Privacy Policy

Last updated: May 18, 2026 · v2.1

Introduction

EdPilot, Inc. ("we," "our," or "us") operates an AI-powered educational platform that gives students a course-specific AI Teaching Assistant and gives professors the tools to manage, distribute, and track their curriculum.

This Privacy Policy explains what personal information we collect when you use EdPilot, how we use and protect that information, and what choices you have. It applies to all users — students, professors, and demo visitors.

By accessing or using EdPilot you agree to this policy. If you do not agree, please stop using the platform.


Information we collect

Account information

When you register we collect your name, email address, encrypted password, role (student or professor), and institutional affiliation. Professors may provide additional verification during the approval process.

Academic content

Professors upload course materials — syllabi, lecture slides, assignments, and practice exams — which form the knowledge base for each course's AI Teaching Assistant. Students generate content through their interactions with the assistant: questions asked, responses received, and study sessions created.

LTI launch data

When you access EdPilot through an LMS integration (Canvas, Blackboard, Moodle, etc.), we receive a signed LTI launch payload from your institution. This payload includes your institution-assigned user ID, course context ID, role (student or instructor), LMS platform identifier, and — where enabled — NRPS roster data and AGS grade passback configuration. This data is processed exclusively to authenticate you, provision your account, and scope the correct course context. LTI launch data is treated as student education records under FERPA.

Platform usage data

We log how you interact with EdPilot: features accessed, time on platform, chat session history, practice quiz attempts, course enrollments, and message frequency. This data drives the engagement analytics professors see in their dashboard.

Session tokens

EdPilot uses server-side session tokens (stored in HTTP-only, Secure cookies) solely to authenticate your logged-in session. We do not use third-party advertising cookies, behavioral tracking pixels, or cross-site tracking technologies. We do not use Google Analytics or any advertising network.

Technical information

We collect IP addresses, browser type, device identifiers, operating system, and access timestamps to maintain platform security and optimize performance.


How we use your information

Deliver the AI Teaching Assistant

Your course enrollment and the materials your professor uploaded let us scope the AI to your specific curriculum — no generic web results.

Personalized learning

Usage patterns power the learning profile dashboard: study streak, accuracy trends, topic strengths, and Socratic-mode recommendations.

Professor analytics

Aggregated, course-level engagement data (messages sent, session length, practice performance) gives professors visibility into class-wide learning trends.

Platform communications

We send account verification, course invitation, and important security emails. You can opt out of non-essential communications in your account settings.

Academic integrity monitoring

We flag unusual usage patterns (e.g., high-volume prompting around exam windows) in the professor analytics dashboard. This supports, but does not replace, human academic integrity review.

Platform improvement

Aggregated, anonymized data helps us improve AI response quality and develop new features. Individual conversations are never used to train AI models.


FERPA and educational records

EdPilot is subject to the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, with respect to student education records maintained on behalf of educational institutions.

What counts as an education record in EdPilot

Student chat history within a course, help request submissions, engagement analytics associated with a named student, LTI launch data, and any documents a student uploads to a course.

Who can access student education records

  • The student themselves (via their account)
  • Professors and TAs enrolled in the same course, for the purpose of supporting learning
  • Authorized administrators of the student's institution
  • EdPilot personnel, only as needed to operate and support the Services

What we do NOT do with education records

  • Share student education records with third parties for commercial purposes
  • Use student education records to train AI models
  • Disclose student records to parents (unless the student is a dependent minor and the institution has authorized disclosure)

Your FERPA rights: Students have the right to inspect their education records, request amendments to inaccurate records, and consent to disclosures not permitted by FERPA. Exercise these rights through your institution's registrar — EdPilot will respond to all valid institutional FERPA requests within five (5) business days.


How we use AI and what data AI systems see

When you interact with EdPilot's AI chat or ask for help, your message and relevant course context (syllabus excerpts, course documents, course description) are sent to AI model providers (Google Vertex AI and Anthropic) to generate a response.

What AI providers see ✓

  • Your question or message text
  • Excerpts from course materials relevant to your question
  • Your selected course name and subject

What AI providers do NOT see ✗

  • Your full name or email address
  • Your grade history or performance data
  • Documents from other students
  • Content from other courses

No training on your data. Ever.

Neither Google Vertex AI nor Anthropic uses EdPilot API inputs or outputs to train their models. EdPilot does not use student conversation data to fine-tune any model. Conversation history is stored in EdPilot's database and is accessible to you and your course instructors.


