top of page

Lennections Privacy Policy

Effective date: September 16, 2025
Who we are: Lennections Inc. ("Lennections," "we," "us," or "our").
Covered services: www.lennections.com and any related sites or apps we operate, including our educator platforms and services (collectively, the "Services").

1) Scope & Relationship With Schools & Districts

 

This Privacy Policy explains how we collect, use, disclose, and protect Personal Information when you visit our websites, create an account, or use our Services.

For school districts and individual schools (including public, private, charter organizations, regional service centers, and consortia), Lennections acts as a service provider (and a FERPA “school official” with a legitimate educational interest) when processing Student Data on behalf of an educational agency or institution (an Education Agency). We process Student Data solely to provide the Services to the Education Agency, in accordance with our agreement and its written instructions.

Student access & registration. Students access the Services only through Education Agency‑managed methods (e.g., district SSO, LTI launch from an LMS, SIS/LMS rostering, or teacher‑provisioned accounts). We do not permit direct student self‑registration on our public marketing site.

This Policy also applies when educators, parents/guardians, and students use our Services as authorized by an Education Agency.

2) Key Definitions

 

Personal Information means information that identifies, relates to, describes, or can reasonably be linked to an individual or household.
Student Data means Personal Information that we process on behalf of an Education Agency about a student, parent/guardian, or educator in connection with educational purposes.
Education Agency means a U.S. K–12 public school district, individual school (public or private), charter network, regional service center/consortium, or similar entity that contracts for or authorizes use of the Services. References to “School” in this Policy include Education Agencies.
De‑identified/aggregated data means data that cannot reasonably be used to identify an individual.

3) Information We Collect

 

We collect the following categories of information (depending on your relationship with us and your use of the Services):

Identifiers and contact details. Name, email address, school/district, role, grade/subject focus, account IDs, and similar identifiers.
Account and profile data. Credentials, preferences, roster/section details provided by Schools, and settings.
Student work and education records (Student Data). Student responses, submissions, scores/feedback, progress indicators, assessment assignment metadata, and related instructional context provided by educators or imported by the School.
Commercial information. Order history, quotes, transactions, and billing details processed by our payment providers.
Internet or device activity. Log files, IP address, device/browser type, pages viewed, session metadata, and interactions with our sites/apps.
Support communications. Messages and content you send to our support team.
Inferences. Limited inferences we derive to improve and personalize the Services (not for behavioral advertising).

We do not knowingly collect sensitive categories such as precise geolocation, biometric templates, or government IDs for typical use of the Services. Schools may enter limited health‑ or disability‑related flags to provide accommodations, solely for educational purposes at the School’s direction.

4) Sources of Information

  • Directly from you when you register, request a demo/quote, place an order, or contact support.

  • From Districts and Schools via roster files, SIS/LMS integrations, LTI launches, or educator input.

  • Automatically from your browser or device when you access our Services.

  • Service providers that support identity, analytics (marketing site only), hosting, and payments.
     

4a) Data Ownership & Control

Student Data (Education Agency‑provided records). The Education Agency (district or school) owns and controls Student Data. Lennections does not claim ownership of Student Data and processes it only to provide the Services at the Education Agency’s direction.
Educator/Admin content. Educators and Education Agencies retain ownership of instructional materials and other content they upload or create; you grant Lennections a limited license to host, process, and display that content as needed to operate the Services.
Marketing‑site personal data. Individuals retain their rights in personal data submitted via our website forms; Lennections acts as controller for that activity solely to run the website, fulfill requests, and comply with law.
Lennections IP. Lennections owns the platform, software, and content we supply. This Policy does not transfer our intellectual property rights.

5) How We Use Information

 

We use Personal Information to:

  • Provide, operate, secure, and troubleshoot the Services;

  • Create and manage accounts;

  • Deliver assessments, feedback, and reporting;

  • Process orders and payments;

  • Provide customer support and communicate about the Services;

  • Analyze usage to improve quality, reliability, and performance;

  • Develop new features and content;

  • Comply with law, enforce terms, and protect rights, safety, and integrity.
     

We may use de‑identified and/or aggregated data for analytics and to improve the Services. We will not attempt to reidentify de‑identified data.

6) No Sale or Sharing; Student Advertising Restrictions

 

We do not sell or share Personal Information as defined by CPRA (including cross‑context behavioral advertising). We do not use or disclose Student Data for targeted advertising or for creating profiles for marketing purposes. We do not permit third‑party advertising networks in student‑facing Services.

We do not use sensitive Personal Information for purposes that require a right to limit under CPRA.

7) Cookies and Similar Technologies
 

We use cookies and similar technologies to operate and secure the Services, understand usage, and improve performance.

Controls. You can manage cookies through your browser settings. On our marketing site, you may also use the Cookie Preferences link in the footer to opt out of non-essential analytics cookies. Student-facing Services use only cookies necessary for authentication, security, and core functionality; we do not serve third-party ads.

Cookie categories & examples (subject to change):

  • Essential (Services). session_id, csrf_token, load-balancer/route cookies — required to sign in, keep you logged in, and protect against fraud; expire at end of session or within 12 months.

  • Preferences (Marketing site). cookie_consent — records your cookie choices; typically 6–12 months.

  • Analytics (Marketing site, if enabled). e.g., Google Analytics cookies — help us understand site usage; not used in student experiences. You can opt out via Cookie Preferences.

For a current list of cookies used on the marketing site and their lifespans, check the Cookie Preferences panel.

8) How We Disclose Information

 

We disclose Personal Information to:

  • Service providers/contractors (e.g., hosting, analytics, support, email, identity/SSO, payment processing) bound by contractual confidentiality and use restrictions;

  • Education Agencies (districts and schools) and authorized educators, as needed to deliver the Services;

  • Successors in a merger, acquisition, or similar transaction (subject to this Policy or substantially similar protections);

  • Authorities when required by law or to protect rights, safety, or integrity.
     

Current subprocessors (as of the Effective Date). We engage service providers to help deliver the Services. The core categories and examples include:

  • Hosting & infrastructure: Typical data elements: customer account identifiers, content stored and processed within the Services, and system logs necessary to operate the platform.

  • Database services: Typical data elements: application database records (including Student Data entered by the Education Agency), backups, and metadata required for reliability and performance.

  • Application hosting: Typical data elements: application binaries and runtime configuration, operational logs, and limited metadata needed to run the application.

  • Customer support/in‑product messaging (educator/admin only): Typical data elements: educator/admin name, email, role, and support messages; not used in student‑facing experiences.

  • Payments (if you purchase directly): Typical data elements: billing contact info, invoice details, and transaction metadata (card data handled by the processor and not stored by Lennections).
     

For each service provider, we share only the minimum data necessary for the stated purpose, and we require comparable security and privacy commitments. We remain responsible for our service providers’ processing of Student Data.

Changes to subprocessors. If we add or replace a subprocessor that handles Student Data, we will update this list and notify Education Agency administrators (e.g., via email or in‑product notice) at least 30 days before the change takes effect, where contractually required.

We do not allow service providers to use Student Data for their own marketing. We require them to implement appropriate security controls and to delete data when services end or as instructed.

9) Data Retention and Deletion

 

High-level rules. We retain Personal Information only as long as necessary for the purposes described in this Policy or as required by law. When retention ends, we delete or de-identify data. Backups roll on fixed schedules, so complete purge may take additional time after primary deletion.

9A) Deletion on Request — Timelines

  • Marketing-site personal data (non-Education-Agency accounts). Upon a verified deletion request, we delete active records within 30 calendar days and complete backup overwrites within 65 days of confirmation, absent legal holds.

  • Student Data (Education Agency context). We act on the Education Agency’s written instruction. After the Education Agency approves/initiates deletion, we delete active Student Data within 30 calendar days and complete backup overwrites within 65 days, unless a longer period is required by law or a documented disaster-recovery cycle.

  • We will confirm completion to the requester (or to the Education Agency, for Student Data).

9B) Standard Retention Schedule

The table below summarizes typical retention. Contract terms or law may specify different periods.

Privacy Policy

9C) End‑of‑Contract/School Year

  • On Education Agency request or contract termination: We delete or return Student Data within 30 days and complete backup overwrites within 65 days, unless law requires longer retention.

  • Annual cycle: Prior‑year student progress data is de‑identified for reporting continuity and then purged on the schedule above.

10) Your Privacy Rights

 

Depending on your jurisdiction (e.g., California, Colorado, Connecticut, Utah, Virginia) you may have rights to:

  • Know/Access the categories and specific pieces of Personal Information we collected about you;

  • Correct inaccurate Personal Information;

  • Delete Personal Information;

  • Opt out of sale or sharing of Personal Information and of certain profiling (we do not sell or share);

  • Limit the use/disclosure of sensitive Personal Information (we do not use it for purposes requiring this right);

  • Non‑discrimination for exercising privacy rights.

