At The College Application Specialist, we understand that you’re trusting us with sensitive information about your student’s academic journey, your family’s financial considerations, and your college planning strategies. We take that responsibility seriously.
This page explains exactly how we protect your information—in plain language, without the legal jargon.
Most educational consultants treat data security as an afterthought. We’ve built it into every aspect of how we work.
Not Consumer Tools:
• We use Google Workspace for Business—the same enterprise platform used by Fortune 500 companies
• We don’t use free, consumer-grade Gmail or Google Drive that scan your emails for advertising
• Our business accounts have contractual data protection commitments that consumer accounts don’t
Why This Matters: When you share your student’s essay or transcript with us, it’s not being scanned by algorithms to sell you ads. Your data is protected by business-grade security with legal guarantees.
Unlike many consultants who hoard client files indefinitely, we have a documented deletion schedule:
What Gets Deleted Immediately:
• FAFSA and financial information: Deleted as soon as service ends
• We have no reason to keep sensitive financial data, so we don’t
What Gets Deleted After 5 Years:
• Application essays (with personal information)
• College application materials
• We may keep de-identified essay examples (no names, no personal details) for training purposes, but you can request deletion of these too
What We Keep for 7 Years:
• Payment records (required by IRS for tax purposes)
• Service contracts (required for legal compliance)
• Session notes (required for professional liability protection)
Why This Matters: The longer data exists, the higher the risk of a breach. We minimize your exposure by deleting information we don’t need.
[Want to know more about our retention policy? See our complete Privacy Policy]
Complete Transparency:
We maintain a complete inventory of every platform that touches your data:
• GoHighLevel (our CRM and communication hub)
• Google Workspace (secure email and file storage)
• Microsoft OneDrive (document backup and storage)
• Zoom (video counseling sessions)
• Stripe, PayPal, Square, QuickBooks (payment processing)
We Don’t:
• Use sketchy third-party tools you’ve never heard of
• Share data with marketers or data brokers
• Sell email lists or contact information
• “Monetize” your family’s information in any way
We Never Sell Your Information. Ever.
[See complete list of service providers in our Privacy Policy]
What “Encryption” Actually Means:
Think of encryption like a locked safe:
• Your files are scrambled into unreadable code before being stored
• Only authorized people with the “key” can unscramble and read them
• Even if someone hacked our systems, your files would be useless gibberish
Our Encryption Standards:
Files at Rest (Stored):
• AES-256 encryption (military-grade, same as banks)
• Encrypted on Google and Microsoft servers
Files in Transit (Moving):
• TLS encryption (the “lock” icon you see in your browser)
• Protects data traveling between your device and our systems
Email Communications:
• End-to-end encryption when both parties use secure email
• Encrypted storage of all email correspondence
You know that annoying extra step when you log into your bank? That’s MFA, and it stops 99.9% of hacking attempts.
How We Use It:
• Required on all our business accounts
• Protects your data even if a password is compromised
• Means a hacker would need BOTH our password AND our phone to access client files
What You Can Do: We encourage families to enable MFA on their own accounts too. It’s the single most effective security measure you can take.
Granular Access Controls:
Not everyone at TCAS sees all client information. We use role-based access:
Tamara (Owner):
• Full access to client files and communications
• Oversees all security practices
Future Team Members:
• Access only to the specific clients they work with
• Cannot access other families’ information
• Regular access audits to ensure no unauthorized viewing
Your Family:
• Student access: Only to their own materials
• Parent access: Full access to student materials (for students under 18)
• Age 18 transition: Students can control parental access when they turn 18
Former Clients:
• Access revoked within 24 hours of service completion
• Cannot access shared folders after service ends
• Regular quarterly audits to verify no orphaned access
You’ll Always Know When You’re Being Recorded:
Before Every Session:
• Email confirmation includes recording notice
• Verbal confirmation at start: “This session will be recorded for note-taking. Do I have your consent?”
• Zoom displays recording indicator
You Can Always Decline:
• No penalty for declining recording
• We’ll take manual notes instead
• One-on-one sessions remain private regardless
How Recordings Are Protected:
• Stored in password-protected, client-specific folders
• Accessible only to you and TCAS staff
• Never used for public marketing without explicit written consent
• Deleted according to retention schedule or upon request
Maryland Law Compliance: Maryland requires all parties to consent to recording. We comply through multiple notice methods and your explicit verbal consent.
[See complete recording policy in our Privacy Policy]
Data Breach Response Plan:
Despite our best efforts, no system is 100% secure. Here’s what happens if there’s ever a breach:
Within 72 Hours:
• We notify all affected families via email
• We explain exactly what information was compromised
• We provide specific guidance on protective steps you can take
Immediately:
• We investigate the cause and close the security gap
• We work with cybersecurity experts to prevent recurrence
• We comply with all data breach notification laws
Ongoing:
• We monitor for fraudulent use of compromised data
• We provide updates as we learn more
• We take responsibility and make it right
Our Commitment: We won’t hide a breach or downplay the risk. You deserve honest, immediate communication so you can protect your family.
