YaizY Student Data Privacy Policy
Effective Date: May 28, 2025
Introduction
Welcome to YaizY’s digital platform with immersive STEAM pathways for digital careers. This Privacy Policy is issued by 21Skills, Inc., a Delaware corporation doing business as YaizY (“YaizY”, “we”, “us”, or “Company”).
YaizY is committed to protecting the privacy and security of student information. As a provider of digital career and technical education services to school districts, charter networks, and educational institutions, we act as a service provider, and, where applicable, a “school official” under FERPA, on behalf of our partner schools.
This Privacy Policy describes how we collect, use, store, and disclose personal information in compliance with applicable federal and state student data privacy laws. It is intended for school administrators, educators, and other institutional partners who use our services on behalf of students.
We do not own student data. All student information remains under the control of the school or district (“Customer”), and we access and process such data solely for educational purposes and only as authorized by the Customer through contractual agreements, including Data Privacy Agreements (DPAs).
Data Collected
YaizY collects minimal student information necessary to run our courses and support learning:
Student Identifiers: Student name (for login and roster purposes). We do not collect sensitive identifiers like social security numbers.
Course Performance Data: Information on course progress (e.g. lessons and modules completed, timestamps) and completion status, as well as grades, scores, and responses to quizzes and assignments. This helps teachers and students track academic progress.
Optional Contact/Age Data: In some cases, a student email address may be provided (for account access or login if permitted by the school) and the student’s age or grade level. Age is used only to ensure appropriate content and compliance with youth privacy laws (for example, identifying users under 13 for COPPA compliance).
Usage Data: Our platform may collect basic technical information and usage logs when students interact with the courses – for example, browser type, device type, pages visited, and session duration. This information is generally not personally identifiable on its own and is used to maintain service performance and security. If any usage data is linked to an individual (for troubleshooting or analytics), we treat it as personal and protect it accordingly.
No Sensitive Personal Data: YaizY does not collect any sensitive personal information such as Social Security numbers, financial account information, racial or ethnic origin, health or medical data, biometric identifiers, precise geolocation, or any data not needed for educational purposes. We intentionally avoid collecting sensitive categories of data about students.
Data Use
We use student data strictly for educational purposes in order to provide and improve our learning services to the districts and schools. This means student information is used solely to support schools and students in the context of coursework and learning activities. Key uses of the data include:
Course Delivery and Personalization: Student data is used to enable course functionality, for example, to authenticate student logins, present the correct course content, and personalize the learning experience based on a student’s progress. We track progress and responses so that students can pick up where they left off and receive tailored feedback.
Educational Feedback and Grading: We process quiz and assignment responses to provide results and feedback to the student and their teacher. Teachers and authorized school staff can access students’ grades and progress reports through our platform, allowing them to monitor performance and adjust instruction as needed.
Analytics for Improvement: YaizY may utilize aggregated, de-identified data to analyze overall course efficacy and improve our curriculum and platform if permitted by our contracts. For example, we might look at anonymous trends in quiz results to identify topics where many students struggle, and then refine those materials. Importantly, any such analytics do not use identifiable student information unless the school expressly authorizes it, and are only for the benefit of educational outcomes.
Prohibited Data Uses: YaizY will never use student personal data for commercial purposes outside the scope of the educational services we provide. In particular:
We do not sell student data to any third parties.
We do not mine or scan student content for advertising, marketing, or user profiling purposes. No student information is used to target ads, to build marketing lists, or for any kind of advertising or sales activities.
We do not use student data to develop new products or services unrelated to the contracted educational offering. (Any product development or research we conduct uses only non-student data or de-identified data, and always in line with our agreements and privacy commitments.)
We do not permit our employees to access or use student data for any reason other than supporting the school and the student (e.g. for customer support, technical troubleshooting, or as required by law). Every access is limited and for legitimate educational interests only.
