Legacy Haven Academy Privacy and Data Protection Policy

Policy Number:  
LHA-DIA-001
Version:  
1.2
Effective Date:  
October 1, 2025
Review Date:  
October 1, 2026
Last Updated:  
October 12, 2025
Functional Area Manager:  
Director of Information Activities

1. Introduction

Legacy Haven Academy Foundation (the "Academy") is committed to protecting the privacy and confidentiality of personal information collected from students, parents, guardians, donors, volunteers, and website visitors. As an educational institution serving youth ages 10-18 who are orphans or homeless, the Academy handles sensitive student data in alignment with the Family Educational Rights and Privacy Act (FERPA), which safeguards the privacy of student education records (U.S. Department of Education, n.d.a). This policy also complies with Arizona's student data privacy laws, including Arizona Revised Statutes (A.R.S.) § 15-1046 and the Student Online Personal Information Protection Act (SOPIPA, S.B. 1314), which restrict the use and disclosure of covered student information by online operators (Arizona Legislature, 2023a). For non-profit operations, the policy incorporates Internal Revenue Service (IRS) record-keeping and public disclosure requirements under Section 501(c)(3) guidelines, supporting the Academy's pending application for tax-exempt status (Internal Revenue Service, 2025a). No specific Mohave County ordinances impose additional data privacy requirements beyond state and federal laws, as local regulations defer to Arizona state education privacy statutes (Mohave County, 2024).

This policy applies to all personal data processed by the Academy, including through its website (legacyhavenacademy.org), enrollment processes, academic programs, mentorship services, and fundraising activities. It ensures compliance with the Children's Online Privacy Protection Act (COPPA) for data involving children under 13 (Federal Trade Commission, n.d.). The Academy designates the Executive Director as the Privacy Officer responsible for oversight.

2. Data We Collect

The Academy collects the following categories of personal data to fulfill its educational, operational, and charitable missions:

  • Student Data: Names, ages, contact information (addresses, phone numbers, emails), academic records (grades, test results, evaluations), health and medical records, socioeconomic information, biometric data (if applicable for security), discipline records, juvenile dependency records, and special education data. This constitutes "covered information" under A.R.S. § 15-1046 and education records under FERPA (Arizona Legislature, 2023a; U.S. Department of Education, n.d.a).
  • Parent/Guardian Data: Names, contact details, and emergency contacts.
  • Donor/Volunteer Data: Names, addresses, email addresses, phone numbers, donation history, and payment details.
  • Website Visitor Data: IP addresses, browser types, cookies for analytics (e.g., Google Analytics), and form submissions (e.g., inquiries, event registrations).

Data collection is limited to what is necessary for legitimate purposes, adhering to data minimization principles (VeraSafe, 2025).

3. How We Collect Data

Data is collected via:

  • Enrollment and intake forms (paper or online).
  • Academic and mentorship interactions.
  • Website forms, cookies, and tracking tools.
  • Donation platforms and events.

For children under 13, verifiable parental consent is obtained before collecting personal information, per COPPA (Federal Trade Commission, n.d.). Website visitors are notified of cookie use via a banner, with opt-out options.

4. How We Use Data

Personal data is used solely for:

  • Delivering educational services, mentorship, and support programs.
  • Administrative functions (e.g., scheduling, reporting).
  • Fundraising and donor communications.
  • Website functionality and analytics to improve user experience.
  • Compliance with legal obligations, such as IRS reporting for non-profit status.

Under FERPA, data is used only by school officials with legitimate educational interests (U.S. Department of Education, n.d.a). Arizona law prohibits using student data for targeted advertising or profiling beyond school purposes (Arizona Legislature, 2023a). Donor data supports IRS-required record-keeping for contributions (Internal Revenue Service, 2025a).

5. Disclosure and Sharing

The Academy does not sell, rent, or disclose personal data except:

  • With parental/eligible student consent (specific, informed, and revocable).
  • To school officials, contractors, or affiliates under strict agreements limiting use to school purposes (FERPA §99.31(a)(1); A.R.S. § 15-1046).
  • For enrollment transfers to other schools (FERPA §99.34).
  • In emergencies threatening health/safety (FERPA §99.36).
  • To authorized representatives for audits/evaluations (e.g., IRS compliance; FERPA §99.35).
  • Directory information (e.g., name, photo) if not opted out, with annual notice.
  • As required by law (e.g., subpoenas, with notice where possible).

Third-party disclosures require contracts ensuring security and no further sharing (SOPIPA requirements; CaseGuard, 2022). Donor names/addresses are not publicly disclosed per IRS rules for non-private foundations (Internal Revenue Service, 2025a).

