policy Legal & Compliance

Policies & Guidelines

SyncSchool is committed to transparency, student safety, and responsible data stewardship. Review our complete set of policies governing platform use, data handling, and user rights.

update Effective: January 1, 2025 verified_user FERPA Compliant child_care COPPA Compliant gpp_good GDPR Ready
lock

Privacy Policy

Last updated: Jan 1, 2025
Summary: We collect only the data necessary to operate SyncSchool, never sell personal information, and give users full control over their data.

1.1 Information We Collect

SyncSchool collects information provided directly by users (administrators, educators, students, and guardians) and information generated through platform use. Categories include:

  • Account data: Name, email address, role, institutional affiliation, and login credentials.
  • Student records: Grades, attendance, behavioral notes, learning progress, and assessment results — stored strictly on behalf of the institution.
  • Usage data: Log files, device identifiers, browser type, IP address, pages visited, and feature interactions.
  • Communication data: Messages sent through in-app messaging between educators, students, and guardians.
  • Payment data: Billing address and tokenized payment method (processed by PCI-DSS-certified processors; full card numbers are never stored by SyncSchool).

1.2 How We Use Your Information

  • Deliver, maintain, and improve the SyncSchool platform and AI-powered features.
  • Authenticate users and enforce role-based access controls.
  • Generate analytics and reports for institutional administrators.
  • Send transactional notifications (grade alerts, attendance flags, announcements).
  • Comply with legal obligations and respond to lawful requests from authorities.
  • Detect, investigate, and prevent fraud, abuse, or security incidents.

1.3 Information Sharing

We do not sell, rent, or trade personal information. We share data only with:

  • The institution: Authorized staff access records within their school or district.
  • Service providers: Sub-processors bound by data processing agreements (cloud hosting, analytics, email delivery).
  • Legal requirements: When required by applicable law, regulation, or valid legal process.

1.4 Data Subject Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data. Submit requests to privacy@syncschool.com. We respond within 30 days.

gavel

Terms of Service

Last updated: Jan 1, 2025
Summary: By using SyncSchool you agree to these terms. Institutions are responsible for appropriate use by their staff and students.

2.1 Acceptance of Terms

By accessing or using SyncSchool, you confirm that you are at least 18 years old (or the age of digital consent in your jurisdiction), that you have the authority to bind your institution if registering on its behalf, and that you have read and agree to these Terms.

2.2 License Grant

Subject to these Terms, SyncSchool grants your institution a limited, non-exclusive, non-transferable, revocable license to access and use the platform solely for internal educational management purposes during your subscription period.

2.3 Prohibited Conduct

  • Reverse engineering, decompiling, or attempting to extract source code from the platform.
  • Uploading or transmitting malware, unauthorized scripts, or harmful content.
  • Circumventing authentication, access controls, or rate limits.
  • Reselling, sublicensing, or providing platform access to third parties without consent.
  • Harvesting or scraping data for commercial use outside your institution.
  • Using the platform for any unlawful purpose or in violation of applicable education law.

2.4 Intellectual Property

SyncSchool retains all rights to the platform, branding, and proprietary AI models. Institutional data you upload remains your property; you grant SyncSchool a limited license to process it solely to provide the service.

2.5 Limitation of Liability

To the maximum extent permitted by law, SyncSchool's aggregate liability arising out of or related to these Terms will not exceed the fees paid by your institution in the twelve months preceding the claim. We are not liable for indirect, incidental, or consequential damages.

2.6 Termination

Either party may terminate the agreement with 30 days' written notice. SyncSchool may terminate immediately for material breach or non-payment. Upon termination, your data is available for export for 60 days, after which it is securely deleted.

school

Student Data Protection Policy

FERPA COPPA GDPR PPRA
Summary: Student data is treated with the highest level of care. We comply with FERPA, COPPA, GDPR-K, and all applicable state student privacy laws.

3.1 FERPA Compliance

SyncSchool operates as a "school official" under FERPA with a "legitimate educational interest." Education records are disclosed only to authorized institutional personnel and as otherwise permitted by FERPA. We do not disclose personally identifiable information from education records without written parental or eligible-student consent, except as FERPA allows.

