Privacy Policy
Effective as of April 10, 2026 · Last updated: April 24, 2026 (added Chrome Extension coverage)
Questions about this policy? Contact us at [email protected]. See also our Terms of Service and Cookie Policy.
1. Who We Are
Angstroma, Inc. ("Angstroma," "we," "us," or "our") is a Delaware corporation operating from Michigan, United States, that supplies website accessibility compliance software as a service.
| Business name | Angstroma, Inc. (Delaware corporation) |
|---|---|
| Operates from | Michigan, United States |
| Privacy contact | [email protected] |
2. Scope of This Policy
This Privacy Policy applies to portal users (angstroma.com accounts), website visitors, end users of our accessibility widget on customer websites, and users of the Angstroma Chrome Extension.
If you are a visitor to a website using the Angstroma widget: The website operator is the data controller for your personal data. Angstroma acts as a data processor on their behalf. Please refer to that website's own privacy policy.
If you are a Chrome Extension user: All accessibility adjustments (contrast, fonts, reading aids, etc.) run locally on your device. We do not collect your browsing history, nor any data about the websites you visit. We do not track which pages you open or how long you spend on them. See Section 3 for the full list of what an extension install does send to our servers.
3. Data We Collect
Portal users
| Category | Data | Purpose |
|---|---|---|
| Account | Name, email, hashed password (Argon2id — never stored in plain text) | Authentication |
| Billing | Payment method tokenized via Stripe — we never store raw card numbers | Payments and invoices |
| Usage | API call logs, scan history, feature usage | Service, billing, analytics |
| Technical | IP address, browser type, session data, error logs, device fingerprint (a hash derived from browser user-agent and language — used for trusted device recognition only, not for tracking) | Security, debugging, and trusted device recognition |
We do not sell your data. Widget end user data is never used for advertising or cross-site tracking.
Chrome Extension users
The extension is designed to minimize data collection. Most of what you configure stays on your device and is never transmitted to our servers.
| Category | Data | Purpose | Where it lives |
|---|---|---|---|
| Accessibility preferences | Which accessibility tools you enabled, UI language, Quick Actions text-size level, master on/off state, collapsed-section state, accessibility profile selection | Restore your setup each time you open the panel | Your device only (chrome.storage.local) unless you sign in AND opt into cloud sync |
| Account data (optional) | Email address (via Google OAuth or email/password), first + last name (registration only) | Optional sign-in for cross-device settings sync and future Extension+ subscription | Our servers (hosted on Microsoft Azure, United States) |
| Cloud-synced preferences (optional) | Copy of your accessibility preferences + language | Sync settings across every device where you sign in with the same account; restore settings after reinstall | Our servers — sync is OFF by default on the free tier and requires opt-in |
| Feedback submissions | Message text (user-written), optional email, feedback type (bug/idea/compliment/etc.), browser user agent, submission timestamp | Respond to bug reports; improve the product | Our servers; we only send a notification to [email protected] — we never publish or share feedback |
| Authentication tokens | Short-lived access token (in-memory only, never written to chrome.storage); refresh token (stored locally, encrypted at rest by Chrome) | Keep you signed in across service worker restarts; re-obtain an access token when it expires | Your device; refresh token bound to your device ID |
| Technical — receive-time only | IP address at the moment a request reaches our API (used for rate-limit keying + anti-abuse); never correlated with browsing or stored beyond the rate-limit window | Anti-abuse, rate limiting, security monitoring | Transient at our servers; IPs in audit logs are masked (/24 for IPv4, /64 for IPv6) within 90 days |
| AI features (coming soon) | ONLY the text or image you explicitly select and hand to the AI tool (e.g. a paragraph you ask to summarize). Personal identifiers are stripped before transmission where technically feasible. | Claude API processes the input and returns a result to your extension. We do not train any AI model on your content. | Anthropic (Claude API) — United States |
What we explicitly do NOT collect from Chrome Extension users: your browsing history, the URLs or content of pages you visit, which sites you spend time on, your tab list, passwords, form data, bookmarks, or any advertising identifiers. The extension applies visual adjustments locally on the page in front of you and nothing else.
