Privacy Policy
Effective Date: March 6, 2026
1. Introduction
Can Do Navigator ("the Service") is operated by IncluSend LLC ("we," "us," or "our"). We are committed to protecting the privacy and security of all users, including educators, administrators, and the student data they manage through our platform. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.
By using Can Do Navigator at candonav.app, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
This policy is designed to comply with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and applicable state privacy laws, including the Colorado Student Data Transparency and Security Act (C.R.S. §§ 22-16-101 et seq.) and the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.).
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Organization/district name
- User role within the organization (owner, admin, school admin, teacher, or read-only)
- Authentication credentials (managed securely via Supabase Auth; we support Google OAuth and email/password login)
2.2 Student Data
Educators may enter the following student information into the Service:
- First and last name
- District student ID (external identifier)
- Grade level
- Native/home language
- School assignment
- WIDA ACCESS domain proficiency scores (Listening, Speaking, Reading, Writing)
- Computed composite scores (Overall, Oral, Literacy, Comprehension)
- English language learner status (derived from scores)
Student data may be entered manually, uploaded via CSV file (up to 5,000 records per upload), or imported automatically through roster sync integrations (see Section 2.6). We do not independently collect data from or about students. In demo mode, no student data is stored.
2.3 Usage Data
We automatically collect:
- AI message counts and token usage (input/output tokens, estimated cost) for billing and rate limiting
- IP address (for demo usage tracking and security purposes)
- Browser type and device information (via standard HTTP headers)
AI chat messages are not stored on our servers. Chat content is processed in real time and exists only within your active browser session. When you close or refresh the page, chat history is cleared.
2.4 Website Visitor Data
When you visit our marketing pages (before signing in), we collect:
- An anonymous visitor identifier (UUID stored in your browser's localStorage as cdn_visitor_id)
- Page paths visited and referrer URLs
- UTM campaign parameters (source, medium, campaign) if present in the URL
- Approximate geographic location (country, region, city) derived from Vercel edge network headers
This data is stored in our site_visits table and is used to understand how visitors find and interact with our marketing pages. It is not linked to student data or authenticated user accounts.
2.5 Cookies and Local Storage
- Authentication cookies: Supabase session cookies are used to manage your login session. These are essential for the Service to function.
- Demo cookie: Demo visitors receive a demo_id cookie (httpOnly, secure, sameSite=lax, 1-year expiry) to track their demo message allowance. This cookie contains only a random identifier.
- Visitor identifier: An anonymous UUID is stored in localStorage (cdn_visitor_id) for marketing analytics. This identifier contains no personal information.
We do not use advertising cookies, third-party tracking cookies, or retargeting technologies.
Do Not Track: Some browsers offer a "Do Not Track" (DNT) signal. Because there is no widely accepted standard for how to interpret DNT signals, the Service does not currently respond to DNT browser signals. However, we do not engage in cross-site tracking, targeted advertising, or selling personal information regardless of DNT settings.
2.6 Roster Sync Data
If your organization connects a roster provider (Clever or ClassLink/OneRoster), we receive the following data through their APIs:
- School names and identifiers
- Student names, grade levels, and provider-assigned IDs
- Teacher names, email addresses, and provider-assigned IDs
- Section/course information (name, subject, grade, term)
- Student-teacher enrollment relationships
OAuth tokens used to access roster provider APIs are encrypted at rest using AES-256-GCM encryption. Sync operations are logged in our roster_syncs table for auditing purposes.
2.7 Sensitive Information
Please do not submit sensitive personal information through the Service, including Social Security numbers, government-issued identification numbers, financial account numbers, biometric data, health or medical information, religious beliefs, or criminal background information. The Service is designed to process only the educational data categories listed above. If we become aware that sensitive information has been submitted, we will take steps to delete it.
2.8 Payment Information
Payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account details, or other financial information on our servers. We receive only a Stripe customer identifier and subscription status.
3. How We Use Your Information
We use collected information to:
- Provide and operate the Service, including generating WIDA Can Do Descriptor profiles and AI-powered instructional recommendations
- Authenticate users and manage account access via role-based permissions
- Synchronize student roster data from connected providers (Clever, ClassLink)
- Process payments and manage subscriptions via Stripe
- Send transactional emails (invitations, trial reminders, notifications) via Resend
- Enforce usage limits, student capacity limits, and prevent abuse
- Maintain audit logs of data access events for FERPA compliance
- Improve the Service through aggregated, de-identified analytics. When we create de-identified or aggregated data, we remove information that makes the data identifiable to any individual, and we do not attempt to re-identify such data. De-identified data derived from Student Data is never shared for advertising or unrelated commercial purposes.
- Respond to support requests
We do not use Student Data to market or advertise to students, parents, or educators. Student Data is used exclusively to provide the Service as described herein.
4. AI Processing
When you use the AI Thought Partner feature, your messages and the associated student context (proficiency levels, grade, Can Do Descriptors) are sent to Anthropic's Claude API to generate instructional recommendations. This data is transmitted securely via encrypted connections.
- No training on your data: Anthropic does not use API inputs or outputs to train their AI models, per their API Terms of Service.
- Zero Data Retention (ZDR): We maintain a Zero Data Retention agreement with Anthropic, meaning that all data sent to and received from Anthropic's API has a zero-day retention period—data is not stored on Anthropic's servers beyond the duration of each API request. Chat content is processed in real time and is not persistently stored by Anthropic or by CanDoNav. Chat exists only in your browser session.
- Student names are never sent to the AI. The application automatically replaces student names with anonymous identifiers (Student A, Student B, etc.) before sending data to the AI. Additionally, our server enforces name redaction as a secondary safeguard—all student names from your organization's roster are matched and stripped from messages before they reach Anthropic.
- No AI-driven profiling: Student data is not used to train, fine-tune, or improve any artificial intelligence or machine learning models, and is not used to create student profiles or make automated decisions about students.
- No automated decision-making: The Service does not engage in automated decision-making or profiling that produces legal or similarly significant effects on students. All AI outputs are advisory and require educator review before implementation.
- AI fairness: We recognize that AI-enabled features may perform differently across individuals and groups, and may produce unintended or disparate impacts. We take reasonable steps to evaluate and reduce the risk of unfair outcomes, including monitoring AI responses across diverse student populations and language backgrounds. If you observe biased or inappropriate AI outputs, please report them to [email protected].
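As an added illustration of the server-side name redaction step described above (example code written for this page, not CanDoNav's own implementation), the function below matches every roster name in a message, longest form first, and replaces it with a consistent "Student A"/"Student B" alias. The roster entries and the message are constructed sample data.

```javascript
// Escape a name so it can be embedded literally in a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// 0 -> "Student A", 25 -> "Student Z", 26 -> "Student AA", ... so large
// rosters never run out of aliases.
function aliasFor(index) {
  let n = index;
  let label = "";
  do {
    label = String.fromCharCode(65 + (n % 26)) + label;
    n = Math.floor(n / 26) - 1;
  } while (n >= 0);
  return `Student ${label}`;
}

// Redact roster names from a message before it leaves the server.
// roster: array of { id, firstName, lastName } (assumed shape).
// Returns the redacted text plus the id -> alias map so the same student
// always receives the same alias within one request.
function redactStudentNames(message, roster) {
  const aliases = new Map();
  roster.forEach((s, i) => aliases.set(s.id, aliasFor(i)));

  // For each student build patterns for "First Last", "Last, First",
  // and each name alone. Lookarounds restrict matches to whole words
  // (Unicode letters/digits), so "Lee" does not match inside "Leeds".
  const patterns = [];
  for (const s of roster) {
    const alias = aliases.get(s.id);
    const first = escapeRegExp(s.firstName.trim());
    const last = escapeRegExp(s.lastName.trim());
    const forms = [];
    if (first && last) forms.push(`${first}\\s+${last}`, `${last},\\s*${first}`);
    if (first) forms.push(first);
    if (last) forms.push(last);
    for (const f of forms) {
      patterns.push({
        re: new RegExp(`(?<![\\p{L}\\p{N}])${f}(?![\\p{L}\\p{N}])`, "giu"),
        alias,
      });
    }
  }
  // Apply longer patterns first so "Anabel" is redacted before "Ana"
  // and full names are replaced by a single alias, not two.
  patterns.sort((a, b) => b.re.source.length - a.re.source.length);

  let text = message;
  for (const { re, alias } of patterns) {
    text = text.replace(re, alias);
  }
  return { text, aliases };
}

// Constructed sample roster and message (not real student data).
const SAMPLE_ROSTER = [
  { id: "s1", firstName: "Ana", lastName: "Garcia" },
  { id: "s2", firstName: "Anabel", lastName: "Lee" },
];
const SAMPLE_MESSAGE =
  "Ana Garcia and Anabel both scored 3 in reading; Garcia, Ana needs support. Lee too.";

module.exports = { redactStudentNames, aliasFor, SAMPLE_ROSTER, SAMPLE_MESSAGE };
```

Because a roster surname can also be an ordinary word, this approach may over-redact; that is the safer failure mode for a pre-AI filter, and the returned alias map lets the server log which students were referenced without logging the names.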
5. FERPA Compliance
5.1 School Official Status
We operate under the "school official" exception to FERPA (34 CFR § 99.31(a)(1)), providing services that would otherwise be performed by school employees. As such:
- We use education records only for the purposes specified in our service agreement
- We are under the direct control of the educational institution with respect to use and maintenance of education records
- We do not re-disclose personally identifiable information (PII) from education records without consent, except as permitted under FERPA
5.2 Data Processing Agreement
We offer a Data Processing Agreement (DPA) to all subscribing schools and districts, compatible with the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement framework, including Colorado-specific supplemental terms (Exhibit "G"). Our DPA includes:
- Specific description of data elements collected and processed (Exhibit B categories)
- Purpose limitations for data use
- Security safeguards and technical measures
- Data breach notification procedures (within 72 hours, per C.R.S. § 6-1-713)
- Data return and deletion procedures upon contract termination (60-day transfer window, 90-day destruction)
- Subprocessor disclosure and management
- Prohibition on using Student Data for AI model training
To request a DPA or our General Offer of Privacy Terms, contact us at [email protected].
5.3 Audit Logging
We maintain comprehensive audit logs of access to student education records and security-relevant events. Our audit trail includes:
- User identity and timestamp for all data access events
- Type of action performed (view, create, update, delete, export, import)
- IP address and device information
- Record of bulk operations (CSV imports, roster syncs, bulk assignments)
- Authentication events (login, logout, failed attempts)
- Administrative actions (role changes, account deletion, invitation management)
Audit logs are retained for 7 years in compliance with FERPA record-keeping requirements. Organization administrators can view audit logs through the admin dashboard. Logs are available for inspection by the educational institution upon request.
5.4 Parent and Eligible Student Rights
We support educational institutions in fulfilling their FERPA obligations regarding parent and eligible student rights:
- Right to Inspect: Parents and eligible students may request access to education records through their school or district
- Right to Request Amendment: Corrections to student data should be submitted through the educational institution
- Right to Consent: We do not disclose PII from education records without prior written consent from the parent or eligible student, except as permitted under FERPA
5.5 Data Isolation and Access Control
- Each organization's student data is logically separated using database row-level security (RLS) policies, ensuring complete data isolation between districts
- Users can only access data belonging to their organization
- Role-based access control limits data visibility:
  - Owner/Admin: Full access to all organizational data and settings
  - School Admin: Access limited to assigned schools
  - Teacher: Access limited to assigned students within assigned schools
  - Read-Only: View-only access to assigned data
- Teachers may be assigned specific students, restricting their view to only those students
6. Data Sharing and Third-Party Services
We share information only with the following service providers, solely as needed to operate the Service:
- Supabase (Supabase Inc.) — Authentication and database hosting. All student data is stored on AWS infrastructure in the us-east-1 (Virginia) region. Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Anthropic (Anthropic PBC) — AI language model API for generating instructional recommendations. Processes only redacted prompts under a Zero Data Retention (ZDR) agreement—no data is stored on Anthropic's servers beyond the duration of each request. Located in the United States.
- Vercel (Vercel Inc.) — Application hosting and serverless functions. Processes requests in transit only; no Student Data is persisted. Located in the United States.
- Stripe (Stripe Inc.) — Payment processing. Handles only organizational billing data; no Student Data is shared with Stripe. PCI DSS Level 1 certified.
- Resend (Plus Five Five Inc.) — Transactional email delivery for invitations, trial reminders, and notifications. Receives only organization admin/teacher email addresses; no Student Data is included in emails.
- Google (Google LLC) — OAuth authentication when users choose to sign in with Google. We receive only name and email from Google; no Student Data is shared.
If your organization uses roster sync, the following providers may also process data:
- Clever (Clever Inc.) — Roster data synchronization. Student and teacher data flows from Clever to CanDoNav based on your district's Clever configuration.
- ClassLink (ClassLink Inc.) — OneRoster-compatible roster data synchronization. Data flows from ClassLink to CanDoNav based on your district's configuration.
Data Storage Location: All student data is stored within the United States. Our primary database is hosted on AWS infrastructure in the us-east-1 (Virginia) region via Supabase. Application hosting is provided by Vercel on US-based infrastructure. AI processing occurs on Anthropic's US-based infrastructure under a Zero Data Retention agreement (zero-day retention). A complete list of subprocessors and their DPAs is available at [email protected] upon request.
We do not sell, rent, or trade personal information or student data to any third party. We do not use Student Data for advertising, marketing, or any purpose other than providing the Service. We may disclose information if required by law, regulation, or valid legal process.
7. Data Security
We implement the following security measures to protect your data:
- All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
- Data at rest is encrypted in our database (AES-256)
- Roster sync OAuth tokens are encrypted using AES-256-GCM before storage
- Database access is controlled through row-level security (RLS) policies, ensuring strict organizational data isolation
- Authentication is managed through industry-standard protocols (OAuth 2.0, secure session management)
- Security headers enforced on all pages: HSTS, X-Frame-Options (DENY), X-Content-Type-Options, strict Referrer-Policy, and Permissions-Policy restricting camera, microphone, and geolocation access
- Administrative access to production systems is restricted and logged
- Server-side PII redaction provides defense-in-depth protection before data reaches third-party AI services
We maintain a written Incident Response Plan that defines procedures for detecting, containing, and remediating security incidents. In the event of a data breach involving Student Data, we will notify affected educational institutions within 72 hours, as required by C.R.S. § 6-1-713 and our DPA obligations.
While we take extensive precautions, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately at [email protected].
8. Data Retention
- Account data is retained for as long as your account is active.
- Student data is retained for as long as the subscribing organization maintains an active account. Organizations may export their student data (CSV or JSON format) and request deletion of student records at any time.
- AI chat messages are not stored on our servers. Chat history exists only within your active browser session and is cleared when you close or refresh the page.
- Usage logs (AI message counts, token usage, estimated costs) are retained for billing and analytics purposes and are automatically purged after 12 months.
- Demo usage data (cookie identifier, message count, IP address) is automatically purged after 12 months.
- Canceled accounts are retained for 90 days to allow reactivation, after which all associated data (users, students, schools, sections, enrollments, usage logs, and audit logs) is permanently and automatically deleted.
- Audit logs are retained for 7 years in compliance with FERPA record-keeping requirements.
- Site visit data (anonymous visitor analytics) is retained for 12 months.
- Roster sync logs are retained for the duration of the organization's active account and deleted upon account termination.
Upon contract termination, educational institutions have 60 days to request transfer of their data in a machine-readable format (CSV or JSON). After 90 days, all data is permanently destroyed and we will provide written confirmation of destruction upon request.
9. Your Rights
You have the right to:
- Access the personal information we hold about you
- Correct inaccurate information in your account
- Delete your account and all associated data (organization owners can do this from account settings)
- Export your data in a portable format (CSV or JSON) via the admin dashboard
- Withdraw consent for optional data processing
- Disconnect roster sync integrations at any time
- Opt out of marketing emails by clicking the "unsubscribe" link included in any marketing or trial reminder email, or by contacting us directly
To exercise any of these rights, contact us at [email protected].
Colorado residents may have additional rights under the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), including the right to opt out of the processing of personal data for targeted advertising and the right to appeal a denial of a privacy request.
10. Children's Privacy
Can Do Navigator is designed for use by educators and administrators, not by students. Students do not create accounts, log into the Service, or interact with it directly. We do not knowingly collect personal information directly from children under the age of 13.
Student data is entered into the Service by authorized educators solely for the purpose of instructional planning. We comply with COPPA by ensuring that the educational institution has obtained any necessary parental consent for the disclosure of student education records to us as a school official under FERPA.
If you believe we have inadvertently collected information directly from a child, please contact us immediately at [email protected].
11. Accessibility
We are committed to making CanDoNav accessible to all users, including those with disabilities. We target conformance with the Web Content Accessibility Guidelines (WCAG) 2.2 at Level AA, consistent with Colorado HB 21-1110 and ADA requirements. Our Accessibility Statement and Voluntary Product Accessibility Template (VPAT v2.5) are available upon request.
12. Business Transfers
In the event that IncluSend LLC is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information and Student Data may be transferred as part of that transaction. In such an event:
- We will notify affected users and subscribing organizations within 30 days via email and/or a prominent notice on the Service
- This Privacy Policy will continue to apply to your data unless and until you are notified of a new policy and given the opportunity to opt out
- The acquiring entity will be bound by the same data protection obligations described in this policy and any active Data Processing Agreements
- We will not sell Student Data to any third party as part of a business transaction
In the unlikely event that IncluSend LLC ceases operations, we will protect your personal information and Student Data, provide reasonable notice and opportunity to export data, and securely delete all data in accordance with our retention policies and any active DPA obligations.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will provide at least fifteen (15) days' advance notice to subscribing organizations before making material changes to this policy. Notification will be sent via email to organization administrators. Continued use of the Service after changes take effect constitutes acceptance of the revised policy. The "Effective Date" at the top of this page indicates when the policy was last updated.
14. Contact Us
If you have questions or concerns about this Privacy Policy, our data practices, or to request a Data Processing Agreement, please contact us:
453 E Wonderview Ave, Unit 3, PMB #263
Estes Park, CO 80517-8926
Email: [email protected]
Website: candonav.app
