Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

Account Information: When you create an account, we collect your name, email address, and the institution you attend.

Degree Audit Data: When you upload your degree audit, we process the academic requirements, completed courses, grades, and degree progress contained in that document. You voluntarily share this information with us, as is your right under FERPA.

Plan and Simulation Data: When you build academic plans, run what-if simulations, or interact with our AI assistant, we collect the inputs, queries, and selections you make.

Communications: If you contact us for support, we collect the content of those communications.

1.2 Information Collected Automatically

Usage Data: We collect information about how you interact with the Service, including features used, pages viewed, simulations run, plans created, and time spent on the platform.

Device and Log Data: We collect standard log information such as IP address, browser type, device type, operating system, and referring URLs.

1.3 Information We Do NOT Collect

We do not collect Social Security numbers, financial aid information, billing or payment information from students, health records, disciplinary records, or any information beyond what is contained in the degree audit you voluntarily upload.

2. How We Use Your Information

Provide the Service: To generate your personalized degree plan, run what-if simulations, power AI assistant responses, and deliver course recommendations based on your specific academic requirements.

Improve the Platform: To understand how students use Ardvarq, identify bugs, improve features, and develop new functionality.

Aggregate Research and Reporting: To produce de-identified, aggregate insights about student academic planning behavior. These aggregate reports never identify individual students. See Section 4 for details.

Communicate With You: To send service-related notifications, respond to support requests, and (with your consent) share product updates.

3. How We Store and Protect Your Data

Infrastructure: Your data is stored on Neon, a managed PostgreSQL platform that uses Amazon Web Services (AWS) infrastructure with encryption at rest (AES-256) and in transit (TLS 1.2+).

Access Controls: Access to student data is restricted to authorized Ardvarq team members who need it to operate and improve the Service. We maintain role-based access controls and audit logs.

Data Retention: We retain your data for as long as your account is active or as needed to provide the Service. You may request deletion at any time (see Section 6).

Breach Notification: In the event of a data breach affecting your personal information, we will notify affected users and any relevant institutions within 72 hours of discovery, consistent with applicable law.

4. How We Share Your Information

We do not sell your personal information. We will never sell individually identifiable student data to any third party, including advertisers, data brokers, or other commercial entities.

4.1 Aggregate and De-Identified Data

We may share aggregate, de-identified data that cannot reasonably be used to identify any individual student. For example, we may report that “43% of Biology students at a given institution explored switching to Public Health” without identifying which students did so. Aggregate reports are subject to minimum cohort sizes (no reporting on groups smaller than 10 students) to prevent re-identification.

4.2 Institutional Partners

When Ardvarq operates under a formal agreement with your institution (e.g., as part of a pilot program), we may share aggregate usage reports with that institution. These reports contain only de-identified, aggregate data unless you have provided explicit consent for individual-level sharing. We will clearly notify you if your institution has a formal partnership with Ardvarq and what data, if any, is shared under that agreement.

4.3 Service Providers

We use third-party service providers to help operate the Service (e.g., cloud hosting, AI model providers, analytics). These providers are contractually obligated to use your data only to perform services on our behalf and to maintain appropriate security measures. Current providers include Neon (database), Google and Microsoft (authentication), Anthropic and DeepSeek (AI model providers), Google (document parsing), and Vercel (hosting).

4.4 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Ardvarq, our users, or the public.

5. FERPA Compliance

Student-Initiated Sharing: When you upload your degree audit to Ardvarq, you are exercising your right under FERPA to access and share your own education records. Ardvarq does not access institutional systems or receive student data from institutions without appropriate agreements in place.

Institutional Agreements: When Ardvarq partners with an educational institution, we enter into a FERPA-compliant agreement that designates Ardvarq as a “school official” with a “legitimate educational interest” under 34 CFR §99.31(a)(1). These agreements specify the data we may access, the purposes for which it may be used, and our obligations regarding re-disclosure and security.

No Re-Disclosure: We do not re-disclose personally identifiable information from education records to any third party except as permitted by FERPA and authorized under our agreements with institutions, or with your explicit consent.

6. Your Rights and Choices

Access Your Data: You may request a copy of the personal information we hold about you at any time by contacting us at brad@bannrsystems.com.

Correct Your Data: You may request correction of any inaccurate personal information by contacting us.

Delete Your Data: You may request deletion of your account and all associated personal data at any time. Upon receiving a verified deletion request, we will delete your data within 30 days, except where retention is required by law or legitimate business need (e.g., aggregate, de-identified data that cannot identify you). To request deletion, email brad@bannrsystems.com.

Withdraw Consent: Where we rely on your consent to process data, you may withdraw that consent at any time.

Opt Out of Communications: You may opt out of non-essential communications at any time by using the unsubscribe link in any email or by contacting us.

7. Children's Privacy

Ardvarq is designed for use by college and university students who are 18 years of age or older. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will promptly delete that information.

8. Use of Artificial Intelligence

Ardvarq uses AI models to power course recommendations, what-if simulations, and the AI assistant feature. When you interact with these features, the content of your queries and relevant academic data from your uploaded degree audit are sent to our AI provider to generate responses.

We do not use your personal data to train AI models. Your academic data and conversations with the AI assistant are used only to provide you with responses in real time and are not retained by our AI provider for model training purposes.

AI-generated recommendations are informational and do not replace professional academic advising. Students should verify all recommendations with their institution's official academic advisor or registrar.

9. State-Specific Privacy Rights

Colorado Privacy Act (CPA): Colorado residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of certain processing activities. To exercise these rights, contact brad@bannrsystems.com.

California (CCPA/CPRA): If applicable, California residents have additional rights regarding their personal information, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the Service prior to the change becoming effective. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, your data, or our privacy practices, please contact us: