What Data We Collect
A complete inventory of the data elements we collect, why, and how they're protected.
Impact Suite practices data minimization — we collect only the information necessary to provide our safety and wellness services. All data is encrypted at rest (AES-256) and governed by role-based access controls; the most sensitive categories carry stricter access controls and PHI handling.
Student information (FERPA-protected)
Name, date of birth, grade level, school/building assignment, and SIS ID (required for identification and rostering); optional demographic fields (gender, race/ethnicity), contact information, safety status, tier classification, assigned counselor, class enrollments, academic performance, and attendance — used for intervention planning and risk assessment.
Guardian / family information
Guardian name, email, phone, and relationship to student (required for communication and emergency contact); optional address, demographics, and SIS ID.
Staff / faculty information
Name, email, role/position, and school/district assignment (required for permissions and reporting); optional phone, demographics, team memberships, SIS ID, and class assignments.
Behavioral concerns & tips
Concern description, date/time, type/category, urgency, students involved, and reporter; optional location, attachments/photos, and anonymous-tip metadata (SafeTip ID, submitter info if voluntarily provided). Mandatory-reporting flags are tracked for compliance.
Threat & suicide-risk assessments
Assessment type/framework (e.g. CSTAG, NTAC, Salem-Keizer, ASQ, C-SSRS), date, status, risk level, interviewer, and clinical interview notes; risk factors such as ideation, threat specificity, weapon access, prior attempts, and protective factors. Clinical and health-related fields are handled as PHI under stricter controls.
Intervention plans & safety planning
Safety-plan details, supervision requirements, behavioral interventions, mental-health services, accommodations, family-involvement plans, monitoring schedules, emergency contacts, coping strategies, and progress data.
Case management
Case title, type, status, priority, assigned manager, dates, notes, associated concerns, and attachments.
Training & compliance
Training completion records, timestamps, module progress, quiz results, certificates, and policy acknowledgements (with change-log tracking).
AI chat & knowledge
Chat messages and metadata, AI-response feedback, and knowledge-base references (see AI data handling).
System & usage data (automatic)
Login/access logs, IP address, session and authentication tokens (JWT, 90-minute expiry), failed-login attempts, admin-impersonation logs, and file/API activity — retained for security monitoring and audit.
What we do not collect
Social Security numbers, financial/payment information, biometric data, geolocation beyond school assignment, browsing history, social-media content, religious affiliation, political views, family income, or immigration status.
Retention
| Data category | Retention |
|---|---|
| Active student records | While enrolled / account active |
| Graduated / transferred students | Configurable per district (default aligned to educational need) |
| Concerns, cases, assessments, intervention plans | Aligned to educational & regulatory need |
| Training records | Per compliance requirements |
| Access/audit logs | 6 years (FERPA/HIPAA) |
| Operational logs | 30 days |
Retention is customizable per district via the Data Processing Agreement (Exhibit D) — see Customization & Alignment. Deletion follows Secure Deletion practices.