Privacy Policy
Last updated: May 23, 2026
Companion documents: Terms of Service, Security Overview, Sub-processors, Student Data Privacy.
1. Who we are
EduSched, Inc. ("EduSched," "we," "us," or "our") is a Delaware corporation that provides a flex-period scheduling, planning, and student-engagement platform for K-12 schools (the "Service"). Schools and school districts ("Schools") license the Service to operate their flex periods, special days, planners, and related workflows.
We are a service provider to Schools under FERPA, COPPA, the California Consumer Privacy Act (as amended by the CPRA), and analogous state laws. We act only on the documented instructions of the School and only for the purposes authorized in our contract with that School.
2. Scope of this policy
This Privacy Policy describes how EduSched collects, uses, shares, retains, and protects information in connection with the Service. It applies to:
- Students of any age enrolled at a licensed School
- Parents and guardians who use the parent-access surface
- Teachers, counselors, school administrators, district administrators, substitutes, and outside presenters
- Visitors to our public marketing pages
Where the School is the controller of education records (which is the case for all student data on the Service), the School's own privacy notice and Data Privacy Agreement with EduSched govern in the first instance. This policy is consistent with those documents and explains EduSched's practices in plain language.
3. Applicable laws we comply with
- FERPA — Family Educational Rights and Privacy Act, 20 U.S.C. §1232g, 34 CFR Part 99
- COPPA — Children's Online Privacy Protection Act, 15 U.S.C. §§6501–6506, 16 CFR Part 312
- PPRA — Protection of Pupil Rights Amendment, 20 U.S.C. §1232h
- IDEA / Section 504 — protections for special-education and accommodation records
- SOPIPA — California Student Online Personal Information Protection Act, Cal. Bus. & Prof. Code §§22584–22585
- AB 1584 — California Education Code §49073.1
- CCPA / CPRA — California Consumer Privacy Act as amended, Cal. Civ. Code §1798.100 et seq.
- NDPA Standard v1.0a — SDPC National Data Privacy Agreement framework, executed with each licensed district
State-specific addenda are appended to the NDPA on a per-district basis. The California Exhibit applies to all California districts, including Irvine Unified School District.
4. Categories of information we collect
We collect only information necessary to operate the contracted Service. Categories and sources are listed below; the full column-by-column inventory is published in our public Schedule A (Data Elements) at /security#sub-processors.
4.1 Identifiers and profile
- Full name, school email, role, school, district
- Grade level and school-issued student ID (for students)
- Phone number (optional; staff only by default; student SMS requires district enablement and, for under-13 students, parent consent)
- Date of birth (for under-13 detection only)
4.2 Education records
- Schedule, flex-session signups, special-day participation, attendance, hall passes
- Planner items (titles, due dates, free-text notes; notes are encrypted at the application layer)
- Lesson plans, teacher tasks, sub-plan documents (encrypted at the application layer; workplace-privacy boundary enforced)
- Counselor request reasons and status (encrypted; access restricted to counselor and authorized school staff)
- Optional academic-status summary derived from the School's Aeries gradebook — severity band, missing-assignment count, and an encrypted free-text summary. Full grade detail remains in Aeries; we do not copy it.
- Optional mood check-in (a single emoji-equivalent per day; no free text; opt-in per school)
- Special-day post-survey responses (non-PPRA-protected categories only; opt-in)
- Seating chart layout and, if a teacher opts in, student photos used solely for in-classroom roster recognition
4.3 Imported third-party data
- Aeries SIS — read-only roster, schedules, attendance, and (only if grade-gated FlexTime is enabled by the district) gradebook summaries
- Canvas LMS — read-only assignments and announcements via per-student OAuth
- Google Classroom — read-only coursework and announcements via per-student OAuth
- Google SSO / Microsoft SSO — identity claims at sign-in only
4.4 Operational data
- Audit log: who accessed what record, when, and for what purpose. Hash-chained and immutable. Retained per district policy (default 7 years).
- Notification log: outbound email and SMS metadata, including recipient address, message subject, and delivery status
- Magic-link tokens: one-time, time-bound tokens for parent access and substitute access. We store only a SHA-256 hash of each token, never the plaintext.
- Encrypted OAuth tokens for the integrations listed in §4.3
- Server request metadata (IP address, user agent, request path, response status) for security, abuse-prevention, and debugging. No request body is logged in the hosting layer.
