Student data rights

Plain language. The rights you actually have.

Federal and state laws give students and parents specific rights in student education records. The summary below is in plain language, not legal-form. For the legal-form coverage, see our privacy policy and the relevant statute.

FERPA — your federal rights

The Family Educational Rights and Privacy Act applies to schools that receive U.S. Department of Education funds (most public K-12 districts and most U.S. higher-ed institutions).

  • Right to inspect. Parents (or students 18+ — known as ‘eligible students’) can inspect education records the school maintains. The school responds to the request within 45 days.
  • Right to request correction. If the records have errors or misleading information, you can request the school correct them.
  • Right to consent (or refuse) disclosure. The school cannot share education records with most third parties without written consent. There are exceptions (school officials with legitimate educational interest, audit / evaluation, financial aid, etc.).
  • Right to file a complaint. If you believe the school has violated FERPA, you can file a complaint with the U.S. Department of Education's Family Policy Compliance Office.

How ArthurAI fits. Eve-Education, LLC operates as a school official under FERPA when deployed inside a covered institution. Education records are processed only on the institution's instructions; we don't redisclose to third parties without institutional authorization. The institution remains the holder of records.

COPPA — for children under 13

The Children's Online Privacy Protection Act applies when an online service is directed to children under 13 or knowingly collects personal information from children.

  • Verifiable parental consent. An online service must get verifiable parental consent before collecting personal information from a child. For school-based services, the FTC permits a school-as-agent model: the school provides the consent on the parent's behalf for educational purposes.
  • Parental access and control. Parents have the right to review the personal information collected from their child, refuse further collection, and request deletion.
  • Limits on use. The personal information collected from a child cannot be used for behavioral advertising, profile-building outside the educational context, or third-party marketing.

How ArthurAI fits. For SLE deployments serving under-13 cohorts, the school-as-agent model applies. The school informs parents and obtains consent for the educational service. We never use children's personal information for advertising, profiling, or third-party marketing.

State AI-disclosure laws

States are increasingly enacting laws that require schools to disclose AI use in instruction. The most prominent today:

  • California AB-1791 (effective January 1, 2026). Schools must disclose AI use to students and parents.
  • Tennessee HB 1630 (effective July 2025). Requires policies on student AI use.
  • Utah HB 251. AI-disclosure obligations for K-12.
  • Other states (Texas, Florida, New York, etc.) are tracked in our state AI disclosure tracker.

How ArthurAI fits. The disclosure surface in the platform is configurable per district to satisfy the specific notice requirement of the applicable statute. New statutes are added as they enact.

CCPA / CPRA — California consumer rights

The California Consumer Privacy Act (as amended by the CPRA) gives California residents specific rights in their personal information: right to know, right to delete, right to correct, right to opt out of sale or sharing, and right to limit use of sensitive information.

How ArthurAI fits. The marketing site (arthurgrid.ai) collects personal information under CCPA when California residents interact with it. We do not sell or share personal information for cross-context behavioral advertising. Education-record data inside the SaaS portals is exempt from the CCPA personal-information definition where the institution is a public agency.

International rights (EU GDPR, UK GDPR, regional regimes)

For students in the European Economic Area, the United Kingdom, Kenya, Nigeria, Pakistan, and other jurisdictions with personal-data-protection regimes, the equivalent rights apply: access, rectification, erasure, restriction, portability, objection. The institution is the data controller and the primary contact for rights requests; ArthurAI supports the institution in fulfilling them.

How to exercise your rights

  • For education records (FERPA / COPPA / state student-privacy laws). Contact the school's registrar or designated records officer. The institution holds the records and responds to the request. We support the institution in fulfilling the request through technical features (export, correction, deletion) and operational support.
  • For marketing-site personal information (CCPA / GDPR / etc.). Use the contact form or write directly to the privacy email in our privacy policy. We respond within 45 days (CCPA) or as required by the applicable statute.

See also: for parents · SLE safety and disclosure · full compliance posture · privacy policy.