At a glance
- Student & institutional data: processed under institutional direction with role-based access and audit logs.
- Security by default: encryption in transit/at rest, SSO/MFA, RBAC, tenant isolation, and monitoring.
- Compliance alignment: FERPA/GDPR practices with Data Processing Agreements (DPAs) available.
- AI with governance: transparent use, human-in-the-loop controls, and bias monitoring.
- Your choices: access, correction, deletion (where applicable), and cookie preferences.
Scope & roles
For institutional deployments, your institution is typically the Data Controller and Infinize acts as a
Data Processor/Service Provider. For our marketing site and outreach, Infinize is the Data Controller.
Contract terms in your DPA prevail.
What data we collect and why
Platform & student success data (institutional)
- Identifiers: student IDs, institutional emails, program/major, advisor/role assignments
- Academic signals: enrollments, grades (where provided), prerequisites, schedules
- Engagement: LMS activity, nudges/alerts status, appointments, caseload tasks
- Career/transfer context (optional): skills, resume extracts, credit equivalencies
Purpose: unify data, enable role-aware workflows (planning, nudging, insights), measure outcomes.
Operational & analytics data
- Logs/telemetry: API calls, job health, errors, performance
- Configuration: roles, permissions, feature flags
- Website forms: contact details, institution, interests
- Cookies (site usage), device/browser metadata
Purpose: secure the service, improve reliability, and understand product usage.
Sensitive categories (e.g., disability status) are processed only if directed by the institution and contractually permitted.
Legal bases for processing
- Contractual necessity to provide platform functionality to your institution
- Legitimate interests for security, fraud prevention, and product improvement (balanced with your rights)
- Consent for certain marketing or optional features (withdraw anytime)
- Legal obligations where applicable (e.g., compliance, lawful requests)
How we use AI — with governance
Infinize employs AI to power features like early alerts, academic planning validation, major/career recommendations,
transfer mapping, and productivity summaries. AI augments staff and faculty—it does not replace them.
- Human-in-the-loop: Advisors and staff can review, accept, or override recommendations.
- Explainability: We show rationale and references where feasible and appropriate.
- Bias monitoring: We monitor for disparate impact and support institutional reviews.
- No unapproved training: Customer data is not used to train foundation models unless contractually authorized.
- Safety guardrails: Abuse prevention, rate limits, and content controls are enforced.
Cookies & similar technologies
We use necessary cookies for core functionality and optional analytics to improve the site. You can manage preferences at any time.
Types
- Strictly necessary (authentication, load balancing)
- Functional (remember settings)
- Analytics (usage trends; aggregated)
Do Not Track: we honor applicable regional requirements and controls.
Data sharing & subprocessors
We do not sell personal data. We share data only with trusted providers that help us deliver the service, under contract and subject to security and confidentiality obligations.
Common recipients
- Cloud hosting & infrastructure
- Email & notification services
- Error monitoring & logging
- Customer support & ticketing
- Optional analytics (aggregated)
Your institution controls access
For institutional deployments, data flows are governed by the DPA and your institution’s configuration (SSO/RBAC). Subprocessor lists are available upon request and we notify customers before material changes.
We may disclose data if required by law or to protect rights, safety, and integrity of services.
Security
- Encryption: TLS in transit, AES-256 at rest; managed secrets
- Identity & access: SSO/MFA, fine-grained RBAC, least privilege
- Governance: data classification, retention controls, audit logs
- Isolation: tenant separation and environment hardening
- Monitoring: vulnerability management, logging, and alerting
- Continuity: backups, disaster recovery plans, change management
Report a security issue: security@infinize.ai
Data retention & location
We retain personal data for as long as necessary to provide services or as required by our agreements and applicable laws.
Retention periods are defined in institutional configurations and/or DPAs. Data residency options may be available.
Your privacy rights
Depending on your location, you may have rights to access, correct, delete, restrict, or object to processing, and to data portability.
For institutional data, please contact your institution first; we will support them in fulfilling your request.
How to submit a request
- Email: data-rights@infinize.ai
- Include: your name, institution, and request details
We will respond within applicable timelines and coordinate with your institution as needed.
Automated decision-making
Infinize provides recommendations and scores to assist staff; final decisions remain with authorized humans.
You may request information about logic and significance where required by law.
We do not knowingly collect information from children under the age required by local law without appropriate authorization.
International data transfers
Where data is transferred across borders, we implement appropriate safeguards (e.g., Standard Contractual Clauses) and support institutional residency requirements where available.
Changes to this policy
We may update this policy to reflect changes in law, technology, or our services. We will post updates here and, when material, provide additional notice.
Effective date: September 28, 2025