Online Privacy Statement

Introduction

‘SchoolParency’; ‘we’; ‘us’; and ‘our’; means SchoolParency of North Massapequa, New York State, US.

SchoolParency is a platform designed for the communications and transparency between Home (Parent and Student) and School (Teachers and Administrators). SchoolParency has been designed for the adoption and use by administrators, teachers, parents, and students who fall within the demographics of pre-K-12 school ages. Those who utilize SchoolParency can share messages about school logistics, school functions, school calendars, classroom learning, directory information, files, and media files.

To provide our services to you, we must process personal data, or Personally Identifiable Information (PII). We are committed to maintaining the highest standards of compliance with regulatory environments.

State and federal laws such as Education Law § 2-d; the Commissioner of Education’s Regulations at 8 NYCRR Part 121, the Family Educational Rights and Privacy Act (“FERPA”) at 12 U.S.C. 1232g (34 CFR Part 99); Children’s Online Privacy Protection Act (“COPPA”) at 15 U.S.C. 6501-6502 (16 CFR Part 312); Protection of Pupil Rights Amendment (“PPRA”) at 20 U.S.C. 1232h (34 CFR Part 98); the Individuals with Disabilities Education Act (“IDEA”) at 20 U.S.C. 1400 et seq. (34 CFR Part 300); protect the confidentiality of a student’s identifiable information.

This Privacy Policy aims to explain to the Users of our Service and Website how we process personal data so that you can make well-informed decisions regarding your legal rights. The Policy also aims to outlay our duties and responsibilities to process Student, Parent, and School Staff Data securely, including but not limited to the transfer and storage of PII from you, the LEA (Local Education Authority).

All documents and data transferred belonging to students, teachers, or principals are done within the scope and according to the New York State Education Law 2-d.

When does this Privacy Policy apply?

This Policy applies to the personal information that we collect, use or ask you to provide to help us establish and manage your SchoolParency account through your applicable LEA. Where you contact our team by email, we are the Data Controller of the data being processed. This Privacy Policy applies as soon as you access our Services, visit our Website, contact or engage with us.

We may update this Privacy Policy from time to time to keep up with legislative or regulatory changes and ensure that it remains in-line with our business needs and obligations. Any update or modification of the current version of this Policy will be considered applicable from its publication time. If we make material changes, such as how we may use your personal information, we will notify you prior to the change becoming effective. Our notification will be via email, a notice to our home page, and by email to your parents/guardians, if you are a minor, in order to obtain consent for new uses to your personal information, if required. We strongly suggest that you read our Terms of Use so you may understand additional terms and conditions that may apply to the use of our Website. Should you have any questions, comments, or suggestions concerning our privacy policy, we ask that you contact us at support@SchoolParency.com.

Without affecting your rights under any current applicable legislation, this Privacy Statement is not contractual by nature and does not form part of your contract with us. By using our services or products, you are presumed to have read and understood this Privacy Statement.

Types of data that we collect

We strive to be transparent about our practices concerning the collection and usage of personal data, or PII (Personally Identifiable Information).

Contact Data: Full name, email address, phone number, address (including district)
Student Performance Data – grade level, courses enrolled in, groups the student is a member of, primary language, language proficiency level, attendance records, student assignments, school trips attended or planned, Physical or Behavioural Identifying characteristics, Place of Birth, Date of Birth, School Enrolment details, Year of Graduation, Academic or Extracurricular activities, Standardised Test Scores, Student-Generated Content, teachers names,
Sensitive Student Data: Details of any free or reduced meal programs received by the student, the balance of the student’s meal account, details of how the student commutes to School (by bus, walks, driven by parent or guardian…), Gender, Attendance Record, Ethnicity or Race, Student Disability Information, living situation, medical alerts, low-income status
Transaction Data – information about payments and subscriptions to the Services and past transaction history.
Information you provide to us during customer service interactions and to receive technical assistance from us.
Device Data – Browser type and settings, IP address, Operating System (if applicable), Internet Connection type, Use of Cookies, User Interaction Metadata
Parent Data – Full name, relationship with the student, language preferences, email address, and phone number
School Staff Data: Full name, job title, courses responsible for (if applicable), name of School, address of School, type of School, contact details
Optional Data: career or income data, interests and hobbies, talents or achievements, messages and posts, photos and videos, comments, and engagements.
System data – SchoolParency username, login credentials, aggregated data, or other information that does not identify individuals, for example, information regarding our page views. App downloads, email delivery, test delivery, and engagement

Student Data or any other Education Records transmitted to the Provider pursuant to this Agreement is and will continue to be the property of and under the control of the LEA or to the party who provided such data (such as the student or parent.) All intellectual property rights, in and to Student Data or Education Records shall remain the exclusive property of the LEA or the party who provided such data.

