Effective Date: 05/12/2026
WhitAI.app ("WhitAI", "we", "our", or "us") is a product of School Synergy Corporation (S-Corporation). We are committed to protecting student, educator, and school data. This Privacy Policy explains what information we collect, how we use it, how we protect it, and the choices and rights available to you.
If you are a school or district evaluating WhitAI for use with students, you may also request our Data Privacy Agreement (DPA) at ccuny@whitai.app.
- WhitAI.app is used by schools for learning, writing practice, and feedback.
- We collect only the information needed to provide the service.
- We do not sell student data. We do not show ads to students. We do not build advertising profiles.
- Student work belongs to students and their school — not to us.
- We use AI (from OpenAI, Anthropic, and Google) to generate educational feedback. No student names, emails, or other identifying information are ever sent to these AI providers — only anonymous aliases. Student work is not used to train any of these companies' AI models.
- A teacher or school administrator can always review, override, or remove AI-generated feedback.
- Parents, guardians, and schools can request to access, correct, export, or delete data at any time by emailing ccuny@whitai.app.
- We host all data in the United States and serve only U.S. schools at this time.
- Definitions
- Information We Collect
- How We Use Information
- AI and Automated Processing
- Data Sharing and Sub-Processors
- Student Privacy Compliance
- Student-Created Content
- Children's Privacy (Under 13)
- Data Retention, Deletion, and De-Identification
- Security and Incident Response
- Cookies and Analytics
- State-Specific U.S. Privacy Rights
- User and Parent Rights and Requests
- Changes to This Policy
- Contact
1. Definitions
- "Student Data" means information that is directly related to a student and is provided by a school or district, or collected through student use of WhitAI (including student submissions and AI chat messages).
- "Education Records" refers to records protected under the Family Educational Rights and Privacy Act (FERPA).
- "Personal Information" includes information that identifies, or can reasonably be linked to, an individual (for example: name, email address, school-issued ID).
- "Student-Created Content" means written essays, short-answer responses, chat transcripts, debate exchanges, and other text or files generated by a student during their use of WhitAI.
- "De-Identified Data" means data that has been stripped of identifiers such that it cannot reasonably be used to identify an individual student.
- "School / District" means the educational agency (e.g., LEA) that licenses or authorizes use of WhitAI.
- "Sub-Processor" means a third-party service provider engaged by WhitAI to process data on its behalf.
2. Information We Collect
We collect the minimum information necessary to provide educational services.
A. Student Information
- First name, display name, or username (as provided by the school)
- School-issued email address or school-managed sign-in identifier (e.g., Google Workspace for Education)
- Class roster, period, and teacher assignment (as provided by the school)
- Student submissions (essays, short answers, chat messages, debate responses, exit-ticket answers)
- Usage and device data (feature usage, timestamps, basic diagnostics)
B. Teacher and Administrator Information
- Name and school-issued email address
- School and district affiliation
- Class rosters, assignments, rubrics, and instructional materials uploaded or created in the platform
- Usage logs and interactions with platform tools
C. Support and Communications
- Information you provide when contacting support (messages, attachments, screenshots)
- Operational communications (service notices, security notices, product updates)
- Home addresses or precise geolocation
- Biometric identifiers
- Social Security Numbers or government ID numbers
- Payment card data from students
- Sensitive demographic information beyond what schools voluntarily provide
Please do not submit sensitive personal information through free-form student text fields unless your school explicitly directs you to do so for educational purposes.
3. How We Use Information
We use information to operate, maintain, and improve WhitAI for educational purposes, including to:
- Provide learning activities and AI-assisted educational feedback
- Display student work and results to the student and authorized educators
- Generate class-level and school-level insights for instructional improvement
- Provide customer support, troubleshoot, and maintain platform security and reliability
- Communicate service notices, security alerts, and product updates to educators and administrators
- Comply with legal obligations and enforce our Terms of Service
We do not use Student Data for advertising. We do not sell or rent Student Data. We do not build profiles of students for any purpose other than providing the service to their school.
4. AI and Automated Processing
WhitAI uses artificial intelligence to generate educational feedback, writing coaching, debate responses, formative-assessment analysis, and instructional insights.
