Anchora™

Access Control Portal

Privacy Policy

Effective Date: April 6, 2026
Last Updated: April 6, 2026
Jurisdiction: Illinois, United States

1. Introduction and Purpose

This Privacy Policy describes how the Anchora™ Access Control Portal ("the Portal") collects, uses, stores, and protects information in connection with its operation as a human-governed access management system for AI-assisted professional guidance tools. The Portal is designed, built, and operated by Figure 8 Intelligence ("Figure 8") and deployed in partnership with Joliet Township High School District 204 ("JTHS District 204" or "the District"). The Portal serves exclusively as an access credential management layer — it does not process, store, or transmit student data of any kind.

Anchora™ was designed from inception to comply with the Family Educational Rights and Privacy Act (FERPA), the Illinois Student Online Personal Protection Act (SOPPA), the Children's Online Privacy Protection Act (COPPA), and the Illinois Personal Information Protection Act (PIPA). This policy is provided in the interest of transparency and to support district compliance obligations when evaluating technology systems that interact with staff workflows.

2. Scope of This Policy

This policy applies to all interactions with the Anchora™ Access Control Portal, including:

  • The web-based portal interface at the Portal's published domain
  • The credential validation API endpoint (POST /api/credentials/validate)
  • The access request intake process
  • Administrative functions performed by authorized administrators

This policy does not govern the Anchora™ GPT (the AI guidance tool hosted on OpenAI's ChatGPT platform). Interactions with the GPT are subject to OpenAI's privacy policy and usage policies. The Portal's sole relationship with the GPT is through the credential validation API, which is described in Section 5 of this policy.

3. Data We Collect

The Portal adheres to a strict data minimization principle. We collect only the information necessary to manage access credentials and maintain an auditable governance record.

Data categories, the specific fields collected, their purpose and their retention period:

  • Staff Identity. Fields: display name, district email. Purpose: identify authorized users for credential issuance. Retention: duration of authorization + 1 year.
  • Professional Role. Fields: job title, department, role tier. Purpose: enforce scope-appropriate access boundaries. Retention: duration of authorization + 1 year.
  • Access Credentials. Fields: credential ID, timestamps, HMAC signature. Purpose: issue and validate time-limited access tokens. Retention: 90 days after expiration.
  • Access Logs. Fields: event type, timestamp, IP address, user agent. Purpose: auditable record of all access events. Retention: 2 years.
  • Access Requests. Fields: name, email, department, role, supervisor, justification. Purpose: process access authorization requests. Retention: request lifecycle + 1 year.
  • High-Risk Events. Fields: description, severity, resolution notes. Purpose: track and resolve anomalous access patterns. Retention: 3 years.
  • Auth Session. Fields: encrypted session cookie, OAuth ID. Purpose: maintain authenticated sessions. Retention: session duration.

3.1 Data We Do Not Collect

The Portal explicitly does not collect, process, store, or transmit:

  • Student data of any kind — no names, grades, IDs, behavioral records, IEP/504 information, or any other student-identifiable information
  • Passwords — authentication is delegated to the OAuth provider; the Portal never sees or stores user passwords
  • Biometric data — no fingerprints, facial recognition, voiceprints, or other biometric identifiers
  • Location data — beyond the IP address logged for security audit purposes
  • Financial information — no payment data, bank accounts, or financial records
  • Content of AI interactions — the Portal has no access to conversations between staff and the Anchora™ GPT

4. How We Use Collected Data

Access Governance. Staff identity and role information is used to determine whether a user is authorized to receive an access credential, and at what scope tier. This determination is always made by a named human administrator — never by an automated system.

Credential Issuance and Validation. When an authorized user requests a credential, the Portal generates a cryptographically signed, time-limited Access Result String. When the Anchora™ GPT submits a credential for validation, the Portal verifies the signature, checks expiration, and confirms jurisdiction, returning only a valid/invalid determination and the minimal identifying fields listed in Section 5.

Security and Compliance Auditing. Access logs and high-risk event records are maintained to support the District's compliance obligations, enable incident investigation, and provide an auditable trail of all access decisions.

Administrative Oversight. Authorized administrators use the Portal to review access requests, manage user authorizations, investigate anomalous activity, and maintain the governance record required by District policy.

5. Credential Validation API — Data Exposure

The credential validation endpoint (POST /api/credentials/validate) is the only externally accessible API on the Portal. It is designed to return the minimum data necessary for the Anchora™ GPT to make an access decision.

Data transmitted in each direction, and its sensitivity:

  • Inbound (GPT to Portal): the full Access Result String, which contains the staff name, role tier, credential ID, timestamps and HMAC signature.
  • Outbound, valid credential: valid: true, display_name, role, expires_at. Staff name and role tier only; no email, no user ID.
  • Outbound, invalid credential: valid: false, reason. No user-identifying information is returned.

The validation endpoint is rate-limited to prevent abuse. All validation attempts are logged with timestamp and credential ID, regardless of outcome.

6. Data Sharing and Third Parties

The Portal does not sell, rent, lease, or trade any data to any third party. The Portal does not engage in targeted advertising, behavioral profiling, or data brokerage of any kind.

OpenAI (via Credential Validation). When the Anchora™ GPT calls the validation endpoint, the response data described in Section 5 is transmitted to OpenAI's infrastructure. This is limited to the staff member's display name, role tier, and credential expiration. Note that the GPT holds the full Access Result String before it calls the endpoint (the inbound row in Section 5), so the fields in that string, including the credential ID, timestamps and signature, also pass through OpenAI's platform.

Portal Administration. Authorized administrators designated by Figure 8 Intelligence and JTHS District 204 have access to the Portal's administrative functions. Administrative access is itself governed by the Portal's role-based access control system.

Legal Compliance. Data may be disclosed if required by law, regulation, court order, or other governmental request, consistent with applicable Illinois and federal law.

7. Data Security

Encryption in Transit. All connections to the Portal are encrypted using TLS (HTTPS). Unencrypted HTTP connections are not accepted.

Cryptographic Credential Integrity. Every Access Result String is signed using HMAC-SHA256. Any modification to a credential after issuance invalidates the signature and causes the credential to be rejected.

Session Security. Authentication sessions use cookies carrying the Secure, HttpOnly and SameSite attributes: the cookie is sent only over HTTPS, is not readable by client-side JavaScript, and is not sent on cross-site requests.

Security Headers. The Portal enforces HTTP Strict Transport Security (HSTS), X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Referrer-Policy headers on all responses.

Anomaly Detection. The Portal monitors for anomalous access patterns, including rapid credential generation, unusual IP addresses, and out-of-pattern access times. Detected anomalies are flagged as high-risk events for human review.
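The three anomaly classes named above (rapid credential generation, unseen IP addresses, out-of-pattern access times), run over a few constructed log lines with the field set from Section 3, as an added Python example. This is not the Portal's detection logic: the line format, the user= field used to group events per staff member, the threshold of 3 issuances in 10 minutes, the per-user known-IP baseline and the 06:00 to 20:59 UTC business-hours window are all assumptions made for the example.

```python
"""Flag anomalous access patterns in Portal-style access logs.

Added illustration, not the Portal's own detector. The log format, thresholds,
business-hours window and per-user IP baseline are assumptions.
"""
import re
import shlex
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample lines: event type, timestamp, IP and user agent as in
# Section 3; the user= field is assumed so events can be grouped per user.
SAMPLE_LOG = """\
2026-04-06T08:15:00Z credential.issued user=jdoe ip=203.0.113.10 ua="Mozilla/5.0"
2026-04-06T08:16:10Z credential.issued user=jdoe ip=203.0.113.10 ua="Mozilla/5.0"
2026-04-06T08:17:30Z credential.issued user=jdoe ip=203.0.113.10 ua="Mozilla/5.0"
2026-04-06T13:02:00Z credential.issued user=asmith ip=198.51.100.7 ua="Mozilla/5.0"
2026-04-07T02:40:00Z credential.issued user=asmith ip=192.0.2.99 ua="curl/8.0"
"""

# Assumed baseline of IPs previously seen per user (would come from history).
KNOWN_IPS = {"jdoe": {"203.0.113.10"}, "asmith": {"198.51.100.7"}}
RAPID_COUNT, RAPID_WINDOW_SECONDS = 3, 10 * 60   # 3 issuances within 10 minutes
BUSINESS_HOURS = range(6, 21)                    # 06:00-20:59 UTC, assumed

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Split '<timestamp> <event> k=v k="v v"' into a dict with a UTC datetime."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts_text, event, rest = match.groups()
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": event, **fields}


def detect_anomalies(log_text, known_ips=KNOWN_IPS):
    """Return high-risk findings (user, severity, description) for human review."""
    findings = []
    recent = defaultdict(deque)   # user -> timestamps of issuances in the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]

        # Rule 1: rapid credential generation by one user (sliding window).
        if ev["event"] == "credential.issued":
            window = recent[user]
            window.append(ts)
            while (ts - window[0]).total_seconds() > RAPID_WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RAPID_COUNT:
                findings.append({
                    "user": user, "severity": "high",
                    "description": f"{len(window)} credentials issued within "
                                   f"{RAPID_WINDOW_SECONDS // 60} min",
                })
                window.clear()   # report each burst once

        # Rule 2: access from an IP never seen for this user.
        if ip not in known_ips.get(user, set()):
            findings.append({"user": user, "severity": "medium",
                             "description": f"access from previously unseen IP {ip}"})

        # Rule 3: access outside the expected hours.
        if ts.hour not in BUSINESS_HOURS:
            findings.append({"user": user, "severity": "low",
                             "description": f"access at {ts:%H:%M} UTC, outside business hours"})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_LOG):
        print(finding)
```

Each finding carries only a description and severity, matching the High-Risk Events fields in Section 3; the resolution notes are added by the human reviewer, not by the detector. The burst rule clears its window after firing so one rapid-issuance episode produces one event rather than one per additional credential.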

Credential Expiration. All Access Result Strings expire after 12 hours. Expired credentials cannot be renewed — a new credential must be generated through the Portal.
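The issue-and-validate flow that Sections 4, 5 and 7 describe (HMAC-SHA256 signature, 12-hour expiry, jurisdiction check, minimal valid/invalid response), as an added Python example that is not the Portal's own code. The policy states only that the string is HMAC-SHA256 signed, expires after 12 hours, and is validated for signature, expiry and jurisdiction; the string layout (base64url JSON payload, a dot, a hex signature), the field names, the "IL-K12" jurisdiction tag, the reason codes and the key handling are assumptions made for the example.

```python
"""Issue and validate an HMAC-SHA256 signed, time-limited Access Result String.

Added illustration: the string layout, field names, jurisdiction tag, reason
codes and key handling are assumptions, not the Portal's actual format.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

CREDENTIAL_TTL_SECONDS = 12 * 60 * 60   # 12-hour lifetime stated in Section 7
JURISDICTION = "IL-K12"                  # assumed tag; the policy only says "jurisdiction"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(key: bytes, display_name: str, role: str,
                     now: Optional[float] = None) -> str:
    """Return base64url(JSON payload) + "." + hex(HMAC-SHA256 over that payload)."""
    now = int(time.time() if now is None else now)
    payload = {
        "credential_id": secrets.token_hex(8),
        "display_name": display_name,
        "role": role,
        "jurisdiction": JURISDICTION,
        "issued_at": now,
        "expires_at": now + CREDENTIAL_TTL_SECONDS,
    }
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_credential(key: bytes, ars: str,
                        now: Optional[float] = None) -> dict:
    """Check signature, then expiry, then jurisdiction, and return only the
    minimal response shape from Section 5 (no email, no internal user ID)."""
    now = time.time() if now is None else now
    if "." not in ars:
        return {"valid": False, "reason": "malformed"}
    body, sig = ars.rsplit(".", 1)
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how many leading bytes
    # of a forged signature matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return {"valid": False, "reason": "bad_signature"}
    # Only signed data is parsed, so unsigned input never reaches the parser.
    try:
        payload = json.loads(_b64url_decode(body))
    except ValueError:
        return {"valid": False, "reason": "malformed"}
    if not isinstance(payload, dict):
        return {"valid": False, "reason": "malformed"}
    if payload.get("expires_at", 0) <= now:
        return {"valid": False, "reason": "expired"}
    if payload.get("jurisdiction") != JURISDICTION:
        return {"valid": False, "reason": "wrong_jurisdiction"}
    return {
        "valid": True,
        "display_name": payload.get("display_name"),
        "role": payload.get("role"),
        "expires_at": payload["expires_at"],
    }


def tamper_role(ars: str, new_role: str) -> str:
    """Attacker's view: rewrite the role in the payload without re-signing."""
    body, sig = ars.rsplit(".", 1)
    payload = json.loads(_b64url_decode(body))
    payload["role"] = new_role
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{sig}"


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # placeholder; a real key lives in a secret store
    t0 = 1_775_000_000
    ars = issue_credential(key, "J. Doe", "counselor", now=t0)
    print(validate_credential(key, ars, now=t0 + 60))
    print(validate_credential(key, tamper_role(ars, "admin"), now=t0 + 60))
    print(validate_credential(key, ars, now=t0 + CREDENTIAL_TTL_SECONDS + 1))
```

The order of checks matters: the signature is verified before the payload is decoded, so an attacker without the key cannot reach the JSON parser or the expiry logic with chosen input, and a role edited after issuance (tamper_role) fails as bad_signature rather than being honoured. Expiry is compared against the issuer's own expires_at field, which is covered by the signature, so it cannot be extended client-side; a new credential must be issued, as Section 7 states.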

8. FERPA Compliance

The Portal is designed to operate entirely outside the scope of FERPA-protected education records. No student data enters, passes through, or is stored in the Portal at any point. The Portal manages access credentials for staff members only — it is an access governance layer, not an educational technology tool.

To the extent that the Anchora™ GPT may be used by staff to discuss student-related matters, those interactions occur on OpenAI's platform and are subject to OpenAI's data handling policies and the District's acceptable use policies. The Portal's role is limited to verifying that the staff member is authorized before those interactions begin.

9. Illinois SOPPA Compliance

No Student Covered Information. The Portal does not collect, maintain, or have access to any student covered information as defined by 105 ILCS 85/5.

Not an Operator Under SOPPA. Because the Portal does not collect student covered information and is not used by students, it does not meet the definition of an "operator" under SOPPA. However, the Portal was designed with SOPPA's principles in mind — particularly data minimization, purpose limitation, and security — as a matter of best practice.

Supporting District Compliance. The Portal supports the District's broader SOPPA compliance posture by ensuring that only authorized, role-appropriate staff members can access AI-assisted guidance tools, and that all access is logged and auditable.

10. COPPA Compliance

The Portal is not directed at children under 13 (or any children). It is used exclusively by adult staff members of JTHS District 204 and designated personnel of Figure 8 Intelligence. No information is collected from children at any point.

11. Data Retention and Deletion

Retention period and deletion method by data type:

  • Active user records: retained for the duration of authorization; removed after revocation plus the retention period.
  • Expired credentials: 90 days after expiration; automatic purge.
  • Access logs: 2 years; automatic purge.
  • High-risk event records: 3 years; automatic purge.
  • Denied access requests: 1 year after denial; automatic purge.
  • Authentication sessions: session duration; cleared on logout or expiration.

Upon request by an authorized administrator, individual user records can be permanently deleted from the system, subject to any legal hold or compliance retention requirements.

12. User Rights

Access. Users may view their own access status, credential history, and access logs through the Portal's dashboard.

Correction. Users may request correction of inaccurate personal information by contacting a Portal administrator.

Deletion. Users may request deletion of their Portal account and associated data by contacting a Portal administrator. Deletion requests will be processed within 30 days, subject to any legal hold or compliance retention requirements.

Objection. Users who believe their data has been processed inappropriately may raise concerns with the Portal administrator or the District's designated privacy officer.

13. Changes to This Policy

This Privacy Policy may be updated from time to time to reflect changes in the Portal's functionality, applicable law, or District policy. Material changes will be communicated to authorized users through the Portal's dashboard. The "Last Updated" date at the top of this policy will always reflect the most recent revision.

14. Contact Information

For questions, concerns, or requests related to this Privacy Policy or the Anchora™ Access Control Portal's data practices, please contact:

Monica Smith
System Architect — Anchora™
Figure 8 Intelligence
Email: [email protected]

15. Regulatory References

Anchora™ is governed under Illinois K-12 jurisdiction and deployed in partnership with JTHS District 204. All access decisions are human-controlled.