Privacy Policy
Learnvelo, Inc. | Effective Date: March 29, 2026
Learnvelo, Inc. (“Learnvelo,” “we,” “us,” or “our”) operates the Learnvelo learning platform (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you access or use the Service as a Learner, Instructor, or institutional administrator.
This Privacy Policy is incorporated by reference into our End User License Agreement (EULA). By using the Service, you agree to the practices described in this policy.
If you have questions about this policy, contact us at [email protected].
1. Information We Collect
1.1 Information You Provide
| Category | Data Collected | Purpose |
|---|---|---|
| Account Registration | Name, email address, password, role (Learner/Instructor) | Create and manage your account |
| Instructor Profile | Biography, profile photo, credentials, institution affiliation | Display on course pages; verify instructor identity |
| Payment Information (Instructors) | Revenue Share payment details are collected and managed directly via QuickBooks; Learnvelo does not store instructor banking information | Process Revenue Share payments via QuickBooks |
| Payment Information (Learners) | Payment method details (processed by Stripe) | Process course enrollments and subscriptions |
| Course Content (Instructors) | Videos, documents, quizzes, images, and other educational materials | Host and deliver courses to enrolled Learners |
| Communications | Support requests, feedback, and correspondence with us | Respond to inquiries; improve the Service |
1.2 Information Collected Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Learning Activity | Pages viewed, time spent on content, quiz responses, assessment scores, course progress | Track learning progress; generate analytics for Instructors; improve course recommendations |
| Device and Browser Information | IP address, browser type, operating system, device type | Security (rate limiting, fraud detection); optimize Service performance |
| Usage Data | Features used, navigation patterns, search queries within courses | Improve platform usability and features |
| Cookies and Similar Technologies | Session cookies, preference cookies, analytics cookies | Maintain login sessions; remember preferences; analyze usage patterns (see Section 8) |
1.3 Information from Third Parties
| Source | Data | Purpose |
|---|---|---|
| LTI Integration (Institutional LMS) | Student identifier, course enrollment, role within institution | Single sign-on from institutional learning management systems; grade passback |
| Stripe | Payment confirmation, subscription status | Confirm transactions; manage access |
2. How We Use Your Information
2.1 Service Delivery
- Create and maintain your account
- Deliver course content to enrolled Learners
- Process payments and Revenue Share for Instructors
- Track learning progress and generate completion certificates
- Provide AI-powered features (content generation, adaptive quizzes, learning recommendations, AI mentor chat)
- Send transactional communications (enrollment confirmations, password resets, payment notifications)
2.2 Platform Improvement
- Analyze usage patterns to improve features and user experience
- Monitor and improve platform performance and reliability
- Debug errors and resolve technical issues
- Develop new features based on aggregated usage data
2.3 Safety and Security
- Detect and prevent fraud, abuse, and unauthorized access
- Enforce our EULA and Acceptable Use Policy
- Rate-limit authentication endpoints to prevent brute-force attacks
- Verify bot protection via Cloudflare Turnstile
2.4 Legal and Compliance
- Comply with applicable laws, regulations, and legal processes
- Respond to lawful requests from public authorities
- Fulfill contractual obligations to institutional partners
3. How We Use Data in AI Features
Learnvelo incorporates artificial intelligence to enhance the educational experience. We are committed to transparency about how data is used in AI-powered features.
3.1 AI Features Overview
| Feature | Data Used | What the AI Receives |
|---|---|---|
| AI Content Generation | Course structure, learning objectives, textbook references | Module titles, learning objectives, and RAG-retrieved textbook passages. No student PII. |
| AI Mentor Chat | Current page content, student’s question | The page content being studied and the student’s chat message. Student name and grade data are not included in prompts. |
| Quiz Generation | Page content, learning objectives | Educational content to generate assessment questions. No student performance data. |
| Learning Recommendations | Anonymized, aggregated learning activity patterns | Statistical patterns across the platform, not individual student profiles. |
3.2 AI Data Protections
- No student PII in AI prompts. We do not send student names, email addresses, grades, or other personally identifiable information to AI service providers (OpenAI).
- No training on your data. Under our agreements with OpenAI, data submitted through the API is not used to train their models.
- Textbook embeddings only. Our vector search system (Pinecone) stores embeddings derived from textbook and course reference materials, not student data.
- Instructor review required. AI-generated course content must be reviewed by Instructors before publication, as specified in our EULA (Section 4.8).
- Opt-out available. Instructors can disable AI features for their courses. Students can choose not to use the AI mentor chat.
4. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
4.1 Service Providers
We share data with third-party service providers who process it on our behalf under contractual obligations to protect your data:
| Provider | Data Shared | Purpose | Safeguards |
|---|---|---|---|
| Upsun (Platform.sh) | All application data | Infrastructure hosting | SOC 2 Type II; ISO 27001; Data Processing Agreement |
| AWS | Uploaded course materials | File storage | SOC 2; ISO 27001; server-side encryption; Data Processing Agreement |
| Stripe | Learner payment details (tokenized) | Learner payment processing | PCI DSS Level 1; Data Processing Agreement |
| QuickBooks (Intuit) | Instructor name, email, banking details for Revenue Share | Instructor payout processing | SOC 2 Type II; Intuit Data Processing Agreement |
| OpenAI | Course content for AI features (no PII) | AI content generation | SOC 2 Type II; zero data retention API terms; Data Processing Agreement |
| Pinecone | Textbook content embeddings (no PII) | Vector search for RAG | SOC 2 Type II; Data Processing Agreement |
| SendGrid | Email addresses, notification content | Transactional email | SOC 2 Type II; ISO 27001; Data Processing Agreement |
| Sentry | Application error data (PII excluded) | Error monitoring | SOC 2 Type II; send_default_pii=False configured |
| Cloudflare | Client-side tokens, IP addresses | Bot protection | SOC 2; ISO 27001; Data Processing Agreement |
4.2 Instructors
Instructors can view the following data for Learners enrolled in their courses:
- Learner name and enrollment status
- Course progress and completion percentage
- Quiz and assessment scores
- Learning activity timestamps
Instructors cannot access: Learner email addresses (unless the Learner initiates contact), payment information, activity on other Instructors’ courses, or data from other platform features.
4.3 Institutional Partners (LTI Integration)
When the Service is accessed through an institutional LMS via LTI 1.3 integration:
- Grade data is shared back with the institution’s LMS (grade passback) for courses accessed via LTI
- The institution acts as the data controller for their students’ educational records
- Data sharing is governed by the institution’s agreement with Learnvelo
4.4 Legal Requirements
We may disclose information when required by law, subpoena, court order, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the acquiring entity. We will notify users of any such transfer and any changes to this Privacy Policy.
5. Educational Privacy (FERPA)
5.1 Our Role Under FERPA
When Learnvelo is used by students at institutions subject to the Family Educational Rights and Privacy Act (FERPA), we operate as a school official with a legitimate educational interest as defined by 34 CFR 99.31(a)(1). This means:
- We access student educational records only to provide the educational services specified in our agreements with institutions
- We are subject to the same conditions governing the use and redisclosure of education records that apply to other school officials
- We do not disclose student educational records to third parties except as permitted by FERPA or as directed by the institution
5.2 Student Rights Under FERPA
Students at FERPA-covered institutions have the right to:
- Inspect and review their educational records maintained by Learnvelo
- Request amendments to records they believe are inaccurate
- Consent to disclosure of personally identifiable information (with certain exceptions)
To exercise these rights, students should contact their institution’s registrar or FERPA compliance officer. Learnvelo will cooperate with institutional requests to fulfill these rights.
5.3 De-identified and Aggregated Data
We may use de-identified or aggregated data derived from educational records for platform improvement and research purposes. De-identified data has all personally identifiable information removed and cannot be used to identify individual students. This use is permitted under FERPA (34 CFR 99.31(b)).
6. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply.
6.1 Legal Bases for Processing
| Processing Activity | Legal Basis | Justification |
|---|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) | Necessary to provide the Service |
| Payment processing | Contract (Art. 6(1)(b)) | Necessary to fulfill purchase agreements |
| Learning activity tracking | Contract (Art. 6(1)(b)) | Core functionality of the educational Service |
| AI-powered features | Legitimate Interest (Art. 6(1)(f)) | Enhance educational experience; balanced against minimal data use (no PII in AI prompts) |
| Security and fraud prevention | Legitimate Interest (Art. 6(1)(f)) | Protect users and platform integrity |
| Platform analytics (aggregated) | Legitimate Interest (Art. 6(1)(f)) | Improve Service quality for all users |
| Marketing communications | Consent (Art. 6(1)(a)) | Only with explicit opt-in |
| Legal compliance | Legal Obligation (Art. 6(1)(c)) | Tax, anti-fraud, and other legal requirements |
6.2 Your Rights
You have the right to:
- Access your personal data and obtain a copy
- Rectify inaccurate or incomplete data
- Erase your data (“right to be forgotten”), subject to legal retention obligations
- Restrict processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time for consent-based processing
- Lodge a complaint with your local data protection authority
To exercise these rights, email [email protected]. We will respond within 30 days.
