Privacy Policy

Privacy Policy Overview

Effective Date: August 25, 2025

SwiftScore LLC ("SwiftScore," "we," "us," or "our") operates Eval by SwiftScore (the "Service"), an AI-powered platform that helps education leaders streamline teacher observation, evaluation, and coaching in the United States.

This Privacy Policy explains how we collect, use, disclose, and protect Personal Information when you use the Service. We are committed to transparency, data minimization, and industry-standard security.

Summary at a Glance

• Eval is designed for adults (18+) in educator and leadership workflows. We do not create student accounts or directly collect student records.
• We use Google Gemini (Vertex AI) as our sole AI provider and configure requests so your content is not used to train public models.
• We do not sell Personal Information and we do not share it for cross-context behavioral advertising.
• We support U.S. education privacy laws including FERPA and relevant U.S. state privacy laws, and GDPR where applicable to EU or EEA data subjects who choose to use the Service.
• U.S.-only data residency for User Content, stored primarily in AWS us-east-1 via Supabase, with AI processing in U.S. Google Cloud regions. Backups and disaster recovery are U.S.-based.
• We will execute FERPA-aligned data processing terms and provide a written COPPA commitment upon request.
• You control your User Content. You can access, correct, export, and delete Personal Information, subject to legal exceptions.

Scope, Roles, and Legal Bases

Scope: This Policy covers Personal Information processed by SwiftScore through the Service. It does not cover third-party sites or services we do not control.

Roles:
• When an organization such as a school or district uses the Service, the organization is typically the data controller or FERPA education agency, and SwiftScore acts as a data processor, service provider, or contractor under applicable laws.
• For individual accounts used for pilots or trials, SwiftScore may act as a controller for limited account, support, and billing data.

GDPR Legal Bases where applicable:
• Contract (Art. 6(1)(b)) to provide the Service you requested.
• Legitimate interests (Art. 6(1)(f)) such as security, fraud prevention, and product improvement using de-identified or aggregated data.
• Consent (Art. 6(1)(a)) where required for marketing and certain cookies.
• Legal obligation (Art. 6(1)(c)) for tax and records retention.

Definitions

Personal Information or Personal Data: Information that identifies or can reasonably be linked to an identified or identifiable natural person.

User Content: Observation notes, evaluation reports, coaching materials, framework selections, audio and transcriptions you submit to or generate through the Service. You retain ownership of your User Content.

De-identified or Aggregated Data: Data that cannot reasonably be used to identify you. We maintain de-identification measures and will not re-identify such data.

AI Provider: Google Gemini via Vertex AI, the sole third-party AI service used by the Service.

Information We Collect

Information you provide:
• Account and organization details such as name, email, professional role, school or organization, and password stored as a secure hash.
• OAuth via Google Sign-In if used, including limited profile info and tokens necessary for authentication. You can revoke access via your Google account settings.
• User Content such as observation notes, evaluations, rubrics and framework choices, coaching plans, uploaded audio, and transcriptions if you enable recording features.
• Support communications and feedback.
• Payments handled by Stripe including billing name, address, and transaction identifiers. We do not store full payment card numbers.

Information collected automatically:
• Technical and usage data such as IP address, approximate location, device and OS, browser, pages and features used, timestamps, referring URLs, and crash logs.
• Cookies and local storage for authentication, sessions, feature flags, and analytics preferences.

Sources:
• Directly from you and your organization, from your device or browser, and from integrated services you authorize such as Google OAuth.

What we do not intend to collect:
• The Service is not designed to collect student records as primary data. If your User Content incidentally references students, you represent that you have lawful authority such as FERPA compliance to do so. We do not market to or create student accounts.

How We Use Personal Information

Primary uses:
• Provide, secure, and maintain the Service; authenticate users and administer accounts.
• Generate AI-assisted evaluations, transcriptions, coaching suggestions, and reports.
• Process payments and subscriptions and send transactional notices such as receipts and feature updates.
• Respond to support requests and service communications.

