CRM and practice management platforms
A practice-management platform holds more student data than any other tool you use: every student, every family note, every document, for years. That concentration is what makes the boring clauses (retention, business transfer, de-identification) matter most here.
Start with these explainers
-
What "de-identified" student data actually means
Platforms keep de-identified data forever. How de-identification works, why small groups re-identify easily, and the questions that reveal the difference.
-
"We never sell your data": it depends what "sell" means
Sharing data with partners for something of value can count as selling under state law, or not count under a policy's own definition. How to read the claim.
-
The bankruptcy clause: student data when a platform is acquired or folds
Most privacy policies let data transfer in a merger, acquisition, or bankruptcy. What the clause looks like and what happened when the FTC intervened.
-
Does FERPA protect your students' data? For IECs, mostly no
FERPA binds schools that take federal funds, not independent educational consultants. What actually protects the data families hand to your practice.
-
What SOC 2 does and does not tell you
SOC 2 is an audit of security controls the company chose, not a promise about what it may do with student data. What the badge covers and what it never can.
-
"Delete" versus "de-identify and retain"
Many platforms honor deletion requests by removing the name and keeping the rest. How to tell which kind of delete a policy actually promises.
Evaluating a specific platform in this category? Take the checklist to the demo, and run its policy through the prompt pack first.