Legal

Privacy Policy

Effective date: May 21, 2026

1. Who We Are

InFocus Pathways (“InFocus,” “we,” “us,” or “our”) operates the InFocus Career Assessment Platform, a web application that helps K–12 schools and districts administer career interest, work values, and aptitude assessments and deliver results to students and counselors. Our registered address is available upon request. You can reach us at [email protected].

2. Scope and Applicability

This Privacy Policy applies to all information collected through the InFocus platform, including our website at infocuspathways.com and all associated web application routes. It applies to School Administrators, Counselors, Evaluators, and Students who access the platform under a school or district subscription.

Student data is governed primarily by the Family Educational Rights and Privacy Act (FERPA) and, where applicable, the Children’s Online Privacy Protection Act (COPPA). InFocus processes student data solely as a school official and subprocessor acting under the direction of the school or district with which we have a signed Data Processing Agreement (DPA).

3. Information We Collect

3.1 School and Administrator Information

When a school or district creates an account, we collect: school name, district name, billing contact name and email address, and billing information processed through Stripe. Stripe is PCI-DSS compliant and no payment card data is stored on InFocus servers.

3.2 User Account Information

For all account holders (School Admins, Counselors, Evaluators), we collect: full name, work email address, hashed password, role designation, and multi-factor authentication (MFA) configuration data. Passwords are hashed using bcrypt (cost factor 12) and are never stored in plaintext.

3.3 Student Data

Student data is entered by authorized school personnel and includes: student name, grade level, date of birth (for COPPA verification), and assessment responses and scores. Student data is scoped to the school that created the record and is never shared across schools or used for any advertising purpose.

3.4 Assessment Data

We collect responses to the Career Interest Battery (48 items), the Work Values Survey, and manually-entered scores for the InFocus Aptitudes battery. All scoring is performed server-side. No assessment logic executes in the user’s browser.

3.5 Automatically Collected Data

We collect server-side logs including IP addresses, timestamps, and actions taken — stored in an append-only audit log for FERPA compliance and security purposes. We do not use third-party analytics services, advertising pixels, or behavioral tracking technologies on any page of the platform.

4. How We Use Information

We use collected information to:

  • Operate and deliver the InFocus platform under the school’s subscription
  • Generate career assessment results, Sweet Spot profiles, and PDF reports
  • Authenticate users and enforce role-based access controls
  • Maintain security audit logs required by FERPA and our SOC2 commitments
  • Send transactional emails (password resets, MFA codes, report delivery) via Resend
  • Process subscription billing via Stripe
  • Respond to support requests and legal inquiries

Student data is never used for advertising, behavioral targeting, data mining for commercial purposes, or sold to any third party.

5. Data Sharing and Subprocessors

We share data only with the following subprocessors, all of which have signed Data Processing Agreements and are listed in the school DPA:

Vendor          Purpose                   Touches Student Data
Supabase        Database, file storage    Yes
Vercel          Application hosting       Yes (in transit only)
Resend          Transactional email       Report delivery only
Stripe          Subscription billing      No
Upstash Redis   Rate limiting             No

No new subprocessor that touches student personally identifiable information (PII) may be added without updating the school DPA and notifying existing schools in advance.

6. FERPA

InFocus operates as a “school official” under FERPA, meaning we access student education records only to the extent necessary to perform services on behalf of the school. Schools retain ownership and control of all student records. We do not disclose student records to third parties without explicit written consent from the school, except as required by law.

7. COPPA

InFocus does not permit direct student account creation. All student records are created and managed by authorized school personnel. Schools attest in the DPA that they have the authority to consent on behalf of parents under COPPA. Student-facing pages do not contain advertising, behavioral tracking, or third-party analytics.

8. Data Retention

Student records are retained for a minimum of 7 years from the date of last activity, consistent with FERPA records guidance. Schools may request a shorter retention period, but may not extend the default. Audit logs are append-only and retained for a minimum of 7 years. No hard deletes are performed on student or user records — deletion requests are fulfilled through a soft-delete process with a full audit trail.

9. Security

InFocus implements the following security controls:

  • MFA required for all School Admin and Counselor accounts
  • Passwords hashed with bcrypt (cost factor 12)
  • Account lockout after 5 consecutive failed login attempts
  • 90-day password expiry for admin and counselor roles
  • Append-only audit log with 28+ tracked action types
  • HTTPS enforced; HSTS header with one-year max-age
  • Content Security Policy (CSP) and X-Frame-Options headers on all responses
  • Signed URLs for all file access (15-minute expiry); no public storage buckets
  • Row-level security on the database; no cross-school data access

10. Data Rights

Schools may, at any time, request a full JSON export of all student data associated with their account or submit a data deletion request through the platform’s Data Rights panel. Deletion requests are logged, reviewed, and fulfilled within 30 days. Individual student records may also be deleted upon written request from the school.

11. Cookies

InFocus uses session cookies strictly for authentication. No advertising cookies, behavioral tracking cookies, or third-party analytics cookies are set. Marketing pages (this page included) do not set any cookies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify schools via email at least 30 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

13. Contact

Questions about this Privacy Policy or our data practices should be directed to: [email protected].