Privacy Policy
Last updated: May 2026
1. Introduction
Vaccaro Ventures LLC ("we," "our," or "Casemate") operates Casemate, an IEP case management tool for special educators. This Privacy Policy explains how we collect, use, and protect information when you use our service.
When a school or district uses Casemate, we act as a school official with a legitimate educational interest under FERPA (34 CFR § 99.31(a)(1)). We process student data only to provide the service under the direction of the educational agency, we do not re-disclose it, and we do not use it for our own purposes.
2. Information We Collect
Account information: When you sign up, we collect your email address, display name, and authentication credentials (managed by Firebase Auth).
Student data (minimal, de-identified):Teachers enter only student initials (e.g., J.M.), grade level, IEP goals, service requirements, accommodations, and class schedules (e.g., "Math, Room 101"). We do not store student full names, addresses, birth dates, or Social Security numbers.
Uploaded documents: If you upload an IEP or assessment PDF, we extract structured information from it and strip personally identifiable information (PII) before storing results. Full names are converted to initials; SSNs, dates of birth, phone numbers, emails, and addresses are removed.
Service logs & progress data: Session notes, completion status, and progress monitoring notes you enter, linked to student initials only.
Waitlist/leads: If you submit your email on our landing page, we store it to notify you about product updates.
3. How We Use Your Information
We use your data solely to provide and improve Casemate: to display your caseload, generate schedules, track compliance, draft IEP-related text, and produce progress reports. We do not sell your data. We do not use student data for advertising or marketing, and we do not use it to train our own models.
4. Artificial Intelligence & Automated Processing
Several features (IEP/assessment extraction, present levels, progress statements, and standards-aligned activity suggestions) use generative AI. By default, these requests are processed by Google Vertex AI on Google Cloud under the Google Cloud Data Processing Addendum. Content sent to Vertex AI is not used to train Google's models and is processed within a configured Google Cloud region.
We minimize the data sent to AI models: prompts are built from de-identified data (initials, not full names) and pass an additional PII-scrubbing step before being sent. A district or organization may optionally configure its own AI key (BYOK), in which case those requests use that customer's own provider relationship. AI output is a draft for educator review — a qualified professional reviews and finalizes all AI-assisted content. See our Trust Center for details.
5. Data Storage and Security
Data is stored in Google Cloud (Firebase/Firestore). All data is encrypted in transit (TLS 1.2+) and at rest. Access is restricted by authentication and Firestore security rules. See our Security & Data Practices page for details.
6. Who Can Access Student Data
Access follows your school or district's own structure, which your administrators control:
- A teacher can access the students on their own caseload.
- Teachers in the same school may share school-wide caseloads (e.g., to co-assign services), where enabled by the school.
- A principal may access caseloads of teachers in their school; a district administrator may access schools in their district.
There is no access across unrelated schools or districts. Casemate personnel do not access customer student data except as needed for support, security, or legal compliance.
7. Subprocessors
We do not share your data with third parties for marketing. We use the following subprocessors to operate the service, each contractually bound to protect data:
- Google Cloud — Firebase Authentication, Firestore (storage), Cloud Functions (compute), Vertex AI (AI inference), Document AI (PDF OCR), Secret Manager
- Netlify — application hosting / CDN
- Stripe — payment processing
- Resend — transactional invitation email (staff email addresses only)
We can provide a Data Privacy Agreement (DPA) and a current subprocessor list to schools and districts on request.
8. Data Retention and Deletion
You can delete your account and associated data at any time by contacting us. We will delete your data within 30 days of a valid request, except where we must retain it for legal or operational purposes. On termination of a school or district agreement, student data is deleted or returned per that agreement.
9. Your Rights
You may access, correct, or delete your personal information. For requests, contact us at the email below. If you are in a jurisdiction with additional privacy rights (e.g., GDPR, CCPA), we will honor those rights where applicable. Parents seeking access to student data should contact their school or district, which controls that data.
10. Children's Privacy
Casemate is intended for use by educators, not students or children, and is not directed to children. Student data entered by teachers (initials, goals, services) is minimal and de-identified, and is processed on behalf of the school under FERPA.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date.
12. Contact Us
Vaccaro Ventures LLC
For privacy inquiries: privacy@iepcasemate.com