Privacy Policy

1. Introduction

Classroom Pulse ("we," "our," or "us") provides a behavior observation and data collection platform specifically designed for educational settings. This Privacy Policy explains how we collect, use, protect, and share information when you use our services.

This policy applies to all users of our services including educators, school administrators, behavioral specialists, and authorized family members who access student data.

2. FERPA Compliance & Educational Privacy

We are committed to FERPA compliance:

• We act as a "School Official" under FERPA when handling educational records
• We only use student data for the educational purposes for which it was shared
• We do not disclose personally identifiable information from student records without consent
• We maintain direct control over the use and maintenance of education records
• We will delete student data upon request from the school or when no longer needed

COPPA Compliance:

• Our service is designed for use by educators and schools, not children directly
• We do not knowingly collect personal information directly from children under 13
• Schools obtain necessary parental consent before using our service with students
• Parents have the right to review and request deletion of their child's information

3. Information We Collect

Educator Account Information

• Name, email address, and professional role
• School or organization name and district
• Professional credentials (optional)
• Account preferences and settings
• Payment information (processed securely through Stripe, never stored by us)

Student Information

We minimize student data collection. We collect only:

• Student identifier (initials, ID number, or pseudonym - no full names required)
• Grade level and classroom assignment
• Behavioral observation data entered by educators
• Progress tracking and goal information
• IEP/BIP related notes (as entered by authorized staff)

Usage Information

• Anonymized app usage patterns to improve our service
• Device type and browser information for technical support
• IP address for security and fraud prevention
• Session data to maintain your login state

4. How We Use Information & Legal Basis

Processing Activities and Legal Basis (GDPR Article 6)

Special Category Data (GDPR Article 9)

Behavioral and health-related data may be considered special category data. We process this data based on:

• Explicit Consent: Schools provide consent for processing student behavioral data
• Substantial Public Interest: Supporting special education services
• Vital Interests: When necessary to protect student safety

We NEVER:

• Sell or rent student data to any third party
• Use student data for advertising or marketing
• Create profiles of students for non-educational purposes
• Share student data except as required by law or with explicit consent

5. Data Security & Protection

We implement comprehensive security measures to protect sensitive educational data:

Technical Safeguards

• 256-bit SSL/TLS encryption for all data in transit
• AES-256 encryption for data at rest
• Secure cloud infrastructure with SOC 2 Type II certified data centers
• Regular security audits and penetration testing
• Automated backup systems with point-in-time recovery
• Web Application Firewall (WAF) protection

Administrative Safeguards

• Role-based access controls with principle of least privilege
• Background checks for employees with data access
• Regular privacy and security training for all staff
• Strict data access logging and monitoring
• Incident response plan for potential breaches

6. Data Sharing & Third Parties

We limit data sharing to protect student privacy:

When We May Share Data

• With Consent: When schools or parents provide explicit written consent
• School Authorized: With other educators the school designates
• Service Providers: With carefully vetted providers who help operate our service (e.g., cloud hosting, payment processing) under strict confidentiality agreements
• Legal Requirements: When required by law, subpoena, or court order
• Safety: To protect the safety of students or others in emergency situations

Third-Party Services

We work with trusted service providers:

• Firebase (Google): Secure cloud infrastructure and database
• Stripe: Payment processing (no student data shared)
• SendGrid: Email notifications (educator emails only)

All third-party providers are contractually obligated to protect data according to our standards.

7. Data Retention & Deletion

Retention Periods

• Active Accounts: Data retained while account is active
• Inactive Student Data: Automatically archived after 1 school year of inactivity
• Deleted Accounts: Data removed within 30 days of deletion request
• Backup Retention: Secure backups retained for 90 days for recovery purposes

Data Deletion Rights

• Schools can request deletion of all their data at any time
• Individual student records can be deleted upon request
• Parents can request deletion of their child's data through the school
• Data export available before deletion for record-keeping

8. Your Rights & Choices

Educator Rights

• Access and download all data in your account
• Correct or update any information
• Delete your account and associated data
• Opt-out of non-essential communications
• Request a copy of this privacy policy

Parent/Guardian Rights

• Review their child's data (through school authorization)
• Request corrections to their child's records
• Request deletion of their child's data
• Opt-out of certain data uses
• Receive notification of any data breaches

School/District Rights

• Full control over their institution's data
• Audit logs of data access and modifications
• Bulk export capabilities for all student data
• Ability to designate authorized users and set permissions
• Right to terminate service and receive data export

9. International Data & Transfers

Classroom Pulse is based in the United States. By using our service, you understand that your data will be processed in the United States in accordance with U.S. laws. We ensure appropriate safeguards are in place for any international data transfers.

For users in the European Union, we comply with GDPR requirements including:

• Lawful basis for processing (legitimate interest or consent)
• Data minimization principles
• Right to erasure ("right to be forgotten")
• Data portability rights
• Privacy by design implementation

10. Communication & Notifications

Types of Communications

• Service Communications: Essential updates about your account, security, and service changes
• Educational Resources: Optional tips and best practices for behavior tracking
• Product Updates: Information about new features and improvements
• Security Alerts: Immediate notification of any security concerns

You can manage communication preferences in your account settings, except for essential service and security notifications.

11. Data Breach Notification

In the unlikely event of a data breach that compromises personal information, we will:

• Notify affected schools within 72 hours of discovery
• Provide details about what information was involved
• Describe steps we're taking to address the breach
• Offer guidance on protective measures
• Cooperate with schools to notify parents if required
• Document the incident and remediation steps taken

12. Updates to Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes:

• We will notify all users via email at least 30 days before changes take effect
• We will post the updated policy with a new effective date
• We will maintain a changelog of policy updates
• For significant changes affecting student data, we will seek renewed consent

13. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with GDPR and other privacy regulations. You can contact our DPO for:

• Questions about this privacy policy
• Requests to exercise your data protection rights
• Concerns about how we handle your data
• Data breach notifications
• Privacy impact assessments