Privacy, built for public schools.
Kidaboard is designed from the ground up to meet the obligations US public K-12 districts carry under FERPA (20 U.S.C. § 1232g) and COPPA (16 CFR Part 312). This page is the plain-English version - a formal Data Processing Addendum is available on request.
What we collect
Student roster data (first name, last name, school-issued student code, assigned route, optional NFC tag ID). Boarding and exit events (student ID, route ID, driver ID, timestamp, bus GPS coordinates at time of event). Guardian contact information (email, optional phone) - only for adults who create an account and link to a student. Drivers' contact information and assigned routes.
What we do not collect
We never collect student photographs, voice recordings, academic records, grades, disciplinary records, health information, or home addresses. We do not track student location independently of the bus - only a boarded/exited event tied to a known route.
Where the data lives
All production data is stored in Google Cloud regions within the United States. Custom data residency (e.g., specific state or FedRAMP-Moderate boundary) is available for districts with procurement requirements beyond the default.
Who can see what
Kidaboard enforces role-based, multi-tenant access at the database layer. Parents see only their own children. Drivers see only the roster for their current route. Administrators see only their own district. Cross-district access is not a feature - it is architecturally impossible.
How long we keep it
Boarding and exit events are retained for the academic year plus 90 days for audit and parent-inquiry purposes, after which they are automatically purged. Districts can request shorter retention in their Data Processing Addendum. Roster data is retained only while a student is enrolled; removal is immediate on roster update.
Deletion rights
A parent or guardian can request that their account and its associated records be deleted at any time. A district administrator can export or delete any user record in their district from the admin console within minutes. No manual vendor intervention is required.
Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256) using Google Cloud-managed keys. We are working toward SOC 2 Type II attestation; the timeline and our current posture are available on request.
Third-party processors
Google Cloud / Firebase (hosting, database, authentication, push notifications). Apple Maps / Google Maps (map rendering; no location data is shared with the provider - we request only tile rendering). We do not sell data, ever. We do not use student data for advertising, training, or any purpose outside operating the service.
Parental consent & COPPA
Students do not create accounts. Students do not install the app. Students do not carry phones. Student identification is via a passive NFC wristband or school-issued ID card. This design sidesteps the most common COPPA pitfalls entirely - we have no direct relationship with any child under 13.
Incident response
In the unlikely event of a security incident affecting your district, you will be notified within 24 hours with a preliminary scope and within 72 hours with a full incident report, consistent with GDPR Article 33 timing even though we are US-focused.
Contact
Security, privacy, and Data Processing Addendum requests: moe@kidaboard.com.