Skip to main content

Privacy Policy

Last updated: February 14, 2026

IRIS IEP ("we," "our," or "the System") is committed to protecting the privacy of students, families, and educators who use our platform. This Privacy Policy explains how we collect, use, store, and protect information in compliance with the Family Educational Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act (IDEA), and Washington State privacy regulations.

1. Information We Collect

We collect and process the following categories of information:

  • Student Education Records: Names, dates of birth, student IDs, disability categories, IEP documents, goals, progress data, service records, evaluation results, and meeting notes.
  • Account Information: Names, email addresses, roles, and district affiliations of educators, administrators, and family members.
  • Authentication Data: Hashed passwords and session tokens. We never store plaintext passwords.
  • Usage Data: Server logs including IP addresses, timestamps, and pages accessed, retained for security monitoring and auditing.

2. How We Use Information

Information is used exclusively for:

  • Creating, managing, and tracking Individualized Education Programs
  • Facilitating communication between IEP team members
  • Generating compliance reports required by federal and state regulations
  • Providing families with secure access to their child's IEP information
  • System administration, security monitoring, and auditing

3. FERPA Compliance

IRIS IEP operates as a "school official" under FERPA, processing education records on behalf of school districts under legitimate educational interest. We:

  • Only access education records as directed by the school district
  • Do not use education records for any purpose other than the contracted service
  • Do not disclose personally identifiable information from education records to third parties without proper authorization
  • Maintain strict access controls so users only see data appropriate for their role
  • Provide audit trails of all data access

4. Data Storage & Security

All data is stored and processed using the following infrastructure:

  • Database: Neon PostgreSQL (SOC 2 Type II compliant), hosted in the US (AWS us-west-2)
  • Application Hosting: Vercel, deployed within the United States
  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Control: Role-based access control (RBAC) enforced at the application and database layers

5. Third-Party Services

We use the following third-party services, each bound by data processing agreements:

  • Neon (neon.tech): Database hosting and management
  • Vercel: Application hosting and deployment

We do not use any third-party analytics, advertising, or tracking services.

6. Data Retention

Education records are retained in accordance with each district's records retention schedule and applicable state law. Washington State requires IEP records be retained for a minimum of six years after the student exits special education services. Districts may request deletion of their data at any time, subject to legal retention requirements.

7. Parental & Student Rights

Under FERPA and IDEA, parents (and eligible students aged 18+) have the right to:

  • Inspect and review their child's education records
  • Request correction of inaccurate or misleading records
  • Consent to disclosures of personally identifiable information
  • File a complaint with the U.S. Department of Education

To exercise these rights, contact your child's school district directly.

8. Data Breach Procedures

In the event of a security breach involving education records, we will notify affected school districts within 72 hours. Districts are responsible for notifying affected families in accordance with Washington State breach notification law (RCW 19.255.010) and FERPA requirements.

9. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to district administrators and posted on this page with an updated revision date.

10. Contact Us

For questions about this Privacy Policy or our data practices, contact us at: privacy@irisiep.com