Privacy Policy
Last updated: March 24, 2026
1. Introduction
PsyFlow ("we," "our," "us") is committed to protecting your privacy and the privacy of students whose education records you enter into our platform. This Privacy Policy describes what information we collect, how we use it, how we protect it, who we share it with, and your rights regarding that information. This policy applies to all users of the PsyFlow web application and related services. By using PsyFlow, you agree to the collection and use of information as described in this policy. Please also review our Terms of Service, which governs your use of the Service.
2. Data Controller and Data Processor
For the purposes of data protection law, the roles are as follows:
- You (the school psychologist) are the data controller for student education records. You determine which student data to enter into PsyFlow, the purpose for which it is processed, and the lawful basis for entering that data into a third-party platform.
- PsyFlow is a data processor that processes student education records on your behalf and at your direction, solely for the purpose of providing the Service.
- For your own account information (email, name, credentials), PsyFlow acts as both controller and processor.
You are responsible for the accuracy of the data you enter and for ensuring that you have a lawful basis for entering student education records into PsyFlow.
3. Information We Collect
We collect only the information necessary to provide the Service. We organize the data we collect into the following categories:
a. Account Information
When you create an account, we collect:
- Email address
- Full name
- Professional credentials and title
- School and district information
- Account preferences and settings
b. Student Education Records
You may enter the following student data into PsyFlow in the course of your professional duties:
- Student names, dates of birth, grades, and schools
- Assessment scores, behavioral ratings, and cognitive profiles
- IEP evaluation data (due dates, forms status, observation notes, meeting information)
- SST request data (referral information, response timelines, outcomes)
- 504 plan data (renewal dates, meeting dates, accommodations)
- Counseling group records and session notes
- Interview notes, observation data, and clinical notes
- Family history, health and development information, and educational history as reported by parents, teachers, or other sources
c. Assessment Data
When you upload assessment PDF documents (e.g., WIAT-4, BASC-3, Conners 4, ASRS), PsyFlow extracts standardized scores, percentiles, descriptive ranges, and other assessment data from those documents. This extracted data is stored in your account and used to populate reports.
d. Report Content
PsyFlow stores all data related to reports you create, including: input data you provide for each section, AI-generated draft text, your edits and revisions, and final report content. This data is necessary to provide the report generation and export features.
e. Usage and Error Data
We collect minimal technical data for error tracking and reliability purposes only. Specifically, we use Sentry for error monitoring, which captures: page errors, stack traces, browser type, and technical metadata needed to diagnose bugs. We do NOT collect behavioral analytics, page views, click tracking, user journeys, heatmaps, or any other usage profiling data. We have no analytics scripts running on PsyFlow.
f. Uploaded Files
PDF assessment reports and other documents you upload are stored in cloud storage (Supabase Storage) with per-user access controls. These files are used solely for score extraction and report generation within your account.
4. How We Use Your Information
Each type of data we collect is used for a specific, limited purpose:
- Account information: To authenticate your identity, populate report defaults (your name, credentials, school, district), and communicate with you about your account and the Service.
- Student education records: To populate reports and report sections, track evaluation timelines and compliance deadlines, display caseload information and dashboard alerts, and manage SST/504/counseling workflows.
- Assessment data: To perform deterministic (rule-based) score interpretation, populate score tables in reports, and provide descriptive ranges and classifications.
- Report content: To generate AI-assisted narrative sections, store and display your report drafts, enable editing and revision, and export professional .docx documents.
- Usage and error data: To diagnose bugs, fix errors, and improve the reliability and performance of the Service.
- Uploaded files: To extract assessment scores and populate reports.
We do NOT use your data for any of the following purposes:
- Advertising or marketing to third parties
- User profiling or behavioral analytics
- Selling, renting, or leasing to any third party
- Training AI models (see Section 5 for details)
- Any purpose unrelated to providing and maintaining the Service
5. AI Data Processing
PsyFlow uses the Anthropic Claude API to generate narrative sections of psychoeducational reports. This section explains exactly how student data is handled in connection with AI processing.
What Data Is Sent to Anthropic
When you generate a report section that uses AI assistance, PsyFlow sends only the data relevant to that specific section to the Anthropic API. Depending on the section, this may include: student demographics (name, age, grade), assessment scores and results, interview notes and responses, observation data, behavioral rating summaries, and family/health/educational history information. Only the minimum data necessary for the specific section being generated is transmitted.
What Anthropic Does With the Data
- Anthropic processes the API request and returns generated narrative text.
