Privacy Policy
Effective Date: 1/18/2025
Steppable Inc. (“Steppable,” “we,” “us,” or “our”) is committed to protecting the privacy and security of personal information. This Privacy Policy describes how we collect, use, disclose, store, and protect the sensitive information we receive through our platform and related services (collectively, the “Services”). Our Services are primarily provided to K–12 school districts (“Districts”) to help manage student care, clinical sessions, and treatment plans, and to facilitate Medicaid billing. By accessing or using our Services, you (“you” or “user”) agree to the terms of this Privacy Policy.
1. SCOPE AND APPLICABILITY
1.1 Who This Policy Applies To
This Privacy Policy applies to information collected from:
• Districts and their authorized staff who use our Services;
• Students about whom the Services are used or applied;
• Parents/guardians or other authorized caregivers connected with a student; and
• Clinicians, counselors, and other service providers working with students through the Services.
1.2 Regulatory Compliance
Steppable complies with all applicable privacy and security laws, including the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), to the extent those laws apply to the services we provide. We also enter into Business Associate Agreements (“BAAs”) with Districts where required by HIPAA regulations.
2. INFORMATION WE COLLECT
We collect various types of information to provide and improve our Services. The information we collect includes:
2.1 District Information
• Contact details (e.g., name, email address, phone number) of District administrators or authorized representatives;
• Billing and payment details for subscription fees or service charges (if applicable).
2.2 Student Information
• Personal details: Name, date of birth, student ID, and other identifiers;
• Health and treatment data: Medical records, clinical session notes, treatment plans, mental health or developmental information, and other data that may constitute Protected Health Information (“PHI”);
• Educational information: Education records protected under FERPA, including academic progress, attendance, accommodations, or other relevant educational data.
2.3 Parent/Guardian Information
• Contact details: Name, email address, phone number, mailing address;
• Authorization documents: For example, consent forms or other written permissions needed for certain services or treatments.
2.4 Clinician/Service Provider Information
• Professional details: Name, qualifications, license or certification information, and contact information;
• Service documentation: Notes, session details, and other records related to student care.
2.5 Automatically Collected Information
When users interact with our Services, we may automatically collect:
• Log data: IP address, device information, browser type, pages visited, and timestamps;
• Cookies and similar technologies: For system administration, analytics, and security purposes.
3. HOW WE USE THE INFORMATION
We use the collected information for the following purposes:
3.1 Service Delivery
• To manage and maintain student records, treatment plans, and clinical sessions;
• To facilitate Medicaid billing and reimbursements on behalf of Districts;
• To enable authorized District staff and clinicians to access and update relevant student records.
3.2 Communication
• To respond to inquiries, provide support, and send updates regarding our Services;
• To notify Districts, parents/guardians, or clinicians about important Service-related information (e.g., security notices or policy changes).
3.3 Compliance and Legal Obligations
• To fulfill our obligations under FERPA and HIPAA when we handle education records or PHI;
• To comply with other applicable laws, regulations, court orders, or government requests.
3.4 Service Improvement and Analytics
• To analyze system performance, improve existing functionalities, and develop new features;
• To maintain the security and integrity of our Services (e.g., by detecting and preventing fraudulent activities).
4. LEGAL BASES FOR PROCESSING (WHERE APPLICABLE)
If required by applicable law, we rely on certain legal bases to process personal information, including:
• Consent: Where you have provided clear consent for processing;
• Contractual necessity: Where processing is necessary to perform the agreement with the District;
• Legal obligations: Where processing is required to comply with legal or regulatory obligations;
• Legitimate interests: Where processing is necessary for our legitimate business interests (e.g., improving our Services), unless overridden by individual rights and interests.
5. HOW WE SHARE AND DISCLOSE INFORMATION
5.1 With the District
We share student, parent/guardian, and staff information with authorized District personnel to deliver our Services in accordance with applicable legal and contractual obligations.
5.2 With Third-Party Service Providers
We may engage trusted third-party vendors to help us operate our Services (e.g., cloud hosting, analytics, or payment processing). These vendors have access to personal information solely for the purpose of performing tasks on our behalf and are obligated to maintain the privacy and security of such information.
5.3 As Required by Law
We may disclose personal information where required to comply with a subpoena, court order, legal process, or government request; or to establish or exercise our legal rights; or to defend against legal claims.
5.4 Business Transactions
In the event of a merger, acquisition, bankruptcy, or other business transaction, personal information may be transferred as part of the transaction. In such cases, we will provide notice to the District and/or affected users as required by law.
5.5 De-Identified or Aggregated Data
We may create de-identified or aggregated data for research, analytics, or statistical purposes. Such data cannot reasonably be used to identify any individual and is not considered personal information under this Privacy Policy.
6. DATA RETENTION
We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise directed by the District. Upon request and in line with applicable laws, we will securely delete or de-identify personal information within reasonable timeframes.
7. DATA SECURITY
Steppable takes reasonable administrative, technical, and physical measures to protect the information we collect, including:
• Encryption of data in transit (e.g., HTTPS) and at rest where appropriate;
• Access controls restricting access to personal information to authorized personnel only;
• Regular security assessments and vulnerability testing of our networks and systems;
• Incident response protocols to address and mitigate any unauthorized access or data breach.
Despite these measures, no data transmission or storage system can be guaranteed to be 100% secure. If we become aware of a data breach, we will notify the affected District and take appropriate remedial action in accordance with applicable laws and regulations.
8. CHILDREN’S PRIVACY
Our Services are designed to be used under the direction and control of Districts. We do not knowingly collect personal information directly from children under the age of 13 without the express permission of a parent/guardian or the District, as permitted by law. If you believe we have received information directly from a child without proper authorization, please contact us at the information provided in Section 12 below so we can delete such information.
9. YOUR RIGHTS AND CHOICES
Depending on your jurisdiction, you may have certain rights regarding your personal information, such as the right to:
• Access or request a copy of your personal information;
• Request correction of inaccurate personal information;
• Request deletion of personal information, subject to certain exceptions.
Parents/guardians and eligible students should direct requests regarding educational records to their District in accordance with FERPA. For HIPAA-related requests, individuals can contact both their District and Steppable if Steppable acts as a Business Associate processing PHI on the District’s behalf. We will work with the District to fulfill these requests as required by law.
10. INTERNATIONAL DATA TRANSFERS
Our Services are primarily intended for use within the United States. If we transfer personal information outside of the country or region where it was originally collected, we will take steps to ensure appropriate safeguards are in place to protect the data, in accordance with applicable laws.
11. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. If we make material changes, we will notify the District (and/or affected users, where appropriate) via email or through the Services before the changes take effect. The “Last Updated” date at the top of this Privacy Policy indicates when it was most recently revised.
12. CONTACT US
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
• Email: team@steppable.com
• Address: 169 Madison Ave, Suite 2504, New York, NY 10016
• Phone: (978) 254-1076
We value the trust you place in Steppable to protect sensitive information, and we are committed to maintaining robust privacy and security safeguards in accordance with applicable laws and industry best practices.