free diagnosticupgrade

School Data Privacy

Last updated: April 2026

Fiveable helps high school students prepare for AP exams. Schools and districts across the country use Fiveable as a resource for their students and teachers. This page explains how we handle student data, what we collect, how we protect it, and what commitments we make to schools.

We built this page to answer the questions that come up most often during school and district procurement. If something isn't covered here, reach out to help@fiveable.me and we'll get you an answer.

What We Collect

Fiveable collects a minimal set of data to provide our educational services:

  • Account information: Name and email address (required to create an account)
  • Student-generated content: FRQ responses, practice answers, and quiz responses that students submit for scoring and feedback
  • Usage data: Pages visited, features used, and session information to improve the product

We do not collect: Social Security numbers, health or medical data, discipline records, attendance records, demographic information beyond what a user voluntarily provides, parent or guardian contact information, physical addresses, phone numbers, or biometric data.

How We Use Student Data

  • Exclusively for education. Student data is used only to provide our educational services: delivering study materials, scoring FRQ responses, tracking learning progress, and improving the learning experience.
  • Student data belongs to the school or district. When students use Fiveable through a school or district, the student data we hold remains the property of that school or district. Fiveable acts as a custodian, not an owner. This applies to private student work such as FRQ responses, practice answers, and learning progress. It does not apply to content that students or contributors have voluntarily authored and published publicly to Fiveable (such as community-contributed study guides), which remains the property of Fiveable as published educational content.
  • We do not sell student data. Not to advertisers, not to data brokers, not to anyone.
  • We do not use student data for advertising. Students using Fiveable through a school or district will not see targeted advertising based on their data.
  • We do not share student data with marketing partners. Student information is not provided to third parties for their own marketing or commercial purposes.
  • De-identified data only for product improvement. We may use aggregated, de-identified data to understand usage patterns and improve our platform. We do not attempt to re-identify data that has been de-identified.
  • Email addresses and browser properties for specific support. If you reach out with specific concerns, we may use email addresses, IP addresses, or browser related data to assist in supporting your requests.

How We Protect Data

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS everywhere).
  • Encryption at rest: All stored data is encrypted using AES-256 encryption.
  • United States data storage: All student data is stored in data centers located in the United States (Google Cloud Platform, Iowa region).
  • Access controls: We use role-based access controls so that only employees who need access to student data to perform their job functions can access it.
  • Monitoring: We monitor our systems for unauthorized access and suspicious activity.
  • Secure authentication: We support Google single sign-on and password-based authentication with secure session management.
  • NIST Cybersecurity Framework alignment: Our security program is structured around the NIST Cybersecurity Framework version 2.0 (Govern, Identify, Protect, Detect, Respond, Recover). We maintain a written security policy and an asset inventory that document our practices, both available to schools and districts upon request.

AI and Student Data

Fiveable uses AI to power features like FRQ scoring and feedback. Here is how student data interacts with our AI providers:

  • Data sent to AI is minimal. When a student submits an FRQ for scoring, we send the essay text and the scoring rubric to the AI provider. We do not send student names, email addresses, or other identifying information in AI API calls.
  • AI providers do not train on student data. Our API agreements with Anthropic (Claude), OpenAI, Google (Gemini), and xAI (Grok) prohibit the use of API inputs and outputs for model training.
  • Short retention windows. Anthropic retains API data for 7 days for safety monitoring, then deletes it. Google Vertex AI defaults to zero data retention. OpenAI retains for up to 30 days for abuse monitoring. xAI retention follows their API terms.
  • Provider compliance. Our AI providers maintain industry-standard security certifications (SOC 2, ISO 27001) and support FERPA compliance through their commercial and education-specific agreements.

For more details on how we use AI across the platform, see our AI Transparency page.

Service Providers

The following service providers may process data on our behalf in the course of delivering Fiveable's educational services:

ProviderPurposeData AccessLocation
MongoDB Atlas (Google Cloud)Database hostingAccount data, student-generated contentUnited States (Iowa)
SupabaseCurriculum and content databaseFRQ templates, rubrics, course structure (no student PII)United States
VercelApplication hostingRequest and session dataUnited States
Anthropic (Claude API)AI-powered FRQ scoring, feedback, and content qualityStudent essay text sent for scoring (no names or IDs)United States
OpenAI APIAI-powered FRQ scoring for select subjectsStudent essay text sent for scoring (no names or IDs)United States
Google (Gemini / Vertex AI)AI scoring, image generation, and content creationStudent essay text for scoring; educational content queries (no names or IDs)United States
xAI (Grok)Math notation processingEducational content with mathematical notation (no names or IDs)United States
StripePayment processingPayment information only (we do not store card numbers)United States
RailwayHosts limited Stripe data for analyticsStripe customer and subscription data only (no student data)United States
ResendTransactional and marketing emailEmail addressesUnited States
PostHogProduct analytics and feature flagsEmail, IP address, browser properties, usage events, and feature interactionsUnited States
BetterStackLog aggregation and monitoringServer logs and error tracesUnited States
Google Cloud StorageFile and image storageGenerated educational contentUnited States

