Privacy Policy
Last updated: March 16, 2026
1. Introduction
SmartVax (“we,” “our,” or “us”) provides an AI-assisted immunization intake, review, and compliance platform for educational institutions. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our services at smartvaxai.com and related applications (the “Service”).
2. Information We Collect
Account information
When staff or guardians create an account, we collect name, email address, job title, organization affiliation, and authentication credentials. Staff accounts may be provisioned through Microsoft Entra ID single sign-on.
Student and immunization records
Institutions and guardians upload immunization documents (vaccination cards, registry printouts, school forms, lab reports) that may contain student names, dates of birth, vaccine histories, provider information, and other health-related data. Our OCR and AI systems extract structured data from these documents for compliance evaluation.
Usage data
We collect standard usage information including IP addresses, browser type, pages visited, and timestamps to maintain security, improve service quality, and generate aggregate analytics.
3. How We Use Information
We use collected information to:
Operate the immunization intake, OCR review, and compliance evaluation workflows
Process uploaded documents through AI-assisted extraction and structured data normalization
Evaluate immunization compliance against published rule profiles and state requirements
Generate secure transfer packets and share links for inter-institutional record sharing
Authenticate users and enforce role-based access controls
Maintain audit trails for all data access and disclosure events
4. Data Sharing and Disclosure
We do not sell personal information or student records. We share information only in the following circumstances:
We use Amazon Web Services (AWS) for hosting, storage, and database services; Google Gemini AI for document extraction and structuring; and Runpod for OCR processing. These providers process data on our behalf under contractual obligations to protect information.
When authorized by the institution or guardian, we generate secure transfer packets and share links for inter-institutional record transfer. All sharing events are logged with disclosure tracking.
We may disclose information when required by law, regulation, legal process, or governmental request.
5. FERPA Compliance
SmartVax is designed to support compliance with the Family Educational Rights and Privacy Act (FERPA). When used by educational institutions, student immunization records are treated as education records. We act as a school official with a legitimate educational interest under FERPA, processing records solely for the purposes defined by the institution. Institutions maintain ownership and control of their student records at all times.
6. Data Security
We implement industry-standard security measures including encryption in transit (TLS) and at rest, role-based access controls with audit logging, secure authentication with enterprise SSO support, and infrastructure isolation with private internal services. All access to student records is logged and auditable.
7. Data Retention and Deletion
We retain institutional data for the duration of the service agreement. Upon termination, institutions may request export of their data. We will delete institutional data within 90 days of a verified deletion request, except where retention is required by law. Audit logs may be retained for compliance purposes.
8. Children's Privacy
SmartVax processes immunization records for children as directed by educational institutions and authorized guardians. We do not knowingly collect personal information directly from children under 13. All child records are submitted and managed by authorized adults (guardians or institutional staff).
9. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal information. Guardians may exercise rights regarding their children's records through their institution or by contacting us directly. Institutional administrators may manage data access through the SmartVax staff dashboard.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify institutional administrators of material changes via email or through the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
For privacy inquiries or to exercise your rights, contact us at [email protected].