5. Information we do not collect
- Social Security numbers
- Government-issued ID numbers (driver license, passport)
- Biometric identifiers (we do not generate face templates, fingerprints, or voiceprints; seating-chart photos are stored as ordinary images for visual recognition, not converted to biometric templates)
- Geolocation data of any precision
- Audio or video recordings of students
- Financial information beyond the licensing transaction
- Medical or health records (other than IEP/504 accommodations a teacher records for classroom use)
- PPRA-protected survey categories (political affiliation, religious beliefs, sexual behavior, illegal behavior, critical family appraisals) — surveys are configured to exclude these
- Behavioral profiles built for any commercial purpose
6. How we use information
We use information only as needed to provide, secure, and improve the Service for the contracting School, and only for the purposes authorized in our contract with that School. Specifically:
- To let students browse, request, and attend flex-period sessions
- To let teachers create sessions, manage rosters, take attendance, and prepare sub-plans
- To let counselors manage caseloads, accept requests, and review seating accommodations
- To let school and district administrators configure the platform, run reports, and discharge audit obligations
- To let parents inspect their child's records, request deletion, and (with consent) receive copies of reminders
- To send transactional notifications (e.g., a flex signup reminder) using the channels the School has enabled
- To detect, investigate, and respond to security incidents and abuse
- To meet our legal obligations (e.g., responding to a court order, after notifying the School unless legally prohibited)
7. AI and machine learning
The Service does not currently use artificial intelligence, machine learning, or large language models in any user-facing feature. Our recommendation engine is deterministic.
Our forward-looking commitments:
- We will never use Student Data to train any external AI or machine-learning model.
- We will never sell, license, or otherwise transfer Student Data to any AI training pipeline or data broker.
- We will never use AI to make consequential decisions about students (placement, discipline, eligibility, grading).
- If we ever introduce an AI-assisted feature that operates on tenant data, we will give districts at least 30 days' advance written notice, and the feature will be configurable on or off per district through the compliance profile.
- Any AI processing will happen only within the tenant's authorized scope and will be disclosed in this policy and on our public sub-processor page.
These commitments are also reflected as binding obligations in §4.2(e) of our standard NDPA.
8. No advertising, no sale of data
EduSched does not display advertising of any kind on the Service. We do not sell or share Student Data, staff data, or parent data for any commercial purpose. We do not use cross-context behavioral advertising. We do not engage in targeted advertising as defined under SOPIPA or CPRA.
9. How information is shared
Within the Service, data is visible only to authorized users under row-level security policies. Across organizations, we share information only as follows:
- Sub-processors we engage to operate the Service. The current list is published at /security#sub-processors and includes Supabase (database, authentication, key management), Vercel (application hosting), Resend (transactional email), and Twilio (SMS, only when enabled by the district).
- Integrations the district has authorized: Aeries, Canvas, Google Classroom, Google SSO, Microsoft SSO. These are the district's own systems; we read from them and do not act as their processor.
- Legal requirements: a court order, subpoena, or other legally binding request. We notify the School in advance unless the law prohibits us from doing so.
- A successor in connection with a merger, acquisition, or sale of substantially all assets, subject to equivalent privacy protections and 30 days' notice.
We provide districts at least 30 days' advance written notice before adding or removing a sub-processor.
10. Data storage, security, and residency
- Residency. All data is stored in the United States. Default region is US-West; districts may select US-East. Non-US regions are off by default and require district consent.
- Encryption in transit. TLS 1.2 or higher on every endpoint, including the public marketing site and the authenticated application.
- Encryption at rest. Database, object storage, and backups are encrypted at the infrastructure layer (AES-256).
- Application-layer encryption for sensitive free-text fields (planner notes, lesson-plan free text, sub-plan bodies, counselor reasons, academic-status summaries, OAuth tokens). We use AES-256-GCM with per-school key derivation and additional authenticated data (AAD) binding, so a ciphertext lifted into a different row fails to decrypt.
- Row-level security (RLS). Every education-record table enforces access policies in the database itself, so an application-layer bug cannot return rows that the database policy would deny.
- Multi-factor authentication is available for all administrator accounts and is required when the district's SSO mandate is set accordingly.
- Hash-chained audit log. Every read of sensitive education-record data writes a row with the actor, subject, action, and purpose. The log is partitioned, immutable, and verified daily.
- Backups. Point-in-time recovery via our database provider.
