Blue: The Business of You

Trust Center

Data Security & Privacy Plan

How Blue protects student data—collection limits, hosting on AWS in the United States, encryption, access controls, logging, AI boundaries, retention, and incident response. For questions, contact privacy@blueapp.ai.

Back to Trust Center

1. Overview

Blue is a student-centered platform designed to help learners reflect on experiences, develop personal narratives, and build readiness for postsecondary opportunities.

Blue is operated by EBNix, LLC and is designed with a privacy-first approach that minimizes data collection, avoids surveillance, and prioritizes student control over personal content.

This Data Security and Privacy Plan describes the administrative, technical, and physical safeguards implemented to protect student data and ensure compliance with applicable federal and state student privacy laws, including FERPA and state-level data protection requirements.

2. Data Collection and Use

Blue collects only the data necessary to provide its core educational functionality.

Categories of data collected

  • Student identifiers (e.g., name, email, username)
  • Student-generated content (e.g., reflections, narratives, responses)
  • Optional student-submitted media (e.g., audio story recordings)
  • Platform usage data (e.g., feature usage, session activity)
  • Limited technical metadata (e.g., IP address, browser type)

Purpose of data use

  • To provide and operate the Blue platform
  • To store and organize student-created content
  • To generate user-requested summaries and reflections
  • To support student-directed sharing of content
  • To maintain platform security and integrity

Blue does not use student data for advertising, profiling, or unrelated product development.

3. Data Ownership and Control

Blue distinguishes between:

Student Personal Content

Content created by students, including reflections, narratives, and personal insights.

Institutional Reporting Data

Summary-level data (e.g., completion indicators, progress signals) used by schools for educational oversight.

Students control access to their personal content. Schools and educators receive access only to summary-level information unless explicitly shared by the student.

When Blue is used by a school or district, educational records are handled in accordance with applicable law and contractual agreements with the institution.

4. Data Storage and Hosting

Blue is hosted on Amazon Web Services (AWS) in U.S.-based data centers (US East region).

Data is stored across:

  • Amazon RDS (PostgreSQL) for structured data
  • Amazon S3 for file and media storage
  • AWS CloudWatch for logging and monitoring

All environments are configured using secure, access-controlled infrastructure.

Blue primarily operates on Amazon Web Services (AWS) in U.S.-based infrastructure. We also use a limited number of vetted service providers to support core platform functionality, including transactional email delivery and application notifications. These providers are used solely to operate the platform and are not used for advertising, data brokerage, or cross-platform tracking.

For more detail, see our Subprocessors & Infrastructure page.

5. Encryption and Data Protection

Blue implements encryption across all major systems:

Encryption in transit

All data is transmitted over HTTPS using TLS encryption

Encryption at rest

  • Amazon RDS databases are encrypted using AWS KMS
  • Amazon S3 storage enforces server-side encryption (SSE-KMS)
  • AWS CloudWatch logs are encrypted using KMS
  • Amazon EBS volumes are encrypted by default

Customer-managed KMS keys are used where applicable, with automatic key rotation enabled.

6. Access Controls

Access to student data is restricted based on role and necessity.

  • Role-based access controls (RBAC) are enforced across systems
  • Access is limited to authorized personnel with a legitimate operational need
  • Administrative access requires authentication and is logged
  • Least-privilege principles are applied to all access permissions

7. Monitoring and Logging

Blue maintains system and security logs to support monitoring and incident detection.

  • Logs include authentication events, system activity, and error tracking
  • Logs are encrypted and access-controlled
  • Monitoring is limited to platform activity and does not extend to device-level surveillance

Blue does not monitor:

  • Keystrokes
  • Device location
  • Camera or video feeds
  • Activity outside the platform

8. AI Usage and Data Protections

Blue uses AI in limited, controlled ways to support students.

AI is used to:

  • Summarize student-provided content
  • Identify themes and strengths within user input
  • Structure content for reuse

Safeguards include:

  • AI outputs are advisory and student-facing only
  • AI does not make evaluative or disciplinary decisions
  • Student data is not used to train AI models
  • Original student content is preserved

9. Data Retention and Deletion

Blue supports data deletion and retention in accordance with user requests and contractual obligations.

  • Users may delete content or request account deletion at any time
  • Data is removed from active systems upon deletion
  • Backup data is retained for a limited period before permanent deletion

When Blue is used by a school or district:

  • Data retention and deletion follow contractual agreements
  • Data is returned or securely deleted upon contract termination in accordance with applicable law

10. Incident Response

Blue maintains an incident response process designed to identify, contain, and remediate security events.

In the event of a confirmed data breach involving student data:

  • Blue will notify affected educational institutions without unreasonable delay
  • Notifications will occur in accordance with applicable contractual and legal requirements
  • Blue will provide information necessary for institutions to meet notification obligations

11. Subprocessors

Blue uses a small set of vetted service providers to support infrastructure and core platform operations.

Core providers include:

  • Amazon Web Services (AWS) for U.S.-based hosting, storage, and core infrastructure
  • Google for transactional email delivery (system-generated messages)
  • Firebase (Google Cloud Platform) for application notifications

These providers are used only to operate the platform. Blue does not use advertising networks, data brokers, or cross-platform tracking providers. All subprocessors are required to maintain appropriate security and confidentiality protections consistent with applicable data protection requirements.

12. Employee Training and Confidentiality

Personnel with access to systems handling student data are:

  • Bound by confidentiality obligations
  • Trained on data protection and security practices
  • Granted access only as required for their role

13. Data Transition and Destruction

Upon termination of services with a school or district:

  • Student data will be returned or securely deleted as directed by the institution
  • Deletion will occur within contractually required timeframes
  • Secure deletion methods are used to prevent data recovery

14. Security Framework Alignment

Blue’s security practices align with the NIST Cybersecurity Framework (Version 1.1), including:

  • Identification of risks and assets
  • Protection through access controls and encryption
  • Detection via logging and monitoring
  • Response through incident management procedures
  • Recovery through system resilience and backup practices

15. Accessibility

Blue is designed with accessibility considerations in mind and continues to evolve to improve usability across a wide range of users.

Accessibility documentation can be provided upon request.

16. Contact Information

For questions regarding this Data Security and Privacy Plan:

EBNix, LLC (Blue App)

Email: privacy@blueapp.ai