Welcome back

or sign in with email

Don't have an account? Sign up

Privacy Policy & Terms

How we protect your data and the terms of using our services

At Planned Quest, we take your privacy seriously. This page outlines how we collect, use, and protect your personal information, as well as the terms and conditions for using our services.

Data ProtectionUser Rights

Terms and Conditions

Last updated: February 24, 2023

1. Acceptance of Terms

By accessing or using Planned Quest's services, you agree to be bound by these Terms and Conditions. If you do not agree to these terms, please do not use our services.

2. User Accounts

When you create an account with us, you must provide accurate and complete information. You are responsible for safeguarding your account credentials and for all activities that occur under your account. We implement security measures aligned with the NIST Secure Software Development Framework (SSDF) to protect your account.

3. Intellectual Property

All content, features, and functionality of our services are owned by Planned Quest and are protected by copyright, trademark, and other intellectual property laws.

4. User Content

You retain ownership of any content you submit, post, or display on or through our services. By submitting content, you grant us a worldwide, non-exclusive license to use, reproduce, modify, and distribute your content.

5. Educational Data Compliance

If you are an educational institution using our services, you acknowledge that you may be subject to the Family Educational Rights and Privacy Act (FERPA), and you agree to use our services in compliance with FERPA requirements. We provide tools and features designed to help you maintain FERPA compliance, but ultimate responsibility for compliance remains with your institution.

Privacy Policy

Last updated: February 24, 2023

1. Information We Collect

Personal Information

We collect personal information that you voluntarily provide to us when you register, express interest in our products or services, or otherwise contact us. For educational institutions, we limit data collection to what is necessary for the specified purpose, in accordance with FERPA guidelines.

Usage Data

We automatically collect certain information when you visit, use, or navigate our services. This information does not reveal your specific identity but may include device and usage information. All usage data is collected and stored in accordance with our security framework based on NIST SSDF guidelines.

2. How We Use Your Information

We use the information we collect for various business purposes, including to provide, operate, and maintain our services, improve and personalize your experience, and develop new products and services. For educational data, we adhere to FERPA principles, using information only for legitimate educational purposes and with appropriate consent where required.

3. Sharing Your Information

We may share your information with third-party vendors, service providers, and other business partners who perform services on our behalf. We also share information in compliance with applicable laws and regulations. For educational institutions, we only share student information in accordance with FERPA requirements, including obtaining appropriate consent or meeting FERPA exceptions.

4. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information, such as the right to access, correct, or delete your personal information. For educational data covered by FERPA, students and parents have specific rights to access and amend educational records, which we support through our platform features.

5. FERPA Compliance

Educational Records Protection

For educational institutions, we act as a "school official" with a "legitimate educational interest" as defined under FERPA. We implement specific safeguards for educational records, including:

  • Limiting access to student records to authorized personnel only
  • Providing tools for educational institutions to respond to record access requests
  • Enabling institutions to control data sharing permissions
  • Supporting the right to opt out of directory information disclosure

6. Security Measures

Encryption

All data is encrypted in transit and at rest using industry-standard encryption protocols.

Access Controls

Strict access controls and authentication mechanisms protect against unauthorized access.

Secure Infrastructure

Our infrastructure follows NIST SSDF guidelines for secure development and deployment.

Regular Audits

We conduct regular security audits and vulnerability assessments to maintain data protection.

Questions About Our Policies?

If you have any questions or concerns about our Terms and Conditions, Privacy Policy, FERPA compliance, or security measures, please contact our support team at info@plannedquest.com.

Contact Privacy Team

Our Commitment to Security & Compliance

We've made significant improvements to our platform to better protect your data and ensure compliance with educational privacy laws. Here's what that means for you in simple terms:

FERPA Compliance

How We Protect Educational Records

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student educational records. We've implemented several features to ensure your educational data is protected:

Access Controls

What it means: Only authorized people can see student information.

Example: If you're a teacher, you'll only see information for students in your classes, not the entire school.

Consent Management

What it means: We get proper permission before sharing student information.

Example: Before sharing a student's career assessment results with a counselor, the system will check if consent has been given.

Data Minimization

What it means: We only collect the information we actually need.

Example: When generating career recommendations, we use academic interests and skills, not personal details like home address or phone number.

Audit Logging

What it means: We keep track of who accesses student information.

Example: If someone views a student's career assessment results, we record who looked at it, when, and why.

NIST Security Framework

How We Keep Your Data Safe

The National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) provides guidelines for building secure software. Here's how we've implemented these guidelines:

Secure Logging

What it means: We track system activities without exposing sensitive information.

Example: When you log in, we record that an authentication happened, but we don't store your password in our logs.

Security Headers

What it means: We've added invisible protections to our website.

Example: Our website tells your browser not to run suspicious scripts, protecting you from attacks that try to steal your information.

Input Validation

What it means: We check all information entered into our system.

Example: If someone tries to enter malicious code in a form field, our system will detect and block it.

Rate Limiting

What it means: We prevent too many requests from a single source.

Example: If someone tries to guess a password by trying thousands of combinations, our system will temporarily block them.

Why This Matters

The Benefits for Educational Institutions and Students

Legal Compliance

Educational institutions are required by law to protect student data. Our platform helps schools meet these requirements without additional technical overhead.

Data Governance

Our security measures ensure that educational data is handled responsibly, with clear policies for who can access what information and under what circumstances.

Privacy Protection

Students and parents can trust that personal information is protected, allowing them to engage with educational technology without privacy concerns.

Transparency

Our clear documentation and audit trails provide transparency about how data is used, building trust with students, parents, and educational institutions.

Technical Security Implementation

We've implemented robust security measures at every level of our application. Here's a detailed look at the technical safeguards we've put in place:

Server Security

Protecting Our Infrastructure

Security Headers

We've implemented comprehensive HTTP security headers using the Helmet library:

app.use(helmet());

This adds protection against:

  • Cross-site scripting (XSS) attacks
  • Clickjacking
  • MIME type sniffing
  • Cross-site request forgery

Rate Limiting

We've implemented rate limiting to prevent brute force attacks:

const WINDOW_MS = parseInt(process.env.RATE_LIMIT_WINDOW_MS || '900000', 10);
const MAX_REQUESTS = parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '100', 10);

This limits the number of requests from a single IP address, protecting against:

  • Brute force password attacks
  • Denial of service (DoS) attempts
  • Scraping and automated attacks

CORS Protection

We've implemented strict Cross-Origin Resource Sharing (CORS) policies:

const corsOptions = { origin: process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',') : '*', methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'], allowedHeaders: ['Content-Type', 'Authorization'], credentials: true, maxAge: parseInt(process.env.CORS_MAX_AGE || '86400', 10) };

This ensures that only authorized domains can access our API, preventing:

  • Cross-site request forgery
  • Unauthorized API access
  • Data theft from malicious sites

Request Limiting

We've implemented request size limits to prevent overflow attacks:

app.use(express.json({ limit: '1mb' }));
app.use(express.urlencoded({ extended: true, limit: '1mb' }));

This protects against:

  • Buffer overflow attacks
  • Denial of service via large payloads
  • Server resource exhaustion

Authentication & Authorization

Securing User Access

We've implemented a robust authentication system with multiple layers of security to protect user accounts and ensure that only authorized users can access sensitive information.

Token Validation

We validate authentication tokens for format and signature before processing any requests, ensuring that only valid tokens from legitimate users are accepted.

const validateTokenFormat = (token: string): boolean => {};

Role-Based Access Control

We've implemented role-based access control to ensure users can only access data appropriate for their role, with special protections for educational data.

export const requireEducator = (
  req: AuthenticatedRequest,
  res: Response,
  next: NextFunction
) => {};

FERPA-Specific Controls: Our authentication system includes special middleware for educational data access that enforces FERPA compliance. This ensures that only authorized educators and administrators can access student records, and all access is logged for audit purposes.

Data Protection

Safeguarding Sensitive Information

Protecting sensitive data is at the core of our security implementation. We've implemented multiple layers of protection to ensure that educational and personal data remains secure.

Input Sanitization

All user inputs are sanitized to prevent injection attacks and ensure data integrity.

export const sanitizeInput = (input: string): string => {};

Secure Logging

Our logging system automatically redacts sensitive information to prevent data leakage.

const sanitizeMessage = (message: string): string => { let sanitized = message;
sensitivePatterns.forEach(pattern => { sanitized = sanitized.replace(pattern, '[REDACTED]'); });
return sanitized; };

FERPA Data Protection

For educational data covered by FERPA, we've implemented additional protections:

  • Data Minimization: We only collect the minimum necessary educational data required for the intended purpose.
  • PII Redaction: Personally Identifiable Information (PII) is automatically redacted in logs and exports when not needed.
  • Access Tracking: All access to educational records is logged with user ID, timestamp, and action performed.
  • Secure Storage: Educational data is stored with encryption and strict access controls.

Get Product Updates

We'll send you occasional updates about our product.