4. Legal Bases for Processing (GDPR)
If you are in the EEA, UK, or Switzerland, we process your data under these legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Performance of a contract (Art. 6(1)(b)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Transactional emails | Performance of a contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Trusted device recognition (skipping 2FA on known browsers) | Legitimate interests (Art. 6(1)(f)) — improves security UX without reducing protection |
| Service improvement analytics | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) — withdraw at any time |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
5. How We Use Your Data
- Provide, operate, and maintain the Angstroma service
- Process transactions and send billing-related notices
- Send account notifications and security alerts
- Respond to support requests
- Detect and prevent fraud, abuse, and security incidents
- Generate aggregated, anonymized analytics to improve the product
- Comply with applicable laws and enforce our Terms of Service
7. International Data Transfers
Our infrastructure is primarily hosted in the United States. Transfers from the EEA, UK, or Switzerland are made under Standard Contractual Clauses (SCCs) or UK IDTAs. Contact us to request a copy of the relevant safeguards.
8. Data Retention
| Data | Retention period |
|---|---|
| Account data | Duration of account + 90 days after deletion |
| Billing records | 7 years (legal requirement) |
| API usage logs | 13 months rolling |
| Security and audit logs | 2 years (SOC 2 requirement) |
| Support correspondence | 3 years |
| Widget end-user preference tokens | 12 months of inactivity |
| Trusted device tokens (hashed) | 30 days, or until revoked in Security Settings |
| Student accessibility profiles (Schools tier) | Active school contract + 30 days post-termination, or upon school request |
| IEP accommodation records (Schools tier) | 3 years from creation (aligned with IDEA), then automatic purge or upon school request |
| IEP source files | Deleted immediately upon processing completion — never retained |
| Student feature usage logs | 13 months rolling, or upon school request |
9. Your Rights
All users may access, correct, delete, and export their data, and opt out of marketing at any time.
EEA / UK users (GDPR) may additionally restrict processing, object to legitimate-interest processing, and withdraw consent at any time. You may lodge a complaint with your national data protection authority.
California residents (CCPA / CPRA) have the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell data.
To exercise your rights: [email protected]. Response within 30 days (GDPR) or 45 days (CCPA).
11. Security
We use Argon2id password hashing, RS256 JWT, AES-256 encrypted session cookies, TLS 1.2+ in transit, and immutable audit logs. For full details see our Security page.
No system is completely secure. In the event of a breach, we will notify affected users and supervisory authorities within 72 hours as required by law.
12. Children's Privacy & Student Data (COPPA · FERPA)
Schools tier customers: This section governs all student data processing. A signed Data Processing Agreement (DPA) is required before activating IEP or student-linked features. Contact [email protected] to request a DPA.
12.1 Platform Not Directed to Children
The Angstroma portal, API, and scanner are B2B services directed to businesses and educational institutions — not to individual children. Our consumer surface (angstroma.com) requires all account holders to be at least 13 years of age; registration attempts from anyone under 13 are rejected. We do not knowingly solicit or collect personal information directly from children under 13 outside of a signed Schools tier Data Processing Agreement. If you believe a child under 13 has provided us personal data without appropriate consent, contact [email protected] and we will delete it within 5 business days.
12.2 Schools Tier — COPPA Compliance (16 C.F.R. Part 312)
The Schools tier enables K–12 institutions to deploy accessibility features for students, including those under 13. Under the COPPA school-consent exception (16 C.F.R. § 312.5(c)(6), codified in the FTC's 2024–2025 Final Rule, effective April 22, 2026), schools may authorize collection of student personal information on behalf of parents when the operator processes that data solely for the use and benefit of the school and for no other commercial purpose.
