Privacy Policy

This Policy applies to personal information we collect from or about:

• visitors to our public marketing website at k-12.cloud;
• individuals who create or use a k-12.cloud account, including district staff, school administrators, EdTech vendor staff, and consultant users (“Authorized Users”);
• billing, procurement, and operations contacts named on purchase orders, invoices, or account profiles;
• individuals who contact us by email, web form, support request, or sales inquiry; and
• attendees at events k-12.cloud sponsors or participates in.

This Policy does not govern personal information our customers process within the environments we operate. For that processing, we act as a service provider / processor for the customer, and our handling is governed by the applicable customer agreement and the Data Processing Addendum.

The data controller for purposes of this Policy is Solo Work, Inc., a Pennsylvania corporation doing business as k-12.cloud. You can reach our privacy team at hello@k-12.cloudwith the subject line “Privacy Inquiry”; a physical correspondence address will be provided on written request.

We collect the following categories of personal information:

• Identifiers and contact information: name, email address, employer, job title, telephone number, mailing address.
• Account credentials and authentication: authentication tokens, multi-factor enrollment status, session identifiers. Passwords are handled by our identity subprocessor and are not stored in clear text by us.
• Commercial information: billing contacts, purchase orders, subscription history, invoice references, and information you submit to request a quote, proposal, or deployment review.
• Service usage information: environment identifiers, provisioning events, request metadata, timestamps, IP address of administrative actions, browser and device characteristics, error logs, and similar operational telemetry related to the k-12.cloud platform itself (not Customer Data inside environments).
• Communications: the contents of emails, support tickets, intake forms, request-for-review submissions, and waitlist or sales-inquiry submissions.
• Website analytics and device data: IP address, approximate geolocation derived from IP, browser type and version, operating system, referring URL, pages viewed, and similar information collected through standard web logs. We do not currently operate a behavioral advertising program and we do not deploy advertising cookies on our marketing site.
• Payment information: we use a PCI-DSS certified payment processor (currently Stripe, Inc.) to handle card data; we do not store full payment card numbers on our own systems.

We do not knowingly collect “sensitive personal information” as defined under the California Privacy Rights Act (e.g., precise geolocation, government-issued identifiers, health information, content of mail/email/text messages not addressed to us) from Authorized Users or website visitors. Customers may incidentally share such data in a support ticket; we ask customers not to do so, and where we receive it, we treat it as Confidential Information of the customer.

We collect personal information directly from you (e.g., when you create an account or submit a form), automatically through your use of our website and portals (e.g., through cookies and server logs), and occasionally from third-party sources such as publicly available professional listings, our authentication and payment subprocessors, and event registration platforms when you have engaged with k-12.cloud through those channels.

We use personal information to:

• provide, configure, secure, and improve the k-12.cloud platform and customer portal;
• authenticate Authorized Users, manage sessions, and detect and prevent fraud, abuse, or unauthorized access;
• invoice customers, process payments, and manage subscriptions (including with our payment subprocessor);
• respond to inquiries, deliver support, provide deployment review and onboarding assistance, and operate transactional communications such as confirmation and incident-notification emails;
• understand how the website and platform are used so that we can improve their performance, reliability, and user experience;
• send service announcements and limited, opt-out-respecting product communications relevant to active customers; we do not send unsolicited marketing email to individuals who have not requested it;
• comply with our legal obligations, including tax, accounting, and recordkeeping obligations, and to respond to lawful government requests; and
• establish, exercise, or defend legal claims.

We do not use personal information collected under this Policy for behavioral advertising and we do not use it to train or improve generative artificial intelligence models or other machine-learning models.

Where the General Data Protection Regulation, the UK GDPR, or a substantially similar law applies, our legal bases for processing personal information are: (a) performance of a contract with you or your organization; (b) compliance with a legal obligation; (c) our legitimate interests in operating, securing, and improving the Services, marketing to existing customers, and defending legal claims, where those interests are not overridden by your rights; and (d) consent, where required (for example, for certain analytics cookies in jurisdictions that require it). You may withdraw consent at any time without affecting the lawfulness of prior processing.

The k-12.cloud website and portals use a small number of first-party cookies and similar storage to:

• keep you signed in to authenticated areas of the site (session cookies set by our authentication subprocessor);
• remember UI preferences such as theme (light or dark);
• measure aggregate traffic and reliability through privacy-preserving server logs.

We do not currently use third-party advertising cookies, cross-site tracking pixels, or social-media re-targeting tags. If we add new analytics that rely on cookies, we will update this Policy and provide controls where required by law.