3.2 COPPA Compliance (Under-13 Users)

When schools deploy SyncSchool to students under 13, the institution acts as the agent of parental consent under the COPPA school-official exception. We do not:

  • Use children's personal information for advertising or marketing.
  • Build behavioral profiles of children for commercial purposes.
  • Share children's data with third parties except as necessary to provide the service.
  • Condition a child's participation on the disclosure of more information than necessary.

3.3 Minimum Necessary Data

We collect only the minimum data required to deliver each feature. Administrators can configure data collection granularity at the institutional level via the privacy settings panel.

3.4 Student Record Ownership

Student education records remain the property of the student (and parents/guardians for minors) and the institution. SyncSchool has no independent right to use student records beyond service delivery, de-identified research, and platform improvement with contractual protections in place.

3.5 Consent Management

  • Parental consent workflows are built into the onboarding flow.
  • Schools can download signed consent records at any time.
  • Consent can be withdrawn; data associated with a revoked consent is deleted within 30 days.

3.6 De-Identification Standards

Aggregate analytics shared outside the institution are de-identified to NIST SP 800-188 standards, ensuring no individual student can be re-identified from released datasets.

rule

Acceptable Use Policy

All Users
Summary: Use SyncSchool only for legitimate educational purposes. Misuse results in suspension or termination of access.

4.1 Permitted Uses

  • Managing student enrollment, attendance, grades, and schedules.
  • Communicating with students, parents, and staff within the platform.
  • Generating academic reports, transcripts, and performance dashboards.
  • Using AI-assisted grading, feedback, and early-intervention features.
  • Administering assessments, assignments, and curriculum resources.
  • Coordinating fee collection, transport, and cafeteria management.

4.2 Prohibited Uses

  • Accessing another user's account without explicit authorization.
  • Posting or sharing discriminatory, harassing, or abusive content.
  • Attempting to probe, scan, or test the platform's security systems.
  • Uploading content that infringes intellectual property rights.
  • Using automation or bots to interact with the platform in unauthorized ways.
  • Sharing login credentials or allowing unauthorized individuals access.
  • Using student data to target, profile, or advertise to students or families.

4.3 Enforcement

Violations may result in feature restrictions, account suspension, or termination without refund, depending on severity. We reserve the right to cooperate with law enforcement for serious violations.

4.4 Reporting Violations

Report misuse or policy violations to trust@syncschool.com. All reports are handled confidentially.

database

Data Retention Policy

Last updated: Jan 1, 2025
Summary: We retain data only as long as needed. Institutions control their own retention schedules within regulatory minimums.

5.1 Retention Schedules

  • Active student records: Retained while the student is enrolled and for 5 years post-graduation (configurable per institutional policy).
  • Attendance & grade records: Minimum 7 years from record creation to support transcript requests.
  • Communication logs: 2 years for in-app messages; audit logs retained 3 years.
  • Usage and access logs: 12 months, then purged or anonymized.
  • Payment records: 7 years to satisfy financial regulation requirements.
  • Deleted account data: Purged within 90 days of account deletion request, except where legal holds apply.

5.2 Institution-Controlled Retention

Administrators can define custom retention periods in the Data Management console, subject to regulatory minimums. Automated deletion workflows run nightly to enforce configured schedules.

5.3 Backup Retention

Database backups are retained for 30 days with point-in-time recovery. Backups are encrypted at rest and are not accessible to unauthorized parties.

5.4 Legal Holds

When SyncSchool receives a lawful preservation request, affected data is placed under a legal hold and exempted from normal deletion schedules until the hold is lifted.

security

Data Security Policy

SOC 2 Type II ISO 27001 AES-256
Summary: We employ enterprise-grade security controls. All data is encrypted in transit and at rest.

7.1 Encryption

  • In transit: All connections use TLS 1.2 or higher. HSTS is enforced with a 1-year max-age and preloading.
  • At rest: Databases and file storage are encrypted with AES-256. Encryption keys are managed via a dedicated KMS with automatic rotation every 90 days.
  • Backups: Encrypted with the same standards as live data.