Improvement and research:
• We may use de-identified or aggregated information to improve model quality, develop features, analyze usage patterns, and publish high-level product insights. We do not re-identify de-identified data.

Compliance and protection:
• To comply with law, enforce terms, detect and prevent fraud or abuse, protect rights and safety, and maintain the integrity of the Service.

Automated decisions:
• Important decisions are not made solely by automated processing. Users can review and edit AI-generated content.

AI Use and Data Handling

• We use Google Gemini via Vertex AI exclusively to enhance the Service including evaluation generation, transcription, and coaching support.
• We transmit only the minimum necessary prompts and inputs to perform the requested operation.
• Public model training is disabled for your content. Where available, we enable zero data retention for generative requests.
• We invoke U.S. regional endpoints and restrict AI processing to U.S. Google Cloud regions supported by the models.
• You remain responsible for reviewing and editing AI outputs before use.

Cookies and Similar Technologies

• Essential cookies for authentication, session, and security.
• Functional cookies for preferences, feature flags, and language.
• Analytics for adoption, performance, and experiments such as Statsig.

You may control cookies in your browser. Blocking essential cookies can impact functionality. We currently do not respond to Do Not Track signals.

Sharing and Disclosures

Service providers and subprocessors:
• We share Personal Information with vendors under contracts requiring confidentiality, security, and use only to provide services to us. We maintain U.S.-only data residency for User Content and any educator-supplied student references.

Infrastructure and AI:
• Google Cloud Platform for hosting and Vertex AI restricted to U.S. regions. Vertex AI governance is configured so your content is not used to train Google public models.

Database and authentication:
• Supabase hosted in AWS us-east-1 with Row Level Security and SOC 2 Type II controls.

Payments:
• Stripe for billing and invoicing. We share no student data with Stripe. Stripe processes business billing data for account owners and may act as an independent controller for that data.

Analytics and feature management:
• Statsig for feature flags and experiments, configured for U.S.-hosted data pipelines for our project.

Your organization:
• We share in accordance with your organization settings with authorized administrators and collaborators.

Legal and government requests:
• We may disclose information if required by law, subpoena, or valid government request. Where legally permitted, we will provide advance notice and seek to narrow requests.

Business transfers:
• In a merger, acquisition, or asset sale, Personal Information may be transferred with a commitment that the successor honors this Policy or provides materially comparable protections.

No sale or targeted advertising sharing:
• We do not sell Personal Information and we do not share it for cross-context behavioral advertising.

Security

We apply industry-standard technical and organizational measures including:
• Encryption in transit using TLS 1.2 or higher and encryption at rest such as AES-256.
• Strict access controls and least privilege permissions.
• Row Level Security at the database layer with audit logs and anomaly monitoring.
• Regular security testing, patching, and vulnerability assessments.

Breach notification:
• If a security incident affects Personal Information, we will notify affected parties without undue delay and within applicable legal timeframes such as 72 hours under GDPR where applicable, including the nature, scope, and mitigation steps.

User responsibilities:
• You are responsible for maintaining the security of your devices and credentials.

Data Retention

We retain Personal Information only as long as necessary for the purposes described or as required by law.

Typical retention periods:
• Active account data: while the account remains active.
• Evaluation reports and User Content: five years from creation unless legal hold applies or your organization configures otherwise.
• Authentication logs: one year.
• Financial and transactional records: seven years.
• Soft-deleted records: permanently removed after ninety days.
• Backups and archives: deleted on rolling cycles consistent with the above timelines.

Deletion requests:
• Upon verified deletion requests or account closure, data is marked for deletion and removed after applicable retention and backup windows subject to legal holds.

Your Privacy Rights

Core rights for all users:
• Access, correct, delete, and export Personal Information and object to or restrict certain processing, subject to legal exceptions and organizational controls.

