GiftMatch logo GiftMatch Compass
  • How It Works
  • Who We Are
  • Pricing
    • High Schools
    • Career Coaches
  • FAQ
  • Log In
Start Quiz Log In

School Privacy & Compliance Package

Effective date: May 7, 2026 · Last updated: May 7, 2026

How to use this page. This page is a public reference for schools, districts, parents, and procurement teams. It is not a signed contract by itself unless a School agreement, order form, or DPA expressly incorporates it. For a School deployment, the signed School agreement controls if it conflicts with this page.
On this page 1. Overview 2. Launch Status 3. School Data Terms 4. Subprocessor List 5. Security & Privacy Exhibit 6. AI Processing Addendum 7. State Privacy & Accessibility Notes 8. Reference Sources 9. Contact & Updates

1. Overview

GiftMatch Compass is a career-discovery service that may be licensed by a school, school district, college, workforce program, or other educational institution (a “School”) for student use. This package explains how GiftMatch handles School-controlled student data and the standard terms we expect to include in a School agreement.

GiftMatch does not sell student data, does not use covered student information for targeted advertising, does not create advertising profiles from student data, and does not use student data for unrelated commercial purposes.

2. School Launch Status

This page intentionally separates current product behavior from items that must be completed for a School launch. GiftMatch should not represent a deployment as fully school-approved or ZDR-enabled unless the applicable items below are complete.

AreaStatusBefore School Launch
FERPA school-official termsStandard terms are drafted on this page for incorporation into a signed School agreement.School agreement or DPA must be signed or otherwise accepted by the School.
COPPA under-13 useDirect signup is 13+. Under-13 use is limited to School-authorized deployments.School must provide or obtain required consent. OpenAI-based personal-data processing remains blocked unless either the configured OpenAI ZDR/MAM project is active for the deployment and the traffic uses eligible OpenAI endpoints, or a separate written arrangement permits it.
OpenAI ZDR/MAMApproved by amendment; project activation and endpoint eligibility required.Confirm the approved OpenAI organization/project shows ZDR/MAM active, use the configured project API key, keep traffic on eligible OpenAI endpoints/features, and enable voice/audio only where the School agreement permits voice/audio processing.
SubprocessorsThe complete subprocessor list (including hosting and TLS-CA) is published in Section 4 below.Confirm the list matches the School’s acceptable-subprocessor policy and obtain any state-required subprocessor notice.
AccessibilityNo WCAG conformance certification is claimed on this page.Complete a WCAG 2.1 AA review/remediation plan or provide the accessibility documentation required by the School.
State privacy addendaGeneral no-sale/no-targeted-ad/no-non-educational-profile commitments are stated below.Review and sign state-specific terms where required, such as California, Illinois, New York, Connecticut, Colorado, Texas, or district-specific DPAs.

3. School Data Terms for a DPA or School Agreement

The following terms are intended to be incorporated into a signed School agreement or DPA when GiftMatch processes student data for a School. They are not a complete replacement for School counsel review or state-specific addenda.

Definitions

  • School Data means personal information, education records, student-created content, assessment responses, experience entries, personalized outputs, account data, usage data, and other information provided by or on behalf of a School or School user through the service.
  • Education Records has the meaning given under FERPA when applicable.
  • School User means a student, parent/guardian, teacher, counselor, administrator, or other person authorized by the School to use GiftMatch under the School agreement.
  • Subprocessor means a third party that processes School Data for GiftMatch to provide the service.

Purpose, Roles, and Use Limits

  • GiftMatch processes School Data only to provide, secure, support, maintain, and improve the School-authorized educational service, and to comply with legal obligations. Product-improvement use of School Data should be limited to de-identified or aggregate analysis unless the signed School agreement permits a broader use.
  • To the extent a School discloses Education Records to GiftMatch, GiftMatch acts as a FERPA “school official” with a legitimate educational interest, subject to the School’s direct control with respect to the use and maintenance of those records.
  • GiftMatch will not use School Data for targeted advertising, advertising profiles, sale or rental of data, or unrelated commercial profiling.
  • GiftMatch will not re-disclose personally identifiable information from Education Records except to approved Subprocessors acting for GiftMatch, as directed by the School, or as required by law.
  • GiftMatch will not use School Data to train or fine-tune general-purpose AI models. OpenAI processes content to return outputs to GiftMatch under its API or commercial terms.

School Responsibilities

  • The School is responsible for determining whether GiftMatch is an appropriate educational service for its students and for authorizing the data it provides or permits users to submit.
  • The School is responsible for any FERPA annual-notice requirements, parent/eligible-student access processes, and any consent, notice, or opt-out process required by FERPA, COPPA, PPRA, state student-privacy laws, or the School’s policies.
  • For students under 13, the School must provide or obtain any required COPPA school authorization or verifiable parental consent before onboarding those students.
  • If the School wants to restrict features such as resume upload, AI processing, self-serve AI Coach tools, job search, or voice practice, the School should identify those restrictions in the signed agreement or onboarding configuration.

