Privacy Policy

Effective Date: March 1, 2026

How to read this policy

This is a single combined Privacy Policy for EdisonOS. It is organised into two parts:

  • Part A - General Privacy Policy: Covers Schools, Tutoring companies, CBOs, and website visitors - including how we handle business account data, payment processing via Stripe, cookies, and marketing. Applies to anyone who visits edisonos.com or signs up for an EdisonOS subscription.
  • Part B - Student Privacy Policy: Covers student personally identifiable information (Student PII) collected when Schools, tutoring companies, or CBOs use EdisonOS with students under 18. Governed by FERPA, COPPA, and applicable state student privacy laws.

Both parts are binding. If you are a school or tutoring company using EdisonOS with students, both parts apply to your use.

Part A - General Privacy Policy

This Part A applies to all visitors to edisonos.com and to all business users - tutors, tutoring companies, community-based organizations (CBOs), and school & district administrators who create an account or purchase an EdisonOS subscription.

Section A1 – About Us and Legal Entity

EdisonOS is an assessment software operated by Kalvi Software, Inc., a C-Corporation registered in Delaware, USA (the "Company," "we," "us," or "our").

Platform development and engineering support are provided by TeachEdison Solutions Pvt Ltd, a private limited company incorporated in India. It acts as an authorized sub-processor under a Data Processing Agreement with Kalvi Software, Inc. and is not the data controller for any user data.

Data Controller: Kalvi Software, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, United States

Privacy Contact: privacy@edisonos.com

Section A2 – Data We Collect from Business Users

A2.1 Account and Identity Data

When you register for an EdisonOS account or book a demo, we collect:

  • Full name and job title
  • Business email address
  • Orgnaization name and type (tutoring company, CBO, schools)
  • Phone number (optional, if provided)
  • Password (hashed; never stored in plaintext)

A2.2 Billing and Payment Data

EdisonOS uses Stripe, Inc. as its payment processor. When you enter payment details:

  • Your card number, CVV, and expiry date are transmitted directly to Stripe and are never stored on EdisonOS servers.
  • We store only a Stripe customer token, the last four digits of your card, card brand, and billing address for invoice and subscription management.
  • All payment processing is governed by Stripe's Privacy Policy (stripe.com/privacy) and Stripe's Terms of Service.

A2.3 Usage and Engagement Data

When you use the EdisonOS platform, we automatically collect:

  • Log data: IP address, browser type, operating system, referring URL, pages visited, session duration
  • Feature usage patterns (e.g., which tools are used, tests assigned, reports generated)

A2.4 Communications Data

  • Support: messages you send to support@edisonos.com or through the in-app help center
  • Marketing: email address for product updates and newsletters, if you opt in
  • Feedback and survey responses, if voluntarily provided

This data is used to operate the platform, diagnose issues, and improve functionality.

A2.5 Cookies and Tracking Technologies

EdisonOS uses the following types of cookies:

  • Essential cookies: Required for authentication, session management, and platform security. Cannot be disabled.
  • Analytics cookies: Used to understand how users navigate the platform (e.g., page views, feature usage). Anonymised where possible.
  • Preference cookies: Store your settings and preferences across sessions.

We do not use advertising cookies or sell data to ad networks. You can manage non-essential cookies through your browser settings. Note that disabling essential cookies will prevent you from logging in.

Section A3 – How We Use Business User Data

  • To authenticate your account, manage your subscription, assign tests, generate reports, and deliver all platform features – Providing the service
  • To charge your subscription, issue invoices, manage billing cycles, and handle refunds - via Stripe – Processing payments
  • To respond to support requests, diagnose technical issues, and resolve billing queries – Customer support
  • ‍To analyze aggregated, anonymized usage patterns to improve platform features and user experience – Product improvement
  • To send transactional emails (account confirmation, password reset, billing receipts) and, where you have opted in, product updates and newsletters – Communications
  • To detect, investigate, and prevent unauthorized access, abuse, or fraudulent activity – Security and fraud prevention
  • To meet our obligations under applicable law, including tax law, financial regulations, and court orders – Legal compliance

