Privacy Policy

1. Introduction

Chabad Chinuch ("we," "our," or "us") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our educational management platform. We comply with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and other applicable student privacy laws.

2. Information We Collect

2.1 Student Data

We collect student information provided by schools or parents, including:

• Student names, grade levels, and class assignments
• Attendance records
• Behavior logs and incident reports
• Assessments, grades, and academic progress
• Standards and skills tracking data
• Bus check-in/check-out records
• Emergency contact information
• Parent/guardian information

2.2 Teacher & Staff Information

• Names, email addresses, and contact information
• School affiliation and role
• Class assignments and schedules
• Login credentials (encrypted)

2.3 Parent Information

• Names, email addresses, and phone numbers
• Relationship to students
• Account credentials

2.4 Usage Data

• Log data (IP addresses, browser type, pages visited)
• Device information
• Usage patterns and preferences
• Audit logs of data access and modifications

2.5 Financial and Payment Data

When schools or parents use our payment features, we collect payment-related information through our payment processor, Stripe:

• Credit/debit card details (processed and stored securely by Stripe, not stored on our servers)
• Bank account information for ACH payments (tokenized account and routing numbers)
• Billing addresses
• Payment history and transaction records
• Account ownership verification details (name and address associated with bank accounts)

Important: We use Stripe Financial Connections to securely verify bank account ownership and enable ACH payments. When you link a bank account, you authorize Stripe to retrieve your tokenized account details and account ownership information. This data is used solely for payment processing and fraud prevention. We do not access your bank balance, transaction history, or any other financial data beyond what is necessary for payment processing.

3. How We Use Your Information

We use the collected information solely for educational and school operational purposes:

• Provide and maintain our educational services
• Track student progress and academic performance
• Facilitate communication between teachers, students, and parents
• Generate reports and analytics for educational improvement
• Manage attendance and behavior tracking
• Handle transportation and bus logistics
• Process tuition payments, event fees, and other school-related payments
• Verify bank account ownership for ACH payment processing
• Prevent payment fraud and unauthorized transactions
• Ensure platform security and prevent fraud
• Comply with legal obligations (FERPA, COPPA, state laws)
• Provide technical support and troubleshooting

We do NOT use student data for:

• Advertising or marketing purposes
• Behavioral profiling for commercial purposes
• Selling or renting data to third parties
• Any non-educational purpose

4. Data Sharing and Disclosure

We do not sell, trade, or rent student data. We may share information only with:

• The School: Teachers, administrators, and authorized staff within the school organization
• Parents/Guardians: For their own children's records, as authorized by the school
• Service Providers: Vendors who assist in platform operations (hosting, security, email notifications). All service providers must sign data protection agreements and cannot use data for their own purposes
• Legal Requirements: When required by law, court order, or to protect rights and safety
• With Explicit Consent: When the school or parent provides explicit written consent

We never share student data with advertisers or unrelated third parties.

5. Data Security

We implement industry-standard security measures to protect your data:

• Encryption of data in transit (HTTPS/TLS) and at rest
• Secure authentication with password hashing
• Role-based access controls
• Multi-school data separation
• Audit logs for all data access and modifications
• Regular security audits and updates
• Secure data centers with physical security
• Incident response procedures
• Regular backups with encryption

A detailed Security Policy is available upon request or at /legal/schools.

6. Student Privacy (FERPA Compliance)

We comply with the Family Educational Rights and Privacy Act (FERPA) and are designated as a School Official with a legitimate educational interest. We:

• Protect student education records as required by FERPA
• Limit access to authorized school officials and parents
• Do not disclose personally identifiable information without consent
• Allow parents to review and request corrections to their child's records
• Maintain student data ownership with the school
• Provide data export capabilities upon request
• Delete data according to school requests and retention policies

Our Data Processing Agreement (DPA) further details our FERPA compliance obligations.

