EdCertly
Privacy Policy

How we collect, use, and protect your data.

This Privacy Policy applies to all users of EdCertly. Read it together with the Terms of Service. The most important thing to know: EdCertly does not own School Partner data — schools and CMOs own and control their own data. EdCertly is a data processor that handles data only as the School Partner directs.

Effective Date
May 1, 2026
Governing Entity
A12 Labs LLC (Delaware)
Product
EdCertly · edcertly.com · app.edcertly.com
Privacy Contact
privacy@edcertly.com
Applicable Laws
FERPA · NY Ed Law §2-d · Part 121 · COPPA
Last Updated
May 1, 2026
Section 1

Who We Are

EdCertly is a certification tracking and workforce analytics platform for K-12 charter schools and CMOs, built and operated by A12 Labs LLC, a Delaware limited liability company authorized to do business in New York.

Under FERPA, EdCertly operates as a "school official" of any School Partner that authorizes us to process education records. Under NY Education Law §2-d, EdCertly is a "third-party contractor." In all cases, we are bound by the same data privacy obligations that apply to the schools we serve.

Section 2

Data Ownership and Our Role

Read this section first. It defines the entire data relationship between EdCertly and our School Partners.

2.1Schools and CMOs Own Their Data

EdCertly does not own — and does not claim ownership of — any data uploaded to or processed through the Platform by a School Partner or by any individual acting on behalf of a School Partner. This includes teacher names, certification status, expiration dates, uploaded documents, performance data, and any reports or analytics derived from that data.

All such data remains the sole property of the School Partner. CMOs that upload data on behalf of their affiliated schools own that data on those schools' behalf, consistent with their internal arrangements. Each School Partner is at all times the data controller — the party that determines what data is processed, why it is processed, and with whom it may be shared.

2.2EdCertly Is a Data Processor

EdCertly serves only as a data processor. We process School Partner data only on the instructions of the School Partner and only as necessary to deliver the contracted services. We do not exercise independent judgment over what data should be processed or shared, except as needed to maintain the security, integrity, and operation of the Platform.

2.3We Do Not Pull Data from State Certification Systems

EdCertly does not independently access, query, or extract data from any state teacher certification system — including the New York State Education Department's TEACH system or any equivalent system in other states. All certification data within the Platform comes from one of three authorized sources: (a) the School Partner uploading the data; (b) the individual teacher entering it through the Teacher Portal; or (c) an integration the School Partner has explicitly authorized in writing and that operates under the School Partner's credentials and consent.

2.4Schools Manage Their Own Data

EdCertly provides the tools — but the School Partner is responsible for what the data contains, who can access it, when it is updated, and how it is used. Specifically, each School Partner is responsible for:

  • Determining what data is uploaded
  • Verifying data accuracy and currency
  • Managing user access and permissions for their staff and teachers
  • Deciding when and how data is shared with their HRIS or other systems
  • Responding to record access, correction, or deletion requests from teachers or other individuals
  • Ensuring their use of the Platform complies with applicable law
Section 3

What Data We Process

3.1School Administrator and HR Staff Data

When an institution registers, we collect information about the authorized administrator:

  • Name, job title, and contact information
  • School or organization name and address
  • Login credentials (passwords stored in hashed, non-reversible form)
  • Subscription and billing information (processed through a PCI-compliant third-party processor; we do not store full payment card details)
  • Platform usage data (login timestamps, features accessed)

3.2Teacher Data

Teacher data processed on the Platform may include:

  • Name, employee ID, contact information, and date of hire
  • Certification type, status, and expiration dates
  • Pathway progress and gap analysis data
  • Documents uploaded for certification (transcripts, scores, verification forms)
  • Subject area, grade level, and assignment information as provided by the school
  • Performance review data, to the extent provided by the school and required by NY Ed Law §2-d

3.3Student Data

EdCertly is primarily a teacher workforce platform. We do not directly collect, solicit, or process student data as part of our core service. To the extent any student PII is incidentally included in documents uploaded by a School Partner, we treat it under the protections of FERPA and Ed Law §2-d, and notify the School Partner immediately.

3.4Technical Data

  • IP address and general location (not street-level)
  • Browser type, operating system, device type
  • Pages visited and navigation paths
  • Error logs and performance data
Section 4

How We Use Data

PurposeDescription
Service DeliveryProcessing and displaying certification data, generating pathways, producing analytics, document workflows, and authorized HRIS integrations.
Account ManagementCreating and managing user accounts, billing, subscription management.
NotificationsAutomated certification renewal alerts, compliance notifications, service updates.
SupportInvestigating and resolving technical issues, responding to support requests.
SecurityMaintaining platform security, preventing unauthorized access, fraud prevention.
Legal ComplianceComplying with applicable law and lawful legal process.
Platform ImprovementUsing only aggregated, irreversibly de-identified data — no PII is used.
EdCertly will NEVER: sell School Partner data; use it for advertising or marketing; create profiles of individuals for non-educational purposes; train AI models for general use on School Partner data; or share data with any third party except as expressly described in Section 5.
Section 5

When We Share Data (Limited Exceptions)

EdCertly does not share School Partner data with any third party except in the following narrowly defined and operationally necessary circumstances:

5.1Service-Delivery Subcontractors

To deliver the Platform, EdCertly uses subcontractors such as cloud infrastructure providers, security monitoring services, and PCI-compliant payment processors. All subcontractors are bound by written agreements imposing data protection obligations materially equivalent to those EdCertly owes to the School Partner. Subcontractors may not use data for any purpose other than supporting EdCertly's services. A current list is available on request.