- Penetration testing. Annual by a qualified third-party firm; high and critical findings are remediated within 90 days.
- Background checks. Production-data access is limited to personnel who have completed a background check and signed a confidentiality agreement.
A more detailed security overview is at /security.
11. FERPA — our role and parents' rights
EduSched operates as a "school official" with a "legitimate educational interest" under 34 CFR §99.31(a)(1). We use education records solely to provide the contracted Service and are under the direct control of the School with respect to the use and maintenance of education records.
Parents and eligible students retain the right to inspect, review, request amendment of, and request deletion of education records through their School. To support these rights, we provide:
- A one-time, time-bound parent magic-link page that lets a parent see what we hold on their child, without creating an account
- A per-student data export available to the School in a portable, structured format
- A disclosure-of-access report (the record of disclosures required by 34 CFR §99.32) available to School administrators from the compliance settings page
- Deletion-on-request, executed by the School through the purge_student() function
12. COPPA — under-13 users
When a School authorizes EduSched to collect personal information from students under 13 for use in support of internal school operations, the School acts as the parent's agent and can consent to that collection on the parent's behalf (16 CFR §312.5(a)(2)).
EduSched provides Schools with a COPPA Direct Notice template (available in our vendor packet and at /coppa when enabled) that the School can give to parents. Until parent consent is recorded, EduSched will not send SMS or push notifications to under-13 students; this gate is configurable per district and is on by default.
Parents may, at any time, refuse further collection, request review, or request deletion through the School or by emailing privacy@edusched.com.
13. California — SOPIPA, AB 1584, CCPA/CPRA
In addition to the FERPA and COPPA practices above:
- We do not engage in targeted advertising on the Service or any other site, service, or application using information acquired from the use of the Service.
- We do not use information acquired from the Service to amass a profile about a K-12 student except in furtherance of K-12 school purposes.
- We do not sell student information.
- We disclose covered information only in furtherance of the K-12 school purpose, to ensure legal compliance, to protect against liability, or to respond to a judicial process.
- We implement reasonable security procedures appropriate to the nature of the covered information (see §10).
- We delete covered information of a student at the direction of the School.
Staff and parent California privacy rights. California residents who are EduSched users in a non-student capacity (teachers, administrators, parents) have rights under CCPA/CPRA to know, access, correct, delete, and limit the use of their personal information. To exercise these rights, email privacy@edusched.com. We will verify your identity and respond within 45 days (extendable once by 45 days as the law permits). We do not sell or share personal information for cross-context behavioral advertising.
Our role with respect to Student Data is properly characterized as a service provider under Cal. Civ. Code §1798.140(ag). The FERPA carve-out in §1798.145(j) further limits the CCPA's application to student education records.
14. Retention
Default retention windows (each district can adjust through the compliance settings page):
- Audit logs: 7 years
- Attendance records: 7 years
- Student records: 5 years after end of relationship
- Lesson plans: 3 years
- Planner items, announcements, external assignments, academic status cache: 365 days
- Magic-link tokens: 24-hour TTL by default
- Notification log: 7 years
Upon contract termination, we will, at the School's election, return all data in a structured machine-readable format or securely destroy it within 60 days and provide written certification of destruction.
15. Data breach notification
In the event of confirmed unauthorized access to Student Data, we will notify the affected School within 72 hours (or such shorter period as the district's compliance profile specifies). The notice will describe the nature of the incident, the categories and approximate number of data subjects affected, the categories of data, likely consequences, and the remediation steps taken. The full breach procedure is published in our vendor packet.
16. Children's safety
We have not enrolled in a COPPA Safe Harbor program at this time and rely on the School-as-agent path under 16 CFR §312.5(a)(2). We will publicly disclose enrollment in any Safe Harbor program when it occurs.
17. Accessibility
EduSched is committed to WCAG 2.2 Level AA conformance. Our accessibility statement, conformance status, and contact channel for accessibility issues are at /security.
18. Security vulnerability disclosure
Security researchers can report findings to security@edusched.com. Our policy is published at /.well-known/security.txt.
19. Changes to this policy
We will notify Schools of material changes to this Privacy Policy at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
20. Contact
EduSched, Inc.
Privacy & FERPA: privacy@edusched.com
Security: security@edusched.com
Support: support@edusched.com
Our Data Protection Officer is reachable at privacy@edusched.com. The most current list of sub-processors is at /security#sub-processors.
