Privacy Policy

Effective: May 15, 2026 · Last updated: May 15, 2026

This Privacy Policy describes how Aspen ESA, LLC ("Aspen ESA," "we," "us," or "our") collects, uses, and protects information when you use our products and services (the "Service"). By using the Service, you agree to this Privacy Policy.

Who we are

Aspen ESA, LLC is an Arizona-formed limited liability company. Our business address is on file with the Arizona Corporation Commission (Business ID 25056450). You can reach us anytime at hello@aspenesa.com.

What we collect

We collect the following categories of information:

Account information — your email address, name, and password (encrypted) when you create an account. If you upgrade to a paid plan, we also collect billing details through our payment processor (Stripe). We do not store your credit card number.

Kid profile information — when you add kid profiles to your account, you may include the child's name (first name only is sufficient), grade level, learning style preferences, accommodations or disability flag, and notes you choose to add. This information is provided by you, the parent — we do not collect data directly from children.

Receipts and supporting documents — photos and metadata of receipts you upload, including vendor name, purchase date, amount, and category. We use AI image analysis to extract this information. You may also choose to add notes.

Eligibility checks — text descriptions, photos, or product URLs you submit to check whether a purchase is ESA-eligible. We retain a record of each check (item, verdict, citations, your notes) so you can reference your history later.

Chat conversations — your messages and Aspen's responses are stored to maintain conversation context within a chat session. Past chats are accessible from your account history.

Usage data — pages you visit, features you use, time on site, error reports, and similar technical data. This is collected automatically through our hosting and analytics providers.

Communications — when you email us or use our support channels, we keep a record so we can help you.

How we use your information

We use the information above to:

  • Provide the Service (answer questions, organize receipts, generate eligibility verdicts, manage subscriptions)
  • Improve the Service over time (identify bugs, refine the eligibility engine, expand the curriculum directory)
  • Communicate with you about your account, billing, and important Service updates
  • Enforce our Terms of Service and prevent abuse
  • Comply with legal obligations

Who we share your information with

We do not sell your personal information. We share information only with categories of third-party service providers necessary to operate the Service:

  • AI model providers — process your text and image inputs to generate AI responses, perform eligibility analysis, and identify items in photos. Per our agreements with these providers, your inputs and outputs are not used to train their general AI models.
  • Cloud hosting and database providers — host our application, database, and authentication. Your account data, kid profiles, receipts, and chat history are stored in encrypted databases with access restricted by row-level security.
  • Payment processors — handle billing for paid subscriptions. Your credit card information is collected and stored directly by our payment processor; we never see or store it.
  • Email and communication providers — send transactional emails (account verification, password reset, billing notices).
  • DNS and domain providers — provide domain and email routing services.
  • Error monitoring providers — collect error reports so we can fix bugs you encounter.
  • Analytics providers — collect anonymized usage data to help us understand how the Service is used.

We do not use your private chat content, eligibility checks, or kid profile data to train any AI model.

We may also share information when required by law (subpoena, court order, regulatory request) or to protect our legal rights, the safety of our users, or the integrity of the Service.

In the event of a merger, acquisition, or sale of assets, your information may transfer to the acquiring entity, subject to your continued protections under this Privacy Policy.

How we use AI with your data

Aspen ESA is built on AI. When you ask Aspen a question, send a chat message, or run an eligibility check:

  • Your input is sent to one or more third-party AI model providers for processing
  • Aspen's response is generated based on the Arizona ESA Parent Handbook (which we have indexed), our system prompts, and your kid profile context (when relevant)
  • Per our agreements with our AI model providers, your inputs and outputs are not used to train their general AI models

We do not use your private chat content, eligibility checks, or kid profile data to train any AI model — Aspen's behavior is controlled by our prompts and our handbook knowledge base, not by retraining on user data. If we ever add a feature that uses your data to improve Aspen specifically (for example, a feedback loop where you mark answers as helpful), we will tell you clearly and let you opt out.

How long we keep your information

  • Active account data: retained as long as your account is active
  • Cancelled accounts: retained for 90 days after cancellation, then deleted (you can request earlier deletion — see "Your rights" below)
  • Receipts and uploaded photos: retained as long as your account is active; deleted along with your account
  • Billing records: retained for 7 years for tax and audit purposes (legal requirement)
  • Anonymous usage data: retained indefinitely in aggregated form for service improvement

Your rights

You can:

  • Access your data — view it directly in the app, or request an export by emailing privacy@aspenesa.com
  • Correct your data — edit profile, kid, receipt, and other fields directly in the app
  • Delete your data — close your account in the account settings; we delete within 90 days
  • Restrict processing — contact us to discuss
  • Object to certain uses — contact us to discuss

If you're an Arizona resident, California resident (CCPA), or in a jurisdiction with similar data protection laws, you may have additional specific rights. Contact us and we'll honor them within the timeframes required by law.

Children's data

Aspen ESA is intended for use by parents, not by children directly. The kid profile information you enter is provided by you about your child — we do not collect information directly from children, do not allow children to create accounts, and do not knowingly market to children.

If you believe a child has created an account or submitted information directly to us, please contact us immediately at privacy@aspenesa.com and we will delete it.

Security

We use industry-standard security measures to protect your data:

  • All connections to our servers use TLS encryption (HTTPS)
  • Passwords are hashed; we never store plaintext passwords
  • Your data is stored in encrypted Supabase databases with row-level security policies that prevent users from accessing each other's data
  • Payment information is handled exclusively by Stripe, which is PCI-DSS Level 1 certified
  • We require 2FA for our internal admin access

No system is 100% secure. If you believe your account has been compromised, contact us immediately.

International users

Aspen ESA is designed for and marketed to families in Arizona, USA. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

We are not currently structured to comply with GDPR (Europe), so we do not knowingly serve users in the European Economic Area or United Kingdom. If you are in the EEA or UK, please do not create an account.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we'll notify you by email and update the "Last updated" date at the top. Continued use of the Service after a change constitutes acceptance.

Contact

Questions about this Privacy Policy? Email hello@aspenesa.com.