Compliance & Privacy

Built for schools, hospitals, and federal grantmakers.

The Force for Health® Network is designed to meet the standards required to serve K–12 districts, higher education, healthcare systems, state and federal agencies, and the communities they represent. Here is our current posture across the frameworks that matter.

We are a mission-driven platform serving minors, communities, and clinical partners. Compliance is not a checkbox for us. It is the foundation of partnership trust and the condition of every school district contract, every healthcare system integration, and every federal grant.

This page summarizes how The Force for Health® Network approaches data privacy, accessibility, and regulatory compliance. For partner-specific data sharing agreements (DSAs), Business Associate Agreements (BAAs), or Data Processing Agreements (DPAs), contact our team directly.

FERPA · Family Educational Rights and Privacy Act

Compliant

Applies when we serve students in K–12 and higher education through school or district partnerships.

How FFH Implements ItStudent data is isolated by organization through Supabase Row-Level Security. We operate as a “school official” with “legitimate educational interest” under written DSAs. No student personally identifiable information is ever shared with AI prompts or third-party services. Parents and eligible students retain access, correction, and deletion rights.

Data sharing agreements in place with every school and district partner before onboarding.
Annual FERPA review is part of every partnership contract renewal.
Data export and deletion capabilities available for parent or student requests.
No re-disclosure to third parties without verifiable consent.

HIPAA · Health Insurance Portability and Accountability Act

Ready for BAA

Applies when we handle Protected Health Information (PHI). The Force for Health is primarily a health education platform, not a healthcare provider, so most of our data is not PHI.

General health education content, anonymized literacy assessments, and gamification activity are not PHI and do not trigger HIPAA. Integration with healthcare systems, the Certified Patient program (launching with Asthma), and any feature that collects individually identifiable health information operates under a Business Associate Agreement with the partner.

Dr. Rob AI conversations are session-scoped only. No PHI is stored with personal identifiers.
Encryption at rest (Supabase default) and in transit (HTTPS/TLS).
Minimum necessary standard applied to any health data collection.
BAA framework in place and ready to execute with any healthcare partner.
Crisis safety reference to the 988 Suicide & Crisis Lifeline built into Dr. Rob.

WCAG 2.1 AA · Web Content Accessibility Guidelines

Conforming

Required for most school district partnerships and aligned with Section 508 for federal partners.

We build to Level AA across Perceivable, Operable, Understandable, and Robust criteria. Accessibility is part of the shipping checklist for every page, game, and module.

Keyboard navigation across all Prevention Bingo Cards, assessments, and games.
Color contrast meets 4.5:1 for standard text and 3:1 for large text.
Color is never the sole indicator of state; icons, labels, and patterns accompany it.
ARIA labels on all interactive elements and game controls.
Closed captions supported in the video player.
Screen reader tested with NVDA and VoiceOver before deployment.

COPPA · Children’s Online Privacy Protection Act

Compliant

Applies when we serve children under 13, particularly in elementary school partnerships.

We age-gate at registration. Children under 13 are onboarded through the school consent exception using school-provisioned accounts that require no email. For individual family registrations, verifiable parental consent is collected before any account activity.

Minimal data collection for users under 13.
No behavioral advertising or third-party data sharing for under-13 users.
Extra guardrails for Dr. Rob interactions with younger users. No health data retention.
Plain-language privacy policy written for families.

GDPR · EU General Data Protection Regulation

Compliant

Applies if we serve users in the European Union. Relevant for international expansion and partnerships.

Lawful basis for every processing activity (consent, contract, or legitimate interest) is documented.
User rights of access, rectification, erasure, and portability are available in profile settings.
Data Processing Agreements in place with Supabase and Vercel. Other sub-processors vetted.
Cookie consent banner with granular opt-in/opt-out for non-essential cookies.
72-hour breach notification procedure established.
Privacy by design across the product lifecycle.

Section 508 · U.S. Federal Accessibility

Conforming

Required for federal funding recipients and partners of federal agencies (NIH, CDC, HRSA, ED).

Section 508 incorporates WCAG 2.0 AA criteria. Our WCAG 2.1 AA conformance satisfies Section 508 requirements. A Voluntary Product Accessibility Template (VPAT) is available on request for institutional buyers.

EU AI Act · Artificial Intelligence Transparency & Safety

Monitored & Aligned

Classifies AI systems by risk level. Education AI can fall into “limited risk” or “high-risk” categories.

Dr. Rob operates as a “limited risk” health education tutor with transparency obligations only. Grading, progress gating, and assessments are based on objective quiz scores, not AI judgment. This keeps Dr. Rob out of “high-risk” classification while preserving the educational value.

Users are informed they are interacting with an AI system. Dr. Rob is always labeled.
Human oversight on all progress and completion decisions.
System purpose, training data sources, and limitations are documented and disclosed.
Monitoring for regulatory updates as the EU AI Act implementation evolves.

State-Level Student Privacy Laws

Built to California Standard

Applies to states with laws beyond FERPA. We build to the strictest applicable state (California) so we exceed requirements everywhere.

California (SOPIPA, CalOPPA, CCPA/CPRA) · No targeted advertising with student data. Expanded privacy notice.
New York (Education Law 2-d) · Parents Bill of Rights. Data security standards.
Colorado, Connecticut, Virginia and other comprehensive state privacy laws addressed through our California-first posture.
Illinois BIPA · We do not collect biometric data (no face recognition, no fingerprints).

Full Compliance Documentation

Detailed policies, statements, and partner documentation live in the Compliance Center.

Need a DSA, BAA, DPA, or VPAT?

School districts, healthcare systems, federal agency partners, and international organizations can request partner-specific compliance documentation directly from our team.

Request Documentation