Privacy Policy
Effective: May 26, 2026 · Last updated: May 27, 2026
The Engineering and Science Academy (“TESA,” “we,” “us,” or “our”) operates the website at tesa4space.org and delivers credit-bearing aerospace education programs to high-school students and professional development to educators. Because we serve minors and accept payments through a third-party processor, we take the privacy and security of personal information seriously. This Privacy Policy explains what information we collect, how we use and share it, and the rights and choices available to you.
This Privacy Policy is implemented under, and is consistent with, TESA's internal Information Security and Protection Policy (Effective May 26, 2026), which sets binding controls aligned to the NIST Cybersecurity Framework (CSF) 2.0, CIS Critical Security Controls v8, PCI DSS v4.0.1, and the federal and Maryland statutes referenced below.
1. Information we collect
1.1 Information you give us
- Applicant information when you submit a program application: full name, age, email address, preferred session date, prior flight training (yes/no and hours), and an essay response.
- Parent or legal guardian information when the applicant is under 18: guardian name, email address, phone number, and an explicit consent indication. We require parental consent before processing applications from minors under 18.
- Educator information for our Teachers in Space Suits program: school or organization, grade levels taught, and essay responses.
- Contact-form messages you submit through our contact page: your name, email, and the message text.
1.2 Information collected automatically
- Technical data from your browser or device: IP address (truncated for analytics purposes), browser type, device type, referring URL, pages viewed, and time stamps. We do not associate this data with applicant records unless required for security or fraud investigation.
- Cookies and similar technologies. See Section 5.
1.3 Information from third parties
- Payment data from Stripe. When you complete a payment, our payment processor (Stripe, Inc.) shares limited transaction metadata with us — a Stripe customer identifier, the amount paid, the last four digits and expiration of the card, the card brand, and the country of issuance. We do not receive or store your full card number (PAN) or CVV.
1.4 Information we do not collect
We do not collect Social Security numbers, government IDs, biometric identifiers, precise geolocation, full payment-card numbers, or sensitive categories of data beyond what is described above. We do not knowingly collect personal information from any child under 13 without verifiable parental consent, and our application form blocks submissions from anyone identifying as under 13 (see Section 7).
2. How we use information
- To review and respond to program applications.
- To communicate with applicants and guardians about application status, approval, payment, scheduling, and program logistics.
- To process tuition payments through Stripe.
- To deliver instruction, manage attendance, and award credit or certifications.
- To operate, secure, and improve the TESA website and learning environment, including fraud prevention and abuse mitigation.
- To respond to questions submitted through the contact form.
- To comply with our legal obligations, respond to lawful requests, and enforce our agreements.
We do not use personal information for targeted advertising, profiling, or sale to third parties. We do not engage in targeted advertising directed at any individual we know or reasonably should know is under 18.
3. How we share information
We share personal information only with the following categories of recipients, each under a written agreement that requires them to protect the data and use it only for the purposes we direct.
- Stripe, Inc. — payment processing (PCI DSS Level 1 certified).
- Resend, Inc. — transactional email delivery (applicant confirmations, approval emails, payment receipts).
- Railway Corp. — application hosting and database hosting.
- Cloudflare, Inc. — DNS, edge security, DDoS protection, and TLS termination.
- Google LLC — Google Analytics 4 (only when you accept analytics cookies; see Section 5).
- YouTube (Google LLC) — embedded videos served via the privacy-enhanced youtube-nocookie.com domain.
- Microsoft Corp. — TESA staff email, document storage, and virtual-classroom infrastructure (Microsoft 365).
- Tidewater Aviation — when you elect the optional Discovery Flight add-on, we share the information needed to schedule your flight (name and contact details).
- Educational and accreditation partners — when necessary to record credit, provide transcripts, or maintain accreditation; only with consent or as permitted by FERPA.
- Legal authorities — when required by law, subpoena, court order, or to protect the safety of TESA, its students, or the public.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
4. Educational records (FERPA)
To the extent the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g) applies to records we maintain in our capacity as an educational institution, we will:
- Provide annual notice of FERPA rights to enrolled students and their parents or guardians.
- Honor inspection requests within 45 days of receipt.
- Disclose education records only with written consent or under a FERPA-permitted exception (e.g., transfer to an enrolling school, court order, health and safety emergency), and log every such disclosure.
- Permit students and parents to request correction of inaccurate records through a documented amendment process.
Inquiries about education records should be directed to [email protected] (Lt. Cdr. Diallo Wallace, USN (Ret.), Founder & Chief Administrator).
5. Cookies and similar technologies
We use two categories of cookies and similar technologies:
- Essential cookies are required for the site to function — for example, the cookie that keeps an administrator signed in, and cookies set by Stripe on its hosted Checkout page to complete a payment. Essential cookies always load.
- Analytics cookies (Google Analytics 4, measurement ID G-JWQZTXF68D) help us understand aggregate site usage so we can improve the experience. Analytics cookies only load if you click “Accept” on our cookie banner. If you click “Reject,” Google Analytics is not loaded and no analytics cookies are set.
To change your choice, clear your browser's storage for tesa4space.org and reload the page. We do not use cookies for advertising and we do not allow third-party advertisers to set cookies on our site.
6. Children's privacy
TESA programs are designed for high-school students (typically ages 14–18) and adult educators. Our application form blocks submissions from any applicant indicating an age below 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent, as required by the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.; 16 CFR Part 312).
For applicants ages 13–17, we require the name, email, phone, and explicit consent of a parent or legal guardian before accepting the application. Parents and guardians may review or request deletion of their child's information at any time by emailing [email protected].
7. Your privacy rights
7.1 All visitors
You may request that we:
- Confirm whether we hold personal information about you;
- Provide a copy of that information;
- Correct inaccurate information;
- Delete information we hold about you, subject to legal and educational-record retention requirements;
- Stop processing your information for marketing purposes.
Submit requests by emailing [email protected]. We will verify your identity (typically by replying to the email address we have on file) and respond within 45 days.
7.2 Maryland residents
The Maryland Online Data Privacy Act of 2024 (MODPA, Md. Code Ann., Com. Law § 14-4701 et seq.) grants Maryland residents additional rights, including the right to access, correct, delete, and obtain a portable copy of personal data, and to opt out of processing of sensitive data. TESA does not sell personal data, does not engage in targeted advertising, and does not use personal data for profiling that produces legal or similarly significant effects. We honor these rights through the same contact channel above.
Maryland residents are also protected by the Maryland Student Data Privacy Act of 2015 (Md. Code Ann., Educ. § 4-131) and the Maryland Personal Information Protection Act (MPIPA, Md. Code Ann., Com. Law § 14-3501 et seq.), under which we will notify affected Maryland residents and the Maryland Office of the Attorney General within 45 days of discovery of a security breach reasonably likely to result in misuse of personal information.
7.3 California, Virginia, Colorado, Connecticut, Utah, and other states
Residents of states with comprehensive privacy laws (including California's CCPA/CPRA, Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, and Utah's UCPA) have rights substantially similar to those described above. We honor verified requests from residents of these states on the same terms. California residents have a specific right to know what personal information we have collected, disclosed, or sold in the preceding 12 months; we do not sell personal information, so the response will reflect collection and disclosure only.
7.4 Authorized agents and appeals
You may designate an authorized agent to act on your behalf by providing written authorization. If we deny a privacy request, you may appeal by replying to our denial within 60 days, and we will respond to the appeal within an additional 45 days.
8. Data retention
We keep personal information only as long as necessary for the purposes described above. Our retention schedule:
- Active applicant data: for the duration of the application and program, plus five years.
- Education records (grades, certificates, transcripts): seven years post-completion.
- Payment metadata (Stripe customer ID, last 4, expiration, brand — never the PAN): seven years for tax and audit purposes.
- Marketing email subscribers: until unsubscribed plus 30 days.
- Server access logs and edge logs: 90 days hot, up to one year cold.
- Incident-response records: seven years.
When the retention period expires, records are deleted from our systems through cryptographic erasure or secure deletion. Backups are aged out per the same schedule.
9. Data security
We protect personal information using administrative, technical, and physical safeguards proportionate to its sensitivity:
- TLS 1.2+ encryption in transit for all site traffic.
- Cloudflare edge security (Web Application Firewall, DDoS mitigation, bot management, rate limiting).
- Database connections require TLS; secrets are stored only as encrypted environment variables.
- Administrator access is gated by HMAC-signed session cookies and requires per-user credentials.
- All payment-card data is handled exclusively by Stripe under PCI DSS Level 1; TESA does not see or store full card numbers.
- Daily automated database backups and tested restore procedures.
- Annual review of this Privacy Policy and the underlying Information Security and Protection Policy, including a documented Risk Register and Vendor Risk Register.
No method of transmission over the Internet is 100% secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.
10. Email communications
Transactional emails (application confirmation, approval, payment receipt) are sent through Resend from [email protected]. We do not currently send marketing emails. If we begin marketing communications, you will have the right to opt out at any time, and every marketing email will contain an unsubscribe link.
11. International users
TESA operates from the United States and our programs are delivered in Maryland. By using our site or submitting an application, you understand that your information will be processed in the United States. We do not actively market to residents of the European Union, the United Kingdom, or other jurisdictions outside the United States.
12. Changes to this policy
We review and re-approve this policy at least annually, on or before May 26 of each year. We may update it sooner if our practices change or to comply with legal requirements. The “Last updated” date above will reflect the most recent change. Material changes will be highlighted on the site and, where appropriate, notified to existing applicants by email.
13. Contact us
For privacy questions, requests, or complaints:
The Engineering and Science Academy (TESA)
Attn: Privacy
[P.O. Box — to be added before launch]
Queen Anne's County, Maryland
Email: [email protected]
FERPA / Data Protection Officer: [email protected]
This Privacy Policy is provided for transparency. Nothing in this Privacy Policy creates a contractual right between you and TESA. Your use of the TESA website is governed by our Terms of Service.
