Capti Privacy Policy

Version Effective Date: 03/31/2026

1. Introduction and Key Definitions

This is the Privacy Policy of Charmtech Labs LLC, doing business as Capti ("Capti," "Company," "we," "our" or "us") for use of the capti.com website, and related online pages (including the publicly accessible portions of the website, referred to as the "Public Site," and the authenticated platform, applications, assessments, and tools made available to schools, districts, and other customers, referred to as the "School Services," and collectively, the "Services"). We want our visitors to learn about our Services, and we help educators, researchers, parents, students, and other authorized users to easily put our Services to work. Capitalized terms used but not defined in this Privacy Policy have the meanings given to them in our Terms of Service.

In this Privacy Policy, we describe the information we may collect about you through our Services (as defined in our Terms of Service), how we use that information, circumstances in which we share it, how we protect it, and the rights and choices you may have with regard to your information. Please read this Privacy Policy carefully before accessing or using our Services. By accessing or using any of our Services, you accept and agree to be bound by this Privacy Policy. If you do not agree to this Privacy Policy, do not access or use our Services.

This Privacy Policy is incorporated into and made a part of our Terms of Service. Any capitalized terms not defined in this Privacy Policy have the definitions set forth in the Terms of Service. Any claim, dispute, or cause of action arising out of or relating to this Privacy Policy or Capti's collection, use, disclosure, or other processing of Personal Information will be subject to the Terms of Service, including the limitations of liability, warranty disclaimers, indemnification obligations, governing law, venue, dispute resolution, arbitration, and class action waiver provisions set forth therein. To the extent of any conflict between this Privacy Policy and the Terms of Service, the Terms of Service will control unless a provision of this Privacy Policy is required by applicable law.

If you or the school district with which you are associated have entered into a separate written agreement with us governing the Services (such as a Data Sharing Agreement, Data Processing Agreement, or other contract), that written agreement controls to the extent of any conflict with this Privacy Policy. For customers whose agreement incorporates a specific attached or executed version of these terms, that executed version governs unless amended in writing by the parties.

In the event we add future Services that affect the terms of this Privacy Policy, we will revise accordingly. References to "you" or "your" pertain to all visitors to our public website, Authorized Users of our Services or other individuals whose data we process throughout this Privacy Policy.

Privacy Compliance Contact. Brian Ash is the Company's designated privacy compliance contact and may be reached at privacy@capti.com. Mr. Ash is responsible for directing the Company's policies and procedures for compliance with applicable privacy laws.

2. What Is Our General Approach to Your Personal Information?

We do not sell Personal Information as that term is commonly defined in applicable privacy laws. We do not share Personal Information for targeted advertising. We do not use Personal Information to train large language models or generative artificial intelligence systems; any such use is limited to de-identified and aggregated data.

We collect Personal Information only to the extent it is reasonably necessary and proportionate to provide or maintain the specific product or service you have requested. We collect or process sensitive data only where strictly necessary to provide the specific product or service requested and, where required by applicable law, only with your consent.

We use reasonable efforts to protect information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with you or your household (your "Personal Information"). We may use de-identified and aggregated data derived from the Services for internal analytics, security, service improvement, product performance evaluation, benchmarking, and reporting purposes, provided such data does not identify, and cannot reasonably be used to identify, any individual. Where we use identifiable Personal Information for research or product development purposes beyond the scope described in this Privacy Policy, we will do so only with express consent or pursuant to a separate written agreement with the applicable Customer or individual.

We know that when users provide Personal Information to an organization, it is an act of trust. That trust is something we take seriously. We work to ensure that the Services observe compliance standards for online privacy, security, business practices, honest transactions, and availability. This Privacy Policy explains the steps we take to protect Personal Information shared with us through the Services or when you otherwise interact with us, including how we collect it, who has access to it, and what is done with it.

We maintain a data inventory that identifies the categories of Personal Information we process and the purposes for which we process it. This inventory supports our obligations under applicable privacy and data security laws.

In addition to federal privacy laws like FERPA (the Family Educational Rights and Privacy Act) and COPPA (the Children's Online Privacy Protection Act), we at Capti are aware of and design our systems and controls to abide by applicable state student privacy laws, including the Student Online Personal Information Protection Acts (SOPIPA) in California and Virginia, the Student Online Personal Protection Acts (SOPPA) in Illinois and Michigan, and comprehensive state consumer data privacy laws such as the Minnesota Consumer Data Privacy Act, the Maryland Online Data Privacy Act, the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Connecticut Data Privacy Act, and similar laws in other states where we operate. We conduct data protection assessments where required by applicable law.