Section A4 – Payment Processing and Stripe

EdisonOS integrates Stripe to process all subscription payments. By purchasing an EdisonOS subscription, you acknowledge that:

  • Payment data (card details) is processed directly by Stripe, Inc., and is subject to Stripe's Privacy Policy and PCI-DSS compliance standards.
  • Stripe may collect additional data about your device and transaction as part of its fraud-prevention services.
  • EdisonOS does not have access to your full card details at any point.
  • Stripe's use of your personal data is described at stripe.com/in/privacy

Your Stripe data is not used for any advertising or marketing purpose by EdisonOS.

Section A5 – Subscription, Cancellation, and Refund Policy

A5.1 Subscription terms

EdisonOS subscriptions are billed monthly or annually as selected at checkout. Subscriptions renew automatically at the end of each billing period unless cancelled.EdisonOS integrates Stripe to process all subscription payments. By purchasing an EdisonOS subscription, you acknowledge that:

A5.2 Cancellation

You may cancel your subscription at any time by contacting support@edisonos.com or through your account settings. Cancellation takes effect at the end of the current billing period. You will retain access to the platform until that date.EdisonOS integrates Stripe to process all subscription payments. By purchasing an EdisonOS subscription, you acknowledge that:

A5.3 Refunds

Annual subscriptions: Refund requests submitted within 14 days of the initial purchase will be honoured in full. Requests after 14 days are handled on a case-by-case basis.

Monthly subscriptions: No refunds are issued for the current billing period upon cancellation. Access continues until the period ends.

To request a refund, email support@edisonos.com with your account email and reason.

A5.4 Data after cancellation

Upon cancellation, your account data and student data are retained for 60 days to allow export, after which they are securely deleted. See Part B, Section 8 for student data retention details.

Section A6 – Data Sharing and Third Parties

We do not sell your personal data. We share business user data only in the following circumstances:

  • Stripe (payment processing) - as described in Section A4
  • Cloud infrastructure providers (AWS, Railway, Vercel) - to host and operate the platform; all are contractually bound to process data only on our instructions
  • Support tools (Sentry, SendGrid) - to monitor platform health and deliver transactional emails
  • TeachEdison Solutions Pvt Ltd - our affiliated engineering team in India, operating under a DPA with equivalent protections
  • Legal authorities - when required by law, court order, or to protect the safety of users or the public
  • Business transfer - in the event of a merger, acquisition, or sale of assets, with advance notice to affected users

All third-party sub-processors are bound by contracts that prohibit them from using your data for any purpose other than providing services to EdisonOS.

Section A7 – Data Retention

Data Type
Retention Period
Deletion Method
Business user account data
Duration of active subscription; deleted 60 days after account closure on request
Secure deletion from all systems
Payment & billing records
7 years (legal / tax requirement)
Retained by Stripe; internal records purged after legal hold period
Usage logs & analytics
Rolling 12 months; aggregated and anonymised thereafter
Automated deletion / anonymisation
Support correspondence
3 years from last interaction
Secure deletion
Marketing opt-in records
Until opt-out + 12 months
Secure deletion on request

You may request deletion of your account data at any time by emailing privacy@edisonos.com. Requests will be fulfilled within 30 calendar days, subject to legal retention requirements.

Section A8 – Your Privacy Rights

A8.1 Rights for all users

Regardless of where you are located, you have the right to:

  • Access a copy of the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion of your account data (subject to legal retention obligations)
  • Opt out of marketing communications at any time using the unsubscribe link in any email

A8.2 CCPA (California residents)

California residents may request disclosure of personal information collected, sold, or disclosed for a business purpose. We do not sell personal information. To exercise your rights under CCPA, email privacy@edisonos.com.

Section A9 – International Data Transfers

Kalvi Software, Inc. is based in the United States. Our platform infrastructure (Railway, Vercel, AWS, Sentry) is operated in the US. If you are accessing EdisonOS from outside the United States, your data will be transferred to and processed in the United States.

