United States

FERPA — how LegacyLink supports US institutions

LegacyLink is designed so US K-12 districts, independent schools, colleges and universities can operate an alumni programme consistent with the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g).

Last updated: 2026. For a specific data processing agreement, email info@legacylink.tech.

School official designation

Under the FERPA "school official" exception (34 CFR § 99.31(a)(1)), LegacyLink may be designated by the institution as a school official with a legitimate educational interest, provided it is under the institution's direct control regarding use and maintenance of education records. Our Data Processing Agreement contains the requisite language.

Directory information

Alumni contact fields (name, class year, address, email) are typically treated as directory information under FERPA and can be disclosed for alumni-relations purposes unless the individual has opted out. LegacyLink supports an in-product opt-out that is honoured across all channels.

Consent for non-directory data

Any disclosure of non-directory education records via the platform requires prior written consent, captured and stored on the alumni profile.

Retention & deletion

Institutions can configure retention windows per record type. Alumni can request deletion via the in-product privacy centre; requests are actioned within the institution's chosen SLA.

Recordkeeping

LegacyLink maintains an audit log of privileged access to student/alumni records, available to institutional administrators, supporting the § 99.32 recordkeeping requirement.

Additional US state privacy laws

The controls above are designed to compose with SOPPA (Illinois), the CSDPA (New York), CCPA/CPRA (California, for adult alumni), and similar state frameworks. State-specific addenda are available on request.

501(c)(3) receipting (roadmap)

IRS-compliant contemporaneous written acknowledgements for tax-deductible gifts are on the Phase 2 roadmap for US institutions on the flat-SaaS pricing model.


Shared responsibility: LegacyLink provides the platform controls described above. Each institution (the data controller) is responsible for its own lawful basis, alumni notices, retention decisions, and any additional local requirements. This page is app-owner editable content, not independent legal advice or a certification issued by a third party.