- Anthropic does NOT retain your data or use it for model training. PsyFlow uses Anthropic's commercial API, which operates under a zero-retention data policy. API inputs and outputs are not stored by Anthropic after processing and are not used to train, improve, or develop AI models.
- Data sent to Anthropic is encrypted in transit (TLS 1.2+) and processed in the United States.
- Anthropic does not share API data with any third parties.
What PsyFlow Does With AI Output
AI-generated text is stored as a draft within your PsyFlow account. You then review, edit, and finalize the text before it becomes part of your report. PsyFlow stores the generated text, your edits, and the final version.
For more information about Anthropic's data handling practices, see Anthropic's Privacy Policy.
6. Data Storage and Security
PsyFlow takes the security of your data seriously. The following measures are in place to protect your information:
Infrastructure
- Database: Supabase (PostgreSQL) hosted in the US-West region on Amazon Web Services (AWS) infrastructure.
- Application hosting: Vercel (United States), serverless architecture with no persistent local storage.
- File storage: Supabase Storage with per-user access controls, hosted on AWS.
Encryption
- In transit: All data transmitted between your browser and PsyFlow's servers is encrypted using TLS 1.2 or higher.
- At rest: All data stored in the database and file storage is encrypted using AES-256 encryption.
Authentication and Access Control
- Authentication is handled via Supabase Auth with bcrypt password hashing.
- Row-Level Security (RLS) policies enforce data isolation so that each user can only access their own organization's data.
- Uploaded files are protected by per-user storage access controls.
Error Monitoring
- Sentry is used for error monitoring. Sentry captures error traces and technical metadata only — no personally identifiable information (PII) or student data is sent to Sentry.
Additional Measures
- No customer data is stored on local devices, personal computers, or employee machines.
- Security measures are reviewed and updated regularly to address emerging threats.
- While we implement industry-standard security practices, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we take all reasonable measures to protect your data.
7. Data Retention
- Account data: Retained for as long as your account is active.
- Student data: Retained for as long as your account is active. You may delete individual student records at any time through the application.
- Uploaded PDFs: Retained for as long as your account is active. You may delete individual files at any time.
- Report content: Retained for as long as your account is active or until you delete a report.
- Error logs (Sentry): Retained for 90 days and then automatically deleted.
- Upon account deletion: All data associated with your account — including student records, reports, uploaded files, and account information — will be permanently deleted within 30 days of your deletion request.
- Backup systems: Encrypted backups may retain copies of your data for up to 90 days after deletion for disaster recovery purposes. After 90 days, backup copies are purged.
- Anonymized data: We may retain anonymized, aggregated statistics that cannot identify any individual user or student (e.g., total number of reports generated across all users). This data cannot be linked back to you or any student.
8. Data Sharing and Third Parties
We do not sell, rent, lease, or trade your data to anyone. The following is a complete list of third parties that may receive or process any of your data in connection with the Service:
- Anthropic (AI narrative generation) — Receives limited student data solely for generating report text via API. Operates under a zero-retention policy; does not store, retain, or use data for model training.
- Supabase (database and file hosting) — Infrastructure provider that stores and processes your data. Operates under their terms of service and data processing agreement. Does not independently access or use your data.
- Vercel (application hosting) — Hosts the PsyFlow web application. Serverless architecture with no persistent storage of user data. Does not access stored database content.
- Sentry (error monitoring) — Receives error traces and technical metadata only. Does not receive student data or personally identifiable information.
We do NOT share your data with:
- Advertisers or ad networks
- Data brokers or data aggregators
- Analytics companies or behavioral tracking services
- Social media platforms
- Marketing or email list companies
- Any other third party not listed above
Legal Disclosure. We may disclose your data only if required to do so by law, such as in response to a valid subpoena, court order, or government investigation. If we receive such a request, we will notify you as promptly as possible unless we are legally prohibited from doing so, so that you may seek a protective order or other remedy.
9. FERPA Compliance
Important
PsyFlow processes student education records as a service provider to authorized school officials. This section describes how PsyFlow supports FERPA compliance, but compliance with FERPA is ultimately your responsibility as the authorized school official.
- PsyFlow processes student education records as a "school official" service provider under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and its implementing regulations at 34 CFR Part 99.
- Under FERPA (34 CFR § 99.31(a)(1)), a school may disclose education records without consent to a school official with a legitimate educational interest. PsyFlow operates as a service that you use in the exercise of your legitimate educational interest.
- You must ensure that PsyFlow meets your school district's criteria for an authorized service provider or "school official" as defined in the district's annual FERPA notification.
- We strongly recommend establishing a written agreement (such as a Data Processing Agreement or Memorandum of Understanding) with your school district regarding your use of PsyFlow before entering student data.
