Policies & Guidelines
SyncSchool is committed to transparency, student safety, and responsible data stewardship. Review our complete set of policies governing platform use, data handling, and user rights.
Privacy Policy
Last updated: Jan 1, 20251.1 Information We Collect
SyncSchool collects information provided directly by users (administrators, educators, students, and guardians) and information generated through platform use. Categories include:
- Account data: Name, email address, role, institutional affiliation, and login credentials.
- Student records: Grades, attendance, behavioral notes, learning progress, and assessment results — stored strictly on behalf of the institution.
- Usage data: Log files, device identifiers, browser type, IP address, pages visited, and feature interactions.
- Communication data: Messages sent through in-app messaging between educators, students, and guardians.
- Payment data: Billing address and tokenized payment method (processed by PCI-DSS-certified processors; full card numbers are never stored by SyncSchool).
1.2 How We Use Your Information
- Deliver, maintain, and improve the SyncSchool platform and AI-powered features.
- Authenticate users and enforce role-based access controls.
- Generate analytics and reports for institutional administrators.
- Send transactional notifications (grade alerts, attendance flags, announcements).
- Comply with legal obligations and respond to lawful requests from authorities.
- Detect, investigate, and prevent fraud, abuse, or security incidents.
1.3 Information Sharing
We do not sell, rent, or trade personal information. We share data only with:
- The institution: Authorized staff access records within their school or district.
- Service providers: Sub-processors bound by data processing agreements (cloud hosting, analytics, email delivery).
- Legal requirements: When required by applicable law, regulation, or valid legal process.
1.4 Data Subject Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data. Submit requests to privacy@syncschool.com. We respond within 30 days.
Terms of Service
Last updated: Jan 1, 20252.1 Acceptance of Terms
By accessing or using SyncSchool, you confirm that you are at least 18 years old (or the age of digital consent in your jurisdiction), that you have the authority to bind your institution if registering on its behalf, and that you have read and agree to these Terms.
2.2 License Grant
Subject to these Terms, SyncSchool grants your institution a limited, non-exclusive, non-transferable, revocable license to access and use the platform solely for internal educational management purposes during your subscription period.
2.3 Prohibited Conduct
- Reverse engineering, decompiling, or attempting to extract source code from the platform.
- Uploading or transmitting malware, unauthorized scripts, or harmful content.
- Circumventing authentication, access controls, or rate limits.
- Reselling, sublicensing, or providing platform access to third parties without consent.
- Harvesting or scraping data for commercial use outside your institution.
- Using the platform for any unlawful purpose or in violation of applicable education law.
2.4 Intellectual Property
SyncSchool retains all rights to the platform, branding, and proprietary AI models. Institutional data you upload remains your property; you grant SyncSchool a limited license to process it solely to provide the service.
2.5 Limitation of Liability
To the maximum extent permitted by law, SyncSchool's aggregate liability arising out of or related to these Terms will not exceed the fees paid by your institution in the twelve months preceding the claim. We are not liable for indirect, incidental, or consequential damages.
2.6 Termination
Either party may terminate the agreement with 30 days' written notice. SyncSchool may terminate immediately for material breach or non-payment. Upon termination, your data is available for export for 60 days, after which it is securely deleted.
Student Data Protection Policy
3.1 FERPA Compliance
SyncSchool operates as a "school official" under FERPA with a "legitimate educational interest." Education records are disclosed only to authorized institutional personnel and as otherwise permitted by FERPA. We do not disclose personally identifiable information from education records without written parental or eligible-student consent, except as FERPA allows.
3.2 COPPA Compliance (Under-13 Users)
When schools deploy SyncSchool to students under 13, the institution acts as the agent of parental consent under the COPPA school-official exception. We do not:
- Use children's personal information for advertising or marketing.
- Build behavioral profiles of children for commercial purposes.
- Share children's data with third parties except as necessary to provide the service.
- Condition a child's participation on the disclosure of more information than necessary.
3.3 Minimum Necessary Data
We collect only the minimum data required to deliver each feature. Administrators can configure data collection granularity at the institutional level via the privacy settings panel.
3.4 Student Record Ownership
Student education records remain the property of the student (and parents/guardians for minors) and the institution. SyncSchool has no independent right to use student records beyond service delivery, de-identified research, and platform improvement with contractual protections in place.
3.5 Consent Management
- Parental consent workflows are built into the onboarding flow.
- Schools can download signed consent records at any time.
- Consent can be withdrawn; data associated with a revoked consent is deleted within 30 days.
3.6 De-Identification Standards
Aggregate analytics shared outside the institution are de-identified to NIST SP 800-188 standards, ensuring no individual student can be re-identified from released datasets.
Acceptable Use Policy
All Users4.1 Permitted Uses
- Managing student enrollment, attendance, grades, and schedules.
- Communicating with students, parents, and staff within the platform.