In summary, all student information is used only to support teaching and learning. We will not use or disclose it for any secondary purpose such as advertising, external data mining, or monetization. Our role is to serve the district and its students, and we use their data only as an educational tool and never as an asset for our own gain.
Data Security
YaizY maintains a comprehensive security program to safeguard student data. We implement administrative, physical, and technical measures aligned with industry best practices to protect against unauthorized access, disclosure, or alteration of personal information. Key security practices include:
Secure Cloud Infrastructure: Our platform is hosted on Amazon Web Services (AWS), within a dedicated and secure environment. AWS data centers employ robust physical security controls, and our servers reside in an isolated network with firewall protection (including AWS Network Firewall) to prevent unauthorized external access.
Encryption in Transit and At Rest: All connections between users (students, teachers, administrators) and the YaizY platform are encrypted using SSL/TLS (HTTPS) protocols. This means data is securely transmitted and cannot be intercepted in transit. Additionally, all personal data stored in our PostgreSQL database is encrypted at rest. We utilize strong encryption standards (e.g., AES-256) to protect the database content and any backups or snapshots. For example, database backups are encrypted with industry-standard AES-256 encryption and stored securely.
Access Control and Authentication: We enforce strict access controls to limit who can access student information. Only authorized YaizY personnel with a legitimate need (for example, to provide technical support) can access student data, and such access is protected by secure authentication (strong passwords and, for administrative access, multi-factor authentication). Each staff member’s access is role-based, granting the minimum level of data access required for their job. We also keep logs of administrative access to student data and regularly review them to ensure compliance.
Employee Training and Policies: All employees of YaizY who handle or have potential access to student data undergo privacy and security training. We educate our staff on their obligations under FERPA, COPPA, and other relevant laws, as well as on best practices for data protection. Employees are required to adhere to strict confidentiality policies. We also conduct background checks on employees who will have administrative access to student records, consistent with district requirements, to further ensure student data is handled by trusted individuals.
Data Minimization and Segmentation: We collect only the data we need, as described above, and in our systems student data is segmented (logically separated) so that each school’s data is isolated. Where feasible, we use single-tenant data storage for each district, meaning each district’s information is stored separately, adding an extra layer of protection.
Monitoring and Testing: Our technical team utilizes security monitoring tools to detect and prevent intrusions or anomalies in our systems. We conduct periodic security audits, vulnerability assessments, and penetration testing on our platform to identify and fix potential weaknesses. The platform’s code is developed following secure coding guidelines to mitigate common security risks.
Backups and Recovery: We perform regular encrypted backups of our database and critical systems to ensure we can recover data in the event of a hardware failure or disaster. Backup files are protected with encryption (AES-256) and are stored in secure, access-controlled locations. Backup retention is limited (e.g., rolling backups for a certain number of days) and backups are automatically deleted on schedule; they are not kept longer than necessary. In the event of an incident, these backups allow us to restore services while preserving data integrity.
Certification and Standards: Our cloud provider (AWS) maintains industry certifications such as SOC 2 and ISO 27001. While using these certified infrastructures, YaizY also aligns its internal security policies with standards like the NIST Cybersecurity Framework for risk management. We regularly review and update our security practices to keep pace with evolving threats and to ensure compliance with applicable state and federal data protection requirements.
By employing these measures, YaizY strives to ensure that student data is stored and processed in a secure environment. We understand the trust that schools place in us as custodians of student information, and we work continuously to prevent unauthorized access or breaches of any kind. (Please note that while we take robust precautions, no internet or storage system can be 100% secure; however, we are committed to doing everything reasonably possible to protect student information.)
Data Retention and Deletion
YaizY retains student data only for as long as necessary to fulfill our educational services or as required by our agreement with each school district. We do not keep personal data indefinitely or for longer than needed. Our retention and deletion practices are as follows:
During the Contract: For active partner schools, we retain student information throughout the course or school year so that students and teachers can access historical coursework, grades, and progress. This ensures continuity in learning and record-keeping as expected by the school.
Contract Expiration or Termination: When a school’s contract with YaizY ends, or if a student is no longer using our platform, we will work with the district to either return or delete the student data. Typically, we will permanently delete or de-identify personal information within a set period (for example, 30 or 60 days) after contract termination, unless the district requests a different handling. We can securely export and return data to the district prior to deletion, if the district desires to retain a copy.
Deletion Requests: We honor requests to delete student data when they are authorized by the school. Because we operate as a processor for the school, a parent or eligible student who wants their data removed should send the request through their school or district. Upon receiving a verified deletion request from the district (or directly from an eligible individual, if permitted by law), YaizY will promptly delete the student’s personal data from our systems, except any information we are required to keep by law or for legitimate internal compliance (e.g. audit logs), as allowed under the contract. We will confirm with the district once deletion is completed.
Limited Backup Retention: Residual copies of data may persist in encrypted backups for a short period after deletion (due to automated backup cycles). However, any such backups are maintained securely and are subject to strict access controls. We have procedures to expire or destroy backups on a regular schedule. We will not restore deleted personal data back into active systems except as may be required for security or legal compliance. In any case, we will continue to safeguard any data in backups and will ensure it is completely purged in the normal course of our backup rotation.
De-Identified Data Use: In some cases, and only if permitted by our contract or applicable law, YaizY may retain de-identified, aggregated data after deletion of personal data. “De-identified” means all direct and indirect personal identifiers have been removed or obfuscated, so that no student or individual can reasonably be identified. We might use such de-identified data to improve our educational content and services (for example, analyzing overall learning outcomes across schools). Any de-identified data is used solely for internal purposes to enhance our offerings and never for marketing or external monetization. We will not attempt to re-identify any anonymized data, and we contractually prohibit any third party we work with from doing so. If our agreement with a district disallows even de-identified data use, then we will abide by that agreement fully.
YaizY’s policy is to ensure that we only keep student data for as long as it serves an educational purpose or is required by the school. We aim to give districts full control over their data life cycle. Upon request, we will certify the destruction of student records to the district. Our data retention and deletion processes are designed to meet or exceed the requirements of FERPA, state student privacy laws, and district data privacy addenda.
Breach Notification
YaizY has a detailed Incident Response Plan in place to address any security incidents or data breaches swiftly and effectively. Despite robust protections, if an unauthorized access, disclosure, or other security breach involving student data were to occur, we are prepared to respond in the following manner:
Immediate Assessment: Upon detecting or being notified of a potential security incident, our security team will promptly investigate to determine the nature and scope of the issue. We work to quickly contain the incident and prevent further unauthorized access. If an incident is minor and can be resolved before any data compromise (for example, a suspicious activity that is stopped in time), we document it and continue monitoring. If we determine that a Security Breach (i.e., actual unauthorized acquisition or disclosure of student personal information) has occurred or is likely, we escalate our response.
District Notification: We will notify the affected school district(s) without undue delay as soon as a data breach is confirmed. Our standard practice is to inform the district’s designated contact immediately or within 24 hours of discovering a confirmed breach. This notification will include available details about the nature of the breach, the data impacted (to the extent known), and the steps we are taking to address it. We believe the district should be the first to know, so that we can coordinate on informing any other parties (such as affected students and parents) in accordance with the law and district policies.
Cooperation with District Procedures: YaizY will fully cooperate with the district’s investigation and response efforts. We understand that schools have legal obligations (under state breach laws, FERPA, etc.) to notify parents or regulatory authorities in the event of certain breaches. We will assist the district in gathering information needed for such notifications, and will follow the district’s directions regarding communications. We do not directly notify individual students or families unless instructed to by the district or required by law; we defer to the district’s preferred process to avoid confusion and ensure accuracy and safety.