A. AI Providers We Use
We send specific student inputs to the following AI providers via their paid API services:
- OpenAI (including the OpenAI Responses API)
- Anthropic (Claude)
- Google (Gemini)
B. What Is Sent to AI Providers
- Student-submitted text (essays, short answers, chat messages, debate exchanges)
- Teacher-provided instructions, prompts, rubrics, and exemplar materials needed to generate feedback
- Limited contextual metadata (grade band, assignment type, subject area) when needed to tailor feedback
Student names, school-issued email addresses, school IDs, school names, class identifiers, and any other directly identifying information are never included in requests to OpenAI, Anthropic, or Google. Where a request needs to reference a student (for example, in a chat session), WhitAI substitutes a non-identifying alias before the request leaves our systems.
C. AI Training
WhitAI does not authorize these providers to use Student Data for any purpose other than generating the requested response on our behalf.
D. How We Use AI Outputs
- AI outputs are generated automatically to support instruction; they are not a substitute for teacher judgment.
- Educators may review, edit, accept, override, or disregard AI-generated feedback and grades.
- Student-facing AI tools (such as the Elaboration Tutor and Debatotron) are scoped to the educational task assigned by the teacher.
- We apply automated safety filters and monitoring to reduce the likelihood of unsafe, inappropriate, or off-task content.
E. WhitAI Does Not Train Its Own Models on Student Data
WhitAI does not train, fine-tune, or otherwise use Student Data to build proprietary AI models.
5. Data Sharing and Sub-Processors
We do not sell or rent Personal Information or Student Data. We share data only as described below.
- With the School or District: Student work, feedback, scores, and analytics are accessible to the student's authorized teachers and school/district administrators as part of the educational service.
- With Sub-Processors: Vetted service providers that host, secure, and operate the platform (listed below). All sub-processors are contractually obligated to protect Student Data and may process data only to provide services to WhitAI.
- Legal Requirements: If required by law (subpoena, court order, regulatory request). When permitted, we will attempt to notify the affected School or District before disclosure.
- Safety and Security: To protect users, the public, and the integrity of the platform (for example, investigating abuse, threats, or security incidents).
- Business Transfers: In the event of a merger, acquisition, or sale of assets, Student Data will continue to be protected under privacy commitments materially equivalent to those in this Policy. Schools and districts will be notified before any change in ownership materially affects their data.
Google Classroom Integration (Optional, Teacher-Enabled)
When a teacher explicitly connects Google Classroom, WhitAI uses Google Workspace APIs to support classroom workflows.
The use of information received from Google Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.
- Data accessed: teacher course lists, classroom rosters (including student names/emails in mapped classes), and teacher-initiated coursework posting metadata for supported assignment types.
- Purpose: course import, class mapping, roster synchronization, and posting WHIT assignments to a teacher-selected Google Classroom course.
- Storage: OAuth credentials required for this integration are stored encrypted at rest, and course/roster mapping metadata is stored in WhitAI infrastructure.
- Control: teachers can disconnect Google Classroom at any time from the Google Classroom sync interface, which stops future sync and posting actions until reconnected.
- Limits: Google Classroom data is not sold, not used for advertising, and not used for unrelated purposes outside user-facing educational features in WhitAI.
Current Sub-Processors
| Sub-Processor | Purpose | Data Categories Processed | Location |
|---|---|---|---|
| OpenAI | AI processing for feedback, tutoring, and analysis (Responses API) | Student/teacher text inputs (without identifiers); limited context metadata | United States |
| Anthropic | AI processing for feedback and analysis (Claude API) | Student/teacher text inputs (without identifiers); limited context metadata | United States |
| Google (Gemini) | AI processing for feedback and analysis | Student/teacher text inputs (without identifiers); limited context metadata | United States |
| Render | Primary application hosting and infrastructure | All account data, submissions, usage logs as stored by WhitAI | United States |
| Amazon Web Services (S3) | Media file storage (e.g., uploaded documents and images) | Files uploaded by students and teachers | United States |
| Upstash | Redis-based caching and session/queue infrastructure | Short-lived session and cache data | United States |
| Google Workspace APIs (optional, when enabled by a school) | Google Sign-In and optional Google Classroom course/roster sync and coursework posting | Google account metadata, course/roster data, and coursework metadata explicitly authorized by the teacher/school through Google permissions | United States |
The exact list of sub-processors may evolve as we improve the platform. We will maintain this section and update it when material changes occur. Schools and districts may request advance notice of new sub-processors in their DPA.
6. Student Privacy Compliance (FERPA, COPPA, SOPIPA, AB 1584)
A. FERPA: School Official Designation
WhitAI acts as a "school official" under the Family Educational Rights and Privacy Act (FERPA) when providing services to schools and districts. We perform institutional services and functions for which schools would otherwise use their own employees, and we use Student Data solely for authorized educational purposes, under the direct control of the School or District and consistent with applicable agreements.
