Privacy Policy

Chinuch App (“we,” “our,” or “us”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our educational management platform.

We comply with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and other applicable student privacy laws.

2.1 Student Data

We collect student information provided by schools or parents, including:

• Student names, grade levels, and class assignments
• Attendance records
• Behavior logs and incident reports
• Assessments, grades, and academic progress
• Standards and skills tracking data
• Bus check-in/check-out records
• Emergency contact information
• Parent/guardian information

2.2 Teacher & Staff Information

• Names, email addresses, and contact information
• School affiliation and role
• Class assignments and schedules
• Login credentials (encrypted)

2.3 Parent Information

• Names, email addresses, and phone numbers
• Relationship to students
• Account credentials

2.4 Usage Data

• Log data (IP addresses, browser type, pages visited)
• Device information
• Usage patterns and preferences
• Audit logs of data access and modifications

2.5 Financial and Payment Data

When schools or parents use our payment features, we collect payment-related information through our payment processor, Stripe:

• Credit/debit card details (processed and stored securely by Stripe, not stored on our servers)
• Bank account information for ACH payments (tokenized account and routing numbers)
• Billing addresses
• Payment history and transaction records
• Account ownership verification details

Important: We use Stripe Financial Connections to securely verify bank account ownership and enable ACH payments. We do not access your bank balance, transaction history, or any other financial data beyond what is necessary for payment processing.

We use the collected information solely for educational and school operational purposes:

• Provide and maintain our educational services
• Track student progress and academic performance
• Facilitate communication between teachers, students, and parents
• Generate reports and analytics for educational improvement
• Manage attendance and behavior tracking
• Handle transportation and bus logistics
• Process tuition payments, event fees, and other school-related payments
• Ensure platform security and prevent fraud
• Comply with legal obligations (FERPA, COPPA, state laws)

We do NOT use student data for:

• Advertising or marketing purposes
• Behavioral profiling for commercial purposes
• Selling or renting data to third parties
• Any non-educational purpose

We do not sell, trade, or rent student data. We may share information only with:

• The School: Teachers, administrators, and authorized staff within the school organization
• Parents/Guardians: For their own children's records, as authorized by the school
• Service Providers: Vendors who assist in platform operations. All must sign data protection agreements
• Legal Requirements: When required by law, court order, or to protect rights and safety

We never share student data with advertisers or unrelated third parties.

We implement industry-standard security measures to protect your data:

• Encryption of data in transit (HTTPS/TLS) and at rest
• Secure authentication with password hashing
• Role-based access controls
• Multi-school data separation
• Audit logs for all data access and modifications
• Regular security audits and updates
• Secure data centers with physical security
• Incident response procedures
• Regular backups with encryption

A detailed Security Policy is available upon request or at /legal/schools.

We comply with the Family Educational Rights and Privacy Act (FERPA) and are designated as a School Official with a legitimate educational interest. We:

• Protect student education records as required by FERPA
• Limit access to authorized school officials and parents
• Do not disclose personally identifiable information without consent
• Allow parents to review and request corrections to their child's records
• Maintain student data ownership with the school
• Provide data export capabilities upon request
• Delete data according to school requests and retention policies

We comply with the Children's Online Privacy Protection Act (COPPA). For children under 13:

• Schools may consent on behalf of parents for educational use
• Parents may directly provide consent through school invitation
• We collect only information necessary for educational services
• We do not allow children to submit personal information directly
• We do not use children's data for advertising or commercial purposes

For detailed COPPA information, see our COPPA Notice.

We comply with applicable state student privacy laws, including:

• California SOPIPA
• New York Education Law §2-d
• Colorado SB 16-173
• Texas Student Privacy Laws
• Other applicable state regulations

We retain student data only as long as necessary:

• Active Schools: Data is retained while the school's account is active
• School Termination: Data is archived for 60 days, then permanently deleted
• School Requests: We delete specific student records within 10 business days
• Audit Logs: Retained for 1 year for compliance

Schools own 100% of all Student Data. Schools may:

• Access, edit, export, or delete student data at any time
• Request full data exports in CSV, JSON, or SQL format
• Request deletion of individual students, classes, or full database
• Transfer data to other systems

We provide data exports within 10 business days of request.

In the event of unauthorized access or disclosure of student data, we will:

• Notify affected schools within 72 hours of confirming a breach
• Provide details about what happened and what data was affected
• Describe steps taken to contain and remediate the issue
• Offer guidance and support for schools
• Cooperate fully in any investigation

You have the right to:

• Access your personal information
• Correct inaccurate data
• Request deletion (subject to legal requirements)
• Opt-out of non-essential communications
• Data portability and export
• Review audit logs of data access

Parents requesting corrections or deletions should contact their child's school, as schools control educational records under FERPA.

We may use service providers (subprocessors) to support platform operations:

• Hosting and infrastructure providers (e.g., Supabase)
• Email notification services
• Security and monitoring tools
• Payment processing (Stripe, Inc.) — PCI-DSS Level 1 certified

All subprocessors must sign data protection agreements and meet equal or higher security standards.

Our platform enables schools to collect tuition payments, event fees, and other school-related charges.

14.1 Payment Processor

All payment processing is handled by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. We do not store credit card numbers or full bank account numbers on our servers.

14.2 Stripe Financial Connections

For ACH bank payments, we use Stripe Financial Connections to securely link and verify bank accounts. We do NOT access your bank balance or transaction history.

14.3 Payment Data Retention

Payment records are retained as long as the school account is active and for 7 years thereafter for tax and legal compliance purposes.

We may update this Privacy Policy periodically. We will notify schools of material changes via email or platform notification. Continued use of the platform after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy:

Email: privacy@chinuchapp.com
Support: support@chinuchapp.com
Website: chinuchapp.com

For school-specific legal agreements, visit /legal/schools.