U.S. state privacy rights:
• Depending on your state, you may have rights to know or access, correct, delete, and data portability. You may have rights to opt out of sale or targeted advertising. We do neither. You may have rights to limit use or disclosure of sensitive data which we use only as needed to provide the Service. You may appeal a rights decision and we will include appeal instructions in our response.

California disclosures under CCPA and CPRA:
• In the past twelve months, we collected identifiers, professional information, internet activity, coarse geolocation, audio if enabled, financial transaction data via Stripe, and sensitive data such as auth tokens and role permissions. We did not sell any of these categories and we did not share them for cross-context behavioral advertising. We do not have actual knowledge that we sell or share data of consumers under sixteen. We do not discriminate for exercising privacy rights.

GDPR where applicable:
• You may have rights to access, rectify, erase, restrict or object to processing and data portability, and to lodge a complaint with a supervisory authority. Where we rely on consent, you may withdraw it at any time.

How to exercise rights:
• Use in-app controls where available or email contact@swiftscore.org with your request, the email tied to your account, and any organization affiliation. We will verify your identity and authority including authorized agent requests and aim to respond within thirty to forty five days with extensions permitted by law.

Children's Privacy

The Service is intended for adults eighteen and older. We do not knowingly collect Personal Information from children under thirteen or under sixteen where that is the age of digital consent. If you believe a child provided Personal Information, contact us and we will promptly delete it.

If you as an educator include student references in User Content, you represent you have lawful authority under FERPA and appropriate consents or authorizations.

Geographic Scope, Data Location, and International Transfers

U.S.-only residency for User Content:
• Primary database and storage are in Supabase within AWS us-east-1 in Northern Virginia.
• AI processing uses Vertex AI on U.S. regional endpoints. Data at rest for generative features is stored in the selected U.S. location.
• Backups and disaster recovery for User Content remain within the United States.

No cross-border transfers of User Content:
• We do not transfer User Content outside the United States or its territories. If a specific integration requires a cross-border transfer, we will present clear controls and require explicit authorization.

Other data:
• Payment data handled by Stripe pertains to organizational account owners and administrators and never includes student data. Stripe may process such billing data under its compliance framework and regional architecture.

Third-Party Links and Integrations

The Service may link to third-party sites and services. Their privacy practices are governed by their own policies. Review those policies before interacting with them. Integrations you enable such as Google OAuth share only the minimum necessary information.

Organization Terms, FERPA, and Data Processing Addenda

FERPA:
• Where we process education records on behalf of a school or district, we do so only as a school official with a legitimate educational interest under the direction of the education agency. The agency remains the custodian of records.

Data Processing Addendum:
• A DPA reflecting processor or service-provider obligations including security, subprocessing, audit cooperation, and deletion or return is available upon request.

State education privacy laws:
• We execute required addenda such as New York Education Law 2-d and Parents' Bill of Rights attachments consistent with our processing model and security measures.

Government and Law-Enforcement Requests

We scrutinize all requests to ensure legal validity and scope. If legally permitted, we will provide prior notice to the organization or user so they can seek protection. We seek to narrow requests and disclose only the minimum necessary.

Your Choices

AI and data use for improvement:
• You may opt out of our use of de-identified derivatives of your content for internal model or feature improvement by emailing us. When enabled by Google, we also set zero data retention for Vertex AI generative requests.

Communications:
• You can opt out of non-essential emails. Transactional emails are required for service delivery.

Cookies:
• Manage via browser settings and in-app preferences.

Data Accuracy and Your Responsibilities

You agree to keep your account and organization information accurate and current, to maintain the confidentiality of credentials, and to ensure you have the right to input any Personal Information into the Service including incidental student references.

Changes to This Policy

We may update this Policy from time to time. We will post the updated Policy with a new Effective Date, provide notice of material changes such as email or in-app notice, and obtain consent where required by law. Your continued use after changes become effective constitutes acceptance.