Containment and Remediation: Upon a breach, our team works to immediately contain the issue, for example, shutting down or isolating affected systems, revoking compromised credentials, and otherwise preventing further data loss. We then remediate the situation: this may involve applying security patches, changing configurations, or other fixes to eliminate the vulnerability that led to the breach. We also review and mitigate any harm to affected individuals (e.g., ensuring stolen data is recovered or confirming unauthorized recipients delete it, if possible).
Investigation and Reporting: YaizY will investigate the root cause of the breach and document the full details. We typically provide the district with a written breach report within a reasonable time (e.g., within 7 business days of the incident). This report outlines what happened, what data was involved, what we have done to remediate, and what we plan to do to prevent a recurrence. We welcome the district’s input and will amend our action plan as needed to address any concerns.
Future Prevention: After managing the immediate incident, we perform a post-mortem analysis to learn from the event. We will implement enhancements to our security program to prevent similar incidents in the future, such as improved monitoring, additional staff training, or new technical safeguards. If the breach was caused by a subcontractor, we will re-evaluate that relationship and ensure they also take corrective action (up to and including termination of the relationship if necessary).
Our goal is to handle any security incident transparently, quickly, and thoroughly. By notifying our school partners promptly and working hand-in-hand on response, we strive to minimize any potential harm from a breach. YaizY also complies with all applicable data breach notification laws that may require additional reporting. We value the trust that schools place in us, and in the event of a breach we will do everything in our power to make things right and prevent future issues.
Student Privacy Law Compliance
YaizY’s practices are designed to comply with all relevant student data privacy laws, including federal laws like FERPA, COPPA, CIPA, and PPRA, as well as applicable state laws. Below we explain our compliance with these key laws:
Family Educational Rights and Privacy Act (FERPA)
As many of our partner schools are subject to FERPA, YaizY handles education records in accordance with FERPA requirements. Under FERPA, we operate as a “school official” with a legitimate educational interest in student records, on behalf of the district. This designation is established through our contracts: the school or district appoints YaizY as a school official to provide the online educational service. We thereby agree to be under the direct control of the district with regard to use and maintenance of education records. In practice, this means:
We only use student education records for purposes authorized by the school, i.e., to deliver the YaizY educational program and support the students’ learning. We will not use or disclose those records for any other purpose.
We do not disclose education records to third parties except as permitted by FERPA. Allowable disclosures might include our authorized subprocessors who assist in delivering the service (similar to a teacher’s aide, performing a service for the school), but even in those cases, the data is used only for school purposes and the third party is bound to FERPA-level confidentiality. Any such subcontractors are considered “school officials” under FERPA as well and are subject to the same use restrictions.
If we ever receive a subpoena, court order, or other legal demand for a student’s education records, we will promptly notify the district (unless legally prohibited) and work together on a response, in accordance with FERPA’s requirements for such disclosures.
FERPA also gives parents and eligible students the right to access and request amendment of education records. Since we are not the educational agency, we will direct any such requests to the school, and assist the school in fulfilling them as needed. For example, if a parent asks us for their child’s data, we will coordinate with the district to ensure the request is handled under FERPA guidelines.
YaizY has never had a FERPA violation and we are committed to abiding by FERPA’s privacy provisions. We agree, as part of our contracts, that we will follow FERPA regulations just as a school district does, to protect the confidentiality of student records.
In summary, FERPA compliance is fundamental to our data practices. We treat all student records as confidential and under school control. We use them only to fulfill our educational services for the district and for no other purpose. We rely on FERPA’s “school official” exception to receive and use student data, and in doing so we adhere strictly to FERPA’s limits on use and re-disclosure.
Children’s Online Privacy Protection Act (COPPA)
COPPA governs online collection of personal information from children under 13. YaizY does not knowingly collect personal data directly from any child under 13 without proper consent. Our platform is provided to students through their schools, and in COPPA terms the school may act as an agent of the parent to consent to the collection of student data for educational purposes. Here is how we address COPPA:
School-Obtained Consent: We require that our partner schools obtain any necessary parental consent for students under 13 to use the YaizY platform. When a district enrolls students in our courses, we assume that the district has either obtained parent consent or has the authority under COPPA to consent on the parents’ behalf for the use of the educational program. Our terms with the school make clear that the school is responsible for COPPA compliance in this regard.
