Privacy Policy

1. Introduction

Chabad Chinuch ("we," "our," or "us") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our educational management platform. We comply with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and other applicable student privacy laws.

2. Information We Collect

2.1 Student Data

We collect student information provided by schools or parents, including:

• Student names, grade levels, and class assignments
• Attendance records
• Behavior logs and incident reports
• Assessments, grades, and academic progress
• Standards and skills tracking data
• Bus check-in/check-out records
• Emergency contact information
• Parent/guardian information

2.2 Teacher & Staff Information

• Names, email addresses, and contact information
• School affiliation and role
• Class assignments and schedules
• Login credentials (encrypted)

2.3 Parent Information

• Names, email addresses, and phone numbers
• Relationship to students
• Account credentials

2.4 Usage Data

• Log data (IP addresses, browser type, pages visited)
• Device information
• Usage patterns and preferences
• Audit logs of data access and modifications

3. How We Use Your Information

We use the collected information solely for educational purposes:

• Provide and maintain our educational services
• Track student progress and academic performance
• Facilitate communication between teachers, students, and parents
• Generate reports and analytics for educational improvement
• Manage attendance and behavior tracking
• Handle transportation and bus logistics
• Ensure platform security and prevent fraud
• Comply with legal obligations (FERPA, COPPA, state laws)
• Provide technical support and troubleshooting

We do NOT use student data for:

• Advertising or marketing purposes
• Behavioral profiling for commercial purposes
• Selling or renting data to third parties
• Any non-educational purpose

4. Data Sharing and Disclosure

We do not sell, trade, or rent student data. We may share information only with:

• The School: Teachers, administrators, and authorized staff within the school organization
• Parents/Guardians: For their own children's records, as authorized by the school
• Service Providers: Vendors who assist in platform operations (hosting, security, email notifications). All service providers must sign data protection agreements and cannot use data for their own purposes
• Legal Requirements: When required by law, court order, or to protect rights and safety
• With Explicit Consent: When the school or parent provides explicit written consent

We never share student data with advertisers or unrelated third parties.

5. Data Security

We implement industry-standard security measures to protect your data:

• Encryption of data in transit (HTTPS/TLS) and at rest
• Secure authentication with password hashing
• Role-based access controls
• Multi-school data separation
• Audit logs for all data access and modifications
• Regular security audits and updates
• Secure data centers with physical security
• Incident response procedures
• Regular backups with encryption

A detailed Security Policy is available upon request or at /legal/schools.

6. Student Privacy (FERPA Compliance)

We comply with the Family Educational Rights and Privacy Act (FERPA) and are designated as a School Official with a legitimate educational interest. We:

• Protect student education records as required by FERPA
• Limit access to authorized school officials and parents
• Do not disclose personally identifiable information without consent
• Allow parents to review and request corrections to their child's records
• Maintain student data ownership with the school
• Provide data export capabilities upon request
• Delete data according to school requests and retention policies

Our Data Processing Agreement (DPA) further details our FERPA compliance obligations.

7. Children's Privacy (COPPA Compliance)

We comply with the Children's Online Privacy Protection Act (COPPA). For children under 13:

• Schools may consent on behalf of parents for educational use (COPPA "School as Agent" provision)
• Parents may directly provide consent through school invitation or account creation
• We collect only information necessary for educational services
• We do not allow children to submit personal information directly
• We do not use children's data for advertising or commercial purposes

For detailed COPPA information, see our COPPA Notice.

8. State Student Privacy Laws

We comply with applicable state student privacy laws, including:

• California SOPIPA (Student Online Personal Information Protection Act)
• New York Education Law §2-d
• Colorado SB 16-173
• Texas Student Privacy Laws
• Other applicable state regulations

9. Data Retention and Deletion

We retain student data only as long as necessary:

• Active Schools: Data is retained while the school's account is active
• School Termination: Data is archived for 60 days, then permanently deleted
• School Requests: We delete specific student records within 10 business days of request
• Audit Logs: Retained for 1 year for compliance, unless longer retention is required

For detailed retention policies, see our Data Retention Policy.

10. Data Ownership and Export

Schools own 100% of all Student Data. Schools may:

• Access, edit, export, or delete student data at any time
• Request full data exports in CSV, JSON, or SQL format
• Request deletion of individual students, classes, or full database
• Transfer data to other systems

We provide data exports within 10 business days of request. See our Data Ownership & Export Statement for details.

11. Breach Notification

In the event of unauthorized access or disclosure of student data, we will:

• Notify affected schools within 72 hours of confirming a breach
• Provide details about what happened and what data was affected
• Describe steps taken to contain and remediate the issue
• Offer guidance and support for schools
• Cooperate fully in any investigation

See our Incident Response Plan for details.

12. Your Rights

You have the right to:

• Access your personal information
• Correct inaccurate data
• Request deletion (subject to legal requirements and school policies)
• Opt-out of non-essential communications
• Data portability and export
• Review audit logs of data access

Parents requesting corrections or deletions should contact their child's school, as schools control educational records under FERPA.

13. Subprocessors

We may use service providers (subprocessors) to support platform operations, such as:

• Hosting and infrastructure providers (e.g., Supabase)
• Email notification services
• Security and monitoring tools

All subprocessors must sign data protection agreements and meet equal or higher security standards. They cannot use student data for any purpose outside of providing the services. A current list of subprocessors is available upon request.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect legal changes, operational updates, or improvements. We will notify schools of material changes via email or platform notification. The "Last Updated" date at the top indicates when this policy was last revised. Continued use of the platform after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

For school-specific legal agreements, please visit /legal/schools.