5.2School Partner-Authorized Integrations

Where a School Partner explicitly authorizes EdCertly to transmit data to a third-party system (such as their HRIS, EIS, payroll provider, or a state certification system the School Partner has chosen to integrate with), EdCertly will transmit data solely as directed by that authorization. The integration partner is selected by the School Partner.

5.3Legally Compelled Disclosure

EdCertly will only disclose data to third parties when compelled by a legally binding order from a court of competent jurisdiction, a valid subpoena, a lawfully issued government request, or as otherwise required by applicable law. In any such case, EdCertly will:

  • Promptly notify the affected School Partner unless legally prohibited
  • Disclose only the minimum data required to comply
  • Cooperate with the School Partner in seeking, where appropriate, a protective order or other legal mechanism to limit disclosure
  • Provide a full disclosure account to the School Partner as soon as legally permissible

5.4Business Transfers

In the event of a merger, acquisition, or sale of substantially all assets involving A12 Labs LLC, School Partner data may be transferred to the successor entity, which will be bound by this Privacy Policy and applicable law. School Partners will receive at least sixty (60) days' advance notice and the opportunity to export data and terminate before any transfer.

5.5No Sale, No Advertising, No Profiling

EdCertly does not and will not sell, rent, trade, or monetize School Partner data. We do not use data for advertising, marketing, behavioral profiling, or AI model training for general use. This commitment is binding regardless of any change in ownership.

Section 6

Data Security

EdCertly implements a comprehensive security program consistent with the NIST Cybersecurity Framework and NY Ed Law §2-d Part 121:

LayerControls
EncryptionAES-256 at rest; TLS 1.3 in transit. Credentials hashed with industry-standard algorithms.
Access ControlRole-based access; multi-factor authentication for admin accounts; least-privilege principle.
InfrastructureSOC 2-compliant cloud hosting; regular vulnerability scanning and penetration testing.
MonitoringContinuous monitoring; anomaly detection; 72-hour breach notification capability.
PersonnelMandatory privacy and security training; background checks for staff with data access.
Vendor ManagementAll subcontractors security-assessed before data access.
Section 7

Data Retention and Deletion

Because School Partners own their data, retention is determined primarily by the School Partner's instructions and the duration of their subscription:

  • Active subscription data is retained for the duration of the subscription, plus thirty (30) days following termination to allow for export
  • After thirty (30) days, all data is securely deleted or destroyed using industry-standard methods
  • Technical logs (de-identified) may be retained up to twelve (12) months for security purposes
  • Billing records may be retained up to seven (7) years for financial and tax compliance

School Partners may request deletion at any time at datarequests@edcertly.com. Requests are processed within thirty (30) days. Written confirmation is provided on request, consistent with NY Ed Law §2-d.

Section 8

Cookies and Tracking

EdCertly uses only essential, functional, and aggregate analytics cookies. We do not use advertising or third-party behavioral analytics cookies. We do not partner with advertising networks or data brokers.

Section 9

Your Rights

9.1School Partner Rights

  • Access — request a copy of data we hold about your school
  • Correction — request correction of inaccurate information
  • Deletion — request deletion subject to legal retention requirements
  • Portability — export your data in a standard format anytime during your subscription
  • Restriction — request limitation of processing in certain circumstances

9.2Individual Teacher Rights

Teachers may access and export their own certification records through the Teacher Portal. Requests regarding data held under a School Partner's account should first be directed to the School Partner, as the School Partner is the data controller. EdCertly will cooperate in responding.

9.3FERPA Rights

Parents and eligible students retain all rights under FERPA. The School Partner is responsible for fulfilling FERPA rights requests; EdCertly will cooperate.

Section 10

COPPA

EdCertly is designed for adult users (school administrators and teachers) and does not knowingly collect personal information directly from children under 13. The Teacher Portal is intended for adult teachers. To the extent EdCertly processes any student data on behalf of a School Partner, the School Partner serves as the operator under applicable K-12 COPPA exceptions, with EdCertly acting as the school's agent.

Section 11

State-Specific Provisions

11.1New York (Primary Jurisdiction)

EdCertly fully complies with NY Education Law §2-d and 8 NYCRR Part 121. School Partners receive the full protections of Ed Law §2-d, including the Parents' Bill of Rights, breach notification within seven calendar days, and the prohibition on selling protected data.

11.2Expansion States

As EdCertly expands to other states, our New York-level protections serve as the baseline. Additional state-specific provisions will be added as required by the laws of each state we operate in.

Section 12

Changes to This Policy

EdCertly will notify School Partners of material changes at least thirty (30) days before they take effect, via email and in-Platform notification. The current Policy is at edcertly.com/privacy.

Section 13

Contact

PurposeContact
Privacy questionsprivacy@edcertly.com
Data access / deletiondatarequests@edcertly.com
Security incidentssecurity@edcertly.com (24-hour response)
Legallegal@edcertly.com

A12 Labs LLC (d/b/a EdCertly) — Delaware · Authorized in New York. edcertly.com

These documents were prepared specifically for EdCertly (a product of A12 Labs LLC) based on FERPA, COPPA, NY Education Law §2-d, Part 121, and industry best practices for K-12 EdTech vendors as of 2026. They do not constitute legal advice. EdCertly strongly recommends review by qualified legal counsel licensed in the applicable jurisdiction before publication.