7. Children's Privacy (COPPA Compliance)

We comply with the Children's Online Privacy Protection Act (COPPA). For children under 13:

• Schools may consent on behalf of parents for educational use (COPPA "School as Agent" provision)
• Parents may directly provide consent through school invitation or account creation
• We collect only information necessary for educational services
• We do not allow children to submit personal information directly
• We do not use children's data for advertising or commercial purposes

For detailed COPPA information, see our COPPA Notice.

8. State Student Privacy Laws

We comply with applicable state student privacy laws, including:

• California SOPIPA (Student Online Personal Information Protection Act)
• New York Education Law §2-d
• Colorado SB 16-173
• Texas Student Privacy Laws
• Other applicable state regulations

9. Data Retention and Deletion

We retain student data only as long as necessary:

• Active Schools: Data is retained while the school's account is active
• School Termination: Data is archived for 60 days, then permanently deleted
• School Requests: We delete specific student records within 10 business days of request
• Audit Logs: Retained for 1 year for compliance, unless longer retention is required

For detailed retention policies, see our Data Retention Policy.

10. Data Ownership and Export

Schools own 100% of all Student Data. Schools may:

• Access, edit, export, or delete student data at any time
• Request full data exports in CSV, JSON, or SQL format
• Request deletion of individual students, classes, or full database
• Transfer data to other systems

We provide data exports within 10 business days of request. See our Data Ownership & Export Statement for details.

11. Breach Notification

In the event of unauthorized access or disclosure of student data, we will:

• Notify affected schools within 72 hours of confirming a breach
• Provide details about what happened and what data was affected
• Describe steps taken to contain and remediate the issue
• Offer guidance and support for schools
• Cooperate fully in any investigation

See our Incident Response Plan for details.

12. Your Rights

You have the right to:

• Access your personal information
• Correct inaccurate data
• Request deletion (subject to legal requirements and school policies)
• Opt-out of non-essential communications
• Data portability and export
• Review audit logs of data access

Parents requesting corrections or deletions should contact their child's school, as schools control educational records under FERPA.

13. Subprocessors

We may use service providers (subprocessors) to support platform operations, such as:

• Hosting and infrastructure providers (e.g., Supabase)
• Email notification services
• Security and monitoring tools
• Payment processing (Stripe, Inc.) - Handles all payment transactions, credit card processing, ACH bank payments, and financial data. Stripe is PCI-DSS Level 1 certified and processes payments securely. See Stripe's Privacy Policy for details.

All subprocessors must sign data protection agreements and meet equal or higher security standards. They cannot use student data for any purpose outside of providing the services. A current list of subprocessors is available upon request.

14. Payment Processing

Our platform enables schools to collect tuition payments, event fees, form payments, and other school-related charges from parents and families.

14.1 Payment Processor

All payment processing is handled by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. We do not store credit card numbers, CVV codes, or full bank account numbers on our servers. All sensitive payment data is tokenized and stored securely by Stripe.

14.2 Stripe Financial Connections

For ACH bank payments, we use Stripe Financial Connections to securely link and verify bank accounts. When you connect a bank account:

• We collect tokenized account and routing numbers to initiate payments
• We verify account ownership (name and address) to prevent fraud
• We do NOT access your bank balance or transaction history
• We do NOT share bank data with third parties except as necessary for payment processing
• All financial data is stored securely in the United States

14.3 Payment Data Retention

Payment records (transaction history, receipts, payment method identifiers) are retained as long as the school account is active and for 7 years thereafter for tax and legal compliance purposes. You may request deletion of payment methods at any time through your account settings.

14.4 Your Rights Regarding Payment Data

You have the right to:

• View your payment history and receipts
• Add or remove payment methods
• Request a copy of your payment records
• Disconnect linked bank accounts at any time

15. Changes to This Policy

We may update this Privacy Policy periodically to reflect legal changes, operational updates, or improvements. We will notify schools of material changes via email or platform notification. The "Last Updated" date at the top indicates when this policy was last revised. Continued use of the platform after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

For school-specific legal agreements, please visit /legal/schools.