3. What Categories of Personal Information Do We Collect?

Depending on the nature of your relationship with Capti, the categories of Personal Information we collect and use may include the following (these are examples and may be subject to change):

Category	Description
Identity Data	Information such as your name; address; email address; telephone number; age and/or age range; grade level; account login details, including your username and password, or other account-related information; and information you provide in connection with your application to be an employee or to otherwise collaborate with us.
Contact Data	Identity Data that relates to information about how we can communicate with you, such as email, phone numbers, physical addresses, and information you provide to us when you contact us by email or otherwise communicate with us.
Location Data	Information about your general location as determined based on your IP address. We do not collect precise geolocation data.
Device/Network Data	Browsing history, search history, and information regarding your interaction with our Services (e.g., IP Address, MAC Address, SSIDs or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, browsing data, first-party cookies, web beacons, clear GIFs, and pixel tags.
Commercial Data	Information about the Customer's subscription, Order history, service tier, and account status; transaction and invoicing records; and similar information relating to the commercial relationship between Capti and the Customer. For individual Authorized Users, this may include information about which Services or features are accessible through the user's account.
Inference Data	Personal Information used to create a profile about you, which may include your preferences, reading or writing levels, abilities, aptitudes, and other data or analytics generated by our Services about your use of the Services.
Audio/Visual Data	Data collected if you submit audio, images, or video recordings to our Services. We do not use any such data for the specific identification of any individuals. See "Handling Audio Recordings" below for additional detail.
User Content	Unstructured or free-form data that may include any category of Personal Information, e.g., data that you give us in free-text fields such as comment boxes, content that you upload to our Public Site or School Services, answers you provide when you participate in assessments, and any other Personal Information which you may provide through or in connection with our Services.

4. Sensitive Data

Under applicable state privacy laws, certain categories of Personal Information are considered "sensitive data" and are subject to heightened protections. Depending on applicable law, the following categories of data that Capti may collect or process could be classified as sensitive:

Demographic data provided by schools or districts (e.g., race, ethnicity, disability status, free/reduced lunch status), collected only when provided by a school or district for educational purposes
Children's data (Personal Information collected from children under 13, or under 16 or 18 depending on the applicable state law)
Audio recordings of student voice (which may constitute biometric data under certain state and federal definitions; see "Handling Audio Recordings" below)
Precise geolocation data (we do not collect this)

We collect or process sensitive data only where strictly necessary to provide the specific product or service requested by the consumer or, in the case of school accounts, to fulfill the educational purpose authorized by the school or district. We do not sell sensitive data. Where required by applicable law, we obtain consent before collecting or processing sensitive data.

5. What Information Do We Collect Automatically About You?

Some information is collected automatically when you use our Services. This information may not on its own reveal your name or contact information, but it may include device and usage information, such as your IP address, browser, device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes. We also use this information to improve our Services, to determine which features of our Services are most popular with our users, and to otherwise better understand our users' preferences. Capti limits automatic data collection on student-facing pages of the School Services to information necessary for the internal operation, security, and technical functionality of those Services, and does not use such data for marketing or advertising purposes.

The technologies we use for this automatic data collection may include:

Cookies (or browser cookies). "Cookies" are small text files that are placed on your device to help us recognize you and remember your preferences.
Web Beacons. Pages of the Services and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics.
Universal Opt-Out Mechanisms. We recognize and respond to browser-based opt-out preference signals, including the Global Privacy Control (GPC), as required by applicable state law. When we detect a valid opt-out signal, we treat it as a request to opt out of the sale of Personal Information and of targeted advertising, to the extent those activities apply. You may also exercise your opt-out rights by visiting Your Privacy Choices on our website.

6. What Information Do We Collect When You Voluntarily Provide It?

We collect Personal Information from and about you when you voluntarily provide it to us, in addition to Personal Information and other data we collect automatically when you visit the Services. Depending on the website you have accessed, or the other ways in which you interact with us, we may collect different types of information as outlined below.

Some of our Services require an account. If you are provided an account by a school, district, or other organization, or if an administrator provisions an account for you, we may collect your name, username or email address, and password or other authentication credentials. On some Services we may also collect additional Personal Information associated with your account (such as your organization, school, or other data). We use this information in connection with your account and your use of our Services. We may also use this information to contact you regarding the Services you are using and other Company Services we believe would be of interest to you.

Any user of our Services wishing to obtain support must provide an email address. Without this information we cannot answer your questions. When submitting a support question to us you must not only provide a valid email address, but also first and last name, US state if applicable, country, role, and your specified request. Some of our Services offer multiple levels of access based on the Customer’s configuration or subscription, which may be free or paid. Differences between levels of access may require corresponding differences in data collection practices.
If you are an administrator or other representative responsible for a Customer's account with Capti, you may be required to provide a valid email address, password, and additional information such as role, organization name, country, and US state. This information is used to establish and manage the Customer's account and to communicate regarding the Services.
We use Intuit QuickBooks to bill administrators directly for our Services. Note that qualifying educators in partner states can subscribe to some of our Services for free and thus without the need to provide billing information. Authorized Users may voluntarily submit additional Personal Information, like their first and last name, into their profile information and select mailing lists to which they wish to subscribe.

We may offer limited time, seasonal, early or limited access, special purpose, or demonstration versions of our Services. In such cases we may collect additional information, tied to the Authorized User's email, role, country, and state. Where applicable, we may permit Authorized Users to provide student data in order to customize the Authorized User's use of the offered Services. Some such Services allow Authorized Users to provide:

Student name or nickname
Current grade level
Class assignment
Ability level (e.g., in reading, writing, etc.)
School district or state
Demographic information (sex, race, IEP, free and reduced lunches, etc.)
Performance measurement results

Paid Subscriptions and Financial Information

If you need to submit a payment to us via credit or debit card, we use Intuit QuickBooks for invoice payment. Intuit QuickBooks processes credit and debit cards via the QuickBooks website; we have no access to card information. We encourage you to review the Intuit QuickBooks Privacy Policy to learn about how they manage your data.

