Flint Inc (flintk12.com)
|
Last Updated: April 14, 2026
Flint K12's platform handles educational information through its technology infrastructure with AI capabilities. The service relies on Anthropic, OpenAI, Replicate (image and video generation), E2B (code execution), and Exa (web search) as AI sub-processors, with data storage managed through Supabase (PostgreSQL database on AWS), application hosting through Vercel, and workflow automation through Fly.io.
The system develops interactive learning experiences using teacher materials and student engagement data while maintaining privacy safeguards.
Data handling happens via secure connections to Student Information Systems and Learning Management Systems through Edlink. AI tools work with this information exclusively for customizing learning experiences based on teacher and student input. No student data is used for AI model training or stored beyond its educational purpose.*
The platform handles personal information for several core functions:
User login management through Google, Microsoft, and Circle SSO authentication
Monitoring learning advancement
Enabling student-AI tool communication
Generating tailored educational material (text, images, videos, code visualizations)
Maintaining academic records
Supporting school administrative operations
The system collects multiple data types:
Identification Information
First and last names
Email addresses
Google/Microsoft profile pictures (when available)
Authentication credentials
Educational Information
Class enrollment records
Learning advancement metrics
Assessment outcomes
System Usage Data
Browser specifications and operating system details
Viewed pages and clicked links
Feature engagement duration
Language settings
Device identification
Internet protocol address
Geolocation Data (derived from IP address)
City-level location
Country
Region/state
Analytics Event Data
User interaction events
Feature usage patterns
Session data
Student-Generated Content
AI chatbot conversation logs
Work submissions
Written essays
Audio files (where applicable)
Code submissions
Generated images and videos
All operations occur within United States territory. Primary data storage uses Supabase (PostgreSQL on AWS) servers within the United States with redundancy across different U.S. regions.
Data movement begins with school system integration (via Edlink), moves through approved processors, and employs encrypted connections with controlled access privileges.
Active accounts maintain data indefinitely unless the user requests deletion. Upon deletion requests, all associated data is removed within 30 days. Backup systems preserve data according to redundancy requirements. Schools may request institution-wide data removal anytime.
Active accounts maintain data indefinitely unless the user requests deletion. Upon deletion requests, all associated data is removed within 30 days. Backup systems preserve data according to redundancy requirements. Schools may request institution-wide data removal anytime.
The following third parties process personal data on behalf of Flint:
Provider
Purpose
Data Processed
Anthropic
AI chat, content generation
User prompts, conversation context
OpenAI
AI chat, content generation
User prompts, conversation context
Replicate
Image/video generation
User prompts, uploaded images
E2B
Code execution sandbox
User-submitted code
Exa
Web search for AI
Search queries
Provider
Purpose
Data Processed
Supabase
Database hosting (AWS)
All application data
Vercel
Application hosting
Request logs, application data
Fly.io
Workflow automation
Operational data
Provider
Purpose
Data Processed
Edlink
SIS/LMS integration
Student rosters, class data
Sentry
Error tracking
Error logs, user context
SendGrid
Email delivery
Email addresses, message content
Intercom
Customer support
User profiles, support conversations
PostHog
Product analytics
Usage events, user properties
Mixpanel
Product analytics
Usage events, user properties
Slack
Internal notifications
Aggregated alerts
Google Workspace
Calendar/email integration
Meeting data, email content
Google Analytics
Web analytics
Page views, user sessions, anonymized events
Google Ads
Advertising
Anonymized conversion data
ConvertAPI
Document conversion
Uploaded documents
Datalab
Document processing
Uploaded documents
HubSpot
CRM
Contact names, emails, school associations
GitHub
Code repository
Issue/PR content (may reference user data)
Authentication details create the foundation for account protection and access management. Educational information enables core service delivery and progress assessment. Usage data maintains system functionality and helps identify technical improvements. Geolocation data (city/country level, derived from IP) enables district-level analytics reporting.
Data gathering stays strictly limited to educational purposes with no marketing or commercial use of student data. Collection scope aligns with school requirements and learning objectives.
The current method represents minimum data processing necessary to achieve the platform's educational objectives. Reducing data collection would undermine educational functionality. The approach follows data minimization principles while preserving service quality.
For Student Users
Unauthorized access to records
Misuse of student-created materials
Privacy concerns regarding AI interaction records
Retention and cross-border transfer risks
For Teachers/Administrators
Access management vulnerabilities
Professional privacy exposure
Information accuracy concerns
System access challenges
The platform monitors content appropriateness and safety, potential algorithmic bias, decision-making transparency, and maintains boundaries between AI services and student data.
Technical Controls
HTTPS encryption for data in transit
Encryption at rest for stored data
Role-based access restrictions
Routine security evaluations and upgrades
Redundant backup infrastructure
Organizational Controls
Privacy documentation and processes
Designated Data Protection Officer
Incident response frameworks
Security training programs
Educational records receive FERPA guidelines protection. Users under 13 get enhanced protections in compliance with COPPA. Access restrictions include special handling procedures for any sensitive educational content.
Data Protection Methods
HTTPS encryption during transmission
Encryption at rest for stored data
Controlled API connections to service providers
Recurring security patches
Role-based, multi-factor authentication options
Session controls and timeout features
Comprehensive activity logging
Policy Framework
Detailed privacy documents
Ongoing team training
Emergency response procedures
Data management guidelines
Management Structure
Assigned Data Protection Officer
Security incident reporting pathways
Periodic policy revisions
Documented security procedures
COPPA Compliance:
Parental authorization requirements
Age-suitable privacy features
Limited information distribution
Strengthened security measures
Educational Privacy (FERPA):
School-based authorization systems
Minimal minor data collection
Strict access management
Users can submit access requests through a straightforward process with a 30-day response timeline.
The platform enforces strict data usage limitations, ensuring no student data is used for AI model training.
Transparency includes documented AI usage, interaction audits, teacher oversight of AI content, and explicit consent requirements for AI features.
The system avoids autonomous determinations entirely. All personalization is based on explicit inputs with mandatory teacher review and documented AI influence.
Regular audits assess content safety and detect bias. Teacher review processes and continuous monitoring protocols identify concerns.
The platform adheres to:
GDPR standards
FERPA guidelines
COPPA regulations
Third-party relationships remain limited to essential providers with data processing agreements. No commercial data sharing occurs, and compliance receives periodic review.
Date
Version
Change
April 14, 2026
2.0
Added missing AI sub-processors (Replicate, E2B, Exa); Updated hosting providers (Vercel, Fly.io, Supabase); Added third-party integrations; Added Circle SSO; Clarified encryption (HTTPS + at-rest, not E2E); Added geolocation and analytics data categories
December 18, 2024
1.0
Initial version
