Privacy Policy

How TXCCMRI, LLC protects student data, complies with federal privacy law, and safeguards every district's information.

Effective: May 30, 2026  |  Last Updated: May 30, 2026

01 Overview & Scope

This Privacy Policy describes how TXCCMRI, LLC ("CCMRI," "we," "us," or "our") collects, uses, protects, and shares information through the CCMRI™ platform ("Platform") — a K-12 analytics service that helps Texas school districts track and improve College, Career, and Military Readiness (CCMR) outcomes.

This policy applies to:

  • The CCMRI web application at txccmri.com and all associated Firebase-hosted domains
  • All data processed on behalf of school districts via CSV upload, SIS integration, or manual entry
  • Communications sent by the Platform (email, SMS, in-app notifications)
  • The public marketing website at txccmri.com

Core Commitment: CCMRI does not sell, rent, license, or trade student personal information. Student data is used exclusively for the educational purposes authorized by the contracting school district.

02 Operator Identity

| Field | Detail |
| --- | --- |
| Legal Entity | TXCCMRI, LLC — a Texas limited liability company (S-Corp election) |
| Primary Contact | Phil Steinert, Founder |
| Privacy Email | privacy@txccmri.com |
| Security Email | security@txccmri.com |
| Website | txccmri.com |

03 Data We Collect

3.1 Student Education Records (School-Directed)

The primary mode of data entry is through school-directed CSV uploads or SIS integrations performed by authorized district administrators. This data is imported under the school's existing FERPA authority and includes:

  • Student identifiers (district-assigned student IDs, PEIMS IDs)
  • Grade level, campus, and enrollment status
  • Assessment scores (SAT, ACT, TSIA2, MAP, STAAR, ASVAB)
  • CTE program enrollment, IBC certifications, and pathway completion
  • Demographic indicators required for TEA accountability reporting
  • Special education and economically disadvantaged status flags

3.2 District Administrator & Staff Data

When educators create accounts or are provisioned by their district, we collect:

  • Name and email address
  • Role assignment (District Admin, Campus Admin, Teacher)
  • Campus or school affiliation

3.3 Marketing Website Visitors

When you visit txccmri.com (this marketing website), we collect:

  • Waitlist submissions: Name, email, district name (voluntarily provided)
  • No tracking cookies: We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers on this website
  • Essential cookies only: Session management cookies required for platform functionality

3.4 Data We Do NOT Collect

  • Social Security numbers
  • Financial information (credit cards, bank accounts) from students or parents
  • Biometric data
  • Precise geolocation data
  • Student photographs or videos
  • Social media profiles or browsing history

04 How We Use Data

All student data is used exclusively for the educational purposes authorized by the contracting school district:

| Purpose | Description |
| --- | --- |
| CCMR Analytics | Track student readiness across TEA's 11 CCMR indicators (SAT, ACT, TSI, CTE, IBC, AP, Dual Credit, Military Enlistment, Associate Degree, OnRamps, College Enrollment) |
| TEA Accountability | Project Domain 1 performance, Bonus Outcome metrics, and Closing the Gaps subpopulation analysis |
| Educator Insights | Generate AI-powered action plans and intervention recommendations for teachers and administrators |
| Progress Reporting | Send school-authorized progress emails to parents and age-appropriate nudges to high school students |
| Platform Improvement | Aggregate, de-identified analytics to improve the Platform's features and accuracy |

We never use student data for: Advertising, behavioral profiling, marketing to students or parents, sale to third parties, or any purpose not explicitly authorized by the school district's Data Processing Agreement (DPA).

05 Data Sharing & Third Parties

We share student data only with service providers necessary to operate the Platform, each bound by contractual data protection obligations:

| Service | Purpose | Data Shared |
| --- | --- | --- |
| Google Cloud Platform | Infrastructure (database, compute, hosting) | All platform data — encrypted at rest (AES-256) and in transit (TLS 1.3) |
| Google Vertex AI | AI-powered educator insights | Anonymized data only — student IDs are SHA-256 hashed before transmission |
| SendGrid | Transactional email delivery | Parent/student email addresses for school-authorized communications |
| Cloudflare | DNS, CDN, DDoS protection | No student data — network traffic routing only |

We do not share student data with: Advertisers, data brokers, social media companies, or any entity not listed above.

06 FERPA Compliance

🛡️ FERPA Designation: CCMRI operates as a "school official" under the FERPA school official exception (34 CFR § 99.31(a)(1)), performing services that the school would otherwise perform itself.