Contact Us

Privacy Officer

SwiftScore LLC (Eval by SwiftScore)
12 Dogwood Rd
Bedford, NY 10506
Email: contact@swiftscore.org

We aim to respond to privacy inquiries within five days.

Comprehensive Service Provider List

Cloud and hosting:
• Google Cloud Platform for compute, storage, and security in U.S. regions only.

Database and authentication:
• Supabase for Postgres, Auth, and Row Level Security in AWS us-east-1 in Northern Virginia.

AI:
• Google Vertex AI and Gemini for prompt processing, generation, transcription, and embedding creation in U.S. regions only with training disabled and zero data retention where available.

Payments:
• Stripe for billing, invoicing, and receipts for organization account owners and administrators.

Analytics and feature flags:
• Statsig for experiments and feature management configured for U.S.-hosted data pipelines.

We may update subprocessors as our Service evolves. Material changes will be notified consistent with this Policy.

Technical Security Snapshot

Transport security:
• TLS 1.2 or higher.

Encryption at rest:
• AES-256 with provider-managed keys.

Authentication:
• Short-lived JWTs with refresh tokens and HTTP-only secure cookies with SameSite attributes.

Access controls:
• Principle of least privilege, role-based access, audit logging.

Application security:
• Input validation, rate limiting, CSRF protections, and dependency patching.

Database:
• Row Level Security to partition tenant data, periodic backups, and restore testing.

Reviews:
• Periodic security audits and vulnerability assessments.

State-Specific Addendum

California CPRA:
• We act as a service provider or contractor. No sale or cross-context advertising sharing. Consumer rights are honored per the rights section.

Colorado, Connecticut, Virginia, Oregon, Texas, and Utah:
• We process only for specified purposes. We honor access, correction, deletion, portability, and applicable opt-out rights. We provide an appeals process.

Student privacy statutes such as SOPIPA and New York Education Law 2-d:
• We do not use education information for targeted advertising or create profiles unrelated to educational purposes. We maintain administrative, technical, and physical safeguards appropriate to the sensitivity of data.

HIPAA Notice

We are not a HIPAA Covered Entity and generally do not act as a Business Associate. Do not submit protected health information to the Service. If a Business Associate arrangement is required for a specific use case, contact us before using the Service.

Additional Commitments

Data minimization:
• We collect only what we need to provide the Service.

Privacy by design:
• Privacy and security are integrated into development lifecycles and reviews.

Record of processing:
• Maintained internally and available to enterprise customers upon reasonable request under a nondisclosure agreement.

Audit cooperation:
• For enterprise customers under a DPA, we provide reasonable audit cooperation regarding our security controls and subprocessors.

Reference:
• COPPA Compliance Statement is available upon request.

U.S. Student Data Residency and COPPA Commitment

Residency:
• We store and process all User Content and any educator-supplied references to students exclusively within the United States or its territories. Primary storage is in AWS us-east-1 via Supabase. Vertex AI processing is restricted to U.S. Google Cloud regions. Backups and disaster recovery are U.S.-based.

COPPA:
• We do not create student accounts or knowingly collect Personal Information from children under thirteen.
• When educators input student-related information as part of their professional duties, SwiftScore acts as a school official under FERPA and may rely on the COPPA school exception where applicable. We process such information solely to provide the Service on behalf of the education agency and for no other commercial purpose.
• We do not sell, share for targeted advertising, or use student-related information to train public AI models.
• Upon contract execution, we provide a written COPPA compliance confirmation and incorporate these commitments into the DPA and required state addenda.

Deletion, access, and security:
• On verified request from the education agency, we delete student-related information consistent with our retention section and provide confirmation after backup windows elapse.
• We maintain Row Level Security, encryption in transit and at rest, access controls, and audit logging to safeguard student-related information.

Point of contact:
• contact@swiftscore.org

Last reviewed and updated: August 25, 2025