privacy policy

Disagree Wisely, Inc. ("we," "us," or "our") is a Florida nonprofit corporation (501(c)(3) pending) that operates Sway (SwayBeta.ai), an educational discussion platform that connects college and university students in AI-facilitated peer conversations. This Privacy Policy explains how we collect, use, store, and protect information from all users of our platform and website, including students, instructors, and website visitors.

This policy applies to all interactions with SwayBeta.ai, including use of the discussion platform, our website, and any related communications.

We practice data minimization by design. We collect only what is necessary to operate the platform. We do not collect financial data, health data, Social Security numbers, grades, or transcripts.

Students

• Email address — for authentication. Provided by the institution for enrollment or self-registered. This is the only piece of personally identifiable information (PII) we require.
• Preferred first name — optional, and may be a pseudonym. We do not require or verify real names.
• Discussion messages — generated by students on the platform. These are private. Instructors and institutions never see student messages, opinions, or chat transcripts.
• Quiz and survey responses — completed as part of assignments.
• Usage metadata — message counts, session durations, and similar non-content data.
• Phone number — only if a student opts into SMS notifications.

Internally, students are identified by random IDs. Email addresses are never stored alongside messages.

For full details on student data collection and rights, see the Student Privacy and Research Consent document.

Instructors

• Email address — for authentication.
• First name — for identification within the platform.
• Class and assignment configuration data — topics, deadlines, and settings created by the instructor.

Website Visitors

• Standard web analytics — via Google Analytics, configured not to collect PII.
• Session cookies — for authentication only, not for tracking.

We use collected data for the following purposes:

• Operating the platform — authenticating users, running discussions, delivering assignments, and providing the core Sway experience.
• AI-facilitated discussion guidance — the AI "Guide" uses message content and pseudonymous first names to facilitate productive conversations. Email addresses are never sent to AI providers.
• Message quality tools — the rephrase suggester and message gate use fine-tuned AI models to help students communicate more effectively. These models were trained on public forum data supplemented by de-identified, opted-in student messages.
• Platform improvement — analyzing aggregated, non-identifying usage patterns to improve the educational experience.
• Educational research — opt-in only. Only de-identified data is used. Students can revoke consent at any time. See the Student Privacy and Research Consent document for details.
• Communications — sending email notifications about assignments or platform updates.

We do not use your data for:

• × Advertising or ad targeting
• × Sale to third parties
• × Training commercial AI models
• × Profiling for purposes unrelated to the educational experience

Sway uses AI to facilitate student discussions. Here is exactly what that involves:

• What is sent to AI providers: Message content and pseudonymous first names.
• What is never sent to AI providers: Email addresses or any other PII.
• Primary AI provider: Anthropic (Claude).
• Secondary AI provider: OpenAI (used as a fallback for discussion guidance, and for fine-tuned message quality models).
• AI provider data policies: Neither Anthropic nor OpenAI trains their models on data submitted through their APIs. Zero Data Retention agreements are in progress with both providers. Current provider-side retention is up to 30 days for service operation purposes.

The rephrase suggester and message gate use fine-tuned OpenAI models. These were trained on public forum data supplemented by de-identified messages from students who opted into research participation. No PII was included in training data.

We share data with the following third-party services (subprocessors) only as necessary to operate the platform:

No subprocessor receives student email addresses except Google Cloud Platform, which stores them for authentication purposes.

We do not sell, rent, or trade personal information to any third party.

We use cookies minimally:

• Session cookies — essential for authentication and keeping you logged in. These are functional cookies required for the platform to work. No separate consent is needed.
• No tracking cookies. We do not use cookies for advertising, retargeting, or cross-site tracking.
• No advertising cookies.
• No web-tracking pixels.
• Google Analytics — configured to anonymize IP addresses and not collect PII.

• Active accounts — data is retained while your account is active.
• Student messages — retained while the account is active. Deleted when the account is deleted.
• PII removal — within 30 days of account deletion.
• De-identified research data — retained indefinitely, but only from students who opted into research participation. Because it is de-identified, it cannot be linked back to any individual.
• Instructor class data — instructors can request deletion of class data after a semester ends.
• Infrastructure backups — Firestore backups are retained for 98 days with weekly snapshots. After a deletion request, data will persist in backups until the oldest backup expires.

We take the security of your data seriously. Our measures include:

• Encryption in transit — all data transmitted between your browser and the servers is encrypted using TLS 1.2 or higher.
• Encryption at rest — all stored data is encrypted with AES-256 using Google-managed encryption keys.
• Infrastructure security — private GKE cluster, Cloudflare DDoS protection, and Google Cloud Armor web application firewall.
• Access controls — multi-factor authentication is required on all production accounts. Only three team members have production access, following least-privilege principles.
• Application security — pre-commit security scanning (Bandit SAST), code review requirements, and branch protection on all production code.
• Breach notification — in the event of a data breach affecting your information, we will notify affected institutions within 72 hours and affected individuals as required by applicable law.

All Users

You have the right to:

• Access your data — request a copy of the personal information we hold about you.
• Correct inaccurate information in your account.
• Delete your account and associated personal data.
• Request information about how your data is processed.

To exercise any of these rights, contact us at privacy@swaybeta.ai.

Students

Students have additional rights detailed in the Student Privacy and Research Consent document, including:

• Opt in or out of research participation at any time.
• Control what information your instructor can see.
• Delete your account at any time, which removes all associated personal data.

FERPA U.S. Educational Institutions

Sway is designed to comply with FERPA. Key points:

• Student discussion messages are not education records accessible to the institution. Institutions cannot access, export, or claim ownership of student messages.
• The only information institutions provide to Sway is student email addresses for enrollment purposes.
• Students retain control over their own discussion content.

GDPR European Economic Area Users

If you are in the EEA, you have additional rights under the General Data Protection Regulation:

• Legal basis for processing: Consent (for research participation) and contractual necessity (for providing the platform).
• Your rights: Access, rectification, erasure, restriction of processing, objection to processing, and data portability.
• Data Protection Contact: privacy@swaybeta.ai
• Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

CCPA California Users

If you are a California resident, you have rights under the California Consumer Privacy Act:

• Right to know what personal information we collect and how it is used.
• Right to delete your personal information.
• Right to opt out of the sale of personal information. We do not sell personal information.
• Non-discrimination — we will not discriminate against you for exercising your CCPA rights.

Sway is designed for college and university students aged 18 and older. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@swaybeta.ai.

All data is stored and processed in the United States, specifically in Google Cloud Platform's us-central1 region (Iowa). We do not store or transfer data to the European Economic Area, China, or other jurisdictions outside the United States.

If you are located outside the United States and use Sway, your data will be transferred to and processed in the United States. For EEA users, standard contractual clauses are available upon request to provide appropriate safeguards for international data transfers.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or through an in-app notice before the changes take effect.

We encourage you to review this policy periodically. Your continued use of Sway after changes are posted constitutes your acceptance of the updated policy.

If you have questions about this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@swaybeta.ai
• Mailing address: 7901 4th St N, Suite 300, St. Petersburg, FL 33702

For student-specific privacy details, including research consent, FERPA rights, and account deletion, please see the Student Privacy and Research Consent document.