- Generating academic reports, transcripts, and performance dashboards.
- Using AI-assisted grading, feedback, and early-intervention features.
- Administering assessments, assignments, and curriculum resources.
- Coordinating fee collection, transport, and cafeteria management.
4.2 Prohibited Uses
- Accessing another user's account without explicit authorization.
- Posting or sharing discriminatory, harassing, or abusive content.
- Attempting to probe, scan, or test the platform's security systems.
- Uploading content that infringes intellectual property rights.
- Using automation or bots to interact with the platform in unauthorized ways.
- Sharing login credentials or allowing unauthorized individuals access.
- Using student data to target, profile, or advertise to students or families.
4.3 Enforcement
Violations may result in feature restrictions, account suspension, or termination without refund, depending on severity. We reserve the right to cooperate with law enforcement for serious violations.
4.4 Reporting Violations
Report misuse or policy violations to trust@syncschool.com. All reports are handled confidentially.
Data Retention Policy
Last updated: Jan 1, 20255.1 Retention Schedules
- Active student records: Retained while the student is enrolled and for 5 years post-graduation (configurable per institutional policy).
- Attendance & grade records: Minimum 7 years from record creation to support transcript requests.
- Communication logs: 2 years for in-app messages; audit logs retained 3 years.
- Usage and access logs: 12 months, then purged or anonymized.
- Payment records: 7 years to satisfy financial regulation requirements.
- Deleted account data: Purged within 90 days of account deletion request, except where legal holds apply.
5.2 Institution-Controlled Retention
Administrators can define custom retention periods in the Data Management console, subject to regulatory minimums. Automated deletion workflows run nightly to enforce configured schedules.
5.3 Backup Retention
Database backups are retained for 30 days with point-in-time recovery. Backups are encrypted at rest and are not accessible to unauthorized parties.
5.4 Legal Holds
When SyncSchool receives a lawful preservation request, affected data is placed under a legal hold and exempted from normal deletion schedules until the hold is lifted.
Data Security Policy
7.1 Encryption
- In transit: All connections use TLS 1.2 or higher. HSTS is enforced with a 1-year max-age and preloading.
- At rest: Databases and file storage are encrypted with AES-256. Encryption keys are managed via a dedicated KMS with automatic rotation every 90 days.
- Backups: Encrypted with the same standards as live data.
7.2 Access Controls
- Role-based access control (RBAC) with principle of least privilege.
- Multi-factor authentication (MFA) available for all accounts; mandatory for administrators.
- Single sign-on (SSO) via SAML 2.0 and OAuth 2.0 for institutional identity providers.
- All privileged access is logged and subject to periodic access reviews.
- SyncSchool staff access to production systems requires approval and generates an immutable audit trail.
7.3 Infrastructure Security
- Hosted on SOC 2 Type II certified cloud infrastructure with ISO 27001 certification.
- Web Application Firewall (WAF) and DDoS mitigation at the network edge.
- Regular automated vulnerability scanning and annual penetration testing by a third-party security firm.
- Zero-trust network architecture: internal services authenticate each other via mTLS.
7.4 Vulnerability Disclosure
We run a responsible disclosure program. Report security vulnerabilities to security@syncschool.com. We acknowledge within 24 hours and aim to patch critical issues within 7 days.
Parent & Guardian Access Policy
FERPA §99.108.1 Access Rights
Parents and legal guardians of students under 18 may, through the school administration, request access to all education records held in SyncSchool. Schools must respond within 45 days (FERPA requirement). The SyncSchool parent portal provides real-time access to:
- Attendance records and absence notifications.
- Grade book entries and report cards.
- Homework assignments and submission status.
- Fee statements and payment history.
- Behavioral notes (as permitted by school policy).
- Communication history with teachers and staff.
8.2 Amendment Requests
Parents who believe a record contains inaccurate or misleading information may request an amendment through the school. SyncSchool provides tools for schools to flag, amend, and audit record corrections.
8.3 Transfer of Rights
When a student turns 18 or attends a post-secondary institution, FERPA rights transfer to the student. The platform automatically updates access permissions at the age of digital majority configured by the institution.
8.4 Guardian Verification
Guardian accounts are provisioned by the school after identity verification. Schools are responsible for confirming legal guardian status before granting portal access.
Third-Party Integration Policy
Last updated: Jan 1, 20259.1 Approved Integrations
SyncSchool maintains a curated marketplace of pre-vetted integrations including learning management systems, assessment platforms, library catalogs, transport management, and identity providers. Each integration undergoes:
- Security assessment against NIST Cybersecurity Framework.
- Privacy review for FERPA/COPPA compliance.
- Execution of a Data Processing Agreement (DPA).
- Annual re-review to maintain approved status.
9.2 Data Minimization for Integrations
Integrations receive only the minimum data scope needed to function. Administrators configure data-sharing permissions per integration at the field level. Broad data exports to unapproved systems are blocked by default.
