Privacy Policy

Effective Date: August 2025
Uprooted Academy

Uprooted Academy ("we," "our," "us") is committed to protecting the privacy and security of our students, advisors, and partners. This Privacy Policy explains how we collect, use, and safeguard your personal information when you use our website, platform, and related services ("Services").

1. Who Can Use Our Services

Our Services are intended for students 13 years and older, their advisors, and authorized school staff. We do not knowingly collect information from children under 13.

2. Information We Collect

We may collect the following types of information:

Personal Data: Information such as your name, email, school affiliation, and login details.
Educational Data: Student records and advising information provided by schools, counselors, or students themselves.
Usage Data: Information about how you interact with our Services, including login history, support requests, and technical data such as IP address, browser type, and device.

3. How We Use Your Information

We use your information to provide and improve our Services, support students and counselors in the college planning process, respond to support requests through Zendesk, maintain security and compliance with legal obligations, and conduct de-identified analysis and reporting to improve user experience.

4. Legal and Data Protection Compliance

We are committed to meeting or exceeding the highest standards of data protection. This includes FERPA (Family Educational Rights and Privacy Act), which protects student education records. We have achieved SOC 2 Type I certification which demonstrates that our security, availability, and confidentiality controls have been independently reviewed. We also comply with applicable United States federal, state, and local data protection laws. When schools provide student information, they remain the data controller. Uprooted Academy acts as a data processor, handling data only as directed by schools or advisors.

5. Data Security

We maintain a comprehensive security program that includes encryption of data at rest using AES-256 and in transit using TLS 1.2 or higher, role-based access controls with multi-factor authentication for administrative accounts, continuous monitoring, logging, and risk assessments, compliance with SOC 2 Type I controls, and disaster recovery and resiliency planning.

6. Data Sharing

We only share information in limited circumstances. These include approved service providers such as Zendesk for support ticketing, Atlassian Statuspage for uptime and outage notifications, and AWS for hosting and data encryption. We may also share data with your school, counselor, or advisor to provide Services, or as required by law or valid legal request, or with your consent for specific purposes. We do not sell or rent personal data.

7. Service Status and Incident Communication

We use Statuspage to share real-time updates about platform availability and outages. All support and troubleshooting requests are managed through Zendesk. In the event of a confirmed security incident involving your personal data, we will notify your school or organization as required by law, email affected individuals directly where applicable, and provide timely updates on the steps taken to address and mitigate the breach.

8. Data Retention

Personal data is retained only as long as necessary for educational or support purposes. Identifiable information is not stored in analytic datasets. Temporary data is securely deleted in compliance with NIST 800-88 data destruction standards.

9. Cookies and Analytics

We use cookies and analytics tools to help operate, secure, and improve our Services. A cookie is a small text file stored on your device when you visit our website. We use cookies to remember your preferences, keep you logged in, and understand how you use our platform. You can set your browser to refuse cookies or alert you when cookies are being sent. Please note that disabling cookies may limit certain features of our Services. We also use analytics tools such as Google Analytics to understand how users interact with our Services and to improve functionality. Analytics data is aggregated and does not identify individual users. We do not use cookies or analytics for advertising, tracking, or marketing purposes, and we do not allow third parties to collect personal information for advertising through our Services.

10. Information We Do Not Collect

We do not need or want to collect any sensitive personal information through the Website. Similarly, minors under the age of 18 should not provide any personal information to us through the Website without parental consent. We do not sell personal information to third parties, and do not share personal information with third parties, except with users’ consent or as set forth in this Privacy Policy. Under the Children’s Online Privacy Protection Act (“COPPA”) there must be verifiable parental consent to collect, use, or disclose personal information from Children under the age of 13.

11. Your Rights

Depending on your role as a student, parent, advisor, or school representative, you may have rights to access, correct, or request deletion of your data. Students and families should contact their school directly. We will assist schools in fulfilling FERPA and other data protection obligations.