 

How to exercise your rights. Email info@lennections.com and describe your request. We may need to verify your identity (and your authority, if you are an agent). For Student Data, we will route the request to the appropriate School, which controls those records. Where required by state law, you may appeal a denial by replying to our decision email with “Appeal.”

Global Privacy Control (GPC). If we ever engage in sale/sharing on the marketing site, we will honor browser‑based opt‑out signals, including GPC. Today, because we do not sell/share, GPC does not change your experience.

Shine the Light. California residents may request a list of third parties (if any) to which we disclosed Personal Information for their own direct marketing in the past 12 months. We do not share for such purposes, but you may still contact us to confirm.

11) Children’s Privacy (COPPA) & FERPA

 

We do not knowingly collect Personal Information directly from children under 13 outside of the Education Agency context. When Student Data relates to children under 13, we rely on the Education Agency to provide or obtain any required parental consent under COPPA.

Under FERPA, Lennections acts as a School Official with a legitimate educational interest, and uses Student Data only for educational purposes authorized by the Education Agency. Parents/eligible students seeking to access, review, or correct education records should contact their district or school; we will support the Education Agency in responding.

We do not serve third‑party advertising in student‑facing Services, nor do we build behavioral profiles for students for marketing.

12) Security

 

We implement administrative, technical, and physical safeguards designed to protect Personal Information, including:

  • Encryption in transit and at rest for Personal Information;

  • Access controls (least‑privilege, role‑based access, and authentication safeguards);

  • Network and application security monitoring, logging, and vulnerability management;

  • Backups and continuity practices designed for resiliency and recovery; and

  • Employee security program with training and confidentiality obligations.
     

Authentication & Access

Strong passwords. We enforce password requirements for educator/admin accounts and encourage Schools to apply their identity policies.
 

Single sign‑on (SSO) / LTI support. When enabled by a School, users may sign in using district‑managed SSO or launch via LTI from an LMS; student self‑registration on our marketing site is not permitted.
 

Multi‑factor authentication (MFA). Where supported by the School’s identity provider, MFA can be enforced for users under the School’s control.
 

Security notices. In the event of a confirmed security incident affecting Personal Information, we will notify the School or affected individuals without undue delay and provide information to support investigation and remediation, consistent with applicable law.

13) International Users (GDPR/UK GDPR)

 

Our Services are primarily designed for U.S. K‑12 customers. If you are located in the EEA/UK and use our marketing site, Lennections is the controller for that activity. Our legal bases may include consent, contract, legitimate interests, and compliance with legal obligations. We may transfer Personal Information to the U.S. and other countries using appropriate safeguards (such as Standard Contractual Clauses). You may have GDPR rights analogous to those listed above; to exercise them, contact privacy@lennections.com.

14) Third‑Party Links and Services

 

Our Services may link to third‑party sites or services. Their privacy practices are governed by their own policies. We encourage you to review those policies.

15) Changes to This Policy

 

We may update this Policy from time to time. We will post the updated Policy with a new effective date. If changes materially affect your rights, we will provide additional notice (e.g., via email or in‑product messaging) where required.

16) Contact Us

 

Lennections Inc.
106 Twilight Overlook, Canton, GA 30114
Email: info@lennections.com
Phone: 470‑708‑0755

If you are a School customer, your primary contact is your account representative or our support team; we will coordinate with you to address Student Data requests.

Appendix: School Data Processing Addendum (Summary)

  • Purpose. Process Student Data only to provide the Services to the School and for no other commercial purpose.

  • School Instructions. Process Student Data solely on documented instructions from the School.

  • Security. Maintain appropriate security measures; notify the School of a confirmed breach without undue delay and cooperate with investigation and remediation.

  • Subprocessors. Engage subprocessors under written contracts requiring comparable protections; provide a current list on request.

  • Data Subject Requests. Forward parent/eligible student requests to the School; assist the School in fulfilling them.

  • Deletion/Return. Delete or return Student Data to the School at contract end or upon written request, subject to limited backup retention cycles.

  • Audits. Provide information necessary to demonstrate compliance and allow reasonable assessments by the School or its designee.

  • No Sale/Ads. Do not sell, share, or use Student Data for targeted advertising or profiling unrelated to educational purposes.

bottom of page