Our FERPA compliance program includes:

  • District-scoped access control: All database queries are constrained by cryptographically signed district identifiers — cross-district data leakage is blocked at the database engine level
  • Immutable audit logging: Every data access event is recorded in an append-only audit trail that cannot be modified or deleted
  • FERPA Bouncer: An autonomous security agent monitors for bulk data scraping. If any account attempts to access more than 50 student records in 60 seconds, the account is automatically disabled and an administrator alert is generated
  • AI anonymization: All student identifiers are replaced with SHA-256 hashes before any data is transmitted to AI processing services
  • Data Processing Agreements: Each school district signs a DPA specifying data handling obligations, retention periods, and deletion procedures

07 COPPA Compliance

⚠️ Children Under 13: CCMRI collects student data under the COPPA "school consent" exception (16 CFR § 312.5(c)(3)). Schools consent on behalf of parents for data collection used solely for educational purposes.

Additional protections for students under 13:

  • No self-registration: Students cannot create their own accounts. All accounts are provisioned by school administrators or via school-distributed magic links
  • Email age gate: Students in grades K-8 (potentially under 13) never receive direct email from CCMRI. All communications for younger students are routed exclusively to parent or guardian email addresses
  • AI chat age gate: A programmatic filter detects self-identified minors under 13 in chat interactions and blocks AI processing, returning a COPPA privacy disclosure instead
  • No social features: Students cannot communicate with each other or post public content
  • No advertising cookies: The platform does not serve ads and does not profile students for non-educational purposes
  • No persistent cross-site tracking: Only essential session cookies are used; no third-party trackers

For the complete COPPA compliance statement, see our COPPA Compliance Document.

08 Data Security

CCMRI implements enterprise-grade security controls to protect all data:

| Control | Implementation |
| --- | --- |
| Encryption at Rest | AES-256 (FIPS 140-2 validated) via Google Cloud Firestore |
| Encryption in Transit | TLS 1.3 with HSTS preload enforcement (max-age=31536000) |
| API Protection | Firebase App Check with reCAPTCHA Enterprise — all 55+ API endpoints verify cryptographic tokens |
| SSRF Defense | DNS-resolution outbound guard blocks RFC 1918, link-local, and cloud metadata endpoints |
| Access Control | 6-tier RBAC with cryptographically signed Custom Claims — zero-read database enforcement |
| Vulnerability Scanning | 7-layer stack: Semgrep SAST (blocking), Snyk SAST (advisory), GitHub CodeQL (advisory), Socket.dev, CI secret scanner (blocking), Coalition Control, Security Auto-Heal Bot |
| Email Security | SPF + DKIM + DMARC (quarantine policy) — prevents domain spoofing |
| MFA | Multi-Factor Authentication enforced on all administrative accounts since December 2021 |

For the complete security policy, see our Security Policy.

09 Data Retention & Deletion

  • Student records: Retained for the duration of the school district's active contract with CCMRI. Upon contract termination, all student data is purged within 30 days
  • Audit logs: Retained indefinitely in an immutable, append-only collection for compliance and security purposes
  • Demo/trial data: Automatically deleted after the demo session expires (default: 30 days) via an automated data retention enforcer
  • Backups: Automated daily backups with 98-day retention. Point-in-Time Recovery (PITR) enabled with a 7-day window
  • Marketing waitlist submissions: Retained until you request removal

Districts may request ad-hoc deletion of any student data at any time by contacting privacy@txccmri.com or using the Platform's built-in Data Governance tools.

10 Cookies & Tracking Technologies

| Cookie Type | Purpose | Duration |
| --- | --- | --- |
| Essential (Session) | Firebase Authentication session management | Session / auto-refresh |
| Security (App Check) | reCAPTCHA Enterprise bot protection tokens | Session |
| Performance (IndexedDB) | Local data cache for faster dashboard loading | Cleared on logout |

We do NOT use: Google Analytics, Facebook Pixel, advertising trackers, cross-site tracking cookies, browser fingerprinting, or any third-party analytics or marketing tracking technologies.

11 Your Rights

For Parents & Guardians

Under FERPA, parents of students whose data is processed by CCMRI have the right to:

  • Access: Review your child's education records by contacting the school district
  • Correction: Request amendment of inaccurate records through the school district
  • Deletion: Request deletion of your child's data by contacting the school district, which will coordinate with CCMRI
  • Opt-out: Refuse further data collection by opting out through the school district

All parental requests should be directed to the school district, which acts as the data controller. CCMRI will comply with all verified parental requests within 30 days.

For District Administrators

  • Data export: Request a complete export of your district's data at any time
  • Data deletion: Request deletion of all district data upon contract termination
  • Audit access: View the immutable audit trail for all data access within your district

For Website Visitors

  • Waitlist removal: Request removal from the waitlist by emailing privacy@txccmri.com
  • Information request: Request a copy of any personal information we hold about you

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the "Last Updated" date at the top of this page
  • For material changes affecting student data, we will notify affected school districts via email at least 30 days before the changes take effect
  • Continued use of the Platform after notification constitutes acceptance of the updated policy

13 Contact Us

For questions about this Privacy Policy, data practices, or to exercise your rights:

  • Privacy inquiries: privacy@txccmri.com
  • Security concerns: security@txccmri.com
  • General contact: phil@txccmri.com
  • Response SLA: 4 business hours for initial acknowledgment