How we use the data, we collect

Depending on your relationship with us, we may use your data to:

Provide you with our Service, features including but not limited to:
– Community Wall
– Communication
– Multi-tiered system
– School Shop
– Ribbons
– Points Systems
Create and manage your SchoolParency account
Please verify your identity and entitlement to services when you contact us or access our services (i.e., school eligibility and attendance)
Provide quotes for our services or negotiate a contract with you
Process your transactions
Monitor your School’s level of usage of our Service and identify areas of potential development.
Provide you with technical and customer support
Provide you with service messages about our products and services
We may use cookies to personalize your experience with our site and help you navigate through it. If you so choose, you may block or remove cookies using the technical settings on your browser, though some devices may not allow this. If you decide to disable cookies, it may impact your ability to enjoy all the services our site offers.

What grounds do we process your data under?

The General Data Protection Regulations (GDPR) of Europe forbids personal data processing unless we are collecting and using it in line with one of 6 lawful bases. The lawful bases we rely on are:

Consent: When individuals have given explicit consent for their personal data to be processed for a specific purpose. This consent must be well-informed and freely given.
Performance of a Contract: the processing is necessary for a performance of a contract or because they have been asked to take specific steps before entering into a contract.
Legal Obligation: the processing is necessary for us to comply with the law (not including contractual obligations)
Vital Interests: the processing is necessary to protect someone’s life.
Public Task: the processing is necessary to perform a task in the public interest or your official functions, and the task or function has a clear basis in law.
Legitimate Interests: the processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data, which overrides those legitimate interests

draw 2-D and your child’s data

NYS Education Law 2-D sets our specific standards to be met when processing student, teacher, or principal data. For more information on how we comply, please see Schedule A below.

Should you wish to report a suspected breach or unauthorized disclosure of child data, Complaints may be submitted to NYSED at http://www.nysed.gov/data-privacysecurity/report-improper-disclosure; by mail to Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234; by email to privacy@nysed.gov; or by telephone at 518-474- 0937.

If you have any questions or comments relating to the modification or erasure of student data, please feel free to contact your School directly or contact us at support@SchoolParency.com. In the event that we agree to amend or erase data on your behalf, we must share this data with your School to ensure your request is acted upon.

How long do we keep your personal data?

We process your personal data only for as long as necessary to achieve the purposes for which it was initially collected. After a student graduates or withdraws from attendance at their School, the School will delete their SchoolParency account and the data involved, as appropriate. Please note that account deletions can with reversed if needed within 30 days from closure.

Please note that we may have the retain elements of your personal information on some occasions after our relationship has ended. We are required to keep this data for as long as necessary to comply with our legal and regulatory obligations, including possible claims relating to the services we offer and the use of our Website.

Who do we share your data with?

We may share your data with the following third parties to fulfill our commitment to you. The PII that we collect and receive from a student, parent or educational institution, or agency is solely processed for service provision within this Policy’s scope. Please note that we will never share or sell your data to a third party:

SchoolParency account admins within your School. On occasion, other staff members within the School may be granted access to this information if deemed appropriate by the registered admins.
In the event that your School should wish to create an online directory, your contact information, including your name, email address, and phone number, would be made available for other registered parents/guardians in your School. This data, however, will not be shared outside of your School. You can opt-out of this, meaning your details will not be disclosed to any other parent/guardian in the online directory but will still be visible to registered staff at your School. Please see more information in ‘Other Rights and Obligations’ below.
Data processing companies and suppliers from time to time to help manage our Website and services, analyzing the use of our app and Website, sending emails (distributions), communication platform providers (phone calls and text messages), website hosting, providing customer support, and communications to users.
Technology service providers who host our information systems, back up servers, or that offer us technological support. These parties will be subject to the terms of this Privacy Policy, our Terms of Use, and their security and privacy obligations.
Administrative, judicial, and/or legal authorities in response to requirements, as long as they are required in accordance with the applicable law and regulations;
Our legal advisors when a claim is presented in relation to our services and products.
If we sell or buy any business or assets, in which case we may need to disclose your data to the prospective seller, buyer, or business partner.
Where we use a third party or service provider to provide our Service to you, we enter into written agreements with them as sub-processors, including specific data processing terms with the same level of protection as afforded by us.
FERPA is a federal statute governing the confidentiality and privacy of students’ educational records. Generally, PII relating to Student Educational Records should not be shared with a third party unless under the consent of the relevant parent or guardian (Model Notification of Rights under FERPA. However, FERPA (99.31(a)(1)(i)(B) offers two exemptions to this, one of which we utilize in our capacity as School Official. .

In line with COPPA rules, all third-party service providers/operators, including name and contact information (address, telephone number, and/or email address), will be made available on request.

