Data Privacy Policy

Scalable Learning LLC
Effective Date: March 30, 2026
Updated: May 7, 2026

1. Overview

Scalable Learning LLC ("Scalable Learning," "we," "us," or "our") provides AI-assisted case-based learning modules for higher education institutions. This policy describes how we collect, use, store, and protect data in connection with our platform, and how we fulfill our obligations as a technology service provider to educational institutions under applicable law.

This policy applies to data processed through our learning platform, whether accessed via Learning Tools Interoperability (LTI 1.3) integration from an institution's learning management system (LMS) or via direct access through institution-distributed access links.

2. Our Role and Institutional Relationships

Scalable Learning operates as a technology service provider to higher education institutions ("Institutions"). Institutions retain ownership and control of all student and institutional data. Scalable Learning processes data solely on behalf of, and under the direction of, the contracting Institution.

Where student data constitutes "education records" as defined under the Family Educational Rights and Privacy Act (FERPA), Scalable Learning acts as a "school official" with a legitimate educational interest, as authorized by the Institution, and is subject to the same restrictions on use and disclosure that apply to institutional school officials.

3. Data We Collect

For pilots and deployments using institution-distributed direct access links, no identity or context data is received from the institution. Learners are assigned anonymous identifiers and no personally identifiable information is collected or processed.

When a learner accesses our platform through an Institution's LMS via LTI 1.3, we may receive the following identity and context data from the LMS. Display name and email address, even if transmitted by the institution's LMS, are not stored or processed by Scalable Learning.

Identity and context data (received from the LMS via LTI 1.3):

  • LTI user identifier (an institution-assigned pseudonymous ID)
  • Course name, section, and enrollment role (e.g., learner, instructor)
  • Institution name and LMS context identifiers

Learning activity data (generated by platform use):

  • Learner responses to case study prompts and simulation exercises
  • AI coaching exchanges and feedback interactions
  • Completion status, scores, and progress records
  • Timestamps of platform activity

What we do not collect:

  • Display names or email addresses (even if transmitted by the LMS, these are discarded and not stored)
  • Social Security numbers or government-issued ID numbers
  • Financial account information or payment card data
  • Health or medical records
  • Biometric data
  • Data from minors under 13 (our platform is designed for post-secondary learners)
  • Any data outside of the institutional LTI session context

4. How We Use Data

We use learner and institutional data exclusively for the following purposes:

  • Delivering the learning experience to enrolled learners within the contracting Institution
  • Generating AI-assisted coaching responses and feedback within active sessions
  • Providing completion and performance data to instructors and institutional administrators via LTI grade passback
  • Diagnosing and resolving platform issues
  • Fulfilling our contractual obligations to the Institution

We may use anonymized, aggregate usage data (such as completion rates and navigation patterns) to analyze and improve platform performance. Individual learner data is not used for this purpose.

We do not:

  • Sell, rent, or share learner data with third parties for any commercial purpose
  • Use learner data for advertising or marketing
  • Use learner data to train, fine-tune, or otherwise improve AI or machine learning models
  • Disclose learner data to any party other than the contracting Institution without explicit written authorization, except as required by law

5. AI Features and Third-Party Inference

Our platform uses third-party AI inference services to generate coaching responses. When a learner submits a response, relevant session content is transmitted to our AI provider's API for inference (response generation) only. Our AI provider does not retain submitted data for model training purposes. No learner personally identifiable information is transmitted beyond what is necessary to generate a contextually appropriate coaching response.

Our current AI inference provider is listed in Section 11 (Subprocessors). Any AI inference provider we engage is required to operate under a Data Processing Agreement that restricts use of submitted data to inference only. We will notify contracting Institutions of any change in AI inference provider with at least 30 days' written notice.

6. Data Storage and Infrastructure

All platform data is stored and processed using Amazon Web Services (AWS) infrastructure located in the United States (us-east-1 region). No learner data is transferred outside the United States except as explicitly authorized in writing by the Institution.

AWS is a sub-processor subject to AWS's Data Processing Addendum and AWS's FERPA-eligible service commitments.

7. Data Retention and Deletion

Data Type Retention Period
Active learner data Duration of the institution's contract
Post-contract data 30 days following contract termination
Anonymized aggregate usage data Up to 24 months for platform improvement

Following the 30-day post-termination period, all institution-identifiable and learner-identifiable data is permanently deleted from production systems and backups.

Data export: Institutions may request a complete export of their learner data at any time during the contract term. Exports will be provided in a standard machine-readable format (CSV or JSON) within 10 business days of a written request.

8. Security Practices

Scalable Learning implements the following security controls to protect learner and institutional data:

  • Encryption in transit: All data transmitted between learners, the platform, and our infrastructure is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All stored data is encrypted at rest using AES-256.
  • Access control: Administrative access to platform systems is restricted to authorized Scalable Learning personnel and requires multi-factor authentication (MFA).
  • Least privilege: Access to learner data is limited to personnel with a documented operational need.
  • Infrastructure security: Platform infrastructure is fully hosted on AWS. We leverage the AWS shared responsibility model; AWS maintains physical and hypervisor-layer security.
  • Network security: AWS WAF is enabled with managed rule groups covering OWASP Top 10 and known malicious inputs. API Gateway provides additional request authentication, rate limiting, and input validation.
  • Vulnerability management: We monitor and apply security patches to application dependencies on a regular basis. Infrastructure-level vulnerability management is handled by AWS as part of the shared responsibility model.

9. FERPA Compliance

Scalable Learning acknowledges that student education records are protected under FERPA (20 U.S.C. § 1232g). As a service provider acting on behalf of educational institutions:

  • We process student education records only as directed by and for the benefit of the contracting Institution.
  • We do not disclose education records to any third party without the written consent of the Institution, except as permitted by FERPA.
  • We support the Institution's obligations to respond to student requests for access, correction, or deletion of their education records.
  • We will promptly notify the Institution of any confirmed or suspected unauthorized disclosure of education records.

10. Breach Notification

In the event of a confirmed security incident involving unauthorized access to or disclosure of learner or institutional data, Scalable Learning will:

  1. Notify the affected Institution within 72 hours of confirming the breach
  2. Provide a written incident report describing the nature of the breach, data affected, and steps taken to contain it
  3. Cooperate with the Institution's response and any required regulatory notifications
  4. Conduct a post-incident review and share findings with the Institution upon request

11. Subprocessors

Subprocessor Purpose Location
Amazon Web Services (AWS) Cloud infrastructure and data storage United States
Anthropic, PBC AI inference (response generation only) United States

We will notify contracting Institutions of any material changes to our subprocessor list with at least 30 days' written notice.

12. Institutional Rights and Responsibilities

Institutions that contract with Scalable Learning retain:

  • Ownership of all student and institutional data processed through the platform
  • The right to access, export, or delete their data at any time during the contract term
  • The right to audit Scalable Learning's data handling practices upon reasonable written notice
  • Responsibility for obtaining any required consents from learners as required by applicable law or institutional policy

13. Contact

Questions about this policy, data handling practices, data export requests, or security concerns should be directed to:

Scalable Learning LLC
Privacy Contact: Chip Cleary, Co-Founder
Email: ccleary@scalablelearning.net
Phone: 312-274-0330
Address: 401 S LaSalle St, Suite 800F, Chicago, IL 60605

14. Policy Updates

We will notify contracting Institutions of material changes to this policy with at least 30 days' written notice prior to the effective date of the change. The current version of this policy is maintained at https://www.scalablelearning.net/privacy-policy and will be provided upon request.