Privacy Policy

Last updated: February 15, 2026

1. Information We Collect

AccredLeap collects information necessary to provide our accreditation document preparation services. This includes:

  • Account information: Name, email address, institutional affiliation, and role when you create an account.
  • Institutional data: Information provided during AI-guided interviews, uploaded documents (including faculty CVs), and generated accreditation narratives.
  • Usage data: How you interact with our platform, including pages visited, features used, and collaboration activity.
  • Technical data: Browser type, device information, and IP address for security and performance purposes.
  • Payment information: When you subscribe to an institutional license, our payment processor (Stripe) collects billing details including credit card information, billing address, and transaction history. AccredLeap does not store credit card numbers directly.

2. How We Use Information

We use the information we collect to:

  • Provide and improve our accreditation document preparation services.
  • Generate AI-powered narrative drafts based on your interview responses and institutional data.
  • Enable real-time collaboration between your team members.
  • Send service-related notifications (review assignments, approval requests, system updates).
  • Maintain platform security and prevent unauthorized access.

We do not sell your data to third parties. Institutional data is never used to train AI models. Your accreditation documents remain your property.

3. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • SOC2-compliant security practices and infrastructure.
  • Institutional data isolation -- each institution's data is logically separated using row-level security policies.
  • Regular security audits and vulnerability assessments.
  • Role-based access controls ensuring team members only access authorized data.

4. Data Retention

We retain your institutional data for as long as your account is active. Upon account termination, we will delete your data within 90 days, unless retention is required by law. You may request data export at any time before account closure.

5. FERPA and Educational Records

AccredLeap may process education records protected under FERPA, including faculty qualification data, student learning outcome data (in Assurance of Learning), institutional accreditation reports, and uploaded evidence documents. The institution is the data controller; AccredLeap acts as a data processor and school official. Only authorized institutional users with appropriate roles can access education records within their tenant.

Education records may be processed by third-party AI services (Anthropic Claude for narrative generation, Google Gemini for document analysis). These services process data ephemerally for the requested task only and do not retain education records. AccredLeap does not use education records to train AI models.

Row-level security policies enforce institutional data isolation across our multi-tenant architecture, ensuring one institution cannot access another's records. All API routes require authentication. In the event of a data breach involving education records, AccredLeap will notify affected institutions within 72 hours, consistent with FERPA requirements. Institutions can export all education records at any time; upon termination, data is retained for 30 days to allow export, then permanently deleted within 90 days.

6. Legal Basis for Processing

We process personal data under the following legal bases as defined by the EU General Data Protection Regulation (GDPR):

  • Consent: Where you have given explicit consent for specific processing activities, such as optional analytics cookies. You may withdraw consent at any time via our cookie settings.
  • Contractual necessity: Processing required to fulfill our service agreement with your institution, including account management, document generation, and collaboration features.
  • Legitimate interest: Processing necessary for our legitimate business interests, such as platform security, fraud prevention, and service improvement, where these interests are not overridden by your data protection rights.
  • Legal obligation: Processing required to comply with applicable laws and regulations, including FERPA and tax reporting requirements.

7. EU Data Subject Rights

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under GDPR:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to data portability: Request your personal data in a structured, commonly used, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to restrict processing: Request limitation of processing in certain circumstances.
  • Right to lodge a complaint: File a complaint with your local data protection authority if you believe your rights have been violated.

To exercise any of these rights, contact us at privacy@accredleap.com. We will respond within 30 days.

8. International Data Transfers

AccredLeap is based in the United States. If you access the Service from the EEA, UK, or other regions with data protection laws, your personal data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure appropriate safeguards for international data transfers. Our hosting providers (Supabase, Vercel) and AI processing partners (Anthropic, Google) maintain comparable data protection commitments.

9. Cookies and Tracking Technologies

AccredLeap uses the following categories of cookies:

  • Essential cookies: Required for authentication, session management, and core platform functionality. These cannot be disabled.
  • Analytics cookies: Used via Vercel Analytics and Speed Insights to understand usage patterns and improve the platform. These are only loaded with your consent.

You can manage your cookie preferences at any time using the "Cookie Settings" link in our website footer. You can also control cookies through your browser settings, though disabling essential cookies may prevent the Service from functioning properly.

10. Your Rights

You have the right to:

  • Access and export your institutional data at any time.
  • Request correction of inaccurate personal information.
  • Request deletion of your account and associated data.
  • Opt out of non-essential communications.

11. Third-Party Services

AccredLeap uses third-party services to provide our platform, including cloud hosting (Supabase, Vercel), AI processing (Anthropic), payment processing (Stripe), and email delivery. These providers are contractually bound to protect your data and process it only as instructed. Stripe processes payment information in accordance with PCI DSS requirements.

12. Contact Us

If you have questions about this privacy policy or our data practices, please contact us at privacy@accredleap.com.

We use cookies for essential site functionality and optional analytics to improve your experience. Privacy Policy