Privacy Policy

1. Introduction

AskK12 (“AskK12,” “we,” “our,” or “us”) is a product of Sunflower, LLC, an education technology company specializing in data intelligence for K-12 school districts. AskK12 provides school districts with an embeddable AI chatbot that answers parent and community questions using district-approved content.

This Privacy Policy explains how we collect, use, and protect information in connection with the AskK12 chatbot product, the AskK12 website (askk12.com), and the AskK12 administrative dashboard.

2. Chatbot Visitors: Privacy and Data Protection

If you interact with an AskK12 chatbot on a school district website, please note the following:

• We do not collect, store, or sell any personally identifiable information (PII) from chatbot conversations.
• All chatbot interactions are fully anonymous. Conversations are identified by a randomly generated session ID stored in your browser’s local storage — not linked to any personal identity, account, or login.
• We do not use cookies for chatbot interactions. The anonymous session ID is stored locally on your device and is never transmitted to third parties.
• Chatbot conversations are stored temporarily for session continuity (default: 24 hours) and for aggregate analytics visible only to the district’s administrators. Individual conversations are not reviewed, shared, or sold.
• Student data is never used to train, fine-tune, or improve AI models. This is an explicit, non-negotiable policy — not fine print.

3. Information We Collect

3.1 District Administrator Accounts

When a district administrator creates an account on askk12.com, we collect:

• Name
• Email address
• Password (hashed using bcrypt — we never store plaintext passwords)
• District affiliation and role

3.2 Chatbot Configuration Data

District administrators provide the following data to configure their chatbot:

• Q&A entries (trigger phrases and answers)
• Website URLs for crawling and indexing
• Branding settings (colors, logos, display names)
• Welcome messages and fallback responses

3.3 Chatbot Conversation Data

When visitors use an AskK12 chatbot, we collect:

• The question asked and the answer provided
• An anonymous, randomly generated visitor ID (not linked to any personal identity)
• The language selected by the visitor
• Feedback ratings (helpful / not helpful) if the visitor chooses to provide them
• Timestamp of the interaction

We do not collect IP addresses, browser fingerprints, device identifiers, or any other data that could identify individual visitors.

3.4 Demo Request and Contact Information

If you submit a demo request or contact form on askk12.com, we collect the information you provide (name, email, district name, role, state, and any optional message). This information is used solely to respond to your inquiry.

4. How We Use Information

• Provide, maintain, and improve the AskK12 chatbot service
• Generate aggregate analytics for district administrators (top questions, unanswered rate, engagement trends)
• Authenticate administrator accounts and manage sessions
• Send transactional emails (account creation, password reset, feedback notifications)
• Respond to demo requests and support inquiries
• Comply with legal and contractual requirements

5. AI and Third-Party Services

AskK12 uses OpenAI’s API to generate AI-assisted responses when a visitor’s question is not covered by a district’s curated Q&A entries. When this occurs:

• Only the visitor’s question and relevant crawled website content are sent to OpenAI
• No personally identifiable information is transmitted
• No student data is ever sent to OpenAI or any other AI provider
• OpenAI does not use API inputs to train their models (per OpenAI’s API data usage policy)
• District-curated Q&A answers are returned directly from our database without any AI processing

5.1 Subprocessors

• Neon PostgreSQL — Encrypted database hosting
• OpenAI — AI-assisted response generation (text-embedding-3-small for semantic search, GPT-4o-mini for response synthesis)
• Zoho Mail — Transactional email delivery
• Replit — Application hosting and deployment

6. Data Sharing

• We do not sell data. District data, conversation data, and visitor data are never sold to third parties under any circumstances.
• We do not share data between districts. Each district’s chatbot data is completely isolated through multi-tenant architecture with strict access controls.
• We do not use data to train AI models. Conversation data is never used to train, fine-tune, or improve any machine learning model.
• We may disclose information if required by law or to protect the safety or security of users.

7. Data Security

We implement the following security controls:

• TLS 1.2+ encryption for all data in transit (HTTPS)
• Database encryption at rest via Neon PostgreSQL
• bcrypt password hashing for administrator accounts
• Role-based access controls with multi-tenant data isolation
• Secure session management with httpOnly, secure cookies
• Rate limiting on public chatbot endpoints (15 requests per minute per IP)
• Daily message limits per chatbot to prevent abuse
• Prompt injection guards on AI-generated responses

8. FERPA Compliance

AskK12 is designed with FERPA (Family Educational Rights and Privacy Act) alignment at its core:

• AskK12 chatbots do not collect, store, or process student education records
• No personally identifiable student information is used in any AI processing
• Chatbot responses are generated from publicly available district website content and administrator-curated Q&A entries
• All data is isolated per district with strict access controls
• Districts retain full control over what content is available through their chatbot

9. Data Retention

• Chatbot conversations: Retained for the session timeout period configured by the district (default: 24 hours). Aggregate analytics data (question counts, categories, feedback) is retained while the district’s service agreement is active.
• Administrator accounts: Retained while accounts are active. Districts may request account deletion at any time.
• Crawled website content: Re-crawled on a schedule configured by the district (manual, daily, or weekly). Previous content is replaced upon re-crawl.
• Q&A entries: Retained until deleted by a district administrator or until the service agreement ends.

10. Children’s Privacy

AskK12 is intended for use by district administrators and community members (parents, guardians, and the public). We do not knowingly collect personal information from children under 13. The chatbot does not require login, does not ask for personal information, and does not identify users.

11. Cookies

The AskK12 administrative dashboard uses essential cookies for authentication and session management. The public-facing chatbot widget does not use cookies — it uses browser localStorage for an anonymous session ID only. We do not use analytics, advertising, or third-party tracking cookies.

12. Your Rights

District administrators may:

• Access, correct, or delete their account information at any time
• Delete Q&A entries, crawl sources, and conversation history through the admin dashboard
• Request complete data deletion by contacting us at support@askk12.com
• Disable their chatbot at any time through the admin settings

Chatbot visitors may clear their anonymous session at any time by clearing their browser’s localStorage. No account or personal data is associated with chatbot usage.

13. Security Incident Notification

If a confirmed security incident impacts district data, we will notify affected districts without unreasonable delay in accordance with applicable state and federal requirements.

14. Business Transfers

If Sunflower, LLC is involved in a merger, acquisition, or asset sale, data may transfer to the successor entity under equivalent privacy protections. Affected districts will be notified.

15. Contact Information

For privacy inquiries, data requests, or questions about this policy:

• Email: support@askk12.com
• Website: askk12.com

16. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material updates will be communicated to district administrators via email. The “Last Updated” date at the top of this policy will be revised accordingly.