not complied with any of these laws, please contact us at privacy@spedtree.com.

9.1 FERPA

We comply with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Section 1232g. As described in Section 2, we operate as a school official under the school official exception and process student education records only as directed by contracting institutions.

To file a FERPA complaint: Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Avenue SW, Washington, DC 20202.

9.2 COPPA

We comply with the Children's Online Privacy Protection Act (COPPA), including the updated FTC rule effective April 22, 2026. SpedTree is used exclusively by licensed special education professionals. Students do not access the platform directly. When institutions use SpedTree to manage records of students under 13, the school or organization acts as the agent of parents in authorizing data collection, consistent with FTC guidance on the school exception under COPPA.

We do not knowingly collect personal information directly from children under 13. If we become aware of any such collection without proper institutional authorization, we will promptly delete that information and notify the relevant institution.

9.3 California

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), including the right to access, correct, and request deletion of your personal information. Since we do not sell personal information, the right to opt out of sale does not apply. To exercise your California privacy rights, contact privacy@spedtree.com. We will respond within 45 days.

We also comply with California's Student Online Personal Information Protection Act (SOPIPA, Education Code Section 49073.1). We do not sell student information, use it for targeted advertising, or build student profiles for any purpose other than delivering our special education management services.

9.4 Illinois

We comply with the Illinois Student Online Personal Protection Act (SOPPA). We maintain data processing agreements with Illinois institutions, support annual compliance reviews, and provide breach notification within required timelines.

9.5 New York

We execute Data Privacy and Security Agreements (DPSAs) with New York institutions and implement security protocols required under New York Education Law 2-d. Institutions in New York should contact privacy@spedtree.com to request the applicable agreement.

10. Children's Privacy

Our Service is designed for use by licensed special education professionals and institutional administrators, not by children. Students do not access SpedTree directly. If we become aware that we have inadvertently collected personal information from a child under the age of 13 without proper institutional authorization, we will promptly delete that information and notify the relevant institution.

Parents or guardians who believe their child's information has been collected without proper authorization should contact us at privacy@spedtree.com or contact their child's school, district, or organization directly.

11. Third-Party Vendors

We do not sell, trade, or otherwise share personal information with third parties except as described in Section 5. All authorized sub-processors are listed in Section 5.1. Each vendor is contractually required to process data only as directed by SpedTree and to maintain appropriate data protection and security standards consistent with their certifications.

12. Third-Party Links

Our Service may contain links to third-party websites, products, or services. We are not responsible for the privacy practices of any third party. We encourage you to review the privacy policy of any third-party service before providing personal information to them.

13. Data Processing Agreements

SpedTree makes Data Processing Agreements (DPAs) available to all contracting schools, districts, and private organizations. As a member of the Access 4 Learning (A4L) Community and the Student Data Privacy Consortium (SDPC), SpedTree participates in the National Data Privacy Agreement (NDPA) framework. To request a DPA or locate our agreement in the SDPC Registry, contact privacy@spedtree.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will notify active institutional accounts by email at least 30 days before the effective date and post the updated Policy on our website with a revised Last Updated date.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us:

• Mailing Address: Slpbox, Inc. | 490 Post St, Ste 500 PMB 2292 | San Francisco, CA 94102
• Privacy Email: privacy@spedtree.com
• Support Email: support@spedtree.com
• Response Time: Privacy inquiries within 5 business days. FERPA record requests within 45 days.