In any event, when you enter into a paid subscription for one of our Services, sensitive credit card data is exchanged using direct and indirect communication between these payment processors and you. We do not collect, control, see, or store any of the card data exchanged with these payment processors.

Service Form Inquiry

Certain pages on some of our Services enable you to submit inquiries or requests to us. These Services collect Personal Information when users complete an inquiry or request for more information using our online form. These forms typically collect the following information: first and last name, phone number, email address, organization name, organization type, and areas of interest. We may share this information with our third-party service providers, including storing the information in cloud-based contact management systems, and providing the information to third parties who assist us with our email marketing and other communications.

Handling Audio Recordings

Some of our Services enable users to submit audio recordings, e.g., audio notes, voiceover, speech analysis, or oral reading fluency assessments. These Services may enable users to record themselves reading a presented passage or to upload an audio file of themselves or others reading. When we collect oral reading samples, data collected may include the reader's grade (if a student), date and time of the recording, and prior ability information used to calculate current oral reading ability. Information we send back as a result of the analysis may also be linked to data or files retained in our system.

We use a third-party automated speech analysis provider to process audio recordings. As of the date of this Privacy Policy, our provider is Microsoft. Our provider processes audio in real time and does not retain audio recordings after processing. Capti retains audio recordings on its own servers so that educators can review student reading sessions.

Voice recordings and biometric data

Student voice recordings may be considered biometric identifiers under certain federal and state laws, including revised COPPA (which includes "voiceprints" in the definition of Personal Information). We do not process voice recordings for the purpose of identifying any individual. We do not extract voiceprints, create voice templates, or use voice data for biometric identification or authentication. Voice recordings are used solely to assess oral reading fluency and provide educational results to the student's educator.

We do not use identifiable audio recordings for product improvement, model training, or any purpose other than delivering assessment results and supporting educator review of student reading sessions. Any use of audio data for product research or improvement is performed only on deidentified and aggregated data that cannot be linked back to an individual student.

Children's and Adult Information Collected

Children's Personal Information is generally provided to us by schools or districts, teachers or parents, rather than collected directly from children; However, children may provide Personal Information directly through use of the Services, such as when recording their voice for oral reading assessments or entering responses in free-form text fields.

School accounts

If you are logging in through a school or district facilitated program, the school or district has authorized us to collect and process student Personal Information in connection with the educational services we provide. Under FERPA, the school or district designates us as a "school official" with a legitimate educational interest. Under COPPA, the school or district acts as the parent's agent for purposes of providing consent on behalf of parents of children under 13. Because the school is acting as the parent's agent, we provide the school or district with full notice of our data collection, use, and disclosure practices, including this Privacy Policy and the terms of our Data Sharing Agreement, so that the school can make an informed authorization on behalf of parents. We collect and use children's Personal Information through school accounts solely for the educational purposes authorized by the school or district and for no other commercial purpose. We do not need to obtain consent directly from parents for school-mediated accounts, provided the school has authorized the collection for educational purposes.

Researchers and Non-School Organizations

The term "Customer" includes researchers, universities, and other organizations that access the School Services pursuant to an Order or other written agreement with Capti. Where a Customer's use of the School Services involves the collection or submission of Personal Information from research subjects or other individuals, the Customer is solely responsible for obtaining all consents, approvals, and authorizations required by applicable law (including without limitation COPPA, FERPA, HIPAA, applicable IRB requirements, and any other federal or state law governing the collection of Personal Information from human subjects) before submitting such information to Capti. Capti relies entirely on the Customer's representations that all required consents have been obtained and all applicable legal requirements have been satisfied. Capti shall have no liability arising out of or relating to the Customer's failure to obtain required consents or comply with applicable law in connection with the collection or submission of research subject data.

If you access the Services other than through a school or district facilitated program (for example, as an independent researcher, you are responsible for obtaining any consents required by applicable law before providing Personal Information of research subjects or other individuals to Capti. Capti will process such data in accordance with this Privacy Policy and any applicable written agreement between Capti and you. If you believe that Personal Information of a child under the age of 13 has been provided to Capti without consent please contact us at privacy@capti.com.

Information Collected from Children Under Age 13

The Children's Online Privacy Protection Act of 1998 and its rules (collectively, "COPPA") require us to inform parents and legal guardians (as used in this policy, "parents") about our practices for collecting, using, and disclosing Personal Information from children under the age of 13 ("children"). It also requires us to obtain verifiable consent from a child's parent for certain collection, use, and disclosure of the child's Personal Information. Please see our Children's Privacy Policy Supplement below for information about the Personal Information that we collect from or about children under age 13.

7. How Do We Use Your Personal Information?

We use Personal Information we collect to:

Provide, maintain, and improve our Services
Process transactions and send related information
Respond to your comments, questions, and requests, and provide customer service
Communicate with you about products, services, and events offered by us, and provide news and information we think will be of interest to you (you may opt out of marketing communications at any time)
Monitor and analyze trends, usage, and activities in connection with our Services
Detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities, and protect the rights and property of Capti and others
Comply with legal obligations
Deliver assessment results and support educator review of student performance

We do not use Personal Information collected from or about students ("Student Data") for targeted advertising, profiling for commercial purposes, sale to third parties, or training of large language models or generative AI systems. Student Data is a subset of Customer Data (as defined in the Terms of Service) and is subject to the same terms, conditions, and protections applicable to Customer Data under this Privacy Policy and the Terms of Service.

