Trust Center
Built for students.
Trusted by families.
Plio Academy is a nonprofit. We have no advertising business model, no data to sell, and no incentive to collect more than we need. This page explains exactly how we handle student and family data.
Children's Online Privacy Protection
Children under 13 never create accounts directly on Plio Academy. Every student account is created and managed by a parent, guardian, or school administrator who provides verifiable consent. We apply COPPA protections to all users under 13 and extend similar care to all students on our platform regardless of age.
- Children never submit PII directly — guardian owns and controls all account data.
- Only first name and age range are associated with a student profile; no email, phone, or address.
- No behavioral advertising, no tracking pixels, no third-party marketing on student-facing pages.
- Any guardian may request full deletion of their child's data at any time — no questions asked.
- We do not sell, share, or rent student data to any third party for commercial purposes.
Educational Records Alignment
Plio Academy is designed to align with FERPA principles. When we partner with schools and districts, we act as a school official with a legitimate educational interest and handle education records accordingly.
- We never sell student education records or learning data to any party.
- Role-based access controls: teachers see only their students; guardians see only their children.
- Audit logs record every privileged access to student data.
- District data agreements available on request — contact privacy@plio.academy.
- Data portability: export a full copy of your student's progress at any time.
Data Retention
| Data type | Retention period |
|---|---|
| Account & profile data | Active account + 30-day grace period after deletion request, then purged |
| Student learning progress & SRS data | Deleted with the associated student profile |
| Guardian email (waitlist / contact form) | Until enrolled or removal requested |
| Server access logs | 30 days, then deleted |
| Donation records | 7 years (IRS nonprofit requirement) |
| Audit logs (privileged access) | 1 year |
Account deletion triggers a 30-day purge window. During this window your data is deactivated but not yet removed, allowing accidental-deletion recovery. After 30 days all personal data is permanently deleted.
Security Practices
Authentication
Powered by Clerk (SOC 2 Type II). Supports MFA, passkeys, and OAuth. No passwords stored by Plio.
Encryption
Database encrypted at rest (Neon/AWS AES-256). All traffic encrypted in transit (TLS 1.3). HTTPS-only — no plain HTTP.
Infrastructure
Hosted on Vercel edge network with DDoS protection. Database isolated in a private VPC. Secrets managed via environment variables, never committed to source.
Access control
Role-based permissions enforced at the database query layer. Staff access to production data requires 2FA and is fully audited.
Vulnerability management
Dependency updates automated via Dependabot. Security patches applied within 24 hours of disclosure. No unpatched critical CVEs.
Incident response
We notify affected users within 72 hours of a confirmed breach. Full post-mortems published within 30 days.
Sub-Processors
We use the following third-party services. Each is bound by a data processing agreement and may not use student data for any purpose other than providing services to Plio Academy.
| Vendor | Purpose |
|---|---|
| Clerk | Authentication & identity |
| Neon | Serverless PostgreSQL database |
| Resend | Transactional email delivery |
| Backblaze B2 | File & media storage |
| Stripe | Payment processing (donations) |
| Vercel | Edge hosting & CDN |
Last updated: May 2026. We will update this list before adding any new sub-processor.
Compliance Documentation
For district IT officers and procurement teams: E-Rate eligibility statement, state student-privacy law compliance table (IL SOPPA, CA AB 1584, NY Ed Law 2-d, TX SB 820, WA OSPI), FERPA school-official status, COPPA operator status, and CIPA notes.
Questions or concerns?
Our privacy team responds within 2 business days. For data deletion requests, use the dedicated form — we complete all deletions within 30 days.