Data processed by TeachEdison Solutions Pvt Ltd, in India is subject to a Data Processing Agreement with Kalvi Software, Inc. that provides equivalent protections and ensures compliance with US federal and applicable state privacy laws.

Section A10 – Security

EdisonOS implements industry-standard technical and organizational security measures to protect business user data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • HTTPS enforced across all web properties
  • Role-based access control (RBAC) limiting internal access to authorized personnel
  • Multi-factor authentication available for all accounts
  • PCI-DSS compliant payment processing via Stripe
  • Regular security reviews and penetration testing

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact security@edisonos.com immediately.

Section A11 – Contact

For any privacy-related questions, data access or deletion requests, or to exercise your rights:

  • Email: privacy@edisonos.com
  • Security incidents: security@edisonos.com
  • Mailing address: 131 Continental Dr, Suite 305, Newark, DE 19713, United States

We acknowledge all inquiries within 48 hours and provide a substantive response within 7 business days.

Section A12 – Governing Law (Part A)

This Part A is governed by the laws of the State of Delaware, without regard to conflict of law principles. Any disputes arising under this Part A shall be subject to the exclusive jurisdiction of the state and federal courts located in New Castle County, Delaware, and both parties consent to personal jurisdiction in such courts.

Part B - Student Privacy Policy

This Part B is issued by EdisonOS, a product of Kalvi Software, Inc., a registered C-Corp in Delaware, USA. EdisonOS is an assessment software serving schools & districts, tutoring companies, and community-based organizations (CBOs) to run, scale, and deliver high-quality test prep programs.

This Policy governs how EdisonOS collects, uses, stores, discloses, and disposes Student Personally Identifiable Information ("Student PII") when providing services to Schools and their students. EdisonOS is committed to the responsible stewardship of student data and to full compliance with applicable federal and state student privacy laws.

When EdisonOS enters into a contract with a School, it operates as a "School Official" with a "legitimate educational interest" as defined under the Family Educational Rights and Privacy Act (FERPA). In this capacity, EdisonOS acts under the direct control of the School with respect to all Student PII and may not use such data for any purpose beyond those specified in the executed agreement.

Legal Entity Clarification

Data Controller & Contracting Entity:

Kalvi Software, Inc. (Delaware C-Corp), the entity that enters into service agreements and Data Privacy Agreements with Schools and is legally responsible for Student PII under FERPA and applicable state law.

Authorized Sub-Processor:

TeachEdison Solutions Pvt Ltd, incorporated in India, provides platform engineering and technical support under a DPA with Kalvi Software, Inc. and is contractually required to comply with FERPA, COPPA, and applicable U.S. state student privacy laws. TeachEdison Solutions Pvt Ltd, does not control Student PII and may not use it for any purpose beyond supporting EdisonOS platform operations.

Section B1 – Definitions

Student PII / Student Data – Personally identifiable information from the education records of a student, as defined under FERPA and applicable state law.

Education Records – Records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational agency or institution, or by a party acting for or on its behalf.

FERPA – The Family Educational Rights and Privacy Act, and implementing regulations at 34 CFR Part 99.

COPPA – The Children's Online Privacy Protection Act, and implementing regulations at 16 CFR Part 312.

School / Educational Agency / LEA – Any school, school district, charter school, tutoring organization, or Local Education Agency that has entered into a service agreement with EdisonOS.

Parent – A parent, legal guardian, or person in parental relation to a student. Rights transfer to the student upon reaching age 18 or attending a postsecondary institution ("Eligible Student").

Breach – Any unauthorized acquisition, access, use, or disclosure of Student PII not authorized by law, this Policy, or the applicable service agreement.

De-identified Data Data from which all direct and indirect personally identifiable elements have been permanently removed so the information cannot reasonably be linked to a specific individual.

