PRIVACY POLICY OF CERESANT SOLUTIONS, INC.

Last Updated: May 2, 2025

 

INTRODUCTION AND OVERVIEW

Welcome to the Privacy Policy of Ceresant Solutions, Inc. (“Ceresant,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our BrainDash platform and related services (collectively, the “Application”).

Ceresant is committed to protecting the privacy of all users, with special emphasis on safeguarding the sensitive information of children and students. As a company focused on mental health prevention in education, we understand the critical importance of maintaining the confidentiality and security of mental health information and educational records.

This Privacy Policy applies to information collected through Ceresant.com and the BrainDash platform. Ceresant.com serves as the delivery site through which the BrainDash platform is accessed. While Ceresant.com and BrainDash are related, they represent distinct components of our service offering, with BrainDash being the actual platform that provides mental illness risk screening and early intervention support services.

DEFINITIONS

For purposes of this Privacy Policy, the following definitions apply:

  • “Aggregated Data” means statistical information derived from personal data that has been combined to provide generalized, non-identifiable information. Aggregated data is presented at a sufficiently high level such that individual-level attributes cannot be determined.
  • “Anonymized Data” means data that has been irreversibly altered such that it can no longer be used to identify an individual, either directly or indirectly, by any means or by any person. Once data is truly anonymized, it is no longer considered personal data.
  • “BrainDash” means Ceresant’s mental illness risk screening and early intervention support platform designed for educational institutions, including all associated software, services, and content.
  • “Ceresant” means Ceresant Solutions, Inc., its employees, agents, contractors, and authorized representatives.
  • “COPPA” means the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506 and its implementing regulations.
  • “De-identified Data” means data that has been processed to remove or modify personal identifiers and where additional controls are in place to prevent re-identification. De-identified data is derived from personal data but has had identifying information removed such that the risk of identification of the individual is very remote.
  • “FERPA” means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g and its implementing regulations.
  • “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations.
  • “Mental Health Data” means any data collected through the Application that relates to a student’s mental, emotional, or behavioral health, including but not limited to screening results, risk assessments, and intervention recommendations.
  • “Personal Data” means any information that directly, indirectly, or in connection with other information allows for the identification or identifiability of a natural person.
  • “School” means any educational institution that has entered into an agreement with Ceresant to use the BrainDash platform.
  • “School Personnel” means employees, contractors, or agents of the School who are authorized by the School to access the Services.
  • “Student Data” means any information collected through the Services that relates to an identifiable student.
  • “User” means any individual who accesses or uses the Services, whether directly or through a School.

TYPES OF DATA COLLECTED

Student Data

We collect the following categories of Student Data:

  • Identifiers: Name, email address, school ID number, grade level, classroom assignment
  • Demographic Information: Age, gender, grade level
  • Educational Records: Academic performance data, attendance records, behavioral records
  • Mental Health Data: Responses to mental health screening questions, risk assessment results, intervention recommendations, progress tracking data

School Personnel Data

We collect the following categories of School Personnel Data:

  • Identifiers: Name, email address, job title, department
  • Account Information: Username, password (encrypted), role permissions
  • Usage Data: Login history, actions taken within the platform, features accessed

Parent/Guardian Data

We collect the following categories of Parent/Guardian Data:

  • Identifiers: Name, email address, phone number
  • Relationship Information: Relationship to student, custody status (if provided by School)
  • Communication Preferences: Notification settings, preferred contact methods

Technical and Usage Data

We automatically collect certain technical and usage information when you access our Services, including:

  • IP address 
  • Device information 
  • Browser information 
  • Operating system 
  • Session statistics 
  • Page views 
  • Interaction events

COOKIES AND SIMILAR TECHNOLOGIES

This section informs Users about the technologies that help Ceresant.com to achieve its purposes. Such technologies allow the Owner to access and store information (for example by using a Cookie) or use resources (for example by running a script) on a User's device as they interact with Ceresant.com.

For simplicity, all such technologies are defined as "Trackers" within this document – unless there is a reason to differentiate. For example, while Cookies can be used on both web and mobile browsers, it would be inaccurate to talk about Cookies in the context of mobile apps as they are a browser-based Tracker. For this reason, within this document, the term Cookies is only used where it is specifically meant to indicate that particular type of Tracker.

Some of the purposes for which Trackers are used may also require the User's consent, depending on the applicable law. Whenever consent is given, it can be freely withdrawn at any time following the instructions provided in this document.

Ceresant.com uses Trackers managed directly by the Owner (so-called "first-party" Trackers) and Trackers that enable services provided by a third-party (so-called "third-party" Trackers). Unless otherwise specified within this document, third-party providers may access the Trackers managed by them.

The validity and expiration periods of Cookies and other similar Trackers may vary depending on the lifetime set by the Owner or the relevant provider. Some of them expire upon termination of the User's browsing session.

Types of Trackers We Use:

  • Essential Cookies: Required for the Services to function properly
  • Functional Cookies: Remember user preferences and settings
  • Analytics Cookies: Help us understand how users interact with our Services
  • Security Cookies: Support security features and detect fraudulent activity

Third-Party Trackers:

We use several third-party services that may place cookies or similar tracking technologies on your device, including:

  • Cloudflare: For traffic optimization, distribution, and security
  • Google reCAPTCHA: For security and spam prevention
  • Typeform: For data collection and surveys
  • HubSpot: For analytics, customer relationship management, and marketing

Each of these third-party services has its own privacy policy governing how they use the data they collect. We require these providers to protect any data they collect.

Cookie Management:

  • Most web browsers allow control of cookies through browser settings
  • Users can typically refuse, accept, or remove cookies
  • Blocking essential cookies may impact the functionality of our Services

Do Not Track Signals:

Ceresant respects user preferences regarding tracking. When we detect a Do Not Track signal from a user's browser, we will disable non-essential cookies for that user.

How to control or delete Cookies and similar technologies via your device settings

Users may use their own browser settings to:

  • See what Cookies or other similar technologies have been set on the device
  • Block Cookies or similar technologies
  • Clear Cookies or similar technologies from the browser

The browser settings, however, do not allow granular control of consent by category.

Users can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses:

Users may also manage certain categories of Trackers used on mobile apps by opting out through relevant device settings such as the device advertising settings for mobile devices, or tracking settings in general (Users may open the device settings and look for the relevant setting).

How to opt out of interest-based advertising

Notwithstanding the above, Users may follow the instructions provided by YourOnlineChoices (EU and UK), the Network Advertising Initiative (US) and the Digital Advertising Alliance (US), DAAC (Canada), DDAI (Japan) or other similar services. Such initiatives allow Users to select their tracking preferences for most of the advertising tools. The Owner thus recommends that Users make use of these resources in addition to the information provided in this document.

The Digital Advertising Alliance offers an application called AppChoices that helps Users to control interest-based advertising on mobile apps.

Consequences of denying the use of Trackers

Users are free to decide whether or not to allow the use of Trackers. However, please note that Trackers help Ceresant.com to provide a better experience and advanced functionalities to Users (in line with the purposes outlined in this document). Therefore, if the User chooses to block the use of Trackers, the Owner may be unable to provide related features.

For more detailed information about the specific cookies we use, their purposes, and how to control them, please contact privacy@ceresant.com.

CHILDREN'S PRIVACY (COPPA COMPLIANCE)

We take children’s privacy extremely seriously and comply with the Children’s Online Privacy Protection Act (COPPA). Our Services are designed for use by educational institutions to support student mental health and are not intended for direct use by children under 13 without appropriate consent and supervision.

Age Restrictions and Verification

In compliance with COPPA, our Services are not intended for direct use by children under the age of 13. Students may only access BrainDash through school authorization or under adult supervision and cannot create accounts directly.

Parental Consent Requirements

For users under the age of 18, and particularly for children under 13, Schools are responsible for obtaining all necessary parental consents prior to allowing such users to access the Services. Schools must implement a verifiable consent mechanism that includes age-appropriate verification steps to ensure the authenticity of parental consent.

Such consent must:

  • Be obtained in writing or through a verifiable electronic process that incorporates age-appropriate verification steps, such as knowledge-based authentication, confirmation via government-issued identification, or other methods reasonably designed to verify the identity of the parent or legal guardian 
  • Clearly describe the types of data collected, how it will be used, and with whom it may be shared 
  • Inform parents of their right to review their child’s data and request its deletion 
  • Be renewed annually, with Schools required to conduct annual re-verification of parental consent, or when material changes are made to data collection or use practices

Direct Notice to Parents

Before collecting personal information from children under 13, Schools must provide direct notice to parents that:

  • Clearly and comprehensively describes the types of personal information collected
  • Explains how the information will be used
  • Identifies Ceresant as the operator collecting or maintaining the information
  • Provides both Ceresant’s and the School's contact information
  • States that parental consent is required for the collection, use, and disclosure of the information
  • Informs parents of their rights to review, delete, and refuse further collection of their child's information

This notice must be clearly and prominently displayed, written in plain language, and contain no unrelated marketing materials. Schools may use Ceresant’s template notice (available in the administrator dashboard) or create their own compliant notice.

For School-facilitated consent under COPPA, Schools must:

  • Provide the above notice to parents before collecting information
  • Obtain verifiable parental consent using methods appropriate to the level of risk
  • Maintain records of all notices sent and consents received
  • Provide a mechanism for parents to review their child's information
  • Establish a process for parents to revoke consent

Limited Collection Principle

We adhere to the principle of data minimization when collecting information from children. We only collect personal information from children that is reasonably necessary to provide our Services and do not condition a child’s participation on the disclosure of more personal information than is reasonably necessary. 

Parental Rights

Parents and legal guardians have the right to:

  • Review their child’s personal information maintained by Ceresant
  • Request deletion of their child’s personal information
  • Refuse to permit further collection or use of their child’s information
  • Request that their child’s personal information not be made available to third parties

To exercise these rights, parents should contact their child’s School, which will work with Ceresant to fulfill these requests. Parents may also contact Ceresant directly at privacy@ceresant.com.

School’s Role Under COPPA

We rely on Schools to act as intermediaries between Ceresant and parents for notice and consent. Under COPPA, Schools may act as the parent’s agent and can provide consent for the collection of personal information from children. However, the School’s ability to consent on the parent’s behalf is limited to the educational context, where the collection of personal information is for the use and benefit of the School and not for commercial purposes.

EDUCATIONAL RECORDS (FERPA COMPLIANCE)

FERPA Compliance Statement

Ceresant acknowledges that Student Data may include education records protected under FERPA. We are committed to complying with the Family Educational Rights and Privacy Act (FERPA) and respect the privacy of educational records.

School Official Designation

Schools designate Ceresant as a “school official” with a “legitimate educational interest” in accessing education records as those terms are defined under FERPA. This designation allows Schools to share student information with Ceresant without additional parental consent.

Use Limitations

Ceresant shall use Student Data only for the purpose of fulfilling its duties under our agreement with the School and for the School’s and its students' benefit. We will not use Student Data for any purpose other than providing the contracted Services.

Disclosure Restrictions

Ceresant shall not share Student Data with or disclose it to any third party without the prior written consent of the School except as required by law or authorized under FERPA. We implement technical and organizational measures to prevent unauthorized disclosure of educational records.