License to Process Data. By using the Services or submitting data to Capti, you grant Capti the rights described in the Terms of Service to host, store, process, transmit, display, and otherwise use your data solely as necessary to provide, maintain, support, secure, and operate the Services. All Customer Data is processed subject to both this Privacy Policy and the Terms of Service. For school and district accounts, the Customer grants this license on behalf of itself and all of its Authorized Users, including students and educators whose data is submitted through the Customer's account.

Professional Development Services. Capti may offer Professional Development Services, which may include training sessions, data review sessions, coaching, and related support activities. In the course of delivering Professional Development Services, Capti personnel may access Customer Data, including Student Data, solely as necessary to provide the requested services. Such access is subject to the same protections applicable to other processing of Personal Information under this Privacy Policy. Professional Development Services are governed by the applicable Order and the Terms of Service, which control in the event of any conflict with this Privacy Policy.

Where the Customer's use of the School Services involves children under the age of 13, the Customer is solely responsible for providing appropriate notice to parents and legal guardians regarding the School Services and for ensuring that any required parental consent has been obtained, or that the Customer has authority to act as the parent's agent for consent purposes under COPPA. By authorizing children under 13 to access the School Services, the Customer represents and warrants to Capti that it has provided such notice, obtained such consent, or has the legal authority to act on behalf of parents for this purpose. Capti relies on the Customer's authorization and representations regarding parental notice and consent and shall have no liability arising from the Customer's failure to provide required notice or obtain required consent.

Capti does not use Customer Data or Student Data to train large language models, generative artificial intelligence systems, or other machine learning models. Third-party artificial intelligence providers engaged by Capti to deliver Automated Features are contractually prohibited from using Customer Data or Student Data for model training, fine-tuning, or any purpose other than performing the specific services for which they are engaged. Any use of data in connection with AI-related research, benchmarking, or service improvement is performed exclusively on de-identified and aggregated data that cannot reasonably be used to identify any individual, as further described in this Agreement and the Privacy Policy.

8. Information Transfer and Disclosure

We may share Personal Information in the following circumstances:

Service Providers. We share Personal Information with third-party service providers who perform services on our behalf, such as hosting, data storage, payment processing, automated speech analysis, customer support, and analytics. These providers are contractually required to use Personal Information only to perform the services we have engaged them to provide and to maintain appropriate security measures. We obtain written assurances from each service provider that collects or maintains children's Personal Information that the provider will employ reasonable measures to maintain the confidentiality, security, and integrity of such information.
Schools and Districts. For education accounts, we may share student data with the school or district that authorized the student's use of our Services, including assessment results, usage data, and other information relevant to the educational purpose.
Legal Requirements. We may disclose Personal Information if required to do so by law or legal process, such as to comply with any court order or subpoena, or to respond to any government or regulatory request.
Protection of Rights. We may disclose Personal Information if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Charmtech Labs LLC, our customers, or others.
Business Transfers. If Charmtech Labs LLC is involved in a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of its assets, we may transfer Personal Information to the buyer or other successor. In the case of student data, any successor will be bound by the same restrictions on use and disclosure that apply to us under our agreements with schools and districts.

We do not sell Personal Information. We do not share Personal Information for targeted advertising.

Third-Party Service Providers and Data Sharing

The following table identifies our principal third-party service providers, the categories of Personal Information shared with each, and the purpose of the sharing. Unless otherwise noted, the providers listed below support the School Services and process data in connection with the delivery of those Services:

Provider	Categories of Data Shared	Purpose
Microsoft	Audio recordings (student voice)	Automated speech analysis for oral reading fluency assessment; real-time processing with no retention by Microsoft
Intuit QuickBooks	Financial data, identity/contact data (administrator billing)	Invoicing and payment processing
Google	Identity data (authentication credentials), student roster	Single sign-on authentication, sharing student data with authorized personnel/educators
Zoom	Identity data, student roster	Student data review sessions with educators
Apple	Identity data, student roster	iCloud backups
Microsoft	Identity data, student roster	OneDrive backups
Slack	Identity data, student roster	Internal communication and collaboration could reference student data
OpenAI	Identity data	AI-assisted scoring of student written responses. Students are instructed not to include Personal Information in free-form responses; however, inadvertent disclosure may occur. Capti's agreement with OpenAI prohibits OpenAI from using API inputs to train its models. Capti does not use student responses for AI training.
Clever	Identity data (authentication credentials), student roster (where district uses Clever rostering)	Single sign-on authentication and, where enabled by the school or district, automated rostering for school accounts
Schoology	Identity data (authentication credentials), student roster (where district uses Schoology rostering)	Single sign-on authentication and, where enabled by the school or district, automated rostering for school accounts
ClassLink	Identity data (authentication credentials), student roster (where district uses ClassLink rostering)	Single sign-on authentication and, where enabled by the school or district, automated rostering for school accounts
Metametrics	Assessment response data, student identifiers	Lexile scoring and assessment validation services
ETS	Assessment response data, student identifiers	Assessment scoring and validation services

We may update this list from time to time. If you would like a current list of the specific third parties to whom we have disclosed your Personal Information, you may request one by contacting us at privacy@capti.com.