7.2 Access Controls

  • Role-based access control (RBAC) with principle of least privilege.
  • Multi-factor authentication (MFA) available for all accounts; mandatory for administrators.
  • Single sign-on (SSO) via SAML 2.0 and OAuth 2.0 for institutional identity providers.
  • All privileged access is logged and subject to periodic access reviews.
  • SyncSchool staff access to production systems requires approval and generates an immutable audit trail.

7.3 Infrastructure Security

  • Hosted on SOC 2 Type II certified cloud infrastructure with ISO 27001 certification.
  • Web Application Firewall (WAF) and DDoS mitigation at the network edge.
  • Regular automated vulnerability scanning and annual penetration testing by a third-party security firm.
  • Zero-trust network architecture: internal services authenticate each other via mTLS.

7.4 Vulnerability Disclosure

We run a responsible disclosure program. Report security vulnerabilities to security@syncschool.com. We acknowledge within 24 hours and aim to patch critical issues within 7 days.

family_restroom

Parent & Guardian Access Policy

FERPA §99.10
Summary: Parents and guardians have the right to inspect, correct, and in some cases restrict their child's educational records.

8.1 Access Rights

Parents and legal guardians of students under 18 may, through the school administration, request access to all education records held in SyncSchool. Schools must respond within 45 days (FERPA requirement). The SyncSchool parent portal provides real-time access to:

  • Attendance records and absence notifications.
  • Grade book entries and report cards.
  • Homework assignments and submission status.
  • Fee statements and payment history.
  • Behavioral notes (as permitted by school policy).
  • Communication history with teachers and staff.

8.2 Amendment Requests

Parents who believe a record contains inaccurate or misleading information may request an amendment through the school. SyncSchool provides tools for schools to flag, amend, and audit record corrections.

8.3 Transfer of Rights

When a student turns 18 or attends a post-secondary institution, FERPA rights transfer to the student. The platform automatically updates access permissions at the age of digital majority configured by the institution.

8.4 Guardian Verification

Guardian accounts are provisioned by the school after identity verification. Schools are responsible for confirming legal guardian status before granting portal access.

integration_instructions

Third-Party Integration Policy

Last updated: Jan 1, 2025
Summary: All third-party services that access student data must pass a security and privacy review and sign a data processing agreement.

9.1 Approved Integrations

SyncSchool maintains a curated marketplace of pre-vetted integrations including learning management systems, assessment platforms, library catalogs, transport management, and identity providers. Each integration undergoes:

  • Security assessment against NIST Cybersecurity Framework.
  • Privacy review for FERPA/COPPA compliance.
  • Execution of a Data Processing Agreement (DPA).
  • Annual re-review to maintain approved status.

9.2 Data Minimization for Integrations

Integrations receive only the minimum data scope needed to function. Administrators configure data-sharing permissions per integration at the field level. Broad data exports to unapproved systems are blocked by default.

9.3 API Access

Institutions accessing SyncSchool data via the REST/GraphQL API must authenticate with OAuth 2.0 tokens scoped to specific resources. API usage is logged, rate-limited, and subject to the same Acceptable Use Policy as the web platform.

9.4 Sub-Processor List

A current list of all sub-processors with access to personal data is maintained and updated at syncschool.com/sub-processors. Institutions are notified 30 days in advance of any new sub-processor additions.

emergency

Incident Response Policy

72-hr Notification
Summary: In the event of a data breach, we notify affected institutions within 72 hours and provide full transparency throughout the resolution process.

10.1 Detection & Classification

Our security operations team monitors for anomalous access, unusual data transfers, and system compromises around the clock. Incidents are classified by severity:

  • Critical: Confirmed unauthorized access to personal data affecting more than 100 individuals.
  • High: Potential data exposure or service compromise under investigation.
  • Medium: Policy violation or near-miss with no confirmed data exposure.
  • Low: Isolated anomalies with no evidence of impact.

10.2 Notification Timeline

  • 0–4 hours: Internal incident declared; response team assembled.
  • 4–24 hours: Scope and impact assessment completed; containment measures applied.
  • 24–72 hours: Affected institutions notified via email and in-app alert with all known details.
  • 72 hours: Regulatory notifications submitted where required (GDPR Article 33, CCPA, state breach laws).
  • Post-incident: Full written report delivered to affected institutions within 30 days.