B. COPPA: Children Under 13
For students under 13, schools may provide consent on behalf of parents and guardians where permitted by law and consistent with the Children's Online Privacy Protection Act (COPPA) — specifically, when WhitAI is used solely for educational purposes within the school context and not for commercial marketing. See Section 8 for our full Children's Privacy practices.
C. California SOPIPA (Student Online Personal Information Protection Act)
In compliance with SOPIPA, WhitAI does not:
- Engage in targeted advertising to students
- Create advertising profiles about students
- Sell student personal information
- Disclose student information except as permitted for educational purposes, legal compliance, or to protect safety and security
- Use Student Data for any purpose unrelated to K–12 school purposes
D. California AB 1584: Student Data Ownership and Control
All Student Data and Education Records remain the property of the student and/or the School or District. WhitAI does not claim ownership over student submissions, education records, or related content. Upon request by a School or District, and consistent with applicable agreements and law, WhitAI will:
- Return or export Student Data in a reasonable and usable format
- Delete Student Data when it is no longer needed for educational purposes, subject to legal retention requirements
- Maintain Student Data confidentiality and security
E. Other State Student-Privacy Laws
WhitAI is designed to support compliance with comparable state student-privacy laws, including (but not limited to) New York Education Law §2-d, Texas SB 820, Colorado HB 16-1423, Connecticut Public Act 16-189, and Illinois SOPPA. Schools and districts in these states may request a state-specific addendum to our DPA.
7. Student-Created Content
Essays, short-answer responses, chat transcripts, debate exchanges, and other text or files generated by a student during their use of WhitAI ("Student-Created Content") are FERPA Education Records and are treated as such.
- Student-Created Content is visible only to the student, the student's authorized teachers, and authorized school/district administrators.
- Student-Created Content is not sold, rented, used for advertising, or shared with third parties for commercial purposes.
- Student-Created Content is not used to train any AI model — neither WhitAI's systems nor the underlying AI providers'. When Student-Created Content is processed by an AI provider to generate feedback, it is sent without any identifying information attached.
- A school, district, parent, or eligible student may request export or deletion of Student-Created Content at any time, subject to verification and applicable law.
- When de-identified and aggregated such that individual students cannot reasonably be re-identified, content excerpts may be used internally to evaluate and improve our service. We do not attempt to re-identify de-identified data.
8. Children's Privacy (Under 13)
WhitAI is designed for use within a school setting, where the school directs the educational use of the service and provides COPPA-compliant consent on behalf of parents and guardians for students under 13. This is consistent with FTC guidance on COPPA in the school context.
For students under 13:
- We collect only what is necessary to provide the educational service requested by the school.
- We do not show ads, build marketing profiles, or send marketing communications to students.
- Parents and guardians retain the right to review their child's Personal Information, request corrections, and request deletion. Requests should be directed to the school first; if the school is unable to assist, parents may contact us directly at ccuny@whitai.app and we will work with the school to fulfill the request.
- If we learn we have collected Personal Information from a child under 13 outside of a school-authorized context, we will take prompt steps to delete that information.
9. Data Retention, Deletion, and De-Identification
We retain data only as long as necessary to provide the service, meet contractual obligations with schools and districts, and comply with legal requirements.
- Active Account Data: Retained while the student or teacher account is active and the school continues to license WhitAI.
- Account Termination Default: When a school account is terminated, associated Student Data will be deleted or de-identified within 60 days, unless the School or District requests a different retention or export window in writing.
- School/District Requests: Schools and districts may request export or deletion of Student Data at any time by contacting ccuny@whitai.app. We will fulfill verified deletion requests within 30 days of receipt.
- Backup Retention: Data may persist in routine encrypted backups for up to an additional 30 days after deletion from active systems, after which it is purged through standard backup rotation.
- De-Identified and Aggregated Data: We may create and use de-identified and aggregated data to improve educational features, reliability, and reporting. We do not attempt to re-identify de-identified data, and we do not allow recipients of de-identified data to do so.
10. Security and Incident Response
A. Safeguards
We use administrative, technical, and physical safeguards designed to protect information, including:
- Encryption in transit (TLS 1.2+) and at rest where appropriate
- Role-based access controls and least-privilege access for our personnel
- Multi-factor authentication for administrative systems
- Monitoring, logging, and alerting to help detect and prevent abuse
- Secure development practices, dependency review, and routine security updates
- Periodic review of sub-processor security posture
No method of transmission or storage is 100% secure. If you believe an account has been compromised, please contact us promptly at ccuny@whitai.app.
B. Incident Response
If we determine that a security incident has resulted in unauthorized access to Student Data or other Personal Information, we will:
- Notify affected School and District administrators without undue delay, and in any case within 72 hours of confirming a reportable incident, by email and (where appropriate) in-product notification.
- Provide available information about the nature and scope of the incident, the data involved, the remediation steps taken, and recommended actions for affected individuals.
- Cooperate with the School or District in fulfilling any further notification obligations they may have under applicable law (e.g., state breach-notification statutes, FERPA, or local district policy).
- Document the incident and post-incident review for our own records and for audit by Schools or Districts upon request.
11. Cookies and Analytics
WhitAI uses cookies and similar technologies for the following purposes:
- Strictly Necessary: Authentication, session management, security, load balancing, and CSRF protection. These cookies are required for the service to function.
- Functional: Remembering preferences (e.g., view settings) so the experience persists across sessions.
- Basic Analytics: Aggregate, privacy-respecting analytics to understand feature usage and improve reliability. We do not use analytics cookies for cross-site tracking.
We do not use cookies for targeted advertising. We do not use cookies to track students across other websites or services.
You may manage or block cookies through your browser settings. Strictly necessary cookies cannot be disabled without breaking core functionality (such as the ability to log in).
12. State-Specific U.S. Privacy Rights
WhitAI currently serves users in the United States only. Depending on your state of residence, you may have additional rights under your state's privacy law. These rights apply to teachers, administrators, and adult users; for student records, requests should generally be made through the School or District in accordance with FERPA.
A. California (CCPA / CPRA)
California residents have the right to:
- Know what categories of Personal Information we collect and how it is used
- Request access to and a copy of their Personal Information
- Request correction of inaccurate Personal Information
- Request deletion of their Personal Information
- Opt out of the "sale" or "sharing" of Personal Information — WhitAI does not sell or share Personal Information for cross-context behavioral advertising
- Limit use of sensitive personal information — WhitAI does not collect sensitive personal information beyond what is described in this Policy
- Be free from retaliation for exercising these rights
To exercise these rights, email ccuny@whitai.app. We will verify your identity before fulfilling requests involving Personal Information.
B. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA)
Residents of these states have rights to access, correct, delete, and (where applicable) port their Personal Information, and to opt out of targeted advertising and the sale of Personal Information. WhitAI does not engage in targeted advertising and does not sell Personal Information. To exercise these rights, email ccuny@whitai.app.
C. Other States
Residents of states with comparable consumer-privacy laws may exercise rights consistent with those laws by contacting ccuny@whitai.app.
D. Appeals
If we deny a privacy request, you may appeal by replying to our denial email with the subject line "Privacy Request Appeal." We will respond within the timeframes required by your state's law (typically 45–60 days).
13. User and Parent Rights and Requests
Depending on your role and applicable law, you (or your school/district, or a parent on behalf of a student) may have the right to:
- Access or receive a copy of information (including Student Data and Education Records)
- Correct inaccurate information
- Request deletion of information (subject to legal and contractual requirements)
- Request export or return of Student Data for school- or district-controlled accounts
- Withdraw consent or opt out of optional features
How to submit a request: Email ccuny@whitai.app.
For Student Data and Education Records, we will generally route the request through the School or District to verify authorization, in accordance with FERPA and AB 1584. Parents who are unable to obtain assistance from their school may contact us directly and we will work with the school to fulfill the request.
We will acknowledge requests within 10 business days and complete verified requests within 30 days, unless a longer period is permitted or required by law.
Filing a Complaint with a Regulator
If you believe we have not adequately responded to a privacy concern, you may also contact:
- The U.S. Federal Trade Commission at https://www.ftc.gov
- Your state Attorney General's office
- The U.S. Department of Education's Student Privacy Policy Office (for FERPA matters): https://studentprivacy.ed.gov
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, regulations, or sub-processors. When we do:
- We will post the updated Policy on this page and update the "Effective Date."
- For material changes affecting Student Data, we will provide advance notice to School and District administrators (typically by email and in-product notification) before the changes take effect, and provide a reasonable opportunity to review.
- Schools and districts may request continued operation under the prior Policy until any contractual review period required under their DPA has elapsed.
15. Contact
School Synergy Corporation
27160 Baxard Place
Valencia, CA 91354
United States
General privacy inquiries: ccuny@whitai.app
Security concerns or suspected incidents: ccuny@whitai.app (please use subject line "Security")
Data Privacy Agreement (DPA) requests: ccuny@whitai.app (please use subject line "DPA Request")