9. Education Records and FERPA

When Capti receives student data from a school or district, that data may constitute "education records" under the Family Educational Rights and Privacy Act (FERPA). With respect to education records:

We perform an institutional service or function that the school or district would otherwise use its own employees to perform.
We operate under the direct control of the school or district with respect to the use and maintenance of education records.
We use personally identifiable information from education records only for the purposes authorized by the school or district.
We do not re-disclose personally identifiable information from education records to any other party without the prior written consent of the parent or eligible student, except as authorized by the school or district consistent with FERPA.
We will ensure that all education records in our possession and in the possession of any subcontractors or agents to which we may have transferred education records are destroyed or returned to the school or district, under the direction of the school or district, when the records are no longer needed for their specified purpose or at the request of the school or district.
We will not make material changes to the handling of education records under a school or district agreement without the school or district's written consent. The school or district retains authority to direct how education records are used and maintained.

Any education records held by us will be made available to the school or district upon request. Any retained Personal Information will remain subject to the restrictions on sharing and use outlined in this Privacy Policy and in the applicable agreement with the school or district for as long as it resides with us.

10. Social Media Features

Our Public Site (capti.com) may include social media features, such as sharing buttons or interactive widgets. These features may collect your IP address and which page you are visiting and may set a cookie to enable the feature to function properly. Social media features are governed by the privacy policy of the company providing them.

These social media features are not present on pages of our School Services. Students using our assessment or instructional tools do not encounter third-party social media tracking.

11. How Long Do We Keep Personal Information?

We retain Personal Information only as long as reasonably necessary for the purpose for which it was collected, subject to applicable legal requirements and any separate written agreement with a school, district, or other customer. Personal Information may not be retained indefinitely. Specific retention practices by data category:

Data Category	Retention Period
Student account data (identity, contact, performance data)	For the duration of the school or district's active account with Capti. Following termination or non-renewal of the account, Capti may retain student data for up to one (1) year solely to permit account reactivation, retrieval of historical assessment data by the school or district, compliance with a pending data request, or resolution of any dispute. At the conclusion of that period, or within forty-five (45) days of the school or district's written request, Capti will delete or return such data in accordance with our standard procedures.
Audio recordings (student voice recordings from oral reading assessments)	For the duration of the school or district's active account with Capti, to allow educators to review student reading sessions. Following termination or non-renewal, Capti may retain audio recordings for up to one (1) year solely to permit account reactivation or retrieval by the school or district. At the conclusion of that period, or earlier upon the school or district's written request, Capti will delete such recordings. Audio sent to our speech analysis provider (Microsoft) is processed in real time and is not retained by that provider after processing.
Educator and administrator account data	For as long as the account is active. Following termination or non-renewal of the associated school or district account, Capti may retain educator and administrator account data for up to one (1) year to permit account reactivation. Deleted upon request or at the conclusion of the retention period.
Payment and billing data	We do not store credit card data. Invoice and transaction records are retained as required for tax and accounting purposes.
Automatically collected data (cookies, device data, logs)	Retained for up to 24 months for analytics and security purposes, then deleted or aggregated.
Support inquiries and form submissions	Retained in Capti's support systems (including email and issue tracking platforms) for as long as reasonably necessary for support, quality assurance, and legal compliance purposes. Support communications may be retained indefinitely in archived form.

We do not retain Personal Information that is no longer relevant and reasonably necessary in relation to the purposes for which it was collected and processed, unless retention is required by law or permitted under a specific legal exception.

We will ensure that all Personal Information that constitutes an education record under FERPA in our possession and in the possession of any subcontractors or agents to which we may have transferred education records is destroyed or returned to the school/district under the direction of the school/district when the records are no longer needed for their specified purpose, or at the request of the school/district.

12. Your Rights and Choices

Depending on where you live and subject to applicable law, you may have some or all of the following rights with respect to your Personal Information:

Access. You may have the right to know what Personal Information we have collected about you, including the categories of Personal Information, the sources, the purposes for collecting it, and the categories of third parties with whom we have shared it.
Specific Third Parties. You may have the right to request a list of the specific third parties to whom we have disclosed your Personal Information.
Copy. You may have the right to receive a copy of the Personal Information we hold about you in a portable format.
Correction. You may have the right to request that we correct inaccurate Personal Information.
Deletion. You may have the right to request that we delete Personal Information we hold about you, subject to certain exceptions required by law.
Opt-Out of Sale and Targeted Advertising. We do not sell Personal Information or use it for targeted advertising. If we change this practice in the future, we will provide a clear mechanism for you to opt out.
Opt-Out of Profiling. You may have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
Right to Question Profiling. If we engage in profiling that produces legal or similarly significant effects concerning you, you may have the right to be informed of the reason for a specific profiling decision, to be informed of the actions you can take to secure a different decision, to review the Personal Information used in the profiling, to correct inaccuracies in that data, and to have the profiling decision re-evaluated based on corrected data.
Limit Use of Sensitive Personal Information. You may have the right to direct us to limit our use of sensitive Personal Information to what is necessary to perform the services you have requested. We use sensitive data only for that purpose.
Limitation of Processing. You may have the right to object to or limit the manner in which we process some of your Personal Information.
Opt-Out of Marketing. All individuals have the right to opt out of receiving marketing communications from Capti at any time. You may exercise this right by clicking the "unsubscribe" link in emails we send you, or by emailing privacy@capti.com.
No Discrimination. We will not discriminate against you for exercising any of these rights.