- PsyFlow does not: independently access, collect, or solicit student education records; share student records with unauthorized parties; use student records for any purpose other than providing the Service at your direction; or allow access to student data by PsyFlow employees except as necessary for technical support and maintenance.
- If a parent or eligible student requests access to their education records, that request should be directed to the school district — not to PsyFlow. PsyFlow can assist you in exporting data from your account to help fulfill records requests made through your district.
- If your district determines that PsyFlow does not meet its requirements for a FERPA-compliant service provider, you must discontinue use of PsyFlow for student data and may request export and deletion of all student data from your account.
10. Children's Privacy (COPPA)
PsyFlow is designed for use by adult professionals (school psychologists and authorized school personnel). PsyFlow is not directed at children under the age of 13, and we do not knowingly collect personal information directly from children.
- Student education records are entered by authorized school professionals — not by students themselves.
- Students do not create accounts on or directly interact with PsyFlow.
- If we become aware that student data has been entered by an unauthorized person or that personal information has been collected directly from a child under 13, we will take prompt steps to delete that information.
- If you believe that a child has directly provided personal information to PsyFlow, please contact us immediately at support@psyflow.io.
11. Your Rights
You have the following rights regarding your data:
- Right of Access: You may request a complete copy of all data we hold about you, including account information, student records, reports, and uploaded files.
- Right to Export: You can export your reports as .docx files at any time through the application. You may also request a full data export in a structured, machine-readable format (JSON or CSV).
- Right to Correction: You can update or correct inaccurate data at any time through the application. If you cannot make a correction through the app, contact us for assistance.
- Right to Deletion: You may request complete deletion of your account and all associated data. Deletion will be completed within 30 days of your request.
- Right to Data Portability: You may request to receive your data in a structured, commonly used, machine-readable format so that it can be transferred to another service.
- Right to Object: You may object to the processing of your data for any reason. If you object, we will cease processing unless we have compelling legitimate grounds.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of personal information we have collected.
- Right to Opt-Out of Sale: We do not sell your personal information to anyone. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, contact us at support@psyflow.io. We will respond to your request within 30 days, or 45 days if the request is complex (we will notify you if additional time is needed).
12. Cookies and Local Storage
PsyFlow uses minimal browser storage, limited to what is necessary for the Service to function:
- Session cookies: Required for authentication. Supabase Auth uses cookies to maintain your login session. These are strictly necessary and cannot be disabled without breaking the Service.
- localStorage: Used to store UI preferences only, such as sidebar state, selected theme, column preferences, and FERPA notice dismissal status. This data is stored entirely in your browser and is never sent to our servers.
PsyFlow does NOT use:
- Third-party cookies of any kind
- Tracking pixels or web beacons
- Analytics scripts (no Google Analytics, no Mixpanel, no Amplitude, no Hotjar)
- Browser fingerprinting
- Advertising cookies or retargeting technology
13. International Data Transfers
All data collected and processed by PsyFlow is stored and processed in the United States. Our database, file storage, application hosting, and AI processing infrastructure are all located in the United States. If you access PsyFlow from outside the United States, your data will be transferred to and processed in the United States. By using PsyFlow, you consent to this transfer and acknowledge that US data protection laws may differ from those in your jurisdiction.
14. Data Breach Notification
In the event that we become aware of a data breach that affects your personal information or student education records, we will take the following steps:
- Notification to you: We will notify you via email within 72 hours of becoming aware of the breach.
- Notification to authorities: We will notify relevant regulatory authorities as required by applicable law, including state data breach notification laws.
- Content of notification: Our notification will include: a description of the nature of the breach; the types of data that were or may have been affected; the steps we are taking to investigate and remediate the breach; and recommended steps you should take to protect yourself and the students whose data may have been affected.
- Remediation: We will take immediate steps to contain and remediate the breach, including securing affected systems, investigating the scope and cause, and implementing measures to prevent recurrence.
We encourage you to also notify your school district of any data breach so that they can take appropriate action under their own breach notification policies.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes to this policy, we will notify you via email to the address associated with your account at least fifteen (15) days before the changes take effect. The "Last updated" date at the top of this policy will always reflect the most recent revision. Prior versions of this policy are available upon request by contacting us at support@psyflow.io. Your continued use of PsyFlow after the effective date of a revised policy constitutes your acceptance of the changes.
16. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or PsyFlow's data practices, please contact us at:
For FERPA-related inquiries, student data privacy concerns, or Data Processing Agreement requests, please include "FERPA" in your email subject line so we can prioritize your request.