Parent and Eligible Student Rights

Under FERPA, parents and eligible students (students who are 18 years of age or older) have the right to:

  • Inspect and review the student’s education records maintained by the School
  • Request that a School correct records which they believe to be inaccurate or misleading
  • Control the disclosure of personally identifiable information from the student’s education records

To exercise these rights, parents or eligible students should contact their School directly. Ceresant will cooperate with Schools to facilitate access to Student Data upon request.

DATA PROCESSING AGREEMENTS

Requirement for Data Processing Agreements

Ceresant recognizes that Schools act as data controllers for Student Data, while Ceresant serves as a data processor. To formalize this relationship and ensure compliance with applicable privacy laws, Ceresant requires a signed Data Processing Agreement (DPA) with each School before processing any Student Data.

Standard DPA Terms

Our standard DPA includes, but is not limited to, the following key provisions:

  • Clear delineation of roles and responsibilities between Ceresant (processor) and the School (controller)
  • Detailed description of the types of data processed, purposes of processing, and processing duration
  • Specific security measures implemented by Ceresant to protect Student Data
  • Procedures for handling data subject rights requests and data breach notifications
  • Limitations on subprocessing and requirements for subprocessor agreements
  • Data transfer mechanisms for any cross-border data transfers
  • Audit rights and compliance verification procedures
  • Data retention and deletion requirements
  • Indemnification and liability provisions related to data processing activities

Accessing the DPA Template

Schools can request Ceresant's standard DPA template through any of the following methods:

  • Emailing a request to privacy@ceresant.com
  • Contacting their Ceresant account representative
  • Accessing the template directly through the administrator dashboard in the BrainDash platform

Ceresant will provide the DPA template within three (3) business days of receiving a request. Schools may propose reasonable modifications to the standard DPA to address specific legal requirements or institutional policies. Ceresant will review such requests and work collaboratively with Schools to finalize a mutually acceptable agreement.

DPA Execution Process

The DPA must be executed before any Student Data is processed in the BrainDash platform. The execution process includes:

  • Review of the DPA by appropriate School personnel
  • Negotiation of any necessary modifications
  • Signature by authorized representatives from both School and Ceresant
  • Implementation of any School-specific requirements outlined in the DPA

Ceresant maintains a record of all executed DPAs and reviews them annually to ensure continued compliance with evolving privacy regulations.

INTERNATIONAL DATA TRANSFERS

Ceresant primarily stores and processes all data within the United States. We do not currently transfer Student Data or Mental Health Data to locations outside the United States.

If circumstances require any international transfer of data in the future, we will:

  • Implement appropriate safeguards in compliance with applicable data protection laws.
  • Obtain necessary consents or approvals before transferring data internationally.
  • Ensure any international recipients maintain security standards at least as protective as our own.

Schools will be notified in advance of any change to this international transfer policy.

MENTAL HEALTH DATA PROTECTIONS

Special Category Data Status

We recognize that Mental Health Data constitutes sensitive personal information that requires enhanced protections. We treat all Mental Health Data with the highest level of confidentiality and implement additional safeguards beyond those applied to other types of personal information.

Legal Basis for Processing

We process Mental Health Data only on the following legal bases:

  • With explicit consent from parents/guardians (for students under 18) or from the student (if 18 or older)
  • As necessary for the provision of preventive or counseling services in the educational setting
  • Where processing is necessary to protect the vital interests of the student or of another person
  • Where required by law

Enhanced Security Measures

Mental Health Data is protected by enhanced security measures, including:

  • End-to-end encryption for all Mental Health Data in transit and at rest
  • Strict access controls limiting access to only authorized personnel with a legitimate need
  • Regular security assessments specifically focused on Mental Health Data protection
  • Advanced monitoring for unauthorized access attempts
  • Specialized training for all personnel with access to Mental Health Data

Use Limitations

Mental Health Data will only be used for:

  • Providing risk screening and early intervention support services
  • Generating insights to help Schools identify potential mental health concerns
  • Creating aggregated, de-identified reports to improve the effectiveness of the Services
  • Research purposes only when explicitly authorized and in anonymized form

Mental Health Data will never be used for:

  • Marketing or advertising purposes
  • Building user profiles unrelated to mental health support
  • Selling or renting to third parties
  • Making automated decisions that produce legal effects or similarly significant effects

Disclosure Limitations

Mental Health Data will only be disclosed to:

  • Authorized School Personnel with a legitimate educational interest
  • Parents/guardians of the student (in accordance with School policies)
  • Third-party service providers who need access to provide the Services and who are bound by confidentiality obligations
  • As required by law, such as in response to a subpoena or court order

Emergency Response Protocols

Ceresant’s BrainDash platform may identify students at risk of serious mental health concerns requiring immediate intervention. In such cases, the platform will generate high-priority alerts to designated School Personnel. Schools have the primary responsibility to respond to these alerts and to take all necessary actions in accordance with their emergency response protocols.

Schools are required to maintain documented emergency response procedures that include:

  • Clear escalation pathways for different risk levels
  • Designated personnel responsible for responding to high-risk alerts
  • Protocols for parental/guardian notification
  • Procedures for connecting students with appropriate mental health resources

Ceresant provides training materials on recognizing and responding to emergency situations. Schools acknowledge that delays in responding to high-risk alerts may increase the risk of harm to students.

In cases of imminent danger or threat of harm to self or others, Schools are primarily responsible for contacting emergency services or appropriate authorities in accordance with their policies and applicable law. Ceresant will only directly contact emergency services or appropriate authorities if (a) a high-priority alert is generated by the BrainDash platform indicating an imminent risk of serious harm to a student or others, and (b) Ceresant has actual knowledge that designated School Personnel have not responded to the alert within a reasonable and documented timeframe (such as 30 minutes), or if Ceresant receives information indicating that School Personnel are unable or unwilling to act. In such circumstances, and where permitted by law, Ceresant may take direct action to contact emergency services. This direct intervention by Ceresant is intended as a safeguard of last resort and does not diminish Schools' independent obligations under applicable laws to report suspected abuse, neglect, or imminent threats.

