Privacy Policy
Last updated: March 5, 2026 | Effective: March 5, 2026
LexCommons ("we," "us," "our") operates Law School Commons (lawschoolcommons.com), AdminCommons (admin.lexcommons.org), CiteCommons (legalcitationchecker.org), and the LexCommons hub (lexcommons.org) (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our Services.
We are committed to complying with the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA) where applicable, and other relevant federal and state privacy laws.
- We collect only what is necessary to provide our Services
- Student education records are protected under FERPA
- Health-related information (accommodations, counseling) receives HIPAA-level protections
- We never sell your personal information
- All data is encrypted in transit (TLS 1.2+) and sensitive fields are encrypted at rest
- You have the right to access, correct, and delete your data
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, password (stored as a salted hash, never in plaintext), and your role (student, professor, or administrator). If you register using a professor code, we store your role accordingly.
Education Records (FERPA-Protected)
For students using Law School Commons, we may collect quiz scores, study progress, topic mastery data, course enrollment, and study activity (streaks, session data). These constitute education records under FERPA and are accessible only to the student and authorized institutional personnel.
Administrative Records (AdminCommons)
For institutional users of AdminCommons, we may process student directory information, enrollment and academic standing data, financial aid and scholarship records, employment and career outcomes data, and event and facilities management records.
Protected Health Information (HIPAA-Protected)
AdminCommons may process disability and accommodation records, counseling and wellness referral data, and health insurance information. This information is encrypted at rest using AES-256 encryption and access is restricted to authorized personnel with a legitimate need to know. All access is logged in our audit system.
Technical Information
We automatically collect IP addresses (logged for security and audit purposes), session tokens, browser type, and timestamps of access. This information is used for security, compliance, and system performance purposes.
2. How We Use Your Information
We use collected information to:
- provide and improve our Services
- authenticate users and maintain session security
- generate analytics and reports for institutional administrators
- comply with accreditation requirements (including ABA Standards)
- fulfill legal obligations under FERPA, HIPAA, and other applicable laws
- detect and prevent security incidents
- maintain audit logs as required by HIPAA
3. FERPA Compliance
If you are a student at an institution that uses our Services, you have the right to inspect and review your education records, request amendment of inaccurate records, consent to disclosure of personally identifiable information (with exceptions as permitted by FERPA), and file a complaint with the U.S. Department of Education.
Directory Information
Certain information may be designated as "directory information" by your institution (e.g., name, enrollment status, program of study). You have the right to opt out of directory information disclosure by contacting your institution's registrar or by adjusting your settings within AdminCommons.
Legitimate Educational Interest
We may disclose education records without consent to school officials with a legitimate educational interest, as determined by the institution. AdminCommons' role-based access control (RBAC) system enforces these access restrictions at the application level.
4. HIPAA Compliance
To the extent that our Services process protected health information (PHI), we implement the following safeguards:
| Safeguard | Implementation |
|---|---|
| Access Controls | Role-based access with 16-role permission system; minimum necessary standard enforced |
| Audit Controls | All access to PHI logged with user ID, timestamp, IP address, and action taken |
| Integrity Controls | Data validation on input; database constraints reject malformed or inconsistent writes; all modifications are recorded in the audit log |
| Transmission Security | TLS 1.2+ encryption for all data in transit; HSTS enforced |
| Encryption at Rest | Sensitive fields (accommodations, counseling notes) encrypted using pgcrypto AES-256 |
| Session Management | 30-minute idle timeout; 8-hour maximum session lifetime; session cookies set with the Secure and HttpOnly attributes |
| Authentication | bcrypt password hashing (cost factor 12); password complexity requirements enforced |
| Network Security | Firewall restricts access to ports 22, 80, 443 only; SSH hardened |
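The session rules in the table above combine two different timers: the 30-minute idle timeout slides forward on every request, while the 8-hour maximum is measured from login and is never extended. The following Python is an added illustration of how a server evaluates those two rules together; it is not LexCommons' code. The session record, the identifiers, and the SameSite attribute on the cookie are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values from the policy's Session Management row.
IDLE_TIMEOUT = timedelta(minutes=30)   # sliding window, reset on each valid request
MAX_LIFETIME = timedelta(hours=8)      # absolute cap, measured from login, never extended


@dataclass
class Session:
    """Server-side session record (hypothetical shape, not LexCommons' schema)."""
    session_id: str
    user_id: str
    created_at: datetime     # set once at login
    last_seen_at: datetime   # advanced on every accepted request


def session_state(session: Session, now: datetime) -> str:
    """Classify a session as 'active', 'expired_idle' or 'expired_absolute'.

    The absolute check runs first: a session that is 8 hours old is dead even
    if the user was active a minute ago, which is the case people get wrong
    when they only implement the sliding timer.
    """
    if now - session.created_at >= MAX_LIFETIME:
        return "expired_absolute"
    if now - session.last_seen_at >= IDLE_TIMEOUT:
        return "expired_idle"
    return "active"


def touch(session: Session, now: datetime):
    """Validate a request and slide the idle window.

    Returns (session, state). On expiry the session is dropped (None) so the
    caller clears the cookie instead of silently reviving the session.
    """
    state = session_state(session, now)
    if state != "active":
        return None, state
    session.last_seen_at = now   # only the idle timer moves; created_at stays put
    return session, state


def set_cookie_header(session_id: str, max_age_seconds: int) -> str:
    """Build the Set-Cookie value. Secure and HttpOnly come from the policy table;
    SameSite=Lax is an assumption added here as a common default."""
    return (f"session={session_id}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={max_age_seconds}")


def simulate(start_iso: str, offsets_minutes) -> list:
    """Replay a constructed request timeline against one session.

    start_iso is the login time; offsets_minutes are request times relative to
    it. Returns a list of (ISO timestamp, state) and stops at the first expiry.
    """
    t0 = datetime.fromisoformat(start_iso)
    session = Session("sid-demo", "user-demo", t0, t0)   # constructed sample
    timeline = []
    for offset in offsets_minutes:
        now = t0 + timedelta(minutes=offset)
        refreshed, state = touch(session, now)
        timeline.append((now.isoformat(), state))
        if refreshed is None:
            break
    return timeline


if __name__ == "__main__":
    login = "2026-03-05T09:00:00+00:00"
    # Requests at +20, +45 and +80 minutes: the 35-minute gap trips the idle timer.
    for stamp, state in simulate(login, [20, 45, 80]):
        print(stamp, state)
    # A request every 20 minutes never idles out, but the 8-hour cap still ends it.
    print(simulate(login, range(20, 500, 20))[-1])
    print(set_cookie_header("sid-demo", 8 * 3600))
```

The absolute lifetime is checked before the idle timer on purpose: a regularly used session must still end at eight hours, and ordering the checks the other way round makes it easy to write code that keeps extending it.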
Business Associate Agreements
We will enter into Business Associate Agreements (BAAs) with covered entities (institutions) as required by HIPAA before processing any PHI on their behalf. Our infrastructure providers are contractually bound to maintain appropriate safeguards.
Breach Notification
In the event of a breach of unsecured PHI, we will notify the affected institution immediately upon discovery; notify affected individuals without unreasonable delay and in no case later than 60 days after discovery; notify the U.S. Department of Health and Human Services as required (within 60 days for breaches affecting 500 or more individuals, otherwise in the annual log of smaller breaches); and, for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area, as required by HIPAA.
5. Data Security
We implement administrative, physical, and technical safeguards, including:
- encrypted connections (HTTPS/TLS) for all communications
- salted bcrypt hashing for passwords
- a server firewall limiting access to essential ports only
- automated session expiration and idle timeouts
- comprehensive audit logging of all data access and modifications
- encrypted storage for sensitive health-related data
- regular security review and updates
6. Data Retention
We retain your data as follows:
- Account information: for the duration of your account plus 1 year after a deletion request
- Education records: as directed by the institution, in compliance with FERPA
- Protected health information: 6 years from the date of creation or last effective date, matching the HIPAA six-year documentation retention period
- Audit logs: 6 years, as required by HIPAA
- Session data: purged automatically upon expiration
7. Data Sharing and Disclosure
We do not sell your personal information. We may share information with your institution (for education records, as permitted by FERPA), service providers under contract who assist in operating our Services (subject to confidentiality obligations and, where applicable, BAAs), and law enforcement or regulatory bodies when required by law or to protect rights and safety.
8. Your Rights
Depending on your jurisdiction and applicable law, you may have the right to access your personal information, correct inaccurate data, delete your account and associated data (subject to legal retention requirements), receive a copy of your data in a portable format, opt out of directory information disclosure, and withdraw consent where processing is based on consent.
To exercise these rights, contact us at privacy@lexcommons.org.
9. Children's Privacy
Our Services are designed for law students and legal professionals (generally 18+). We do not knowingly collect information from children under 13. If we become aware of such collection, we will delete the information promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and posted prominently on our Services. Continued use after changes constitutes acceptance of the revised policy.
11. Contact Information
For privacy-related inquiries, to exercise your rights, or to report a concern:
LexCommons Privacy Office
Email: privacy@lexcommons.org
For FERPA complaints: U.S. Department of Education, Student Privacy Policy Office, 400 Maryland Ave SW, Washington, DC 20202
For HIPAA complaints: U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Ave SW, Washington, DC 20201