No Marketing to Children

We do not market to children.

Exercising Your Rights

To exercise any of these rights, please contact us at privacy@capti.com. You will be required to verify your identity before we fulfill your request. We may require that you provide the email address we have on file for you (and verify that you can access that email account) as well as additional information we have on file, in order to verify your identity.

Authorized Agents

You may designate an authorized agent to make a request on your behalf. If an agent submits a request on your behalf, we may require: (a) written authorization signed by you, (b) verification of the agent's identity, and (c) direct confirmation from you that you authorized the agent. We reserve the right to deny a request from an agent who does not provide sufficient proof of authorization.

For education accounts, parents and eligible students should direct rights requests through the school or district, which may in turn direct those requests to us. To the extent Personal Information constitutes "education records" under FERPA, that information may be exempt from certain state consumer privacy laws, including the California Consumer Privacy Act and similar state statutes. Rights regarding such information are governed by FERPA and are exercised through the school or district, not directly through Capti.

Response to Your Requests

We will respond to your request within 45 days of receipt. If we need additional time, we will notify you of the extension and the reason for it within the initial 45-day period. We may extend the response period by up to an additional 45 days where reasonably necessary. Information provided in response to a consumer request will be provided free of charge, up to twice per year.

When We May Decline a Request

We may decline to act on a request if we are unable to verify your identity, if the request is manifestly unfounded or excessive, if applicable law requires or permits us to retain the data, or if the data falls within a legal exemption (such as data necessary to complete a transaction you requested, data required for legal compliance, or data subject to other applicable legal protections). When we decline a request, we will not disclose certain sensitive information (such as Social Security numbers, government-issued identification numbers, financial account numbers, account passwords, or biometric data) in our response, but we will inform you whether we have collected such information. If we decline your request in whole or in part, we will inform you of the reasons for the decision.

Right to Appeal

If we decline to act on your request, you have the right to appeal that decision. To submit an appeal, contact us at privacy@capti.com with the subject line "Privacy Rights Appeal." The appeal process is also available through [Your Privacy Rights] on our website. We will respond to your appeal within 45 days, including a written explanation of the reasons for our decision. If your appeal is denied, we will provide you with information on how to contact your state's Attorney General or other applicable regulator to submit a complaint. We maintain records of all appeals and our responses for at least 24 months and will provide a copy to the applicable state regulator upon request.

Postings by Minors

Users of our Services under the age of 18 in certain jurisdictions have the right to require that we delete any content they have posted on one of our Services.

Information for California Residents

California residents may have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), including the right to know specific pieces of Personal Information collected, the right to request deletion, the right to opt out of sale or sharing for cross-context behavioral advertising, and the right to limit the use of sensitive Personal Information. We do not sell or share Personal Information for cross-context behavioral advertising. We do not offer financial incentives related to the collection of Personal Information. California residents may also request a list of Personal Information we have disclosed to third parties for direct marketing purposes during the preceding calendar year, or confirm that no such disclosure has been made. To exercise any California-specific right, contact us at privacy@capti.com.

13. Data Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Information from unauthorized access, disclosure, alteration, or destruction. These safeguards include encryption of data in transit and at rest, role-based access controls, regular security assessments, and staff training.

If you are provided with login credentials for any of our Services, you will be asked to select or use a password to help protect your Personal Information. You should never share your password with anyone. The Company will never ask you for your password in a phone call or email. We also offer for your convenience single sign-on via various Service Providers, including Google, Clever, ClassLink, Schoology, and others.

We cannot guarantee that Personal Information will never be accessed, disclosed, or altered in a manner inconsistent with this Privacy Policy (for example, as a result of unauthorized acts by third parties that violate applicable law or our Terms of Service).

14. Data Breach Notification

In the event of a breach of security involving Personal Information, we will comply with applicable federal and state breach notification laws, including providing notice to affected individuals, schools or districts, and regulators as required. We will investigate the incident, take steps to mitigate harm, and implement measures to prevent recurrence.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we do, we will post the updated Privacy Policy on our Public Site and update the "Updated" date at the top of this Privacy Policy.

If we make a material change to this Privacy Policy or to our data practices, we will notify affected consumers through reasonable electronic measures (taking into account available technology and the nature of the relationship) and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected Personal Information under the changed policy.

Material changes to the handling of education records collected under a school or district agreement will not take effect with respect to data collected under that agreement without the school or district's written consent.

16. Survival

Termination or expiration of your use of the Services, or of any agreement between Capti and a Customer, does not terminate those provisions of this Privacy Policy that by their nature should survive. The following provisions survive indefinitely: (a) Capti's right to retain Personal Information during any applicable post-termination retention period and to delete or return such data in accordance with Section 11 of this Privacy Policy; (b) Capti's right to use de-identified and aggregated data derived from the Services for the purposes described in this Privacy Policy, which right is perpetual and survives any termination; (c) all disclaimers, limitations of liability, and warranty exclusions incorporated into this Privacy Policy from the Terms of Service; (d) the obligations of data security and breach notification described in Sections 13 and 14, to the extent any obligation arises from events occurring prior to or in connection with the termination; (e) the incorporation of the Terms of Service, including all survival provisions set forth therein, which apply equally to claims arising under or related to this Privacy Policy; and (f) Customer obligations regarding the confidentiality of Assessment Materials and other proprietary information of Capti, as set forth in the Terms of Service.