Ceresant maintains records of all high-risk alerts, School response times, and any direct interventions by Ceresant for quality assurance and continuous improvement purposes.

HIPAA Considerations

While Ceresant is not typically a covered entity under HIPAA, we implement a range of HIPAA-aligned practices as a matter of best practice when handling Mental Health Data. These practices include technical safeguards such as end-to-end encryption, access controls, and audit logging; administrative safeguards such as workforce training on privacy and security, regular risk assessments, and documented policies and procedures for data handling; and physical safeguards such as secure server facilities and restricted physical access to data centers.

For example, all Mental Health Data is encrypted both in transit and at rest using industry-standard protocols, and access to such data is limited to authorized personnel who have completed HIPAA-aligned privacy training. In situations where HIPAA may apply—such as when Ceresant provides services to school-based health centers or other entities that are covered entities or business associates under HIPAA—we will enter into appropriate Business Associate Agreements (BAAs) and comply with all applicable HIPAA requirements, including breach notification, minimum necessary use, and cooperation with covered entities’ compliance programs. In these cases, Ceresant will follow the terms of the BAA and implement any additional safeguards required by the covered entity. These measures ensure that, even when not legally required, Ceresant’s handling of sensitive health information meets or exceeds HIPAA standards.

DATA COLLECTION AND PROCESSING

Methods of Collection

We collect information through the following methods:

  • Direct Input: Information provided by Schools, School Personnel, parents/guardians, or students when using our Services
  • Automated Collection: Technical and usage information collected automatically when users interact with our Services
  • Third-Party Sources: Information provided by authorized third-party applications integrated with our Services at the School’s request

Purposes of Processing

The Data concerning the User is collected to allow Ceresant to provide its Services, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as for the following specific purposes:

  • Mental Health Risk Screening: To identify potential mental health concerns in students through evidence-based screening tools
  • Early Intervention Support: To provide Schools with insights and recommendations for early intervention
  • Progress Monitoring: To track the effectiveness of interventions and student progress over time
  • Research and Improvement: To improve the effectiveness and accuracy of our screening and intervention methodologies (using only anonymized, aggregated data)
  • Technical Support and Maintenance: To ensure the proper functioning and security of our Services
  • Compliance: To fulfill our legal obligations and support Schools in their compliance requirements

Lawful Bases for Processing

We process personal information on the following lawful bases:

  • Contractual Necessity: Processing necessary for the performance of our contract with Schools
  • Legitimate Interests: Processing necessary for our legitimate interests or those of Schools, provided these interests are not overridden by the rights and freedoms of individuals
  • Legal Obligation: Processing necessary to comply with our legal obligations
  • Consent: Processing based on specific, informed, and unambiguous consent
  • Vital Interests: In rare cases, processing necessary to protect someone’s life or safety

Automated Decision-Making

Our Services include automated risk assessment tools that analyze student responses to identify potential mental health concerns. However, we do not make fully automated decisions with legal or similarly significant effects. All automated assessments are designed to support, not replace, the professional judgment of qualified School Personnel. Human review by qualified professionals is required before any interventions are implemented based on our automated assessments.

Machine Learning and Artificial Intelligence

Ceresant may use anonymized, aggregated data to develop and improve machine learning models and artificial intelligence components of the Services. Our approach to machine learning and AI governance includes:

Data Usage for Model Training:

  • Only anonymized, aggregated data that cannot be linked to individual students or Schools is used for model training
  • Personal identifiers are removed before data is used for model development
  • Training data undergoes rigorous privacy review to ensure no re-identification is possible

Model Ownership and Rights:

  • Ceresant retains intellectual property rights in machine learning models and algorithms developed using platform data
  • These models will not contain or be able to reproduce identifiable Student Data
  • Schools grant Ceresant a limited license to use anonymized, aggregated data for model training and improvement

Transparency and Explainability:

  • Ceresant provides documentation explaining the general types of data used for model training
  • We disclose the purposes and intended functions of AI-driven features
  • We implement measures to detect and mitigate potential biases in our models

Human Oversight:

  • All automated assessments require human review by qualified professionals before interventions
  • School Personnel maintain decision-making authority for all student interventions
  • Regular audits are conducted to ensure AI systems function as intended

Ceresant continuously evaluates its AI systems for accuracy, fairness, and effectiveness, with particular attention to potential impacts on different demographic groups.

DATA SECURITY MEASURES

Information Security Program

Ceresant implements and maintains a comprehensive information security program that includes administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of personal information.

Technical and Organizational Measures

Our security measures include, at a minimum:

  • Encryption: Encryption of Student Data and Mental Health Data in transit and at rest using Advanced Encryption Standard (AES) with a key length of 256 bits (AES-256), or an equivalent or stronger standard 
  • Access Controls: Multi-factor authentication, role-based access controls, and regular access log reviews 
  • Security Assessments: Regular security assessments and penetration testing conducted at least quarterly by qualified independent third parties 
  • Personnel Security: Employee background checks and regular security training 
  • Physical Security: Physical and environmental safeguards for all servers and facilities 
  • Vulnerability Management: Regular scanning, patching, and remediation of security vulnerabilities
  • Incident Response: A documented incident response plan with regular testing and updates
  • Business Continuity: Backup and disaster recovery procedures to ensure the availability of data

Monitoring and Testing

We conduct regular monitoring and testing of our security measures, including:

  • Continuous monitoring of our systems for unauthorized access or unusual activity
  • Regular vulnerability scanning and penetration testing
  • Annual third-party security assessments
  • Regular testing of our incident response procedures

