Short version: IEPvocate is built by parents, for parents. We collect only what we need to run the service. We never store your child's IEP document. We never sell your data. We never share it except with the service providers that power IEPvocate (listed below).
IEPvocate ("IEPvocate," "we," "our," or "us") is operated by Paul and Julia Scalia, based in New Jersey. We provide an AI-powered tool to help parents of children with disabilities understand their child's Individualized Education Program (IEP) and communicate more effectively with their child's school team.
You can reach us at any time at privacy@iepvocate.com.
| Data | How it's used |
|---|---|
| Email address | Account creation, magic-link sign-in, and (if you opt in) occasional product updates. Never sold. |
| IEP document content | Analyzed in real time by AI to generate your resource guide and premium outputs. Never stored after processing. |
| IP address | Rate limiting to prevent abuse. Not linked to your account or IEP data. |
| Payment data | Subscription management via Stripe. IEPvocate never stores payment card data. |
| Usage counts | Enforcing monthly AI generation quotas for subscribers. |
IEPvocate uses trusted service providers to operate. When you upload an IEP and use our features, your data is processed by these companies on our behalf. They are contractually prohibited from using your data for their own purposes.
Your IEP document content is transmitted to Anthropic's API for AI analysis — this generates your resource guide, meeting-prep questions, advocacy letters, and other AI-powered features. Per Anthropic's commercial data retention policy effective September 14, 2025, API inputs and outputs are automatically deleted after 7 days and are never used to train AI models. We are actively pursuing a Zero Data Retention agreement with Anthropic for stronger protection. See Anthropic's Privacy Policy for details.
Supabase stores your email address, subscription status, and account information in a PostgreSQL database hosted in the United States. Supabase is SOC 2 Type II certified.
Stripe processes all payments. Stripe receives your email address and payment card details. IEPvocate never sees or stores your payment card information. See Stripe's Privacy Policy.
Resend delivers our magic-link sign-in emails. Your email address is transmitted to Resend solely for the purpose of delivering your access link.
Vercel hosts IEPvocate's web application and serverless functions in the United States. Vercel may retain server access logs (including IP addresses) for up to 14 days.
IEPvocate is a tool for parents and legal guardians, not for children. We do not knowingly collect personal information directly from children under 13. When you upload your child's IEP, you are acting as their parent or legal guardian and authorizing the processing of their educational records for your own use.
IEP documents are FERPA-protected education records. As the parent of a minor child, you have the right under FERPA to access, inspect, and share those records. By uploading an IEP to IEPvocate, you are exercising that right on your own behalf. IEPvocate is not an educational institution and is not subject to FERPA obligations; those obligations rest with your child's school.
We process IEP content solely to provide the service you requested. We do not retain the document, create profiles of your child, or use your child's information for any other purpose.
| Data type | How long we keep it |
|---|---|
| IEP document content | Never stored — discarded immediately after processing |
| Email address (subscriber) | For the life of your account, plus 90 days after cancellation, then deleted |
| Email address (free lead capture) | Until you request deletion |
| Subscription and payment records | 7 years (required for financial record-keeping) |
| Magic-link tokens | 15 minutes (expire automatically); purged periodically |
| Monthly usage counts | 12 months |
| Server logs (IP addresses) | Up to 14 days via Vercel |
Depending on where you live, you may have the following rights with respect to your personal information:
To exercise any of these rights, email us at privacy@iepvocate.com. We will respond within 30 days.
Self-service (immediate): If you're a signed-in subscriber, visit /delete-account and confirm. Your email, subscription record, and usage history are deleted immediately — this is the same code path as the email request below, just without the wait.
By email (up to 30 days): Email hello@iepvocate.com with subject Delete My Account, from the email address on the account. We verify the request matches an existing account, delete the account, magic-link, and usage-history rows, and confirm back to you by email — within 30 days, though in practice same-day is typical. One-time (single-report) purchases have no persistent account to delete; nothing beyond a Stripe payment record exists for those.
Do Not Sell/Share requests follow a separate, faster path — see Do Not Sell or Share My Info (10 business days).
We take reasonable technical measures to protect your information, including:
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to privacy@iepvocate.com.
IEPvocate uses one functional session cookie (iep_session) to keep you signed in across browser sessions. This cookie is strictly necessary for the service to function — it does not track you across other websites and is not used for advertising. We do not use third-party cookies or tracking pixels.
We use your browser's sessionStorage to temporarily hold your IEP analysis results during your session. This data is stored locally in your browser and cleared when you close the browser tab.
IEPvocate is intended for use by parents and legal guardians (adults). We do not knowingly collect personal information directly from children under 13. The IEP documents you upload may contain information about your minor child; this information is processed on your behalf as their parent or legal guardian and is not used to build a profile of your child.
If you believe a child under 13 has directly submitted personal information to us without parental consent, please contact us at privacy@iepvocate.com and we will promptly delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of IEPvocate after changes are posted constitutes your acceptance of the updated policy.
If you have questions, concerns, or requests related to this Privacy Policy, please contact us:
IEPvocate
Email: privacy@iepvocate.com
Location: New Jersey, United States