Access, Correction, Export, and Deletion

  • Schools may request access, correction, export, or deletion of School Data associated with their deployment.
  • Parents and eligible students should direct FERPA, PPRA, COPPA, and state student-privacy requests to the School. GiftMatch will reasonably assist the School in responding to those requests.
  • On termination or expiration of a School agreement, GiftMatch will delete or return covered School Data within a commercially reasonable period unless retention is required by law, audit, billing, security, or dispute-resolution needs.

Security Incidents

GiftMatch will notify the School without unreasonable delay after confirming a security incident that affects School Data. The notice will describe, to the extent known, the nature of the incident, affected data categories, mitigation steps, and recommended School actions. Specific timelines may be set in the signed School agreement or required by applicable state law.

Order of Precedence

If there is a conflict between this public page and a signed School agreement, the signed School agreement controls for that School.

4. Subprocessor List

This list identifies known service providers and data recipients used by GiftMatch. Some optional providers are used only when the related feature is enabled.

ProviderPurposeData CategoriesSchool Notes
OpenAI, L.L.C. AI text generation, document parsing, speech transcription or text-to-speech where enabled. Relevant portions of trait profile, archetype profile, saved experience/education entries, extracted uploaded-document text, typed answers, personalized context, or audio recordings when voice features are used. OpenAI states that API data is not used to train its models without explicit consent. OpenAI Zero Data Retention / Modified Abuse Monitoring has been approved for EverRoad’s specified OpenAI API organization, but applies only to configured OpenAI projects and eligible traffic sent through those projects. Resume parsing sends extracted text, not the original uploaded resume file. Voice practice uses OpenAI’s speech and audio transcription endpoints when enabled under the School agreement. Under-13 School deployments remain blocked from OpenAI-based personal-data processing unless either the configured project controls are active for the deployment and the traffic uses eligible OpenAI endpoints, or a separate written arrangement permits it.
Google LLC — OAuth (Sign in with Google) and Workspace / Gmail API Sign-in via Google OAuth and outbound transactional email via a Google Workspace service account. OAuth: name, email address, optional profile photo, ID token. Gmail send: recipient email, message subject and body of transactional messages we send. If a School cannot approve Google sign-in, the deployment should document an email/password-only configuration before launch. The Workspace email path uses a service account whose credentials are stored outside the web root and are subject to the same rotation cadence as other secrets.
Paddle.com Market Limited Payment processing and merchant-of-record services for paid plans. Billing contact information, transaction identifiers, subscription status, payment metadata, country, and limited card metadata such as last four digits. Not used for student assessment responses, resume content, career reports, or School Data unless a School uses Paddle for billing contact/payment administration.
Adzuna Limited Optional self-serve AI Coach job-search results and job-application links. Career title, search terms, location or remote preference, and job-search filters when the user searches for jobs. Optional feature. Should be disabled or omitted for School/minor deployments unless approved in the School agreement. Displayed job results include Adzuna attribution.
USAJOBS / U.S. Office of Personnel Management API Optional federal job-search results and application links. Career title, search terms, location or remote preference, and job-search filters when the user searches for federal jobs. Optional feature. Should be disabled or omitted for School/minor deployments unless approved in the School agreement. USAJOBS is a public U.S. government job-search API.
DigitalOcean, LLC Underlying VPS that runs the entire service. All data stored or processed by the deployed service environment. Production deployment is a single Droplet in the NYC2 datacenter. All Student Data is stored in the United States. Subject to DigitalOcean’s Data Processing Agreement.
SSLMate TLS certificate authority & renewal automation. Domain-validation metadata only. SSLMate does not receive any Student Data. Listed for completeness; SSLMate’s scope is the public TLS certificate.
Google LLC — Google Analytics (gtag.js) Page-view analytics on public marketing pages. IP address, user-agent, page URL, referrer. Suppressed for users in active site-license org sessions; only emitted on the public marketing pages where the visitor is governed by the public Privacy Policy. Schools may approve analytics for their org users by configuring the per-org override; default for site licenses is off.
Google LLC — Google CDN (ajax.googleapis.com) Hosts the jQuery library loaded by every page. IP address and user-agent only (the inherent metadata of any browser fetch). No app data. Listed for completeness. Self-hosted-jQuery alternative is on the GiftMatch internal roadmap.

Public career-data sources such as BLS and O*NET are used as content sources. GiftMatch does not need to send student personal information to BLS or O*NET to display source-linked career information.