Personnel Security

All Ceresant personnel who may access personal information undergo:

  • Background checks prior to employment
  • Regular security and privacy training
  • Specific training on handling sensitive information, including Mental Health Data
  • Ongoing awareness programs about security threats and best practices

EMPLOYEE TRAINING PROGRAM

All Ceresant personnel who may access Student Data or Mental Health Data receive comprehensive privacy and security training:

  • Initial Training: Required before any access to sensitive data is granted
  • Regular Refreshers: Mandatory privacy and security training conducted quarterly
  • Role-Specific Training: Specialized training for employees handling Mental Health Data
  • Verification: All training includes competency assessments that employees must pass
  • Documentation: Training completion records are maintained for all employees

Training materials are regularly updated to reflect changes in regulations, emerging threats, and best practices. Ceresant's training program is reviewed annually by privacy and security experts to ensure effectiveness.

Vendor Security

We require all third-party service providers who may access personal information to:

  • Maintain security measures at least as protective as our own
  • Undergo regular security assessments
  • Promptly report any security incidents that may affect our data
  • Comply with all applicable privacy and security laws

Data Protection Impact Assessments

Given the sensitive nature of the data processed through our Services, Ceresant conducts Data Protection Impact Assessments (DPIAs) for high-risk processing activities. These assessments:

  • Systematically analyze how personal data is collected, used, and stored
  • Identify and minimize data protection risks
  • Demonstrate compliance with applicable privacy regulations
  • Implement privacy by design principles

Ceresant conducts DPIAs:

  • Before implementing new features that process sensitive data
  • When deploying new technologies that could impact data privacy
  • When processing Mental Health Data in new ways
  • At regular intervals for existing high-risk processing activities

Schools may request a summary of relevant DPIA findings by contacting privacy@ceresant.com. Ceresant maintains records of all DPIAs for at least three years and updates them when processing activities change significantly.

Regulatory Compliance Documentation

Ceresant maintains appropriate documentation to demonstrate compliance with applicable privacy regulations. This documentation includes:

  • Records of Processing Activities: Documentation of personal data processing, including categories of data processed, purposes, retention periods, and recipients.
  • Impact Assessment Records: Documentation of Data Protection Impact Assessments for high-risk processing activities, including identified risks and mitigation measures.
  • Compliance Verification: Regular internal compliance reviews and periodic third-party assessments to verify adherence to privacy regulations and internal policies.
  • Regulatory Response Preparation: Documentation maintained in a format that can be readily shared with regulators when required by law.

Schools may request access to relevant compliance documentation by contacting privacy@ceresant.com. Ceresant will provide appropriate documentation within fifteen (15) business days of receiving a verified request, subject to confidentiality requirements and legal restrictions.

All compliance documentation is reviewed and updated at least annually or whenever significant changes occur to our data processing activities, systems, or applicable regulations.

Anonymization and De-identification Standards

Ceresant applies rigorous standards when anonymizing or de-identifying data:

Anonymization Process:

  • Removal of all direct identifiers (names, IDs, contact information)
  • Removal or generalization of indirect identifiers (demographic information, dates)
  • Statistical techniques such as k-anonymity to prevent re-identification
  • Regular risk assessments to verify anonymization effectiveness

De-identification Controls:

  • Technical safeguards to prevent unauthorized re-identification
  • Contractual prohibitions against re-identification attempts
  • Access restrictions for de-identified datasets
  • Regular auditing of de-identification processes

Aggregation Methods:

  • Minimum threshold of individuals in any aggregated group (n≥10)
  • Suppression of outlier values that could enable identification
  • Rounding or banding of continuous variables
  • Removal of unique or rare characteristics

Ceresant maintains detailed documentation of all anonymization and de-identification procedures and updates these methods as new privacy-enhancing technologies become available.

DATA SHARING AND THIRD-PARTY ACCESS

Categories of Recipients

Ceresant may share personal information with the following categories of recipients:

  • School Personnel: Authorized School Personnel with legitimate educational interests
  • Service Providers: Third-party service providers who need access to provide the Services
  • Legal Requirements: Government authorities or other third parties when required by law
  • Business Transfers: Parties involved in a potential or actual business transaction, such as a merger, acquisition, or sale of assets

Third-Party Service Providers

In addition to Ceresant, in some cases the Data may be accessible to certain types of persons in charge who are involved with the operation of our Services (administration, sales, marketing, legal, system administration) or to external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by Ceresant.

Our key service providers include:

  • Cloudflare, Inc.: For traffic optimization, distribution, and security 
  • Google LLC: For security and analytics 
  • HubSpot, Inc.: For analytics, customer relationship management, and communications 
  • TYPEFORM S.L: For data collection and surveys

Contractual Safeguards

All third-party service providers are bound by contractual obligations that require them to:

  • Process personal information only as instructed by Ceresant
  • Implement appropriate security measures
  • Assist Ceresant in fulfilling its obligations to data subjects
  • Delete or return all personal information at the end of their service
  • Submit to audits and inspections to verify compliance

Vendor Management

Ceresant implements a comprehensive vendor management program for all third parties that may access or process Student Data or Mental Health Data:

  • Vendor Assessment: All potential vendors undergo a rigorous security and privacy assessment before engagement, including review of their security practices, compliance certifications, and data handling procedures.
  • Contractual Requirements: Vendors must contractually commit to data protection standards at least as stringent as those in this Privacy Policy.
  • Ongoing Monitoring: We conduct regular compliance verification through security questionnaires, documentation reviews, and where appropriate, third-party audits.
  • Breach Notification: Vendors must notify Ceresant of any security incidents within 24 hours of discovery.