6. Data Security

The Academy implements reasonable administrative, technical, and physical safeguards to protect data, including encryption, access controls, secure servers, and employee training. Per A.R.S. § 15-1046 and SOPIPA, security practices are appropriate to the data's sensitivity (Arizona Legislature, 2023a; CaseGuard, 2022). Breaches are reported promptly to affected parties and authorities as required by law. For IRS purposes, records are retained securely to support exemption applications and Form 990 filings (Internal Revenue Service, 2025a).

7. Rights of Students, Parents, and Eligible Students

Under FERPA, parents (or eligible students aged 18+) have the right to:

  • Inspect and review education records within 45 days.
  • Request amendments to inaccurate records (with hearing if denied).
  • Consent to disclosures (except exceptions).
  • File complaints with the U.S. Department of Education (familycompliance@ed.gov).

Annual notices of these rights will be provided via mail, email, or website (U.S. Department of Education, n.d.a). Arizona law grants parents opt-out rights for technology use sharing data with operators and prohibits student data sales (A.R.S. § 15-1046; Arizona Legislature, 2023a). For directory information, opt-out must be submitted in writing annually.

Website visitors may opt out of cookies via browser settings or our cookie management tool. Donors may request access, correction, or deletion of their data.

8. Children's Privacy (COPPA)

For users under 13, the Academy obtains verifiable parental consent before collecting, using, or disclosing personal information. This includes email-plus, credit card, or video conference methods. Parents may review, delete, or revoke consent at any time (Federal Trade Commission, n.d.).

9. Data Retention and Deletion

Data is retained only as long as necessary:

  • Student records: Duration of enrollment plus 3 years post-graduation (FERPA alignment).
  • Donor records: 7 years for IRS audits.
  • Website data: 2 years or upon request.

Upon request or program completion, covered information is deleted within a reasonable time, unless retention is required by law (A.R.S. § 15-1046; U.S. Department of Education, n.d.a).

10. Compliance, Enforcement, and Policy Updates

The Academy annually reviews this policy for compliance. Violations may result in disciplinary action. The Arizona Attorney General enforces state laws (A.R.S. § 15-1046), and FERPA complaints go to the U.S. Department of Education. This policy may be updated; material changes will be posted on the website with notice (CaseGuard, 2022).

11. Contact Us

Our Contact Us Page

Appendix A: References

Arizona Department of Education. (n.d.). Student data privacy (e.g., FERPA). https://www.azed.gov/data/student-data-privacy-eg-ferpa

Arizona Legislature. (2024). Arizona Revised Statutes § 15-1046: Student data privacy; definitions. https://www.azleg.gov/ars/15/01046.htm

CaseGuard Studio. (2022, March 10). Student data protection rules for Arizona schools. https://caseguard.com/articles/the-student-data-privacy-landscape-in-arizona/

Council of Nonprofits. (2024, January 22). Earning trust: The imperative of data privacy for nonprofits. https://www.councilofnonprofits.org/articles/earning-trust-imperative-data-privacy-nonprofits

Electronic Frontier Foundation. (n.d.). Online privacy for nonprofits: A guide to better practices. https://www.eff.org/pages/online-privacy-nonprofits

Federal Trade Commission. (2023). Complying with COPPA: Frequently asked questions. https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions

Goldwater Institute. (2025, February 20). Safeguarding student data: Arizona law puts parents in control. https://www.goldwaterinstitute.org/safeguarding-student-data-arizona-law-puts-parents-in-control/

Goldwater Institute. (2025, April 21). Parents in charge: AZ passes law to safeguard student data. https://www.goldwaterinstitute.org/parents-in-charge-az-passes-law-to-safeguard-student-data/

iKeepSafe. (2017). COPPA 101 for EdTech companies [PDF]. https://ikeepsafe.org/content/uploads/2017/01/COPPA-101-for-EdtTech-iKeepSafe.pdf

Read Lion. (2025, May 6). New Arizona law affirms parental rights, protects student privacy. https://readlion.com/new-arizona-law-affirms-parental-rights-protects-student-privacy/

SchoolHouse Connection. (n.d.). 6 things to know about privacy, FERPA, and homelessness. https://schoolhouseconnection.org/article/6-things-to-know-about-privacy-ferpa-and-homelessness

Squire Patton Boggs. (2018, March 8). Data privacy for non-profits: A toolkit for sound stewardship [PDF]. https://www.squirepattonboggs.com/-/media/files/insights/events/2018/03/data-privacy-for-non-profits/data-privacy-for-nonprofitspptx.pdf

U.S. Department of Education. (n.d.). FERPA: Protecting student privacy. https://studentprivacy.ed.gov/ferpa