6.3 International Data Transfers
Your data may be transferred to and processed in the United States, where our infrastructure providers operate. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission, executed with all relevant service providers
- Supplementary measures including encryption in transit and at rest, access controls, and contractual commitments from sub-processors
6.4 Data Protection Officer
For GDPR inquiries, contact our designated privacy contact at [email protected].
7. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
7.1 Your Rights
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information, subject to legal exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined under the CCPA/CPRA
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
7.2 Categories of Information
For CCPA disclosure purposes, the categories of personal information we collect are:
| CCPA Category | Examples | Collected | Sold | Shared for Advertising |
|---|---|---|---|---|
| Identifiers | Name, email, IP address | Yes | No | No |
| Financial Information | Revenue Share data (Instructors, managed via QuickBooks), payment method (Learners via Stripe) | Yes | No | No |
| Internet Activity | Browsing history, search history, interaction with Service | Yes | No | No |
| Education Information | Grades, course progress, assessment scores | Yes | No | No |
| Professional Information | Instructor credentials, biography | Yes | No | No |
| Inferences | Learning recommendations based on activity | Yes | No | No |
7.3 Exercising Your Rights
Submit requests to [email protected] or by mail to Learnvelo, Inc., 841 E. Fort Avenue, Suite 239, Baltimore, MD 21230. We will verify your identity before processing requests. You may also designate an authorized agent to submit requests on your behalf.
8. Cookies and Tracking Technologies
8.1 Cookies We Use
| Cookie Type | Purpose | Duration | Can Be Disabled |
|---|---|---|---|
| Essential | Authentication, CSRF protection, session management | Session / short-lived | No (required for Service operation) |
| Functional | User preferences, language settings | Persistent (up to 1 year) | Yes (may affect functionality) |
| Analytics | Aggregated usage statistics to improve the platform | Persistent (up to 2 years) | Yes |
8.2 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies will prevent you from using the Service. Disabling analytics cookies will not affect your ability to use the platform.
We do not use cookies for cross-site tracking or third-party advertising.
9. Data Security
We implement technical and organizational measures to protect your personal information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 for stored files; database encryption)
- Password hashing with PBKDF2-SHA256 (never stored in plaintext)
- Role-based access controls at the API level
- Rate limiting and bot protection on authentication endpoints
- Regular security assessments and dependency scanning
- Incident response procedures with defined notification timelines
- No PII sent to error monitoring services
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to [email protected].
10. Data Retention
| Data Type | Retention Period | After Retention |
|---|---|---|
| Active account data | Duration of account | Deleted or anonymized within 90 days of account deletion |
| Student educational records | Per institutional agreement, or 7 years | Secure deletion |
| Payment records | 7 years (tax/financial compliance) | Anonymized |
| Learning activity data | Duration of account + 90 days | Anonymized or deleted |
| Application logs | 30–90 days | Automatically rotated |
| Backup data | Per infrastructure provider retention | Automatically expired |
Upon account deletion, we delete or anonymize your personal data within 90 days, except where retention is required by law or contractual obligation. Anonymized data that cannot identify you may be retained indefinitely for platform improvement.
11. Children’s Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent.
Minors aged 13–17 may use the Service as Learners with verified parental or guardian consent, as specified in our EULA (Section 2.1). Institutional use by minors is governed by the institution’s agreements with Learnvelo and applicable law (including COPPA and FERPA).
If we learn that we have collected personal information from a child under 13 without appropriate consent, we will delete it promptly. Contact [email protected] to report concerns.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by:
- Email notification to the address associated with your account
- Prominent notice within the Service
- At least 14 days before the changes take effect
The “Last Updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
13. Contact Us
For questions, concerns, or requests related to this Privacy Policy:
- Privacy Inquiries: [email protected]
- Security Reports: [email protected]
- General Support: [email protected]
- Mailing Address: Learnvelo, Inc., 841 E. Fort Avenue, Suite 239, Baltimore, MD 21230
For FERPA-related requests, students should contact their institution’s registrar or FERPA compliance officer. Learnvelo will cooperate with institutional requests.
This Privacy Policy is effective as of the date listed above and applies to all users of the Learnvelo Service.