Opportunitree is an educational technology platform that helps high school students discover extracurricular opportunities, track milestones, and receive personalized college-prep recommendations. We operate as a service provider to schools and school districts under written Data Privacy Agreements (DPAs).

When Opportunitree operates under a contract with a school or school district, we act as a "school official" with a legitimate educational interest, as defined under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. In this capacity, we are subject to the same restrictions on the use and disclosure of education records as district employees.

Account Information: First name, last name, email address, password (stored as a secure bcrypt hash), graduation year, and school affiliation.

Academic Profile: GPA, grade level, intended majors, dream schools, SAT/ACT scores, budget range, regional preferences, and extracurricular interests — provided voluntarily by the student through our onboarding survey.

Platform Activity: Opportunities viewed, saved, applied to, or ignored; milestones created or completed; counselor interactions; login timestamps and last active date.

Device & Technical Data: IP address (used for rate limiting and fraud prevention only), browser type, and session identifiers. We do not use persistent tracking cookies or build device fingerprints.

What we do NOT collect: Social Security numbers, government ID numbers, biometric data, health/medical records, political affiliation, religious affiliation, voting history, or financial account numbers. We never collect information beyond what is necessary to provide the educational service.

We use student data solely for the following educational purposes:

• Matching students with relevant extracurricular opportunities, programs, and scholarships
• Generating personalized milestone plans and college-prep recommendations
• Enabling counselors to monitor student progress and provide guidance
• Sending deadline reminders and opportunity notifications
• Improving platform features based on aggregate, de-identified usage patterns
• Complying with applicable law and responding to lawful requests

We do not use student data for targeted advertising, behavioral advertising, or any commercial purpose unrelated to the educational service. We do not build student profiles for non-K-12 purposes.

FERPA: When we receive student education records from a school or district, we operate under a Data Privacy Agreement as a school official. We use those records only as directed by the institution and do not re-disclose them to unauthorized parties. Students and parents retain all rights under FERPA, including the right to inspect, correct, and request deletion of education records held by the school.

COPPA: Opportunitree is not directed at children under 13 as a standalone consumer product. When deployed through a school, the school acts as the operator's agent and may provide consent on behalf of parents for educational use only, in accordance with FTC COPPA guidance for educational technology. No data collected from students under 13 is used for any commercial purpose. Parents may contact us at any time to review or request deletion of their child's data.

Florida Student Online Personal Information Protection Act (SOPIPA) — F.S. § 1006.1494:

• We do not sell, rent, or trade student personal information
• We do not use student data to engage in targeted advertising
• We do not build commercial profiles of students
• We will delete student personal information within 90 days of a written request from a school or district
• We maintain reasonable security procedures appropriate to the nature and sensitivity of the data we hold

Florida Student Data Privacy Act — F.S. § 1002.222: We collect only the minimum personal information necessary to provide the contracted educational service. We do not collect or retain political affiliation, religious affiliation, biometric information, or any other category of data prohibited under § 1002.222.

Florida Digital Bill of Rights — SB 262: For users under 18, we do not process personal information in ways that would result in substantial harm or significant privacy risks, and we do not sell or share minors' personal data.

We share student data only in the following limited circumstances:

• School administrators and counselors — who access student progress data through the platform as part of their educational duties
• Service providers — such as our cloud database provider (MongoDB Atlas), cloud storage (Cloudinary), email delivery (Resend), and error monitoring (Sentry) — all operating under data processing agreements that prohibit them from using student data for any other purpose
• Legal compliance — when required by law, subpoena, or court order, or to protect the safety of users or the public

We never sell student data to data brokers, advertisers, or any third party for commercial purposes.

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data we hold, including:

• Passwords stored using bcrypt hashing — never in plaintext
• Authentication via JSON Web Tokens (JWT) stored in httpOnly, Secure cookies
• All data transmitted over TLS (HTTPS) — enforced via HTTP Strict Transport Security (HSTS)
• Role-based access controls — students, counselors, and admins can only access data appropriate to their role
• Rate limiting on all authentication endpoints to prevent brute-force attacks
• Input validation and NoSQL injection prevention on all API routes
• Security headers including Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options

In the event of a data breach that affects student personal information, we will notify affected schools and districts within the timeframe required by applicable law.

We retain student data only as long as the student has an active account or as required by the school's contract with us.

• Student-initiated deletion: Students may delete their account at any time from their profile settings. All personal data is removed within 30 days.
• School-initiated deletion: Schools and districts may request deletion of all student data for their institution at any time. We will complete the deletion within 90 days of the written request, in compliance with SOPIPA (F.S. § 1006.1494).
• Account expiration: Unverified accounts (where a student began signup but never confirmed their email) are automatically deleted within 24 hours.
• Aggregate data: De-identified, aggregated data that cannot reasonably be used to identify any individual may be retained for platform improvement purposes.

Depending on your role and location, you may have the following rights:

• Right to access: Request a copy of the personal information we hold about you
• Right to correct: Request correction of inaccurate information in your account
• Right to delete: Request deletion of your account and associated personal data
• Right to opt out: Opt out of non-essential communications
• Parental rights (FERPA/COPPA): Parents of students under 18 (or under 13 for COPPA) may exercise these rights on their child's behalf by contacting us directly

To exercise any of these rights, contact us at privacy@opportunitree.us.

We use only essential cookies required for authentication and security (httpOnly session cookies and CSRF tokens). We do not use third-party advertising cookies, tracking pixels, or analytics cookies that share data with external ad networks.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify users by email or in-app notice.

If you have questions about this Privacy Policy, a data request, or a concern about how we handle student data, please contact us: