Privacy Policy

1. Introduction

KlassKeep ("we," "our," or "us") is committed to protecting the privacy of students, parents, teachers, and school administrators who use our school management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

KlassKeep is designed to help schools manage student information, grades, attendance, and communications. We understand the sensitive nature of educational records and are committed to maintaining the highest standards of privacy and security.

2. Information We Collect

2.1 Student Information

Schools may enter the following student information into KlassKeep:

• Full name (English and Hebrew, including preferred/"goes by" names)
• Student ID number
• Date of birth
• Gender
• Grade level and class assignment
• Academic records (grades, test scores, assessments)
• Attendance records
• Behavioral incident reports
• Skill assessments and report cards
• Allergies and medical notes
• Doctor name and phone number
• Emergency contact information (name, phone, relationship) for up to two contacts

2.2 Parent/Guardian Information

• Full name
• Email address
• Phone number
• Relationship to student
• Account login credentials

2.3 Staff Information

• Full name and professional title
• Email address and phone number
• Department and subject areas
• Account login credentials

2.4 Automatically Collected Information

• IP address and browser type
• Device information
• Login timestamps and session data
• Pages visited and features used

3. How We Use Your Information

We use the information collected to:

• Provide Educational Services: Enable grade recording, attendance tracking, report card generation, and student progress monitoring
• Facilitate Communication: Allow teachers to communicate with parents about student progress
• School Administration: Support school management functions including staff management, class assignments, and academic term management
• Generate Reports: Create academic reports, progress summaries, and statistical analyses for school administrators
• Maintain Security: Protect accounts, detect fraud, and ensure platform security
• Improve Services: Analyze usage patterns to enhance features and user experience
• Legal Compliance: Comply with applicable laws and regulations

4. FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. KlassKeep is designed to help schools comply with FERPA requirements.

4.1 School Official Exception

KlassKeep operates as a "school official" under FERPA, meaning we may access education records to provide services that the school would otherwise perform itself. We:

• Use student data only for purposes authorized by the school
• Are under the direct control of the school regarding data use
• Do not disclose information to unauthorized parties
• Comply with FERPA's requirements regarding education records

4.2 Parent and Student Rights Under FERPA

Parents (and eligible students 18 or older) have the right to:

• Inspect and review their child's education records
• Request corrections to inaccurate or misleading records
• Consent to disclosure of personally identifiable information
• File complaints with the U.S. Department of Education

5. COPPA Compliance

The Children's Online Privacy Protection Act (COPPA) requires parental consent before collecting personal information from children under 13. KlassKeep addresses COPPA requirements as follows:

5.1 School Consent

Under COPPA, schools may act as agents of parents and provide consent for the collection of student information for educational purposes. When a school uses KlassKeep:

• The school acts as the parent's agent for COPPA consent purposes
• Information is collected solely for school-authorized educational purposes
• We do not collect more information than necessary for educational use
• We do not require students to provide personal information as a condition of participation

5.2 Parental Rights Under COPPA

Parents of children under 13 may:

• Review their child's personal information
• Request deletion of their child's information
• Refuse further collection of their child's information

To exercise these rights, please contact your child's school, who will coordinate with us to fulfill your request.

6. Data Sharing and Disclosure

6.1 We Do NOT Share Data With:

• Advertisers or marketing companies
• Data brokers or information resellers
• Social media platforms
• Any third party for non-educational purposes

6.2 Limited Disclosure

We may share information only in these circumstances:

• With the School: Schools have full access to their own data
• Service Providers: Trusted vendors who help operate our services (hosting, email delivery) under strict contractual obligations
• Legal Requirements: When required by law, subpoena, or court order
• Safety: To protect the safety of students, staff, or others in emergency situations
• With Consent: When we have explicit consent from the school or parent

6.3 Sub-Processors

We use the following trusted sub-processors to operate KlassKeep:

• Railway (Railway Corp): Application hosting and PostgreSQL database — United States
• Cloudflare (Cloudflare, Inc.): DNS and DDoS protection — United States
• School-Configured SMTP Provider: Email delivery (configured per-school by the school's administrator)

All sub-processors are bound by contractual obligations to protect data in accordance with this policy. We will notify schools before adding new sub-processors.

6.4 Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with schools that outline our obligations regarding student data. Schools may request a copy of our standard DPA template or contact us to execute a custom agreement.