International Transfers of Data

All our data is hosted in the United States. For those users who are in a country or region outside of the United States, please be advised the laws governing your private information may differ significantly from those laws in the United States that govern the collection and securing of personal information. By submitting your Personal Data to us, you agree to the transfer, storage, and processing of your Personal Data in the United States.
Where we use certain service providers within the EU or process a EU citizen’s data, we may use specific contracts approved by the European Commission which give personal data the same protection as it has in Europe called Standard Contractual Clauses (SCCs)

Security of your data

As per draw 2-D(b)(3), all applicable state and federal laws and regulations pertaining to data privacy and security. Within the scope of Service provision, safeguards considered to meet industry standards are; encryption, firewalls, and password protection

SchoolParency has incorporated technical and organizational security measures in protecting PII. When student data is transferred, it is done so in an encrypted fashion and transmitted securely. Access to the SchoolParency site is only through authentication of one’s username and password, which should remain confidential to the user. It is the responsibility of the LEA to ensure that unauthorized person(s) do not gain access to the Service, your school account, or any parent, student, or teacher PII. If a breach has occurred, the LEA should notify SchoolParency without undue delay and, where possible, within 72 hours (including weekends and non-business days).

Your information is protected on a server that is behind a firewall; while utilizing security software to maintain the confidentiality of the personal information we have accumulated. In the unlikely event of a security breach of a user’s personal information, we shall notify all users whose information may

[1] FERPA (§ 99.31(a)(1)(i)(B)) permits schools to outsource institutional services or functions that involve the disclosure of education records to contractors, consultants, volunteers, or other third parties provided that the outside party:

Performs an institutional service or function for which the agency or institution would otherwise use employees;
Is under the direct control of the agency or institution concerning the use and maintenance of education records;
It is subject to the requirements in § 99.33(a) that the personally identifiable information (PII) from education records may be used only for the purposes for which the disclosure was made, e.g., to promote school safety and the physical security of students, and to govern the redisclosure of PII from education records; and
Meets the criteria specified in the School or local educational agency’s (LEA’s) annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records.

have been comprised to both the data subject and the LEA, in accordance with all applicable laws and regulations and their capacity as the data controller. We will also post a notice on our site of such a potential breach.

In line with NYS ED Law 2-D, in the case of a Security Incident or Data Breach involving Student Data, the LEA shall notify the parent or eligible student of any authorized release of Student Data involving Personally Identifiable Information from the student records in the most practical way possible and without undue delay.

In any notification to a parent, guardian, or eligible student due to a Security Incident by SchoolParency or any of our providers or sub-contractors, or if the Security Incident is unrelated to the LEA actions or omissions, SchoolParency, if so requested, shall reimburse the LEA for the full cost of such notification.

Links to other sites

Our Website may contain links to other third-party websites and services. This Privacy Policy does not apply to any links provided to you by anyone other than us. Third parties will appoint their privacy policies, and these should be consulted should you have any queries about how they process your data. We have no control over such third-party Website and have no responsibility for their actions.

Rights under GDPR

Any personal information you supply will be treated in accordance with applicable data protection laws, including the GDPR (EU) and any other applicable or superseding laws. We are committed to delivering the rights individuals are entitled to and upholding a transparent approach to processing data. These are:

The right to request a copy of the personal information we collected about you in the last 12 months. To do this, please contact us at support@schoolparency.com to request a copy including full details of what you require. You may also be required to submit or demonstrate proof of your identity.
The right to object (right to be forgotten) to your personal information being used for specific purposes. Where required, we ensure we will obtain your consent before undertaking marketing or data selling, and you will always have the ability to opt-out.
The right to rectification: You may request that we correct any inaccurate and/or complete any incomplete personal information. Unless your particular School does not allow for it, you may review, update, correct and add or delete your personal information in your account by logging on to SchoolParency. If your School does not allow you to do this, then instructions on how to rectify your information will be provided.
The right to withdraw consent: Where we are processing your personal information on the basis that you have given us your consent to do so, you may withdraw your consent at any time.
The right of erasure: You may request that we erase your personal information, and we will comply unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for retaining your personal information, such as keeping your payment information for several years to comply with tax laws or protect SchoolParency in any legal disputes.
The right to data portability: Under GDPR, in certain circumstances, you may request that we provide your personal information to you in a structured, commonly used, and machine-readable format and have it transferred to another provider of the same or similar services to us. Where this right is applicable, we will comply with such transfer as far as it is technically feasible.

Other Rights and Responsibilities

SchoolParency agrees to assist LEAs in fulfilling their data privacy obligations, including assisting in data subject rights requests and claims.
Where an LEA wishes to compile a Contact Directory, the LEA should warrant and guarantee to SchoolParency that it complies with the Directory Information Exemption offered by FERPA 2003. This exemption includes, without limitation, informing parents, guardians, and students what information the LEA considers to be “Directory Information” and the information they wish to disclose. Parents, Guardians, and Students should be offered a reasonable amount of time to object to the LEA disclosing their PII for the purposes of building a Contact Directory.
LEAs should comply with the School Official Exemption, including, without limitation, confirming to parents and guardians in their annual notification of FERPA rights that the Educational Institution considers their service providers as ‘School Officials’ is considered a ‘School Official’ and offer a definition of “legitimate educational interest” to include services provided by SchoolParency.
SchoolParency will ensure that all company personnel with access to student data, regardless of how limited it may be, is subject to confidentiality clauses in line with data privacy laws.
If you receive a data subject access request or require copies of Student Data held by SchoolParency to provide a copy to the data subject, we will provide you with copies of requested data within a thirty (30) day period.
Upon written request or following the termination of any service agreement, SchoolParency will securely destroy the relevant Student Data as soon as reasonably practicable following the thirty (30) day reversal period to allow an opportunity for any accounts closed in error to be reinstated.
We will never sell or release a student’s Personally Identifiable Information (“PII”) for commercial gain or purpose. As defined by Education Law 2-d and FERPA, PII includes direct identifiers such as a student’s name or identification number, parent’s name, or address; and indirect identifiers such as a student’s date of birth, which when linked to or combined with other information can be used to distinguish or trace a student’s identity. Please see FERPA’s regulations at 34 CFR 99.3 for further definition.
As part of SchoolParency’s commitment to transparency in data processing, please note that we will never use any PII supplied under the scope of the Service to target or direct advertising to any parents, guardians, or school staff without prior consent, wherever applicable.
SchoolParency ensure that all data processing falls within the scope as afforded by the provisions laid out in LEA’s Parents Bill of Rights (http://www.nysed.gov/common/nysed/files/programs/data-privacy-security/parents-bill-of-rights_2.pdf)
Under the Parents Bill of Rights, Parents and Guardians have the right to request to inspect and review the complete contents of the student’s education record stored or maintained by an educational agency. This right may not apply to parents of an Eligible Student (18 years or older). This also includes directing us to delete it and refusing to allow any further collection or use of your child’s information.
Parents and Guardians have the right to be notified according to applicable laws and regulations if a breach or unauthorized release of their child’s PII occurs.
We ensure any vendors we contract with that will receive PII will address statutory and regulatory data privacy and security requirements (FERPA; Education Law Section 2-d)
Unless integral to the provision of our Services (i.e., a software provider), you can consent to collecting and using your child’s information but still not allowing disclosure to third parties.
We commit to ensuring that you will be notified in accordance with all applicable laws and regulations if a breach or unauthorized release of PII occurs. We will notify you by email, US mail, telephone, or other means as permitted by law if it is determined that a data security incident occurred.
We ensure that our personnel is trained on applicable state and federal laws, policies, and safeguards associated with industry standards and best practices that protect PII.
SchoolParency will never require you or your child to disclose more information than is reasonably necessary to participate in an activity.
Should you decide you no longer wish to agree with the Privacy Policy and withdraw your consent, you may unsubscribe by just clicking on the link in the SchoolParency email which was sent to you by your School or contacts the School directly and ask them to delete your account. Another option is to contact us at support@SchoolParency.com and make this request. We will honor your request and respond to you within a reasonable time as per NYS law. SchoolParency will retain your information for as long as your account remains active (+ 30-day reversal period).

The right to lodge a complaint

We suggest that you contact us with any questions or have a complaint about how we process your personal information. You can reach us at support@schoolparency.com.

However, you have the right to lodge a complaint with a supervisory authority – particularly the supervisory authority of the State of your habitual residence or place of the alleged infringement – if you believe that the processing of your Personal Data does not comply with legal requirements.

For unauthorized disclosure of Child data, complaints may be submitted here or by mail to Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, NY 12234, by email to privacy@nysed.gov, or by telephone at 518-474-0937.

For EU Citizens, a list of Data Protection Authorities within the European Union is available here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

Schedule B – Sub-contractors

Provider	What they do for SchoolParency	Data involved in this processing
Digital Ocean	Digital Ocean provides SchoolParency with servers, databases, analytics, and network infrastructure.	All user personal information and uploaded content, device ID, request data, and all logs are stored on Digital Ocean. Passwords are stored as one-way hashes. All personal data is encrypted at rest.
Google Inc. (G Suite)	Utilized for SchoolParency internal emails, docs, slides, spreadsheets, etc.	SchoolParency stores its own emails and files using Google services. SchoolParency may share personal information with Google in the course of utilizing Google services, for example, if a user emails an employee for support.