Arbol Privacy Policy

Last Updated: December 9, 2025

Arbol Community, Inc. (“Arbol”) is committed to protecting privacy and handling Personal Data responsibly. This Privacy Policy (Internal Governance) establishes the internal framework, principles, and processes governing the collection, use, processing, storage, and disposal of Personal Data handled by Arbol.

Arbol places heightened safeguards on Student Education Records and processes such records in strict accordance with the Family Educational Rights and Privacy Act (FERPA).

This internal governance policy complements Arbol’s external-facing Privacy Policy, which describes how data is handled for public users and visitors.

1. Purpose and Scope

1.1 Purpose

This policy establishes Arbol’s internal privacy governance and operational controls for the responsible processing of Personal Data, including Student Education Records. It defines the privacy principles, roles, responsibilities, and required procedures used to ensure compliance with FERPA and other applicable privacy laws.

1.2 Scope

This policy applies to all Personal Data processed by Arbol, regardless of format (digital, paper, or otherwise) or location (including cloud infrastructure). It includes Personal Data relating to employees, contractors, customers (educational institutions and authorized staff), and end-users (students).

This policy applies to all Arbol employees and contractors who handle or may have access to Personal Data.

2. Definitions

Personal Data

Any information relating to an identified or identifiable individual, including information that can reasonably be used to identify that person directly or indirectly.

Student Education Records

Records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the institution, as defined by FERPA.

FERPA Data

Student Education Records or other student-related data protected by FERPA, treated as Arbol’s highest sensitivity classification.

Processing

Any operation performed on Personal Data, including collecting, recording, organizing, storing, using, analyzing, sharing, or deleting data.

Data Subject

An individual whose Personal Data is processed by Arbol, including students, staff, contractors, or employees.

School Official

A vendor or service provider performing an institutional service or function for which the institution would otherwise use employees, under direct control of the institution with respect to the use and maintenance of Student Education Records, and subject to FERPA’s restrictions.

3. Policy Statements

Arbol is committed to responsible and ethical handling of Personal Data, adherence to applicable laws and regulations, and implementation of strong privacy and security practices.

3.1 Core Privacy Principles

Arbol adheres to the following privacy principles in all Personal Data processing activities:

  • Lawfulness, fairness, and transparency: Personal Data will be processed lawfully, fairly, and transparently.

  • Purpose limitation: Personal Data will be collected for specified, explicit, and legitimate purposes and not processed in ways incompatible with those purposes.

  • Data minimization: Personal Data will be limited to what is necessary to deliver services and meet contractual obligations.

  • Accuracy: Personal Data will be maintained accurately and kept up to date where necessary.

  • Storage limitation: Personal Data will be retained only as long as necessary to support service delivery, contractual obligations, and legal requirements.

  • Integrity and confidentiality (security): Personal Data will be protected using appropriate administrative, technical, and physical safeguards.

  • Accountability: Arbol will maintain documentation and practices that demonstrate compliance with these principles.

3.2 Roles and Responsibilities

Privacy Oversight

Kevin Menegay (Head of Engineering) is responsible for overseeing Arbol’s privacy compliance program and the implementation and maintenance of this policy.

All Personnel

All employees and contractors are responsible for understanding and complying with this policy and completing privacy and security training requirements.

3.3 FERPA Compliance and Student Education Records

Arbol recognizes the paramount importance of FERPA. All processing of Student Education Records must comply with FERPA and the requirements established by partner institutions.

Arbol’s commitments for FERPA Data include:

  • Student Education Records are classified as FERPA Data and receive the highest level of security controls.

  • Access is restricted based on the principle of least privilege and role-based access controls.

  • Employees and contractors who may handle Student Education Records receive mandatory FERPA training.

  • Student Education Records are accessed and used only to perform services described in Arbol’s agreements with educational institutions.

  • Arbol processes Student Education Records solely under the direction and control of the partner institution, consistent with its role as a School Official.

3.4 Individual Rights and FERPA Requests

Arbol respects the rights of individuals regarding their Personal Data. Individuals may request access, correction, deletion, or information about processing by contacting security@growarbol.com.

Arbol will verify the identity of the requester before responding, respond within a reasonable timeframe in accordance with applicable laws, and document and track requests internally for compliance.