9.3 API Access
Institutions accessing SyncSchool data via the REST/GraphQL API must authenticate with OAuth 2.0 tokens scoped to specific resources. API usage is logged, rate-limited, and subject to the same Acceptable Use Policy as the web platform.
9.4 Sub-Processor List
A current list of all sub-processors with access to personal data is maintained and updated at syncschool.com/sub-processors. Institutions are notified 30 days in advance of any new sub-processor additions.
Incident Response Policy
72-hr Notification10.1 Detection & Classification
Our security operations team monitors for anomalous access, unusual data transfers, and system compromises around the clock. Incidents are classified by severity:
- Critical: Confirmed unauthorized access to personal data affecting more than 100 individuals.
- High: Potential data exposure or service compromise under investigation.
- Medium: Policy violation or near-miss with no confirmed data exposure.
- Low: Isolated anomalies with no evidence of impact.
10.2 Notification Timeline
- 0–4 hours: Internal incident declared; response team assembled.
- 4–24 hours: Scope and impact assessment completed; containment measures applied.
- 24–72 hours: Affected institutions notified via email and in-app alert with all known details.
- 72 hours: Regulatory notifications submitted where required (GDPR Article 33, CCPA, state breach laws).
- Post-incident: Full written report delivered to affected institutions within 30 days.
10.3 Notification Contents
Breach notifications include: nature of the incident, categories and approximate volume of records affected, likely consequences, measures taken and proposed, contact person for queries, and guidance for affected individuals.
10.4 Business Continuity
SyncSchool maintains a tested Business Continuity Plan with a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour for critical services.
AI & Automated Decision-Making Policy
11.1 AI Feature Scope
SyncSchool uses AI and machine learning for the following purposes:
- Early-warning systems that flag students at risk of falling behind.
- Automated grading assistance for objective assessments (multiple choice, fill-in-the-blank).
- Natural language feedback suggestions for written assignments.
- Attendance anomaly detection and pattern analysis.
- Personalized learning pathway recommendations.
- Administrative workload automation (scheduling, substitution management, report generation).
11.2 Human Oversight Requirement
All AI-generated scores, flags, and recommendations are labelled as AI-assisted and require review and confirmation by a qualified educator or administrator before becoming part of the official student record. AI outputs cannot be published to parents or students without human sign-off.
11.3 Bias Monitoring
We conduct quarterly fairness audits of AI models across demographic dimensions including race, gender, language, and disability status. Models exhibiting statistically significant disparate impact are retrained or withdrawn. Audit reports are available to institutional administrators on request.
11.4 Explainability
Educators can request a plain-language explanation of any AI recommendation through the platform's "Why?" feature. We use interpretable model architectures where possible and supplement complex models with SHAP-based explanations.
11.5 Right to Human Review
In line with GDPR Article 22, individuals have the right to request human review of any automated decision that significantly affects them. Submit requests to ai-review@syncschool.com.
11.6 AI Training Data
Student data is never used to train commercial AI models or shared with AI providers for model improvement without explicit institutional consent and individual opt-in. Internal model improvements use privacy-preserving techniques such as federated learning and differential privacy.
Accessibility Policy
12.1 Our Commitment
SyncSchool is designed and developed to be accessible to all users, including those with visual, auditory, motor, and cognitive disabilities. We target WCAG 2.1 Level AA conformance and exceed it wherever feasible.
12.2 Accessibility Features
- Full keyboard navigation throughout the platform with visible focus indicators.
- Screen-reader compatibility (tested with NVDA, JAWS, VoiceOver, and TalkBack).
- Sufficient colour contrast ratios (minimum 4.5:1 for normal text, 3:1 for large text).
- Scalable text up to 200% without loss of content or functionality.
- Alternative text for all non-decorative images and icons.
- Captions and transcripts for all video content.
- High-contrast mode and reduced-motion preferences honoured via CSS media queries.
- Dyslexia-friendly font option (OpenDyslexic) available in user settings.
12.3 Testing & Maintenance
Accessibility is tested at every release cycle using automated tools (axe-core, Lighthouse) and manual testing with assistive technology users. A dedicated accessibility sprint is conducted semi-annually.
12.4 Reporting Barriers
If you encounter an accessibility barrier, contact us at accessibility@syncschool.com or use the in-app feedback button. We acknowledge accessibility reports within 2 business days and target resolution within 14 days for critical barriers.
12.5 Accommodation Support
For students with documented disabilities, SyncSchool supports individualized accommodation plans (IEPs/504 Plans). Administrators can configure extended time, larger text defaults, and screen-reader-first modes at the student-profile level.
Questions About Our Policies?
Our Data Protection Officer and Legal team are available to help institutions, parents, and students understand their rights and our obligations.
These policies are effective as of January 1, 2025 · SyncSchool Technologies Inc. · Version 3.0