Our AI-powered tool has additional security measures:
• Email address (for login)
• IP address (for security and fraud prevention)
• General location (city/state level, not precise GPS)
• Conversation history (your questions and YAC’s responses)
• Share your conversations with other students
• Use your data to train AI models (contractual commitment from AI providers)
• Track your browsing outside of YAC
• Access other apps or information on your device
• Collect precise location or GPS coordinates
• Encrypted login (password protection)
• Secure HTTPS connection
• Regular security updates
• Session timeout after inactivity
• Immediate access revocation when service ends
We recommend students avoid sharing in YAC:
• Social Security numbers or government IDs
• Bank account or credit card information
• Full names of teachers or recommenders
• Specific medical diagnoses or detailed health information
General academic info (GPA ranges, test scores, college interests) is fine.
[Learn more about YAC in our Privacy Policy]
❌ Use “free” tools that monetize your data
• No free Gmail scanning your emails for ads
• No consumer Dropbox selling insights about your files
• No sketchy freemium apps with unclear data practices
❌ Share information for marketing purposes
• We don’t sell email lists
• We don’t share data with data brokers
• We don’t “partner” with companies to monetize your information
❌ Keep data longer than necessary
• No indefinite retention “just in case”
• No hoarding of sensitive financial information
• Clear deletion schedules and enforcement
❌ Hide our practices in legal jargon
• Our privacy policy is written in plain language
• We explain exactly what we do and why
• No surprises or hidden clauses
❌ Ignore security because “we’re too small to be targeted”
• Small businesses are actually MORE targeted (less security)
• We invest in enterprise-grade security regardless of company size
• Your data deserves protection whether we have 10 clients or 1,000
We’re making our security even better:
We’re consolidating from multiple platforms to primarily GoHighLevel for:
• Website hosting
• Client communication
• Scheduling and forms
• Community and course delivery
Fewer Platforms = Lower Risk:
• Fewer potential breach points
• Simpler access management
• Better oversight and monitoring
• Reduced complexity = fewer mistakes
Better Security Features:
• GoHighLevel has SOC 2 Type II certification
• Enhanced encryption and access controls
• Dedicated security team monitoring threats
• Regular third-party security audits
• Seamless migration of your data
• No action required from clients
• Same level of service, better security
• Old platforms wiped clean within 30 days
We do our part, but you can help too:
• Don’t reuse passwords across sites
• Use a password manager (1Password, LastPass, Bitwarden)
• Change passwords if you suspect compromise
• On your email accounts
• On any accounts you share with us
• On student college application portals
• Don’t send Social Security numbers via regular email
• Use secure file sharing (like our Google Drive folders)
• Call us if you’re unsure how to share something securely
• We’ll never ask for passwords via email
• Verify sender email addresses carefully
• When in doubt, call us directly
• Install security updates promptly
• Use antivirus software
• Lock devices when not in use
• Be careful on public WiFi
We comply with:
✅ California Consumer Privacy Act (CCPA)
• Rights to know, delete, and correct your information
• No sale of personal information
• Clear opt-out mechanisms
✅ Maryland Recording Laws
• Two-party consent for all recordings
• Multiple notice methods before recording
• Right to decline without penalty
✅ CAN-SPAM Act
• Clear unsubscribe options in all marketing emails
• Honest subject lines and sender information
• Prompt processing of opt-out requests
✅ COPPA Compliance Strategy
• Services for ages 14+ (avoiding under-13 requirements)
• Parental consent for minors 14-17
• Clear age restrictions on AI tools
✅ FERPA Principles
• Respect educational record privacy
• Age 18 rights transfer process
• Parental access controls
Our Service Providers’ Certifications:
• Google Workspace: SOC 2/3, ISO 27001, HIPAA-eligible
• GoHighLevel: SOC 2 Type II
• Microsoft: SOC 1/2/3, ISO 27001, ISO 27018, HIPAA
• Zoom: SOC 2, ISO 27001, HIPAA-compliant
We don’t just set it and forget it:
• Access audits (who can see what)
• Review and remove inactive user access
• Update password policies
• Review vendor security practices
• Privacy policy review and update
• Security training for all team members
• Vendor security reassessment
• Data retention enforcement
• Monitor for suspicious login attempts
• Track data breach news in our industry
• Stay current on privacy law changes
• Implement security updates promptly
Before You Engage Services:
• How your data will be stored and protected
• What specific security measures apply to your family
• How we handle different types of sensitive information
• Any concerns about privacy or security
During Services:
• Request access to your data at any time
• Ask how specific information is being used
• Request deletion of specific files
• Report security concerns immediately
After Services:
• Request confirmation of data deletion
• Verify access has been revoked
• Export your data for your records
• Ask about retention for specific documents
Privacy-Specific Questions: Email: [email protected]
General Inquiries: Email: [email protected]
Website: www.sayyestocollege.com
We Respond Within:
• Privacy requests: 30 days (usually much faster)
• Security concerns: 24 hours
• General questions: 1-2 business days
Data security isn’t just a checkbox for us—it’s how we operate.
We’re not a big company with a dedicated IT department, but we use the same enterprise-grade tools and practices that big companies use. We’re transparent about what we do, honest about limitations, and committed to protecting your family’s information.
Your trust is everything. We earn it through consistent, transparent security practices—not marketing promises.
Most college counselors can’t answer basic questions like:
• “Where is my data stored?”
• “How long do you keep files?”
• “Do you use free consumer tools or business accounts?”
• “What happens to my data if I cancel?”
We can answer all of these—in detail—because we’ve built security into our business from day one.
That’s the TCAS difference.
Last Updated: March 1, 2026
This page provides general information about our data security practices. For complete legal details, see our Privacy Policy. For specific questions about your data, contact us directly.