Where Student Education Records are involved, Arbol may direct requests to the relevant educational institution, consistent with FERPA requirements and institutional policies.

3.5 Privacy Concerns and Dispute Resolution

Individuals with privacy questions, concerns, or complaints should contact security@growarbol.com.

Arbol will acknowledge, log, investigate, and respond to inquiries within a reasonable timeframe, with a target response time of 15 business days. The investigation process and outcome will be documented internally, and corrective actions will be implemented when appropriate.

Individuals may also pursue remedies available under applicable laws, including FERPA complaint procedures with the U.S. Department of Education.

3.6 International Data Regulations

Arbol may process Personal Data of individuals located outside the United States, including regions governed by the GDPR or similar laws. Arbol is committed to complying with applicable privacy laws and implementing appropriate safeguards as required.

3.7 Privacy by Design

Arbol incorporates privacy considerations into the design and development of systems and services. This includes evaluating privacy impacts during system development, vendor selection, and operational changes.

3.8 Privacy Review for System Changes

Requirement

A privacy review is mandatory for changes to systems, applications, infrastructure, and workflows that involve Personal Data.

Process

Privacy review is integrated into Arbol’s change management workflow and includes:

  • Initial assessment: The change author documents whether the change collects new Personal Data, uses Personal Data for new purposes, or creates additional exposure of Student Education Records, and whether it aligns with minimization and security expectations.

  • Reviewer approval: Reviewers must explicitly confirm privacy considerations have been evaluated before approval. High-risk changes require additional review.

  • Escalation: When uncertain, the Privacy Oversight lead must be consulted.

Objective

To ensure changes respect privacy, comply with FERPA and applicable privacy laws, and preserve Arbol’s data stewardship commitments.

3.9 Use of Automated Systems and Analytics

Arbol uses automated systems to analyze student financial data in order to provide personalized recommendations and risk assessments to support student success, consistent with its role as a School Official.

Arbol’s commitments include:

Purpose and Specificity

Automated processing is used solely for delivering contracted services to students and partner institutions. Recommendations are generated using a deterministic, rules-based engine designed by Arbol subject matter experts to reflect coaching logic and financial wellness best practices.

Data Segregation and Model Training

  • Arbol does not use FERPA-protected Student Education Records to train general-purpose or multi-tenant AI/ML models.

  • Any future predictive models will be trained only on aggregated and fully anonymized data, or data for which explicit consent has been obtained.

  • Customer data is logically segregated and is not used to train models that benefit other customers.

Fairness and Bias

Automated logic and supporting algorithms are subject to periodic internal review to reduce the risk of bias and to ensure recommendations are based on financial inputs, not protected or demographic characteristics.

Human Oversight

Arbol’s systems are designed to support students and staff and are not intended to make final, binding decisions about aid eligibility, enrollment status, or institutional discipline.

3.10 Third-Party Management

Third-party service providers who process Personal Data on behalf of Arbol are subject to due diligence and contractual privacy and security requirements. Arbol requires appropriate protections including confidentiality obligations and limitations on data use.

3.11 Training and Awareness

All Arbol employees and contractors receive privacy and security training during onboarding and at least annually thereafter. Training includes FERPA requirements for those with access to Student Education Records.

3.12 Privacy Risk Mitigation

When privacy risks are identified through audits, reviews, incident response, or other means, Arbol will implement interim risk mitigation measures while permanent corrective actions are developed and deployed. Mitigation steps will be proportional to the severity of the risk.

4. Compliance and Enforcement

Compliance with this policy is mandatory. Failure to comply may result in disciplinary action, up to and including termination of employment or contract.

In rare cases, exceptions may be required due to business needs or legal obligations. Any exception must be approved by David Gonzalez (CEO) and documented with a clear justification and defined scope.

5. Policy Review and Maintenance

This policy will be reviewed at least annually, and whenever significant changes occur in applicable regulations, business operations, or technology or systems impacting Personal Data processing.

Reviews will be conducted by Kevin Menegay (Privacy Oversight) and approved by David Gonzalez (CEO).

Contact

For privacy-related questions, data subject requests, or concerns, contact security@growarbol.com.