By activating the Schools tier and uploading student data, the subscribing institution:
- Represents it is providing parental consent on behalf of enrolled students for the limited purpose of delivering accessibility services
- Warrants it has complied with all applicable COPPA requirements, including providing direct notice to parents where required
- Agrees that Angstroma processes student data solely as a data processor on the school's instructions
We never use student data for advertising, marketing, profiling, or any commercial purpose beyond the accessibility services contracted by the school. Student data is never sold.
12.3 FERPA Compliance (20 U.S.C. § 1232g; 34 C.F.R. Part 99)
For educational institutions subject to FERPA:
- School Official Designation. Schools that execute a DPA with Angstroma designate Angstroma as a "school official" with a "legitimate educational interest" as defined under 34 C.F.R. § 99.31(a)(1). Angstroma uses education records only to provide contracted accessibility services.
- No Re-Disclosure. Angstroma will not re-disclose education records to any third party except as explicitly authorized by the school's DPA or required by law.
- Breach Notification. We will notify the school within 48 hours of discovering any unauthorized access to or disclosure of education records.
12.4 IEP Document Processing & AI Safeguards
Critical disclosure: IEP documents are processed using Claude AI (Anthropic, Inc., United States) to extract accessibility accommodation types. Robust safeguards are applied before any content leaves our systems.
When a school uploads an IEP document, the following sequence is enforced:
- PII Redaction. Before any content is transmitted externally, an automated redaction engine replaces student names, dates of birth, parent/guardian names, contact information, Social Security Numbers, and other direct identifiers with anonymized placeholders (e.g., [STUDENT], [DATE], [GUARDIAN]).
- AI Extraction. Only the redacted text is transmitted to Anthropic's Claude API — identifiable student information never leaves our systems.
- File Deletion. The source IEP file is permanently and irreversibly deleted from our storage immediately upon processing completion — whether successful or failed. The file is never retained.
- Accommodation Storage. Only anonymized accommodation descriptions (e.g., "requires text-to-speech for reading materials") are stored in our database — linked to the school's opaque student identifier, not to the student's name.
Angstroma maintains a Data Processing Agreement with Anthropic, Inc. governing AI processing. Anthropic processes only the de-identified content described above and does not retain it for model training without explicit consent.
12.5 What Student Data We Collect
| Data | Purpose | Collected From |
|---|---|---|
| ExternalStudentId — opaque, school-assigned identifier (not the student's name or SSN) | Link accessibility profile to student within the school system | School's LMS / SIS |
| Accessibility feature preferences (toggles and values) | Deliver personalized accessibility accommodations | Student's widget interactions |
| Accommodation types extracted from IEP (e.g., "requires large font") | Apply recommended accessibility settings to student profile | IEP document (after redaction + AI extraction) |
| Feature usage events (aggregated) | Verify accommodation effectiveness; improve service | Widget usage telemetry |
We do not collect: student names, dates of birth, Social Security Numbers, medical diagnoses, grades, disciplinary records, or any data beyond what is strictly necessary for accessibility service delivery.
12.6 Parent, Guardian & Student Rights
Parents of students under 18, and eligible students (18+), may exercise the following rights through their school administrator:
- Review accessibility profiles and accommodation records on file
- Request correction of inaccurate data
- Request deletion of all data associated with a specific student
- Receive a copy of student data in a machine-readable format (data portability)
Schools submit requests on behalf of parents or students by emailing [email protected] with the subject line "Student Data Request — [School Name]". We respond and act within 30 days. Deletion requests are confirmed in writing.
13. Changes to This Policy
We will provide at least 30 days' notice of material changes via email and a notice on our website. Continued use after the effective date constitutes acceptance.
14. Contact Us
For privacy questions, data subject requests, or to execute a DPA:
Email: [email protected]
Postal address: Angstroma, Inc., 131 Continental Drive, Suite 305, Newark, DE 19713, United States (Delaware registered agent — accepts executed DPAs and legal service of process).