Ceresant maintains a current list of approved vendors and their security assessments, which Schools may request by contacting privacy@ceresant.com.

No Sale of Personal Information

Ceresant does not sell, rent, or lease personal information to any third party. We do not use Student Data or Mental Health Data for targeted advertising or marketing purposes.

Third-Party Integrations

The Services may integrate with third-party services or applications at the School’s request. For such integrations:

  • School must authorize any integration with third-party services in writing
  • School is responsible for ensuring it has appropriate agreements with third-party providers
  • Ceresant will implement technical safeguards for data transferred to authorized third parties
  • Ceresant is not responsible for the privacy practices or security measures of third-party services
  • Any Student Data shared with authorized third parties remains subject to the data protection provisions in this Privacy Policy

DATA RETENTION AND DELETION

Retention Periods

Ceresant shall retain personal information only for as long as necessary to provide the Services and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

  • Student Data: Retained for the duration of the School’s contract with Ceresant, plus 60 days to allow for data export, unless otherwise specified by the School or required by law
  • Mental Health Data: Retained for the current academic year plus one additional year to allow for year-over-year analysis, unless otherwise specified by the School or required by law
  • School Personnel Data: Retained for the duration of the individual’s account plus 30 days
  • Technical and Usage Data: Retained for up to 24 months for security, troubleshooting, and service improvement purposes

Data Deletion

Upon termination of our agreement with a School or upon the School’s request, Ceresant shall:

  • Provide School with a complete export of all Student Data in a structured, commonly used, and machine-readable format 
  • Delete all Student Data within sixty (60) days after termination, except as required by law or as otherwise agreed in writing 
  • Provide written certification of such deletion upon School’s request

Deletion Requests

Schools, parents/guardians, and eligible students may request deletion of personal information by contacting Ceresant at privacy@ceresant.com. Upon receipt of a verified deletion request, Ceresant will delete the requested information within 30 days, unless retention is required by law or necessary to provide the Services.

Data Minimization

Ceresant is committed to collecting and retaining only the minimum amount of personal information necessary to provide our Services. Our data minimization approach includes:

  • Collection Limitation: We collect only data elements directly relevant to providing mental health screening and early intervention services, and regularly audit our collection processes to eliminate unnecessary data points
  • Data Purging: We implement automated processes to purge inactive accounts, temporary data, and unnecessary historical information according to established schedules
  • De-identification: When appropriate, we remove direct identifiers, use tokenization, and apply statistical techniques to protect individual privacy while maintaining data utility
  • Retention Exceptions: We maintain documented justifications for any exceptions to our standard retention periods, such as legal requirements or security incident investigations

Schools may request information about our data minimization practices by contacting privacy@ceresant.com.

BREACH NOTIFICATION PROCEDURES

Incident Response

Ceresant maintains a detailed incident response plan that includes:

  • Incident Classification: A tiered system for categorizing incidents based on severity, scope, and type of data affected.
  • Response Team: Clearly defined roles and responsibilities for the incident response team, including technical, legal, and communications personnel.
  • Containment Procedures: Specific steps to contain different types of incidents and prevent further data exposure.
  • Investigation Protocols: Procedures for forensic investigation to determine cause, scope, and impact.
  • Communication Templates: Pre-approved notification templates for different stakeholder groups.
  • Testing and Updates: Quarterly tabletop exercises and annual full-scale simulations to test the effectiveness of the plan.

The incident response plan is reviewed and updated at least annually or after any significant security incident.

Breach Notification Requirements

In the event of a security incident or breach affecting personal information, Ceresant will notify affected Schools without unreasonable delay and, in any event, no later than seventy-two (72) hours after discovery of the incident.

Notification will include:

  • Description of the incident and affected data
  • Date of the breach and date of discovery
  • Categories of personal information compromised
  • Steps taken to investigate and mitigate the breach
  • Measures to protect against future breaches
  • Contact information for Ceresant’s incident response team

For breaches affecting residents of specific states, Ceresant will assist Schools in complying with state-specific requirements, including:

  • California: Notification without unreasonable delay, typically within 45 days
  • Virginia: Notification without unreasonable delay, but no later than 30 days
  • Colorado: Notification within 30 days
  • Other states: In accordance with applicable state breach notification laws

For breaches affecting Mental Health Data, additional measures include:

  • Expedited notification within 24 hours regardless of state requirements
  • Specialized support resources for affected individuals
  • Enhanced monitoring for potentially affected accounts

Ceresant will coordinate with Schools to determine appropriate timing and content of notifications to affected individuals based on applicable legal requirements and the nature of the breach.

Breach Remediation

Following a data breach, Ceresant will:

  • Take immediate steps to contain and mitigate the breach
  • Conduct a thorough investigation to determine the cause
  • Implement measures to prevent similar breaches in the future
  • Provide affected Schools with regular updates on remediation efforts
  • Offer assistance to affected individuals as appropriate, which may include credit monitoring or identity theft protection services

Documentation

Ceresant will maintain detailed records of all data breaches, including:

  • The facts surrounding the breach
  • The effects of the breach
  • Remedial action taken
  • Communications with affected parties
  • Measures implemented to prevent recurrence

USER RIGHTS AND CONTROL

Rights of Data Subjects

Users may exercise certain rights regarding their Data processed by Ceresant. In particular, Users have the right to do the following, to the extent permitted by law:

  • Withdraw consent: Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data 
  • Object to processing: Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent 
  • Access data: Users have the right to learn if Data is being processed by Ceresant, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing 
  • Verify and seek rectification: Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected 
  • Restrict processing: Users have the right to restrict the processing of their Data 
  • Erasure: Users have the right to obtain the erasure of their Data from Ceresant 
  • Data portability: Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without hindrance 
  • Lodge a complaint: Users have the right to bring a claim before their competent data protection authority

How to Exercise These Rights

For Student Data, parents/guardians or eligible students should first contact their School to exercise these rights. Schools are the primary controllers of Student Data and are best positioned to respond to such requests.

For direct requests to Ceresant regarding Student Data, Ceresant will promptly forward such requests to the appropriate School for review and authorization. Ceresant will not process any Student Data rights requests without the School’s prior approval. The response timeframes set forth in this Privacy Policy will commence only after the School has approved the request and Ceresant has received it from the School. All such requests are free of charge and will be answered by Ceresant as early as possible and always within one month of receipt from the School, providing Users with the information required by law.

Response Timeframes

Ceresant will respond to requests to exercise user rights according to the following timeframes:

  • Initial acknowledgment of request: Within 3 business days
  • Verification of identity: Within 5 business days of receipt
  • Substantive response to request: Within 30 calendar days of verification
  • Extension notice (if needed): Before the initial 30-day period expires

If Ceresant requires additional time to respond to a request due to complexity or volume, we may extend the response period by up to an additional 30 days. In such cases, we will notify the requestor of the extension and the reasons for it.

For requests submitted through Schools regarding Student Data, the above timeframes begin only after the School has reviewed, approved, and forwarded the request to Ceresant. Ceresant will coordinate closely with Schools to facilitate timely processing and ensure compliance with applicable requirements. Schools are encouraged to forward such requests to Ceresant promptly to avoid unnecessary delays.

For expedited requests involving Mental Health Data or other sensitive information, Ceresant will make reasonable efforts to respond more quickly than the standard timeframes, in coordination with the relevant School when applicable.

Verification Process

To protect the security and privacy of personal information, Ceresant employs a robust identity verification process before fulfilling any user rights requests. The level of verification required depends on the sensitivity of the data and the nature of the request. For standard requests, Ceresant uses basic verification methods, while for sensitive requests—such as those involving Mental Health Data or other special category information—Ceresant implements enhanced verification procedures. These may include technical safeguards such as multi-factor authentication, secure identity document upload portals, and encrypted communications, as well as procedural safeguards like dual-approval workflows and audit logging of all verification steps. Verification methods may include, but are not limited to, the following:

  • Confirmation of account details (e.g., matching email address, username, or other account credentials on file) for standard requests involving non-sensitive data
  • Verification through the School for Student Data (e.g., confirmation by a designated School administrator or use of official School communication channels).
  • Multi-factor authentication for online requests, including a combination of password, one-time passcode sent to a verified email or phone number, and, for sensitive requests, additional verification such as secure video call or identity document upload via an encrypted portal.
  • Written verification for requests made by mail, which may require notarized documents or certified copies of government-issued identification, especially for requests involving access to or deletion of Mental Health Data or other sensitive information.

STATE-SPECIFIC PRIVACY RIGHTS

California Privacy Rights (CCPA/CPRA)

California Consumer Privacy Act Notice

This California Privacy Rights section provides additional information to California residents whose personal information is processed by Ceresant pursuant to the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"). If you are not a California resident, this section does not apply to you.

Categories of Personal Information Collected in the Last 12 Months

Ceresant has collected the following categories of personal information from consumers within the last 12 months:

  • Identifiers: Name, email address, school ID number, grade level, classroom assignment, phone number, IP address, device information
  • Protected classification characteristics: Age, gender
  • Education records: Academic performance data, attendance records, behavioral records
  • Sensitive personal information: Mental Health Data, including responses to mental health screening questions, risk assessment results, intervention recommendations, progress tracking data
  • Commercial information: Account information, usage data, subscription details
  • Internet or other electronic network activity: Browser information, operating system, session statistics, page views, interaction events
  • Professional or employment-related information: For School Personnel - job title, department, role permissions
  • Inferences: Derived from Mental Health Data to identify potential mental health concerns and provide appropriate interventions

Sources of Personal Information

We collect personal information directly from you, from Schools, from your use of our Services, and from third-party sources authorized by Schools.

Business or Commercial Purposes for Collecting Personal Information

We collect and use the categories of personal information listed above for the following business purposes:

  • Providing our BrainDash platform and related Services to Schools and their students
  • Mental Health Risk Screening to identify potential mental health concerns through evidence-based screening tools
  • Early Intervention Support to provide Schools with insights and recommendations
  • Progress Monitoring to track the effectiveness of interventions and student progress
  • Research and Improvement of our screening and intervention methodologies (using only anonymized, aggregated data)
  • Technical Support and Maintenance to ensure proper functioning and security of our Services
  • Compliance with legal obligations and supporting Schools in their compliance requirements
  • Detecting security incidents and protecting against malicious or fraudulent activity

Disclosure and Sharing of Personal Information

In the preceding 12 months, we have disclosed the following categories of personal information to the following categories of recipients for business purposes:

  • Identifiers, Protected classification characteristics, Education records, and Sensitive personal information: Disclosed to authorized School Personnel with legitimate educational interests, third-party service providers who need access to provide the Services, and as required by law
  • Internet or other electronic network activity: Disclosed to third-party service providers for security, analytics, and technical support purposes
  • Commercial information: Disclosed to third-party service providers for billing and subscription management

Sale or Sharing of Personal Information

Ceresant does not and will not sell personal information of any consumers, including minors under 16 years of age. We also do not share personal information with third parties for cross-context behavioral advertising purposes.

Retention of Personal Information

We retain personal information only for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. For specific retention periods for different categories of data, please refer to the "Data Retention and Deletion" section of this Privacy Policy.

