Skip to content
IEP Path
Get started

Privacy Policy

Last updated: June 10, 2026

This is the full policy, written to be read. It matches what the app actually does — and we treat your child's privacy as a safety requirement, not a feature.

We collect as little as possible, we never sell or share your family's data, and you can export or delete everything yourself, immediately, at any time.

The short version

We store the minimum we need to run the features you use. We never sell data, never run ads, and never let advertisers or data brokers near your records.

Everything you put in, you can take out: export it as one file, correct it, or delete it — child by child or all at once — without asking anyone's permission.

What we collect

Your account basics: an email address and a display name, so you can sign in.

What you choose to enter about your child: a first name or nickname, grade, school, state, plan type, and the plan or evaluation content you add.

Operational basics like timestamps and error codes that keep the service running. Document content and children's details never go into logs or analytics.

What we never collect

No Social Security numbers. No full date of birth — age or grade is enough for every feature.

No school portal logins or passwords. No payment card numbers held by us.

No precise location, no advertising identifiers, no behavioral trackers, and no session recording on screens that show your child's information.

Where your data lives

In demo mode, everything stays on your own device. Nothing is uploaded to us, because there is no server account at all.

When you connect the app to your own Supabase project, your records live in that project's database, protected by row-level security so only your signed-in account can read them.

Documents are processed, then discarded

When you add a plan, we extract the structured pieces — goals, services, accommodations, dates — and we do not keep the original file by default.

You keep your own copy of the document; we keep only the fields you reviewed and confirmed. You can delete those at any time.

How AI processing works

Some features send text to an AI provider to do their work — always from our server, never from your browser.

Those calls are configured so the provider does not train on your data and does not retain it beyond processing the request. We send only what the feature needs, and we keep no raw transcript of the exchange — only the results you choose to save, like a finished letter.

No ads. Nothing sold. Ever.

We do not sell, rent, or trade your data. We do not share it with advertisers or data brokers. There is no ad tech in this product, and there never will be.

Your rights, built in

Export: download everything as a single JSON file from Settings, instantly.

Correction: every extracted field can be edited by you, and your version always wins over ours.

Deletion: remove a document, a child's records, or your whole account yourself. It takes effect immediately, and it is irreversible. No support ticket, no waiting period, no retention tricks.

Children's data

Parents and guardians are the users of this app. Children never have accounts, never sign in, and never receive anything from us.

Your child is a person whose information you have trusted us with. We treat those records as the most sensitive data in the system, with the strictest protections we have.

Where FERPA and HIPAA actually fit

FERPA is a law that binds schools and education agencies that receive federal funding. IEP Path is not a school, so FERPA does not regulate this app — it gives you rights against your school, like the right to see your child's records, and our tools help you use those rights.

HIPAA covers health plans, clearinghouses, and most health providers. We are none of those, and records kept by a school are generally education records that sit outside HIPAA.

So we will not market this app as “FERPA compliant” or “HIPAA compliant” — that would be misleading. Our obligations come from this policy and from consumer-privacy law, and we protect your data strongly because it deserves protection, not because a label requires it.

If something ever goes wrong

If a security breach affects your data, we will notify you promptly and in plain language: what happened, what information was involved, and what you can do.

That is what state breach-notification laws require — and what you deserve regardless.

Changes to this policy

If this policy changes, the date at the top changes with it, and meaningful changes are announced in the app. We will never quietly weaken what this page promises.