5. Security & Privacy Exhibit

Control AreaCurrent Commitment or Launch Requirement
Data minimizationGiftMatch asks users not to submit government identifiers, precise geolocation, biometrics, health records, or financial account numbers. Resume uploads are used to extract text; original uploaded files are not sent to OpenAI for parsing and are not kept after processing.
Transmission securityHTTPS is enforced on all production traffic, with HTTP requests 301-redirected at the Apache vhost. Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy (microphone allowed only for the optional voice-practice feature, all other sensitive APIs denied), and Cross-Origin-Opener-Policy same-origin headers are set on every response.
Password handlingEmail/password accounts use password hashing rather than storing raw passwords. Google OAuth tokens are stored in the user session for sign-in continuity and are not stored in the application database.
Access controlAccount data is tied to authenticated users. Administrative access is restricted to authorized GiftMatch staff. School administrative visibility is limited to the scope authorized by the School agreement and role configuration.
Secrets managementOperational secrets and credential JSON files must be kept outside the web root/repo path in the deployed environment and must not be committed to source control.
LoggingGiftMatch logs operational events needed for security, debugging, billing, and audit. Logs are not used to build advertising profiles.
DeletionGiftMatch removes account-linked profile, assessment, personalized report, saved self-serve AI Coach tool work, and experience data from active systems within a commercially reasonable period after account or School deletion, subject to legal, billing, security, compliance, audit, dispute, and backup-rotation exceptions.
BackupsA daily Postgres dump is produced by an internal backup script with a 14-day rotation, and a documented quarterly restore-test cadence verifies the dumps are usable. Backups are stored on the production server with restrictive filesystem permissions; immediate deletion from rotation-eligible backups is performed on the standard schedule. Immediate deletion from immutable or disaster-recovery backups may not be technically possible.
Incident responseGiftMatch will investigate suspected unauthorized access, take containment/remediation steps, and notify affected Schools as required by agreement and law.
Cybersecurity frameworkGiftMatch self-attests alignment with the NIST Cybersecurity Framework (CSF) 2.0 at Tier 2 (Risk Informed). An internal Organizational Profile mapping the 6 CSF Functions to current and target state is maintained and is available to a School under NDA per NDPA §5.2 on written request. GiftMatch is also happy to complete additional security questionnaires sent by a School during procurement.
CertificationsGiftMatch does not claim SOC 2, ISO 27001, HIPAA, or FedRAMP certification unless that status is separately stated in a signed agreement or current security questionnaire.

6. AI Processing Addendum

AI Features

GiftMatch uses OpenAI to create narrative content, career matches, career deep-dives, experience reflections, document parsing, self-serve AI Coach tool responses, interview practice support, and optional speech features.

Inputs Sent To OpenAI

  • Assessment-derived trait profile and archetype profile.
  • Preference/reflection answers and career-stage context.
  • Saved jobs, education, volunteer work, projects, extracted resume text, and personalized context needed for the requested output.
  • Typed questions, interview answers, and audio recordings when voice practice is enabled.

AI Use Limits

  • GiftMatch does not send passwords or payment card data to OpenAI.
  • GiftMatch does not send original uploaded resume files to OpenAI for parsing and does not keep those original files after processing; extracted text/entries and saved personalized outputs may remain in the user account.
  • AI-assisted career content is decision-support information, not professional career, legal, financial, medical, psychological, or educational advice.
  • For School deployments involving students under 18 or Education Records, OpenAI-based personal-data processing is routed only through a configured OpenAI ZDR/MAM project and eligible OpenAI endpoints, or handled as separately approved in the School’s written agreement, data-processing terms, and subprocessor approval.
  • For under-13 School deployments, OpenAI-based personal-data processing is not used unless either the configured OpenAI ZDR/MAM project is active for the deployment and the traffic uses eligible OpenAI endpoints, or a separate written arrangement permits it.

School Configuration Options

Where technically and contractually supported, a School agreement can restrict or disable AI features, resume upload, self-serve AI Coach tools, job search, voice practice, or specific OpenAI-powered features. Those controls should be documented before launch.

7. State Privacy & Accessibility Notes

  • State student-privacy laws. GiftMatch’s standard commitments are designed to support laws such as California SOPIPA and analogous state student-data privacy laws: no sale, no targeted advertising, no non-educational profiling, reasonable security, limited disclosure, and deletion/return on termination. State-specific addenda may still be required.
  • PPRA. Schools should review GiftMatch assessment and reflection questions against PPRA requirements, especially if the School receives U.S. Department of Education funds and administers any survey, analysis, or evaluation involving PPRA-protected topics.
  • Accessibility. GiftMatch does not currently claim a formal WCAG certification on this page. Before a public school deployment, GiftMatch should complete the accessibility review/remediation or vendor documentation required by the School. Schools should report accessibility barriers so GiftMatch can prioritize remediation or provide an accessible alternative format where required.

8. Reference Sources

  • U.S. Department of Education FERPA school-official guidance
  • FTC COPPA guidance for ed tech companies and schools
  • U.S. Department of Education PPRA guidance
  • OpenAI data retention controls for abuse monitoring
  • DOJ Title II web and mobile accessibility rule fact sheet

9. Contact & Updates

School privacy, procurement, security questionnaire, or DPA requests can be sent to support@giftmatchcompass.com. GiftMatch may update this page as the service, subprocessors, legal requirements, or AI data-retention controls change. Material changes for a School deployment will be handled under the signed School agreement.

© 2026 GiftMatch Compass · operated by EverRoad Pathways LLC · Columbus, Ohio, United States

Terms of Service · Refund Policy · Privacy Policy · Contact
Featured on Featured on LaunchIt