Survival of the provisions described above does not extend any affirmative right of Capti to actively process Personal Information beyond the post-termination retention period described in Section 11. Following that period, Capti's data processing rights with respect to identifiable Personal Information cease except as required by applicable law.

17. Contact Us

If at any time you have questions or concerns about this Privacy Policy or our privacy practices, please contact us:

Privacy Compliance Contact: Brian Ash Email: privacy@capti.com Mail: Charmtech Labs LLC, PO Box 896, Buffalo, NY 14205

Privacy Notice for Children Under the Age of 13

Updated 03/31/2026

The Children's Online Privacy Protection Act of 1998 and its rules (collectively, "COPPA") require us to inform parents and legal guardians (as used in this notice, "parents") about our practices for collecting, using, and disclosing Personal Information from children under the age of 13 ("children"). It also requires us to obtain verifiable consent from a child's parent for certain collection, use, and disclosure of the child's Personal Information.

This notice covers:
The types of information we may collect from children
How we use the information we collect
Our practices for disclosing that information
Our practices for notifying and obtaining parents' consent when we collect Personal Information from children, including how a parent may revoke consent
All operators that collect or maintain information from children through the Services
Our data retention policy for children's Personal Information

This notice supplements the Capti Privacy Policy above. Only the general Privacy Policy applies to teens and adults. Terms defined in the general Privacy Policy have the same meanings when used in this notice.

1. Information We Collect from Children

Children can access many parts of the Public Site and its content without providing us with Personal Information. However, access to the School Services requires an account and involves the collection of certain information, including Personal Information. In addition, we use certain technologies, such as cookies, to automatically collect information from our users (including children) when they use the School Services.

We only collect as much information about a child as is reasonably necessary for the child to participate in an activity, and we do not condition participation on the disclosure of more Personal Information than is reasonably necessary.

Under COPPA, "Personal Information" collected from children includes, among other things, names, email addresses, screen names, persistent identifiers, photographs, audio files containing a child's voice, and biometric identifiers such as voiceprints. Student voice recordings collected through our oral reading fluency assessments constitute Personal Information under COPPA. We do not use voice recordings to identify individual children or extract voiceprints; they are used solely to assess oral reading fluency and deliver educational results.

2. Information We Collect Directly

A child's account is created by a school administrator, teacher, or other authorized adult. The account may include the following information: email (which need not be a real email address for school accounts), name or nickname and password or authentication method. The child does not self-register for our Services.

Certain features of our Services enable Authorized Users to record their voice, such as oral reading fluency assessment ("Audio Content"). Creation and use of Audio Content results in the collection and recording of a voice audio file. We use audio files generated from Audio Content only to assess students' oral reading (automatically or by the educator) and to provide results to the student's educator. We do not use identifiable audio files for product improvement, model training, or any other purpose. We retain audio files for the duration of the education account's active relationship with Capti, or we will delete them at any time upon the request of the school.

3. Automatic Information Collection and Tracking

We use technology to automatically collect information from our users, including children, when they access and navigate through the Public Site and use certain of its features. The information we collect through these technologies may include:

One or more persistent identifiers that can be used to recognize a user over time and across different websites and online services
Information that identifies a device's general location based on IP address

Where we collect persistent identifiers from children under the internal operations exception to COPPA's consent requirements, we use those identifiers solely for the following specific internal operations: supporting the internal functionality of the Services, maintaining and analyzing the technical functioning of the Services, and ensuring the security of the Services. We do not use persistent identifiers collected from children to contact a specific individual, for behavioral advertising, to amass a profile on a specific individual, cross‑site targeted advertising, or for any other purpose.

We also may combine non-Personal Information we collect through these technologies with Personal Information about you or your child that we collect online.

For information about our automatic information collection practices, including how you can opt out of certain information collection, see Section 5 of our general Privacy Policy.

4. How We Use Your Child's Information

We use the Personal Information we collect from your child to:

Register the child with the Services
Communicate with the child about activities or features of the Services that may be of interest
Track the child's performance in assessments and other educational activities
Deliver assessment results to the child's educator

We use the information we collect automatically through technology and other non-Personal Information we collect to improve our Services and to ensure that they perform as expected. Any such use involving children's data is performed only on deidentified and aggregated data.

5. Our Practices for Disclosing Children's Information

We do not share, sell, rent, or transfer children's Personal Information other than as described in this section.

We may disclose aggregated information about many of our users, and information that does not identify any individual or device. In addition, we may disclose children's Personal Information:

To third parties we use to support the internal operations of our Services and who are bound by contractual or other obligations to use the information only for such purposes and to keep the information confidential. We have obtained written assurances from each such third party that it will employ reasonable measures to maintain the confidentiality, security, and integrity of children's Personal Information. As of the date of this Privacy Policy, these third parties include:

Third Party	Data Received	Purpose
Microsoft	Audio recordings (student voice)	Automated speech analysis; real-time processing, no retention

Clever, Schoology, Google, and ClassLink, where the school or district uses those services for single sign-on or rostering, receive identity data and student roster data as necessary for authentication and account provisioning. These providers are bound by their own data protection commitments to schools and districts.
To the school or district that authorized the child's use of our Services.
If we are required to do so by law or legal process, such as to comply with any court order or subpoena or to respond to any government or regulatory request.
If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Charmtech Labs LLC, our customers, or others, including to protect the safety of a child, protect the safety and security of the Services, or enable us to take precautions against liability.
To law enforcement agencies or for an investigation related to public safety.