Section B2 – Scope and Applicability

This Policy applies to:

  • All Student PII received by EdisonOS from Schools or entered by students, educators, or administrators in connection with EdisonOS services
  • All EdisonOS employees, contractors, subcontractors, agents, and service providers who access or process Student PII
  • All products, modules, integrations, and services operated under the EdisonOS brand, including the digital SAT/ACT/AP/SHSAT/ISEE test-preparation platform, adaptive assessments, analytics dashboards, and teaching/tutoring management tools

This Policy applies to all Schools, including public school districts, charter school networks, private schools, and tutoring organizations, that use EdisonOS services with students under the age of 18 or that share Student PII with EdisonOS.

Section B3 – Student Data We Collect

B3.1 Categories of Data Collected

EdisonOS collects only the minimum data necessary to provide its educational services.

  • Account / Identity Data – First name, last name, email address, username, school/organization affiliation. Purpose: Authentication; class roster management
  • Academic Performance Data – Practice test scores, question responses, skill gap analysis, progress metrics. Purpose: Adaptive learning; tutor/teacher analytics; reporting
  • Usage & Engagement Data – Login timestamps, session duration, features used, device type, browser type, IP address. Purpose: Platform improvement; support; aggregate analytics
  • Parental Contact Data (students under 13) – Parent or guardian email address. Purpose: COPPA compliance; parental consent workflows
  • Roster / Enrollment Data – Student ID, grade, assigned teacher, enrolled classes (provided via Clever, ClassLink, or import). Purpose: Class management; report delivery to educators
  • Derived Analytics Data – Configured performance metrics, progress indicators, and skill-level breakdowns as agreed upon during implementation. Purpose: Progress monitoring; educator reporting; analytics dashboards

B3.2 Data EdisonOS Does NOT Collect

EdisonOS expressly does not collect or request:

  • Social Security Numbers or government-issued ID numbers
  • Student physical addresses or telephone numbers (unless voluntarily provided for support purposes)
  • Biometric information of any kind (fingerprints, facial recognition data, voiceprints)
  • Medical, health, or disability records
  • Juvenile delinquency or criminal records
  • Financial account information or family income data
  • Student geolocation beyond city/region level derived from IP address

Section B4 – Permitted Use of Student Data

EdisonOS uses Student PII exclusively for the following authorized purposes:

  • Providing and supporting the platform – authentication, class rostering, assignment delivery, test administration, and analytics reporting
  • Personalizing learning – delivering adaptive question sets and skill-gap diagnostics tailored to each student's performance
  • Reporting to authorized school staff – sharing performance dashboards and progress reports with assigned teachers/tutors, and school administrators
  • Responding to support requests – using account data to diagnose and resolve technical issues reported by students, parents, or school staff
  • Legal and regulatory compliance – maintaining records as required by FERPA, COPPA, applicable state law, and executed service agreements
  • Aggregate, de-identified product improvement – analyzing anonymized usage trends to improve platform features; no individual student is identifiable in such analysis

B4.1 Prohibited Uses

EdisonOS will NEVER use Student PII for any of the following:

  • Targeted or behavioral advertising directed at students, parents, or any third parties
  • Sale, rental, lease, or exchange of Student PII to any third party for commercial purposes
  • Building individual or aggregated student profiles for non-educational purposes
  • Sharing Student PII with any third party not authorized in writing by the School
  • Using Student PII to develop or market products or services beyond the scope of the service agreement
  • Collecting, using, or disclosing Student PII for any commercial, marketing, or advertising purpose

Section B5 – Data Sharing and Disclosure

B5.1 Authorized Disclosures

EdisonOS may disclose Student PII only to the following categories of authorized recipients:

  • School administrators, teachers, and designated staff as needed to deliver contracted services
  • Authorized subcontractors and service providers solely to support EdisonOS platform operations (see Section B5.2)
  • The School and its designated Data Protection Officer upon request, for audit, oversight, or compliance purposes
  • Legal or regulatory authorities when required by applicable law, court order, or legal process, with prior written notice to the School to the extent permitted by law

B5.2 Sub-Processors

EdisonOS engages a limited number of Sub-Processors to operate the Platform. Each Sub-Processor is bound by contractual obligations that provide the same level of data protection as this Policy.

Category
Provider
Purpose
Cloud Infrastructure
Railway
Application hosting for backend API, background task processing, and Redis caching
Frontend Hosting
Vercel
Static frontend application hosting and CDN delivery
Database
PlanetScale
Secure file and asset storage
File Storage
Amazon Web Services (S3)
Secure deletion
Email Delivery
SendGrid (Twilio)
Transactional email delivery (enrollment, password reset, OTP)
Error Monitoring
Sentry
Application error tracking and performance monitoring (PII sending disabled)
Authentication
Google OAuth / Clever
Optional single sign-on, only when enabled by the School
Affiliated Engineering & Support
TeachEdison Solutions Pvt Ltd
Platform development and technical support; authorized personnel may access application systems and Student Data solely for these purposes. Bound by a Data Processing Agreement with Kalvi Software, Inc.; contractually required to comply with FERPA, COPPA, and applicable U.S. state student privacy laws.
Individual Tutors
$999
One-Time setup fee
$500
Talk To Us
Assessment Attempts
200
Platform Validity
120 Days
Cost Per Test Attempt
$4.99
Number of Admins
1
Growing Academies
$1999
One-Time setup fee
$500
Talk To Us
Assessment Attempts
500
Platform Validity
180 Days
Cost Per Test Attempt
$3.99
Number of Admins
2
Large Institutes
$4999
One-Time setup fee
$500
Talk To Us
Assessment Attempts
1500
Platform Validity
365 Days
Cost Per Test Attempt
$2.99
Number of Admins
3

B5.3 Conditions for Data Sharing

Student Data is shared with Sub-Processors only when:

  • The sharing is necessary to operate the Platform and provide the educational service
  • The Sub-Processor is bound by a data processing agreement with equivalent privacy protections
  • The Sub-Processor is prohibited from using the data for any purpose other than providing its service to EdisonOS
  • The School is notified of material changes to our Sub-Processor list

Section B6 – Data Security Standards

EdisonOS aligns its information security program with the NIST Cybersecurity Framework (Version 2.0) and maintains the following safeguards:

B6.1 Technical Safeguards

  • Encryption: Encryption in transit (TLS 1.2+) and at rest (AES-256) for all Student Data
  • Authentication: Secure session management with HTTP-only, Secure, SameSite cookies; bcrypt password hashing with salt; optional SSO integration
  • Access Control: Role-based access control (RBAC) with over 40 granular permissions ensuring users can only access data appropriate to their role
  • Input Validation: Comprehensive server-side validation on all API inputs to prevent injection attacks
  • Session Security: Time-limited sessions (configurable, default 7 days) with IP and User-Agent tracking for anomaly detection
  • OTP Security: Cryptographically secure one-time passwords with rate limiting (3 attempts), short expiry (10 minutes), and secure Redis-backed storage
  • Multi-Tenant Isolation: Strict data isolation between Schools through academy-level scoping on all database queries
  • File Security: Strict file type allowlist, 5 MB size limits, SHA-256 integrity verification, and authenticated access via signed URLs
  • Soft Delete Architecture: All data deletions are audited with user attribution and timestamps before permanent removal
  • Error Handling: PII transmission disabled in error monitoring (Sentry send_default_pii=False)

Section B7 – Parental Rights and Student Rights

EdisonOS is committed to supporting Schools in upholding all parental and student rights under FERPA, COPPA, and applicable state law. The School serves as the primary point of contact for parents and students exercising these rights. EdisonOS will fully cooperate with and assist Schools in fulfilling all such requests in a timely manner.

B7.1 Right to Inspect and Review

Parents (or Eligible Students age 18 and over) have the right to inspect and review their child's education records held by EdisonOS. Requests should be directed to the School, which will facilitate access in accordance with its procedures. EdisonOS will provide the School with access to all relevant Student PII within a reasonable time, not to exceed 30 calendar days of a properly submitted request.

B7.2 Right to Correct Inaccurate Data

Parents and Eligible Students may request correction of inaccurate or misleading data in the student's records. Requests should be submitted to the School. EdisonOS will cooperate to make corrections within 30 calendar days of the School's notification.

B7.3 Right to Request Deletion

Upon written request from a School, EdisonOS will delete specified Student PII within 30 calendar days, unless retention is required by law or would prevent the student from receiving contracted services. Deletion requests from parents should be directed to the School, which will determine eligibility and instruct EdisonOS accordingly.

B7.4 COPPA Protections for Students Under 13

EdisonOS does not knowingly collect personal information from students under age 13 without verifiable parental consent. When a School creates accounts for students under 13, EdisonOS relies on the School's certification that it has obtained appropriate parental consent in accordance with COPPA and applicable state law.

For students under 13 who attempt to register independently, EdisonOS will collect the parent or guardian's email address, deliver a COPPA-compliant notice, and will not activate the account until required consent is confirmed.

Section B8 – Data Retention and Deletion

EdisonOS retains Student PII only for as long as necessary to fulfill the purposes for which it was collected, to comply with applicable legal obligations, or as directed by the School.

  • Active student account data (PII) – Duration of active service agreement; deleted within 60 days of contract termination unless otherwise instructed
  • Performance and assessment records – Duration of contract; available for School export on request; deleted within 60 days of contract end
  • Usage logs and technical data – Rolling 12-month window; aggregated and de-identified thereafter in accordance with FERPA's de-identification standard (34 CFR § 99.3). De-identified data is retained solely for aggregate platform improvement and cannot be re-linked to any individual student.
  • Backup copies – Overwritten within 90 days of deletion of live data. During this window, backup copies are logically isolated and inaccessible for any operational use.
  • Data required by applicable law – Retained for the legally mandated period; the School will be notified

Upon expiration or termination of a service agreement, EdisonOS will: (a) provide the School with a complete export of Student PII in a mutually agreed format; (b) securely delete all remaining copies of Student PII within 60 calendar days; and (c) provide written certification of deletion to the School upon request.

Section B9 – Breach Notification and Incident Response

B9.1 Incident Response Program

EdisonOS maintains a written Incident Response Plan covering detection, containment, eradication, recovery, and notification for security incidents involving Student PII. The plan is reviewed and tested at least annually.

B9.2 Notification to Schools

In the event of a confirmed or reasonably suspected breach or unauthorized release of Student PII, EdisonOS will notify the School's designated contact:

  • Within 48 hours of initial discovery via verbal or preliminary written notice
  • Within 7 calendar days with a formal written incident report including: the nature of the breach; categories and approximate number of records affected; likely cause; immediate remediation steps taken; and EdisonOS's incident response contact

EdisonOS will cooperate fully with the School's investigation and provide complete transparency regarding the incident and all remediation steps.

B9.3 Parent and Regulatory Notification

EdisonOS acknowledges that the School is responsible for notifying affected parents, Eligible Students, and applicable state regulatory authorities in accordance with law. EdisonOS will provide the School with all information necessary to fulfill such notifications within required timeframes and will cover reasonable notification costs where the breach is attributable to EdisonOS's actions or omissions.

B9.4 Remediation and Post-Incident Report

Following a breach, EdisonOS will immediately contain and remediate the incident, including patching vulnerabilities, rotating credentials, and implementing additional security controls as appropriate. A final written post-incident report including root cause analysis and permanent remediation measures will be provided to the School within 30 calendar days of the breach's discovery.

Section B10 – Regulatory Compliance

EdisonOS is committed to complying with all applicable federal and state student privacy laws, including:

  • FERPA – Protect education records; operate as School Official under LEA control; honor parental access rights
  • COPPA – Parental consent for children under 13; data minimization; deletion on request
  • NIST CSF – Industry-standard cybersecurity framework for safeguarding student data
  • NY Education Law §2-d – Parents' Bill of Rights; third-party contractor requirements; breach notification
  • IL SOPPA – No targeted advertising; no student profiling; data deletion on School request
  • CA SOPIPA – No targeted advertising; no sale of student information
  • TX Education Code – Safe technology use; no excessive data collection on student devices

EdisonOS recognizes that more than 40 states have enacted student privacy laws imposing additional obligations on edtech vendors, and commits to complying with all applicable state-specific requirements in the jurisdictions it serves.
Upon request, EdisonOS will execute a state-specific or district-specific Data Privacy Agreement (DPA) to confirm compliance with local requirements.

Section B11 – Data Sharing Agreements

EdisonOS is prepared to enter into a formal Data Sharing Agreement (DSA) or Data Privacy Agreement (DPA) with any School that requires one. Such agreements will specify at minimum:

  • The exclusive purposes for which Student PII will be used by EdisonOS
  • The categories of Student PII to be shared
  • Data security safeguards in place
  • Duration of data retention and procedures for return or destruction upon contract termination
  • Breach notification timelines and procedures
  • Subcontractor management obligations

To request a Data Sharing Agreement, contact EdisonOS at privacy@edisonos.com. EdisonOS will acknowledge the request within 2 business days and provide a draft agreement within 10 business days

Section B12 – AI and Automated Processing

EdisonOS uses automated processing to generate analytics, performance classifications, and progress insights from Student Data. Specific metrics, categories, and thresholds are configured in agreement with the School/CBO/Tutoring company during implementation and are used solely to support educators and school administrators in identifying students who may need additional attention. These classifications are not used for any non-educational purpose, not shared with third parties outside the scope of the service agreement, and not used to make automated decisions that have legal or significant effects on students without human review.

EdisonOS does not use Student Data to train general-purpose artificial intelligence or machine learning models. Any AI-assisted tools within the platform operate on anonymized or non-student-PII data only and are not trained on individual student performance records.

Section B13 – Staff Training and Accountability

All EdisonOS employees and contractors with access to Student PII are required to:

  • Complete data privacy and security training before receiving access to Student PII
  • Complete annual refresher training covering applicable federal and state laws, EdisonOS policies, and current security practices
  • Acknowledge their personal responsibility to protect Student PII in writing
  • Be subject to disciplinary action, up to and including termination, for any unauthorized use or disclosure of Student PII

EdisonOS will provide written confirmation of employee training compliance to any School upon request.

Section B14 – Policy Review and Updates

EdisonOS reviews this Policy at least annually and updates it as needed to reflect changes in law, regulation, technology, or business practices. When material changes are made:

  • Schools under active service agreements will receive at least 30 days' advance written notice of material changes
  • The updated Policy will be published on the EdisonOS website with a revised effective date
  • Changes that would reduce student privacy protections below those in an existing Data Sharing Agreement will not take effect without the School's prior written consent

Section B15 – Governing Law (Part B)

This Part B is governed by the laws of the State of Delaware, without regard to conflict of law principles. Any disputes arising under this Part B between EdisonOS and a School shall be subject to the exclusive jurisdiction of the state and federal courts located in New Castle County, Delaware, unless a separately executed Data Sharing Agreement specifies a different jurisdiction to accommodate state-specific legal requirements. Nothing in this section limits a School's rights under applicable federal or state student privacy laws.

Section B16 – Contact and Complaint Procedures

Schools & Districts, Tutoring businesses, Parents, and Students who have questions about this Policy or wish to exercise their privacy rights may contact EdisonOS:

  • Privacy Inquiries: privacy@edisonos.com
  • Security Incidents: security@edisonos.com
  • Mailing Address: 131 Continental Dr, Suite 305, Newark, DE 19713, United States

Response Commitment: EdisonOS acknowledges all privacy inquiries within 48 hours and provides a substantive response within 7 business days.