Infrastructure & security

  • In transit: TLS 1.2+
  • At rest: AES-256
  • Infrastructure: GCP (US)

Google Cloud Platform sub-processors

  • Google Firebase: User authentication and real-time data
  • Google Cloud Firestore: Database — accounts, courses, sessions
  • Google Cloud Storage: Secure file storage for course materials
  • Google Vertex AI: AI model inference and grounding
  • Anthropic (Claude API): Large language model responses
  • Google BigQuery: Usage analytics and reporting
  • Stripe: Payment processing and subscription management

Role-based access controls

Students can only access courses they're enrolled in. Professors can only manage their own courses and see data from enrolled students. Administrative access is limited to essential personnel.

Data retention schedule

Data type | Retention period
Active course chat history | Duration of enrollment + 1 year
LTI launch records | 90 days after last launch
Usage analytics (aggregated) | 3 years
Help request records | 2 years
Account data after deletion | Deleted within 30 days
Backup snapshots | Overwritten within 90 days
Security / audit logs | 1 year

Retention may be extended where required by applicable law or institutional policy.


Your rights & controls

  • Access your data: View your account information, course enrollments, and AI chat history at any time through your dashboard.
  • Correct your information: Update your profile, email address, or account settings directly from your account page.
  • Delete your account: Email support@edpilot.ai to request account deletion. All personal data is permanently removed within 30 days.
  • Export your data: Request a copy of your data in JSON or CSV format by contacting support@edpilot.ai.
  • Opt out of emails: Non-essential email communications can be disabled in your account settings. Security and verification emails cannot be disabled.

California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the third parties with whom we share it.
  • Right to Delete: Request deletion of personal information we have collected, subject to exceptions for legal compliance, fraud prevention, and completing transactions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale: EdPilot does not sell personal information. We do not share personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a California privacy request, email legal@edpilot.ai with subject line "California Privacy Request." We will respond within 45 days as required by law.


Virginia & Colorado privacy rights

Residents of Virginia (VCDPA) and Colorado (CPA) have substantially similar privacy rights regarding personal data we control:

  • Right to Access: Confirm whether we process your personal data and obtain a copy.
  • Right to Correct: Request correction of inaccurate personal data.
  • Right to Delete: Request deletion of personal data we hold about you.
  • Right to Data Portability: Obtain a copy of your personal data in a portable, machine-readable format.
  • Right to Opt-Out: Opt out of targeted advertising, sale of personal data, or profiling for significant decisions. EdPilot does not engage in any of these activities.
  • Right to Appeal: If we decline to act on your request, you may appeal by emailing us and we will respond within 60 days.

Submit Virginia or Colorado privacy requests to legal@edpilot.ai. We will respond within 45 days (extendable by an additional 45 days with notice).


European users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and its local implementations give you additional rights regarding your personal data.

Legal bases for processing

  • Contract: To deliver the Services you signed up for
  • Legitimate interests: Platform security, fraud prevention, and product improvement (with appropriate safeguards)
  • Legal obligation: Compliance with FERPA, tax laws, and court orders
  • Consent: For any processing beyond these bases — you may withdraw consent at any time

Your GDPR rights

  • Access, rectification, and erasure of your personal data
  • Restriction of processing and the right to object
  • Data portability in a machine-readable format
  • Withdraw consent at any time without affecting prior lawful processing
  • Lodge a complaint with your national data protection authority

International transfers

EdPilot's infrastructure is hosted in the United States (Google Cloud Platform, us-central1). Transfers of personal data from the EEA to the US are conducted under Standard Contractual Clauses (SCCs) incorporated into our data processing agreements with sub-processors.

Submit GDPR requests to legal@edpilot.ai. We will respond within 30 days as required by GDPR Article 12.


Data breach notification

In the event of a security incident involving unauthorized access to or disclosure of personal data, EdPilot will:

  • Notify affected educational institutions within 72 hours of confirming a breach involving student education records, consistent with FERPA and applicable state breach notification laws
  • Notify affected individual users via email without undue delay where required by applicable law
  • Provide information about the nature of the incident, data categories affected, likely consequences, and remediation measures taken
  • Cooperate with institutional data protection officers and regulatory authorities as required

To report a security vulnerability or suspected breach, contact security@edpilot.ai immediately.


Children's privacy

EdPilot is built for higher education — college and university students, typically 18 years or older. We do not knowingly collect personal information from anyone under 13.

If we discover that we have inadvertently collected data from a child under 13 without verifiable parental consent, we will delete it from our systems immediately.


Policy changes

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we do, we'll update the "Last Updated" date at the top of this page.

For material changes that affect your rights we'll also send an email notification to all registered users. We encourage you to review this page periodically.


Questions about this policy?

Privacy & legal inquiries: legal@edpilot.ai

Security concerns: security@edpilot.ai

General support: support@edpilot.ai
