How we handle your data.
OnePointe processes some of the most sensitive records a higher-education institution holds. This policy explains what data we collect, how we use it, who we share it with, and the rights you have over it. We've kept the language plain on purpose.
We don't sell your data
Ever. Not to advertisers, data brokers, or AI companies. Not in any form.
We don't train AI on your records
Subject data is never used to train models for other institutions or external products.
Your data stays in the U.S.
Hosted in U.S. AWS regions. Never transferred outside the country.
You can export at any time
Standard, machine-readable formats. No need to ask permission.
1. Scope & definitions
This Privacy Policy applies to OnePointe Technologies, Inc. ("OnePointe," "we," "us") and to the OnePointe Case Management platform and related services (collectively, the "Service").
Throughout this policy, "Institution" means the university, college, K–12 district, or other organization that has subscribed to the Service. "User" means any individual who accesses the Service in their professional capacity (administrators, investigators, coordinators). "Subject" means any individual whose information is recorded in the Service in the context of a case, referral, or report — typically a student, employee, or third party.
2. Data we collect
From Users
- Account information: name, institutional email, role, department
- Authentication data: SSO assertions, MFA factors, session tokens
- Activity data: pages viewed, actions performed, timestamps, IP address
- Support communications: messages, screenshots, recordings you send to us
From Institutions (about Subjects)
- Identifying information: names, student IDs, dates of birth, contact details
- Case content: incident reports, evidence, witness statements, hearing records
- Outcome data: sanctions, accommodations, resolutions, appeals
- Documents and attachments uploaded by Users
Automatically collected
- Technical data: browser type, operating system, device identifiers
- Usage data: feature engagement, error events, performance metrics
- Cookies and similar technologies — described in our Cookie Policy
3. How we use data
We use data only for purposes that are necessary, proportionate, and clearly disclosed:
- Service delivery — providing the platform, processing case workflows, generating reports for the Institution
- Authentication & security — verifying identity, detecting unauthorized access, preventing abuse
- Support — responding to inquiries, resolving issues, providing training
- Service improvement — debugging, performance optimization, accessibility testing
- Legal compliance — meeting our regulatory and contractual obligations
What we never do: Sell personal data. Use Subject data to train AI models for other Institutions. Share Subject data with advertisers. Use Subject data outside the scope of the Institution's instructions.
4. Legal basis for processing
For Subjects in jurisdictions with comprehensive privacy laws (GDPR, UK GDPR, CCPA, and similar), our legal basis depends on the data and purpose:
- Contract — when processing is necessary to deliver the Service to the Institution
- Legal obligation — when required by Title IX, Clery Act, FERPA, state mandates, or judicial process
- Legitimate interest — for security, fraud prevention, and Service improvement, balanced against individual rights
- Consent — for optional features such as certain analytics, where consent is freely given and revocable
6. Retention & deletion
Subject data is retained according to the retention policy configured by the Institution, calibrated to FERPA, Title IX, Clery, and applicable state requirements. Default retention is seven years from case closure unless the Institution specifies otherwise.
User account data is retained while the account is active and for 90 days after deactivation, after which it is irreversibly deleted unless legal hold applies.
Backups are retained for 90 days. Cryptographic shredding ensures that deleted data cannot be reconstructed from backup media.
7. Your rights
If you are a Subject whose information is recorded in the Service, your rights are governed primarily by your relationship with the Institution. Direct requests to your Institution's privacy or compliance officer.
If you are a User, you may:
- Access — request a copy of your User account data
- Correct — update inaccurate or incomplete information
- Delete — request deletion of your account, subject to legal retention
- Object — to processing based on legitimate interest
- Portability — receive your data in a structured, machine-readable format
To exercise these rights, contact us. We respond within 30 days.
8. FERPA & HIPAA
OnePointe is a "school official" with a "legitimate educational interest" under FERPA when processing student education records on behalf of an Institution. We are bound by the same restrictions on use and re-disclosure as Institution employees.
OnePointe is not a HIPAA-covered entity. If your Institution operates a HIPAA-regulated health unit and uses OnePointe to manage related cases, a Business Associate Agreement is available — contact us to put one in place.
9. International transfers
OnePointe data is hosted and processed exclusively in the United States. We do not transfer Subject data outside the U.S. Customer support staff may, in limited circumstances, access metadata from EU or UK locations under Standard Contractual Clauses or equivalent transfer mechanisms.
10. Changes & contact
We will notify Institution administrators of any material changes to this policy at least 30 days before they take effect, by email and via the Service. The "Effective" date at the top of this page reflects the most recent revision.
Questions, complaints, or requests:
- Email: hello@onepointe.ai
- Mailing address: OnePointe Technologies, Inc., 830 NE Holladay St, Portland, OR 97232