Data Retention and Deletion

  • Account data: Retained while the account is active, plus up to 2 years after last activity. Data will be exported to you or deleted at your request.
  • Student-generated content: Retained while the account is active, plus up to 2 years. Data will be exported to you or deleted at your request.
  • School or district requested data export or deletion: We export, delete, or anonymize personal information within 30 days of a verified request. Contact help@fiveable.me to request.
  • End of school or district relationship: When a school or district ends their relationship with Fiveable, we will, at the school's option, return the data to the school or securely delete it. We will provide written confirmation of deletion upon request.

Breach Notification

In the event of a data breach that affects student information, we will notify affected schools and districts within 72 hours of discovery. Notification will include the nature of the breach, the data affected, and the steps we are taking to address and remediate the situation. We will cooperate fully with any investigation.

Fiveable maintains a written incident response plan that defines how we detect, investigate, contain, and communicate about security incidents. The plan is reviewed annually and is available to schools and districts upon request.

Law Enforcement Requests

If Fiveable receives a request from law enforcement or another government entity for student data that affects a school or district, we will notify the affected school or district before disclosing the data, unless we are legally prohibited from doing so. We do not voluntarily provide student data to law enforcement.

Business Continuity

If Fiveable were to cease operations, we would notify schools and users with reasonable advance notice and provide a window for data export before securely deleting remaining student data.

If Fiveable is acquired by or merged with another company, the acquiring entity will be required to honor the privacy commitments described on this page. We will notify schools of any change in control. Schools that prefer not to continue under new ownership may request that their data be returned or deleted.

Auditability

Schools and districts may request the following materials from us to verify our practices. We will respond within one week of a verified request:

  • Our written security policy (NIST CSF aligned)
  • Our asset inventory (systems, services, and data classifications)
  • Our written incident response plan
  • Subprocessor terms and privacy policies
  • Backup procedures and retention policies
  • Hosting vendors and the regions where data is stored
  • Sample data records for students associated with your school or district
  • Employee data privacy training materials and acknowledgment records

Requests can be sent to help@fiveable.me.

Employee Practices

Fiveable employees with access to student data review our internal data privacy and confidentiality training at least once per year and acknowledge that they have done so. The training covers federal and state student data privacy laws (including FERPA, COPPA, and applicable state laws), the rules we follow when handling student information, and how to report potential security incidents. Acknowledgment records are maintained in our internal documentation and are available to schools and districts upon request.

Access to student data is limited to employees who need it to perform their job functions.

Accessibility

Fiveable makes reasonable, ongoing efforts to ensure our platform is accessible to students with disabilities. If you encounter an accessibility issue, please contact us at help@fiveable.me so we can address it.

Legal Compliance

FERPA

When a school or district directs students to use Fiveable, we act in a manner consistent with the Family Educational Rights and Privacy Act (FERPA). We use student data only for the educational purposes for which it was provided and we do not re-disclose personally identifiable information from education records without authorization. Parents or guardians who wish to access, review, or request correction of their student's data should contact their school or district directly. We will cooperate with the school or district to fulfill these requests.

COPPA

Fiveable is designed for high school students (ages 13 and older). We do not knowingly collect personal information from children under 13 without proper consent. Where a school directs students under 13 to use the platform, we rely on the school's authorization consistent with FTC guidance on school consent under COPPA. If we learn that we have collected personal information from a child under 13 without proper consent, we will promptly delete it.

State Laws

Fiveable is committed to compliance with applicable state student data privacy laws, including New York Education Law 2-d, the Georgia Student Data Privacy Act, Texas student data privacy requirements, California SOPIPA, Illinois SOPPA, and other state-specific requirements. If your state has specific requirements you would like us to address, contact us at help@fiveable.me.

Data Privacy Agreements

For schools and districts that require a formal Data Privacy Agreement, we are prepared to work with you. We are familiar with the Student Data Privacy Consortium (SDPC) National DPA format and state-specific addenda. Contact help@fiveable.me to discuss your district's requirements.

Contact Us

For questions about student data privacy, data deletion requests, or to discuss your district's data privacy requirements:

Email: help@fiveable.me

Fiveable Inc.
211 West Mineral Street
Milwaukee, WI 53204

For additional details, see our full Privacy Policy, Terms of Use, and AI Transparency page. In the event of any conflict, our full Privacy Policy and Terms of Use supersede the summary on this page.

2,589 studying →