10.3 Notification Contents

Breach notifications include: nature of the incident, categories and approximate volume of records affected, likely consequences, measures taken and proposed, contact person for queries, and guidance for affected individuals.

10.4 Business Continuity

SyncSchool maintains a tested Business Continuity Plan with a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour for critical services.

smart_toy

AI & Automated Decision-Making Policy

GDPR Art. 22 Responsible AI
Summary: AI in SyncSchool augments human judgment — it never replaces it. No high-stakes academic decisions (grades, expulsions) are made solely by automated systems.

11.1 AI Feature Scope

SyncSchool uses AI and machine learning for the following purposes:

  • Early-warning systems that flag students at risk of falling behind.
  • Automated grading assistance for objective assessments (multiple choice, fill-in-the-blank).
  • Natural language feedback suggestions for written assignments.
  • Attendance anomaly detection and pattern analysis.
  • Personalized learning pathway recommendations.
  • Administrative workload automation (scheduling, substitution management, report generation).

11.2 Human Oversight Requirement

All AI-generated scores, flags, and recommendations are labelled as AI-assisted and require review and confirmation by a qualified educator or administrator before becoming part of the official student record. AI outputs cannot be published to parents or students without human sign-off.

11.3 Bias Monitoring

We conduct quarterly fairness audits of AI models across demographic dimensions including race, gender, language, and disability status. Models exhibiting statistically significant disparate impact are retrained or withdrawn. Audit reports are available to institutional administrators on request.

11.4 Explainability

Educators can request a plain-language explanation of any AI recommendation through the platform's "Why?" feature. We use interpretable model architectures where possible and supplement complex models with SHAP-based explanations.

11.5 Right to Human Review

In line with GDPR Article 22, individuals have the right to request human review of any automated decision that significantly affects them. Submit requests to ai-review@syncschool.com.

11.6 AI Training Data

Student data is never used to train commercial AI models or shared with AI providers for model improvement without explicit institutional consent and individual opt-in. Internal model improvements use privacy-preserving techniques such as federated learning and differential privacy.

accessibility

Accessibility Policy

WCAG 2.1 AA ADA Title II Section 508
Summary: SyncSchool is committed to WCAG 2.1 Level AA conformance. Education must be accessible to every student, including those with disabilities.

12.1 Our Commitment

SyncSchool is designed and developed to be accessible to all users, including those with visual, auditory, motor, and cognitive disabilities. We target WCAG 2.1 Level AA conformance and exceed it wherever feasible.

12.2 Accessibility Features

  • Full keyboard navigation throughout the platform with visible focus indicators.
  • Screen-reader compatibility (tested with NVDA, JAWS, VoiceOver, and TalkBack).
  • Sufficient colour contrast ratios (minimum 4.5:1 for normal text, 3:1 for large text).
  • Scalable text up to 200% without loss of content or functionality.
  • Alternative text for all non-decorative images and icons.
  • Captions and transcripts for all video content.
  • High-contrast mode and reduced-motion preferences honoured via CSS media queries.
  • Dyslexia-friendly font option (OpenDyslexic) available in user settings.

12.3 Testing & Maintenance

Accessibility is tested at every release cycle using automated tools (axe-core, Lighthouse) and manual testing with assistive technology users. A dedicated accessibility sprint is conducted semi-annually.

12.4 Reporting Barriers

If you encounter an accessibility barrier, contact us at accessibility@syncschool.com or use the in-app feedback button. We acknowledge accessibility reports within 2 business days and target resolution within 14 days for critical barriers.

12.5 Accommodation Support

For students with documented disabilities, SyncSchool supports individualized accommodation plans (IEPs/504 Plans). Administrators can configure extended time, larger text defaults, and screen-reader-first modes at the student-profile level.

contact_support

Questions About Our Policies?

Our Data Protection Officer and Legal team are available to help institutions, parents, and students understand their rights and our obligations.

These policies are effective as of January 1, 2025 · SyncSchool Technologies Inc. · Version 3.0