Your Rights Under the CCPA/CPRA

As a California resident, you have the following rights under the CCPA/CPRA:

  1. Right to Know: You have the right to request that we disclose to you:
      • The categories of personal information we have collected about you
      • The categories of sources from which we collected the personal information
      • The business or commercial purpose for collecting or sharing the personal information
      • The categories of third parties to whom we disclose personal information
      • The specific pieces of personal information we have collected about you
  2. Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
  3. Right to Correct: You have the right to request correction of inaccurate personal information that we maintain about you.
  4. Right to Limit Use and Disclosure of Sensitive Personal Information: You have the right to limit our use and disclosure of your sensitive personal information, including Mental Health Data, to only what is necessary to provide our Services.
  5. Right to Opt-Out of Sale or Sharing: You have the right to opt-out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. However, as stated above, Ceresant does not sell personal information or share it for cross-context behavioral advertising.
  6. Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights. We will not:
      • Deny you goods or services
      • Charge you different prices or rates for goods or services
      • Provide you with a different level or quality of goods or services
      • Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services

Exercising Your California Privacy Rights

For Student Data, parents/guardians or eligible students should first contact their School to exercise these rights. Schools are the primary controllers of Student Data and are best positioned to respond to such requests.

For direct requests to Ceresant, you may exercise your rights by emailing us at privacy@ceresant.com.

Only you, or someone legally authorized to act on your behalf, may make a request related to your personal information. You may also make a request on behalf of your minor child.

Verification Process

To protect your privacy and security, we will take reasonable steps to verify your identity before granting access to your personal information or complying with your request. We may require you to provide information that matches information we have on file about you. For requests related to particularly sensitive information, such as Mental Health Data, we may require additional verification steps.

For authorized agents submitting requests on behalf of California residents, we may require:

  • Proof of the agent's registration with the California Secretary of State
  • Signed permission from the California resident authorizing the agent to make the request

Response Timeframes

We will acknowledge receipt of your request within 10 business days and provide information about how we will process the request.

We will respond to verifiable consumer requests within 45 calendar days of receipt. If we require more time (up to an additional 45 days), we will inform you of the reason and extension period in writing.

If we cannot comply with a request, we will explain the reasons in our response. For data access and portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Notice of Financial Incentive

Ceresant does not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.

Contact Information for CCPA/CPRA Requests

For questions or concerns about our privacy policies and practices, please contact us at:

Email: privacy@ceresant.com

Postal Address: Ceresant Solutions, Inc., 14321 Winter Breeze Drive, Suite 188, Midlothian, VA 23113

For individuals with disabilities who need this notice in an alternative format, please contact us at privacy@ceresant.com.

Virginia Privacy Rights (CDPA)

Virginia residents have rights under the Consumer Data Protection Act (CDPA), including:

  • The right to confirm whether a controller is processing their personal data
  • The right to access their personal data
  • The right to correct inaccuracies in their personal data
  • The right to delete personal data
  • The right to obtain a copy of their personal data in a portable format
  • The right to opt out of targeted advertising, sale of personal data, and profiling

Virginia residents can exercise these rights by contacting Ceresant at privacy@ceresant.com or through their School for Student Data.

Colorado Privacy Rights (CPA)

Colorado residents have rights under the Colorado Privacy Act (CPA), including:

  • The right to opt out of targeted advertising, sale of personal data, and profiling
  • The right to access their personal data
  • The right to correct inaccuracies in their personal data
  • The right to delete personal data
  • The right to data portability

Colorado residents can exercise these rights by contacting Ceresant at privacy@ceresant.com or through their School for Student Data.

Other State Privacy Laws

Ceresant complies with all applicable state privacy laws. Residents of states with specific privacy legislation may have additional rights not enumerated above. Please contact Ceresant at privacy@ceresant.com for information about rights under your state’s laws.

ARBITRATION AND DISPUTE RESOLUTION

Any dispute, claim, or controversy arising out of or relating to this Privacy Policy or the breach, enforcement, interpretation, or validity thereof, including the determination of the scope or applicability of this agreement to arbitrate, shall be subject to the arbitration provisions set forth in Ceresant's Terms of Service. By using our Services, you agree that all privacy-related disputes between you and Ceresant shall be resolved through binding arbitration on an individual basis as described in the Terms of Service.

Users are encouraged to review the complete arbitration provisions in the Terms of Service for detailed information regarding the arbitration process, class action waiver, venue requirements, and other important terms governing the resolution of disputes. Nothing in this section limits your rights to file a complaint with a regulatory authority having jurisdiction over privacy matters.

CHANGES TO PRIVACY POLICY

Policy Updates

Ceresant reserves the right to make changes to this Privacy Policy at any time by notifying its Users on this page and possibly within the Services and/or - as far as technically and legally feasible - sending a notice to Users via any contact information available to Ceresant.

Notification of Changes

We will notify Users of material changes to this Privacy Policy at least 30 days before such changes take effect, except for changes required by law which may take effect immediately. Notification methods may include:

  • Prominent notice on our website
  • Email notification to School administrators
  • In-app notifications

Consent to Changes

Should the changes affect processing activities performed on the basis of the User’s consent, Ceresant shall collect new consent from the User, where required.

Version History

We maintain a record of all previous versions of our Privacy Policy and the dates they were in effect. Users may request access to previous versions by contacting Ceresant at privacy@ceresant.com.

CONTACT INFORMATION

Ceresant Solutions, Inc., 14321 Winter Breeze Drive, Suite 188, Midlothian, VA 23113

All privacy-related inquiries, including questions about this Privacy Policy or requests to exercise your privacy rights, should be directed to this email address: privacy@ceresant.com.

General Inquiries

For general inquiries about our Services or this Privacy Policy, please contact:

Email: hello@ceresant.com

Regulatory Authorities

Users have the right to lodge a complaint with their competent data protection authority. In the United States, this may include the Federal Trade Commission or your state Attorney General’s office.