Education Privacy Policy

FERPA, COPPA, GDPR-K and student-data handling for schools, universities and edtech customers.

Version 1.0.0Effective May 30, 2026Last reviewed May 30, 2026
Plain-English summary. If a school, district, university or edtech uses HookPilot, this is how we treat student data: FERPA "school official" with legitimate educational interest, no advertising profiling of students, no training shared AI on student data, COPPA verifiable consent path for under-13, GDPR-K for EU students.

1. Scope

This policy applies whenever HookPilot Caption Studio LLC processes education records as defined by FERPA (20 U.S.C. § 1232g), personal information of children under 13 covered by COPPA, or personal data of children covered by GDPR Article 8 / UK GDPR. It supplements the Privacy Policy and the DPA.

2. HookPilot's FERPA Role

HookPilot acts as a "school official" with legitimate educational interest under 34 CFR 99.31(a)(1)(i)(B). We process education records only on the institution's documented instructions, use them only to provide the Service, do not redisclose them except as the institution authorises or as required by law, and return or delete them per the Data Deletion Policy at the end of the relationship.

3. COPPA

Where a HookPilot customer collects personal information from children under 13, the customer (typically the school or edtech) is responsible for verifiable parental consent under 16 CFR Part 312 — except where the FTC's "school authorisation" pathway applies for school-purpose use. HookPilot supports school-authorised collection, restricts profiling of under-13s, and disables advertising-style tracking on workspaces flagged "K-12 student data".

4. GDPR-K

For students in the EEA, UK or Switzerland, child-data processing follows Article 8 GDPR and the local age of consent set by the member state. We rely on the institution's lawful basis (typically public interest / official authority for state schools) and apply the same restrictions on profiling and shared-model training described elsewhere in this policy.

5. Bright Lines

  • No behavioural advertising profiling of students on student-data workspaces.
  • No selling of student personal information.
  • No training shared AI models on student data (see Section 8).
  • No biometric profiling, emotion inference or "affective" features unless the institution has opted in and obtained any required consents (and we discourage this for K-12).
  • No facial recognition on student images at HookPilot's initiative.

6. HookPilot Education Department Floor

Customers using the HookPilot Education department inherit a guardrail floor: framework adherence to age-appropriate communication, an additional veto held by the Statute and Shield agents specific to student-facing output, hallucination self-check tuned for citations and curriculum claims, and an audit trail accessible to the institutional administrator.

7. SOPIPA, NY Ed Law §2-D and Other State Rules

For California customers (SOPIPA), New York districts (Ed Law §2-D + Parents' Bill of Rights), Colorado, Connecticut, Florida and other states with student-data statutes, HookPilot adheres to the prohibitions on targeted advertising, profile selling and unauthorised disclosure. Customers in those jurisdictions can request a state-specific addendum to the DPA at dpo@hookpilot.co.

8. AI Training Carve-Out

HookPilot does not use student data to train HookPilot's own foundation models, and routes student-data workspaces only to AI providers whose contractual terms exclude training on the routed prompts. See Privacy §6.

9. Parent and Student Rights

Parents and eligible students exercise FERPA rights with the institution (the controller). HookPilot supports the institution by forwarding requests, providing access to records we hold on the institution's behalf, and honoring deletion within the timelines in the Data Deletion Policy.

10. Contact

Education-privacy questions: privacy@hookpilot.co. School DPAs and state addenda: dpo@hookpilot.co.