7. Data Security

We implement comprehensive security measures to protect your information:

7.1 Technical Safeguards

• Encryption in Transit: All data is encrypted in transit using TLS/SSL (HTTPS enforced)
• Field-Level Encryption: Sensitive credentials (such as SMTP passwords) are encrypted at rest using AES-256 symmetric encryption (Fernet)
• Password Security: Passwords are hashed using industry-standard one-way hashing and are never stored in plaintext
• Access Controls: Role-based permissions (7 roles, 50+ configurable permissions) ensure users only access authorized data
• Multi-Tenant Isolation: Each school's data is logically separated and isolated at the application layer
• Audit Logging: All access to student records (views, edits, exports, emails) is logged with user identity, timestamp, and IP address
• CSRF Protection: All forms are protected against cross-site request forgery
• Session Security: Secure session management with configurable automatic timeout

7.2 Administrative Safeguards

• Regular security assessments and updates
• Employee training on data protection
• Incident response procedures
• Audit logging of sensitive operations

7.3 Breach Notification

In the event of a data breach affecting personal information, we will notify affected schools promptly (within 72 hours) so they can fulfill their notification obligations to parents and regulatory authorities.

8. Data Retention

8.1 Retention Period

We retain data according to the following guidelines:

• Active Accounts: Data is retained while the school's account is active
• Student Records: Retained as directed by the school's records retention policy
• Inactive Accounts: Data may be deleted after 2 years of account inactivity, with prior notice to the school
• Backups: Backup copies are retained for 90 days for disaster recovery purposes

8.2 Data Deletion

Schools may request deletion of their data at any time. Upon receiving a deletion request:

• Active data will be deleted within 30 days
• Backup copies will be purged within 90 days
• We will provide written confirmation of deletion

8.3 Data Export

Schools may request an export of their data in a standard format (CSV/Excel) at any time. We will provide the export within 30 days of the request.

9. Your Rights

9.1 Access and Correction

You have the right to:

• Access your personal information stored in KlassKeep
• Request correction of inaccurate information
• Request a copy of your data

9.2 Deletion

Parents may request deletion of their child's data through the school. Schools control student records and will process such requests in accordance with their records retention policies and legal obligations.

9.3 Opt-Out

Parents may opt out of certain data collection or communications by contacting the school. Note that opting out of essential data collection may limit access to educational features.

9.4 California Residents

California residents have additional rights under the California Consumer Privacy Act (CCPA) and the Student Online Personal Information Protection Act (SOPIPA). We do not sell personal information and comply with California's student privacy laws.

10. Google API Data Disclosure

KlassKeep offers optional Google Sign-In and Gmail integration for staff and parent accounts. This section discloses how KlassKeep accesses, uses, stores, and shares Google user data, in compliance with Google API Services User Data Policy.

10.1 Google Data We Access

• Sign-In (all users): Basic profile information (name, email address, profile picture) via OpenID Connect scopes — used solely to authenticate your identity and match you to your existing KlassKeep account
• Gmail Send (teachers only, optional): The gmail.send scope — used solely to allow teachers to send progress reports, grade notifications, and other school-related communications to parents from their own email address

10.2 How We Use Google Data

• Google profile data (name, email) is used only to log you in and display your name within KlassKeep
• The Gmail API is used only to send emails that the teacher explicitly composes and initiates within KlassKeep
• We do not read, scan, index, or store the contents of your Gmail inbox
• We do not use Google data for advertising, analytics, or any purpose unrelated to the educational services described in this policy

10.3 Storage of Google Credentials

• OAuth refresh tokens are encrypted at rest using AES-256 symmetric encryption (Fernet) and stored in our database
• Tokens are scoped to the minimum permissions required and can be revoked by the user at any time
• We do not share Google tokens or Google-derived data with any third party

10.4 Revoking Google Access

You may revoke KlassKeep's access to your Google account at any time by visiting Google Account Permissions or by contacting your school administrator. Revoking access will disable Google Sign-In and Gmail sending for your account; you can continue using KlassKeep with a password login.

11. Cookies and Tracking

11.1 Essential Cookies

We use only essential cookies necessary for the platform to function:

• Session Cookies: Maintain your login session
• Security Cookies: CSRF protection and security features
• Preference Cookies: Remember your settings (e.g., selected child)

11.2 No Third-Party Tracking

We do NOT use third-party analytics, advertising cookies, or tracking pixels. We do not share browsing data with social media platforms or advertisers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the "Effective Date" at the top of this policy
• We will notify schools via email at least 30 days before changes take effect
• Material changes affecting student data will require school acknowledgment

Continued use of KlassKeep after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: