← Back to Home

Privacy Policy

Last Updated: April 2026

1. Introduction & Overview

TrackEDU ("we", "our", or "us") provides a digital school culture, gamification, and house point tracking platform. We are deeply committed to protecting the privacy and security of educators, administrators, and students.

In the context of data protection laws, the School or Educational Institution is the Data Controller, and TrackEDU acts solely as the Data Processor. We only process student data under the direct instruction and authorization of the school.

2. Information We Collect

We adhere to the principle of data minimization, collecting only what is strictly necessary to operate the platform.

A. Educator & Administrator Data

  • Account Information: First and last name, school email address, school affiliation, and professional role.
  • Authentication Data: We use Google Single Sign-On (SSO) to authenticate educators. We do not process or store your Google password.

B. Student Data (Provided by the School)

  • Profile Information: First name, last initial (or last name), grade/category, class assignment, and house assignment. Student names are partially displayed (e.g., "Bill S." instead of full name) to protect individual privacy.
  • Platform Activity: Points earned, badges unlocked, daily streaks, and poll participation.
  • What we DO NOT collect: We strictly prohibit and do not collect student email addresses, phone numbers, home addresses, dates of birth, social security numbers, or sensitive demographic/health data. Students access the app via auto-generated anonymous ID tokens and shared class passcodes.

C. Automatically Collected Usage Data

  • Log data, device types, browser types, and non-identifying interaction metrics used strictly to monitor system security, prevent fraud, and ensure platform uptime.

3. How We Use the Information

We use the collected data exclusively to provide and support the TrackEDU platform. Specifically, to:

  • Operate the house point tracking, leaderboards, and gamification mechanics.
  • Authenticate authorized school staff.
  • Generate anonymized, aggregated school-wide analytics for administrators.
  • Provide customer support and respond to technical issues.
Strict Prohibition: We never sell student or teacher data. We never use student data to target advertisements, build commercial profiles, or market third-party products.

4. Subprocessors & Data Sharing

We do not share your data with third parties except as necessary to provide the service through trusted infrastructure partners (Subprocessors). Our subprocessors are contractually bound to stringent privacy and security standards:

  • Google Cloud Platform (Firebase): Used for secure database hosting, real-time syncing, and educator authentication. Google Cloud's underlying infrastructure is certified under SOC 2 and ISO 27001.
  • EmailJS: Used exclusively to route transactional emails (e.g., account approvals and system alerts) to educators.

5. Cookies & Local Storage

TrackEDU does not use third-party tracking cookies or advertising pixels.

We use browser Local Storage strictly for functional purposes within the Student App, such as tracking "daily login streaks," preventing duplicate poll votes, and temporarily locking gamification elements (like House Power Boosts) to ensure fair play. This data remains on the device and is not used to track students across the internet.

6. Data Security

We implement robust security measures to protect educational records:

  • Encryption: Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
  • Access Controls: Firebase Security Rules strictly govern database reads and writes, ensuring that student data is only accessible to authorized educators within that specific school domain.
  • Anonymous IDs: The Student App requires only a randomly generated alphanumeric ID and a shared Class Passcode, mitigating the risk of credential theft.
  • Privacy-First Display: Student names are partially displayed (e.g., "Bill S." instead of full name) to protect individual privacy while maintaining functionality.

7. Data Retention & Deletion

Schools have absolute control over their data lifecycle.

  • Active Subscriptions: Data is retained as long as the school maintains an active license to provide continuous service.
  • Self-Serve Deletion: School Administrators have access to a "Full System Wipe" feature in their dashboard, allowing them to permanently and irrevocably destroy all student records, points, and history instantly.
  • Account Termination: Upon cancellation or expiration of a contract, we will permanently delete the school's database within 90 days unless legal holds apply.

8. Privacy-First Design Principles

FERPA Considerations (United States)

TrackEDU is designed with privacy-first principles to support schools in their educational record-keeping. We act as a "School Official" with a legitimate educational interest. We operate under the direct control of the school regarding the use and maintenance of educational records. Schools should consult their legal counsel to determine compliance with specific regulations.

COPPA Considerations (United States)

The Children's Online Privacy Protection Act (COPPA) protects children under 13. TrackEDU relies on the School to provide verifiable consent to create student profiles. We intentionally do not collect PII directly from students, nor do we require personal accounts for students to interact with the system.

GDPR Principles (European Union / UK)

Schools act as the Data Controller and TrackEDU as the Data Processor. Data processing is based on the legitimate interest of the school to administer educational programs. Data is processed within the region determined by Google Cloud infrastructure routing. Schools should consult their legal counsel for GDPR compliance requirements.

9. Your Privacy Rights

Depending on your jurisdiction, you or your school administrators have the right to:

  • Access: Request a copy of the personal data we hold.
  • Correction: Request that inaccurate data be updated.
  • Deletion: Request the erasure of your data (Right to be Forgotten).
  • Portability: Export data via the built-in CSV export tools in the Admin Dashboard.

Note: Parents or students wishing to exercise these rights must contact their School Administrator directly, as the school controls the data. TrackEDU will assist the school in fulfilling these requests.

10. Contact Our Privacy Team

If you have any questions about this Privacy Policy, our data practices, or wish to review our Data Processing Agreement (DPA), please contact us at:

TrackEDU Privacy & Security Team

hello@trackedu.net