No Direct Signup by Children: We do not allow children under 13 to sign up for YaizY services on their own. Accounts for young students are created in coordination with the school, or by a teacher or administrator. If a parent or student (under 13) comes to our website to request access, we will involve the school or obtain parental consent before proceeding.
Limited Information Collection: The information we collect from students (name, coursework, etc., as described above in Data Collected) is used only for the educational context. We do not collect more data than needed for the child’s learning experience. Importantly, we do not condition participation on providing more personal data than is reasonably necessary for that activity (which is a COPPA requirement).
No Marketing to Children: We comply with COPPA’s prohibition on using children’s data for marketing. We do not send promotional messages to students, and we certainly do not allow any third-party advertising on our student platform. Our website and platform might have general informational pages, but student-facing areas are free of commercial ads and tracking beyond what’s needed for functionality.
Parental Rights: If a parent of a child under 13 contacts us to review or delete their child’s personal information, we will support the school in fulfilling that request (since typically the request would be routed to the school). If a parent comes to us directly, we will either facilitate the request with the district or, if appropriate, obtain proof of the parent’s identity/consent and honor the request to the extent consistent with providing the service. If a parent revokes consent for further use of a child’s personal data, we will delete the child’s account information after consultation with the school.
COPPA Assurance: In summary, YaizY operates in compliance with COPPA. We never knowingly exploit or share data from children for any non-educational purpose. Should we discover that we have inadvertently collected personal information from a child under 13 in a manner inconsistent with COPPA (for instance, if a child misrepresented their age to gain access), we will delete that information promptly and take steps to prevent a recurrence.
Children’s Internet Protection Act (CIPA)
CIPA is a law that requires schools and libraries receiving certain federal funds (E-rate) to implement internet safety policies and filtering to protect children from harmful online content. While CIPA obligations apply primarily to the educational institutions’ use of technology, YaizY is committed to supporting our schools’ compliance with CIPA by providing a safe online environment within our platform:
No Objectionable Content: All content in YaizY courses is carefully curated for educational appropriateness. We do not include any obscene or harmful content in our curriculum. Our courses focus on career skills, STEM, digital arts, and other academic/career topics, and all content is reviewed to ensure it is child-friendly and suitable for K-12 students. This helps schools meet the requirement of blocking harmful content; nothing in our service should be subject to blocking as inappropriate material.
Student Interaction Safety: YaizY’s platform may include interactive elements (for example, student project submissions, or forums if any). We ensure these are monitored and moderated in accordance with school policies. We also design our platform such that students cannot access external links or outside communications that are not approved as part of the curriculum. This closed environment approach assists schools in preventing access to inappropriate material outside the platform while students are engaged in YaizY courses.
No Advertising: CIPA also addresses the concern of commercial exploitation. As noted, we have no advertisements or commercial pop-ups on the student portions of our platform. Students focus on learning without exposure to external ads or tracking.
Collaboration with School Filters: We assume that schools implement network-level filters as required by CIPA. Our platform’s content is delivered via standard web protocols (HTTPS) and should be fully compatible with district filtering systems. If any YaizY content or tools ever trigger an issue with a school’s filter, we will gladly work with the school’s IT department to resolve it (for example, whitelisting our educational content servers).
Protection of Pupil Rights Amendment (PPRA)
PPRA protects students (and parents) by requiring parental consent before students are required to participate in certain surveys, analyses, or evaluations funded by the U.S. Department of Education that reveal sensitive information. It also gives families rights regarding marketing surveys and the collection of certain information. YaizY does not conduct any activities that would trigger PPRA’s parental consent requirements. Specifically:
No Protected Information Surveys: We do not administer surveys or questionnaires to students that ask about any of the eight protected areas under PPRA (political affiliations or beliefs of the student or parent; mental or psychological problems of the student or family; sex behavior or attitudes; illegal, anti-social, self-incriminating, or demeaning behavior; critical appraisals of close family members; legally recognized privileged relationships; religious practices or beliefs; or income other than as required by law). Our platform is focused on course instruction in academic and career subjects, and we steer clear of intrusive surveys.
No Marketing Collection: We do not collect information from students for the purpose of marketing or selling to others, nor do we conduct any non-educational analysis of personal information. Any data collection is strictly for educational use as described in this policy.
Curriculum Content: In the normal course of learning activities, students might create projects or reflect on their interests (for example, a career exploration course might ask what jobs a student finds interesting). However, we do not ask students to submit any sensitive personal reflections that would fall under PPRA’s protected categories.
Parental Access: If a parent requests to inspect any instructional material or survey question (another right under PPRA for certain activities), we will facilitate that through the school.
State Student Privacy Laws
In addition to federal laws, YaizY complies with all applicable state student privacy laws and regulations. Many states have enacted laws to protect student data (for example, California’s Student Online Personal Information Protection Act (SOPIPA), Illinois’ Student Online Personal Protection Act (SOPPA), New York Education Law 2-d, and others). While the specifics of these laws vary, we have implemented policies and practices that meet the common requirements across these statutes:
No Commercial Use of Data: State laws like SOPIPA prohibit vendors from using student data for targeted advertising or selling student information. YaizY fully adheres to this: as stated above, we do not sell student data or use it for any kind of advertisement or profiling beyond the educational context. This holds true in every state.
Data Privacy Addenda: We are willing to sign state-specific Data Privacy Agreements (DPAs) with our partner districts to formally document our compliance with state requirements. We have, for instance, signed the California Student Data Privacy Agreement and similar contracts in other states that incorporate state law mandates. These agreements typically include provisions on data security, breach notification timelines, and data deletion commitments, all of which we uphold.
Security Controls: Some states require particular security measures (like encryption or specific audit logging) when handling student data. Our security program (described earlier) meets or exceeds these requirements. For example, Illinois SOPPA and other laws require encryption for data in transit and at rest, which we already implement via SSL/TLS and AES-256 encryption. We continuously review new state laws to ensure our technical controls remain in compliance.
Parental and District Rights: Under certain state laws, parents and students have rights to inspect, correct, or download student data held by vendors. YaizY supports these rights by facilitating access and correction requests through the school. If a state law grants a student (or parent) the right to obtain a copy of their data from us or request corrections directly, we will honor that in coordination with the school district. We have processes to export a student’s data in a readable format upon authorized request.
Breach Notification Timelines: Some states impose specific deadlines for notifying districts or state authorities in the event of a data breach. YaizY is aware of these (for example, California and Illinois law often require notice within 30 days or without unreasonable delay). Our breach response policy is designed to meet the most stringent applicable requirement, and as noted we strive to notify immediately and certainly within any legal deadlines. We also agree to any additional state-mandated post-breach steps (such as credit monitoring for affected individuals, if required, though our data typically does not include financial information).
Training and Compliance Program: State laws like New York’s Ed Law 2-d require that those handling student data receive training on privacy laws. As described, we do provide regular privacy and security training to employees, covering both federal and state law obligations. We consider compliance with state privacy laws a company-wide responsibility and maintain an internal compliance program to track and implement these requirements.
By following these practices, YaizY ensures that we are in full compliance with state-specific student privacy protections. If there is ever any difference between a state law and our standard policy, we will adjust our practices for that state accordingly (and usually our baseline is already to the higher standard). Our commitment is that no matter the jurisdiction, student data in YaizY’s care receives strong and lawful privacy protections.
Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us. We are here to help our school partners, parents, and students feel confident in how we handle data.
Contact YaizY at:
Email: hello@yaizy.io