We share personal information only as described below:

• Subprocessors and service providers: we engage vendors that provide hosting, identity, email, payments, and similar functions strictly to operate the Services on our behalf. A current list of subprocessors is available in Appendix C of the Data Processing Addendum and is updated as those engagements change.
• Your organization: if you use the Services on behalf of an organization, administrators of that organization may have access to your account information and activity. We treat the organization as the controller of that information for internal-administration purposes.
• Legal and safety: we may disclose information if required by law, subpoena, warrant, or other valid legal process; to enforce our Terms; to investigate suspected fraud or abuse; or to protect the rights, property, or safety of k-12.cloud, our customers, or others.
• Business transfers: if we are involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, personal information may be transferred as part of that transaction, subject to customary confidentiality protections and continuing obligations consistent with this Policy.

We do not sell personal information.We do not “share” personal information for cross-context behavioral advertising as that term is defined under the California Privacy Rights Act, and we have not done so in the twelve (12) months preceding the effective date of this Policy.

We retain personal information for as long as it is necessary to provide the Services, satisfy the purposes described in this Policy, comply with our legal obligations (including tax and audit obligations, typically up to seven years for financial records), resolve disputes, and enforce our agreements. Account records for inactive accounts may be retained for up to three (3) years after the last meaningful account activity unless deletion is requested or required sooner. Aggregate, de-identified, or anonymized information may be retained indefinitely.

We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, and loss. These include encryption in transit, identity-bound administrative access, role-based authorization, audit logging, change-controlled deployments, and routine patching. The underlying cloud infrastructure is provided by a vendor with SOC 2 Type II and ISO 27001 certifications. No system can be guaranteed to be impenetrable; we encourage you to use strong, unique credentials and to enable multi-factor authentication where available.

Subject to applicable law and verification, you may have the right to:

• access the personal information we hold about you;
• correct inaccurate or incomplete personal information;
• delete personal information, subject to our legal-retention obligations;
• port personal information you provided to us to another controller, in a structured machine-readable format;
• object to or restrict certain processing; and
• withdraw consent where processing is based on consent.

To exercise any of these rights, email hello@k-12.cloudwith the subject line “Privacy Rights Request.” We will acknowledge your request within ten (10) business days and respond substantively within forty-five (45) days, or such shorter period as required by applicable law. We may need to verify your identity, and we will not discriminate against you for exercising your rights. If you are an Authorized User of a customer account, we may direct you to your organization’s administrator where the request relates to organization-managed data.

You may also have the right to lodge a complaint with a supervisory or regulatory authority. California residents have rights under the California Privacy Rights Act, including the right to know, delete, correct, limit the use of sensitive personal information, and opt out of sale or sharing. As stated above, we do not sell or share personal information for cross-context behavioral advertising.

The k-12.cloud website and customer portal are not directed to children under thirteen (13) years of age, and we do not knowingly collect personal information from children under thirteen through the k-12.cloud website or portal. If we learn that we have collected such information without a parent or guardian’s verifiable consent, we will delete it. If you believe a child has provided personal information to us, please contact us at hello@k-12.cloud.

Where our customers’ deployed software stores personally identifiable information of students or other education records as defined under the Family Educational Rights and Privacy Act, we process that information solely on the customer’s documented instructions and as a school official under FERPA § 99.31(a)(1) or as a service provider / school service provider under applicable U.S. state student data privacy laws (including the Illinois Student Online Personal Protection Act, New York Education Law § 2-d, California Assembly Bill 1584, Connecticut Public Act 16-189, and substantially similar laws). The relevant terms are set out in the Data Processing Addendum, which the customer accepts as part of the customer agreement. We do not use student data for advertising, profiling, or AI-model training, and we do not sell student data.

k-12.cloud is based in the United States and primarily processes information in the United States. We also offer data-residency options for Canada-based customers. If personal information is transferred from outside the United States to k-12.cloud, the transfer is necessary for the performance of a contract between you (or your organization) and k-12.cloud or otherwise based on a recognized transfer mechanism. We will work in good faith with customers to implement appropriate safeguards required by applicable law (such as standard contractual clauses or their successors) where commercially reasonable.

Because we do not sell personal information and do not share personal information for cross-context behavioral advertising, there is nothing to opt out of with respect to those activities. If we ever change this practice, we will update this Policy and provide a clear opt-out before the change takes effect. We honor Global Privacy Control signals where applicable law requires.

We may update this Policy from time to time to reflect changes to the Services, our data-handling practices, or applicable law. When we make material changes, we will update the “Effective” date at the top of this Policy and provide notice via email to active customers or through the customer portal, at least thirty (30) days before the change takes effect for changes that materially expand our use or disclosure of personal information.

Questions, requests, or complaints regarding this Policy can be directed to hello@k-12.cloudwith the subject line “Privacy Inquiry.” A physical correspondence address will be provided on written request.