In addition, if Charmtech Labs LLC is involved in a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of its assets, we may transfer the Personal Information we have collected or maintain to the buyer or other successor. Any successor will be bound by the same restrictions on use of children's data that apply to us.

6. Parental Consent and Rights

School-Mediated Consent. Where a child accesses our Services through a school or district facilitated program, the school or district acts as the parent's agent for purposes of providing consent under COPPA. This means the school or district may authorize us to collect and use children's Personal Information for educational purposes without requiring us to obtain consent directly from each parent.

To support the school's ability to act as an informed agent on behalf of parents, we provide the school or district with full notice of our data collection, use, and disclosure practices before collecting any Personal Information from children through a school account. This notice includes this Privacy Policy, the terms of our Data Sharing Agreement or other applicable contract, and any supplemental disclosures necessary for the school to understand how children's data will be handled. The school or district then authorizes us to collect and use student Personal Information solely for the educational purposes described in our agreement.

We collect and use children's Personal Information through school accounts only for the educational purposes authorized by the school or district and for no other commercial purpose. The school or district is responsible for its own obligations to parents under FERPA, including informing parents about the services used in the school and including Capti in the school's annual FERPA notification where applicable.

Parental Rights. Parents may:

Review the Personal Information we have collected from their child
Direct us to delete the child's Personal Information
Refuse to allow any further collection or use of the child's information
Revoke consent previously provided for the collection, use, or disclosure of the child's information

Upon revocation of consent, we will cease processing applicable data no later than 15 days after receipt of the request.

To exercise any of these rights, contact us at privacy@capti.com. For school accounts, parents should first contact the child's school or district, as the school is the party that authorized the data collection and is best positioned to direct changes to its students' data.

7. Operators That Collect or Maintain Information from Children

The following entities collect or maintain information from children through our Services:

Charmtech Labs LLC PO Box 896, Buffalo, NY 14205 privacy@capti.com

Microsoft Corporation (automated speech analysis provider; processes audio in real time without retaining audio files after processing)

8. Data Security for Children's Information

We maintain a written information security program that includes safeguards appropriate to the sensitivity of the Personal Information collected from children and to Capti's size, complexity, and the nature and scope of our activities. This program includes:

Designation of one or more employees to coordinate the program
Identification and at least annual assessment of internal and external risks to the confidentiality, security, and integrity of children's Personal Information
Design, implementation, and maintenance of safeguards to control identified risks, taking into account the volume and sensitivity of the data and the likelihood of unauthorized compromise
Regular testing and monitoring of safeguard effectiveness
At least annual evaluation and modification of the program

These safeguards include encryption of data in transit and at rest, role-based access controls, regular security assessments, and employee training. For additional detail, see Section 13 of the general Privacy Policy.

9. Data Retention Policy for Children's Information

We retain children's Personal Information only as long as reasonably necessary to fulfill the specific purpose for which the information was collected. Children's Personal Information may not be retained indefinitely.

Data Category	Purpose of Collection	Business Need for Retention	Retention Timeframe
Registration data (name or nickname, email, password)	Register child with the Services and provide access to educational features	Needed for the duration of the child's active use of the Services through the school account	For the duration of the school or district's active account. Following termination or non-renewal, Capti may retain such data for up to one (1) year solely to permit account reactivation or data retrieval. Deleted or returned to the school/district at the conclusion of that period or earlier upon request.
Assessment data (item-response data, scores, performance results, grade level, ability data)	Compute and Deliver assessment results and track educational progress	Needed to provide longitudinal educational results to the child's educator	For the duration of the school or district's active account. Following termination or non-renewal, Capti may retain such data for up to one (1) year solely to permit account reactivation, retrieval of historical assessment data, or compliance with a pending data request. Deleted or returned to the school/district at the conclusion of that period or earlier upon request.
Audio recordings (student voice from oral reading assessments)	Assess oral reading fluency and provide results to the child's educator	Retained so educators can review student reading sessions and track progress over time	For the duration of the school or district's active account. Following termination or non-renewal, Capti may retain audio recordings for up to one (1) year solely to permit account reactivation or retrieval by the school or district. Deleted at the conclusion of that period or earlier upon the school/district's request. Audio sent to our automated speech analysis provider (Microsoft) is processed in real time and not retained by that provider after processing.
Demographic data (if provided by school/district, e.g., grade, sex, race, free/reduced lunch)	Support educational assessment configuration and reporting	Needed to deliver assessment features that depend on grade-level or demographic context	Deleted or returned to the school/district upon termination of the school/district relationship or upon the school/district's earlier written request
Automatically collected data (persistent identifiers, device data, logs)	Support internal operations, maintain security, ensure technical functionality	Needed for ongoing security monitoring and technical troubleshooting	Retained for up to 24 months, then deleted or aggregated so that it no longer identifies an individual child

A copy of our written data retention schedule is available to schools, districts, and parents upon request. Contact privacy@capti.com.

When children's Personal Information is no longer needed for its specified purpose, or upon the request of the school or district, we will delete or return it. We will ensure that all education records in the possession of any subcontractors or agents are similarly deleted or returned.

```

Rostering Manual