Leap LogSign In
Student Data Privacy

Privacy Policy

How Leap Log IEP collects, uses, and protects student information

Last updated: March 11, 2026

Leap Log IEP LLC · Kansas City, Missouri

Leap Log IEP is a Special Education progress monitoring platform built for K-12 school districts. This policy explains how we collect, use, and protect student data — including education records protected under FERPA, IDEA, and COPPA. If you have questions, contact our Privacy Officer at support@leaplogiep.com.

Our Student Data Privacy Commitment

We built Leap Log IEP for one purpose: helping Special Education teams spend less time on paperwork and more time with students. Our data practices reflect that:

  • We never sell student data — to anyone, for any reason
  • We never use student data for advertising — not for targeting, not for profiling
  • We never share student data with data brokers or third-party researchers
  • We never train commercial AI models on identifiable student information
  • Student data is used only to deliver the service your school contracted for

These are absolute commitments, not subject to business-case exceptions. We are a signatory to the Student Privacy Pledge.

Who This Policy Covers

School staff and administrators using the platform under their school's Leap Log IEP subscription. Governed by your school's agreement with us and applicable law, including FERPA.

Parents and guardians accessing the parent portal to view their child's IEP progress. Parents see only their own child's data — never another student's.

Students whose Special Education records are entered and managed by school staff. Student data is used solely for IEP tracking and progress monitoring purposes.

What Information We Collect

School Staff Accounts

  • Name, email address, and assigned role (teacher, para, administrator, etc.)
  • Hashed passwords — never stored in plaintext
  • Audit logs of platform actions (required by FERPA)
  • Login timestamps and session activity

Student Education Records

Student data is submitted by school staff at the direction of the school. It may include:

  • Name, grade, date of birth, disability category
  • IEP goals, baselines, targets, and progress data entries
  • Service logs: type, duration, date, setting
  • Behavioral observations (A-B-C logs, frequency, interval recordings)
  • Accommodations and modifications
  • Parent-teacher messages tied to the student record
  • IEP dates, reevaluation deadlines, compliance timelines

This data constitutes education records under FERPA and is processed under our Data Processing Agreement with your school.

Parent Portal Accounts

  • Name and email address (provided by the school)
  • Hashed password
  • Messages sent through the portal
  • Notification preferences (digest frequency, language)

Technical and Security Data

  • IP address and device type (security monitoring and fraud prevention)
  • Session identifiers (to maintain your login)
  • Cloudflare Turnstile bot-prevention signals on login pages

How We Use Student and Staff Information

PurposeHow We Use It
Deliver the ServiceIEP goal tracking, progress monitoring, service logging, compliance reports, parent portal, messaging
Account securityAuthentication, session management, role-based access enforcement
FERPA audit trailEvery access to and modification of student records is logged — who, what, when
Transactional notificationsEmail alerts for new messages and IEP reminders — no student PII in email bodies
Service improvementAggregated, de-identified usage data only — cannot identify any individual student
Legal complianceDisclosure when required by law, with advance notice to the school where permitted

Our Subprocessors — Who Handles Your Data

We share student data only with the following service providers, each bound by written data protection agreements:

ProviderRoleStudent PII?Location
SupabaseManaged database and authenticationYes — primary data storeUnited States
VercelApplication hostingTransient request processing onlyUnited States
ResendTransactional emailFirst name + login link onlyUnited States
CloudflareDNS, DDoS protection, CAPTCHANo student PIIGlobal CDN

We will notify schools at least 30 days before adding any new subprocessor that processes student PII.

Data Retention

Data TypeRetention Period
Student education recordsDuration of subscription + 30-day export window, then securely deleted
Audit logs5 years (supports IDEA dispute resolution timelines)
Staff accountsActive employment; deleted within 30 days of deactivation
Parent accountsDuration of child's enrollment; deleted within 30 days of deactivation
Security logs90 days

After your contract ends, all student data remains available for export for 30 days, then is securely deleted. Written confirmation of deletion is available on request.

Security Overview

We protect student data with AES-256 encryption at rest, TLS 1.2+ in transit, database-level row security, automatic 30-minute session timeouts, full audit logging, and Cloudflare bot protection on all login pages.

In the event of a breach affecting student data, we notify the affected school within 72 hours of discovery. See our full Security page for technical details.

FERPA Rights

Rights to inspect, correct, or delete education records belong to the school and — where applicable — to eligible students and their parents. To exercise FERPA rights, contact your school or district directly. We cooperate with school-directed FERPA requests within 10 business days.

COPPA — Students Under 13

Leap Log IEP processes information about students under 13 under the COPPA school consent exception (16 C.F.R. § 312.5(b)(1), including 2024 amendments with full compliance effective April 22, 2026). By executing our Data Processing Agreement, the school represents it has authority to consent on behalf of parents for this educational service. We collect only the data necessary to deliver the service — never for commercial purposes.

State-Specific Privacy Protections

Texas School Districts

Designed to support compliance with the Texas Student Data Privacy Act (HB 18, 2023 SCOPE Act) and the Texas Data Privacy and Security Act (HB 4390, effective July 1, 2024). We do not sell student data or build profiles for non-educational purposes. We respond to district vendor security questionnaires as required by Texas SB 1792.

Kansas School Districts

Compliant with the Kansas Student Online Personal Protection Act (K.S.A. 72-6331) and the Kansas Student Data Privacy Act (K.S.A. 72-6312), including breach notification requirements and data deletion on request.

Missouri School Districts

Registered with the Student Data Privacy Consortium (SDPC). Missouri districts requiring a DPA on the SDPC National DPA template — we support that. See our Data Processing Agreement for details.

Changes to This Policy

We provide at least 30 days' advance notice of material changes via email to school administrators. The current version is always posted at leaplogiep.com/privacy with a revision date.

Frequently Asked Questions

Contact

Privacy Officer — Leap Log IEP LLC
support@leaplogiep.com
Kansas City, Missouri

SecurityTerms of ServiceData Processing AgreementFAQ