LEGAL

Privacy Policy.

Last updated: April 19, 2026

1. Who we are

Kidaboard is a school-bus tracking service operated in partnership with US K-12 public school districts. The school district you are associated with is the "School" referenced below; Kidaboard acts as a processor of student data on behalf of the School.

2. Information we collect

We collect:

  • Student data provided by the School: first name, last name, a student code, assigned route, and optional NFC tag identifier. Student data is a School record under FERPA; we do not collect it directly from students.
  • Guardian account data: email address, password hash, optional phone number, and the student(s) the guardian is linked to.
  • Driver account data: email address, password hash, district assignment, and the routes they are authorized to operate.
  • Operational events: when a driver checks a student in or out of a bus, we record the event with a timestamp, the student ID, route, driver, and the bus's GPS coordinates at the moment of the scan.
  • Bus location while a driver is actively running a route: only while the driver has the app open and tapped "Start route." Location ends the moment the route ends.
  • Device tokens for push notifications (if you enable them).

3. What we do not collect

We never collect student photographs, voice recordings, academic records, grade information, disciplinary records, health information, or home addresses. We do not independently track students' location - only the bus's location at the moment a boarding or exit event is recorded.

4. How we use information

We use the information solely to operate the Kidaboard service: showing parents live bus status and notifications, helping drivers run routes accurately, and giving district administrators a district-wide operational view. We do not use student or guardian data for advertising, for training machine-learning models, or for any purpose beyond operating the service for your School.

5. How we share information

We share information only as follows:

  • With the School that is responsible for the student (district administrators, school staff with appropriate access).
  • With parents/guardians linked to a specific student, scoped to that student's information only.
  • With the drivers assigned to a student's route, scoped to the roster for that route only.
  • With service providers strictly necessary to operate the service: Google Cloud / Firebase (hosting, database, authentication, push delivery). These providers act as sub-processors and are contractually bound to equivalent privacy terms.

We do not sell personal information. We do not share personal information with advertisers, data brokers, or marketing partners.

6. How long we keep information

Boarding and exit events are retained for the academic year plus 90 days for audit and parent-inquiry purposes, after which they are automatically deleted. Roster data is retained only while a student is enrolled; removal is immediate on roster update from the School. Guardian accounts are retained while active; closed accounts are deleted within 30 days.

7. Your rights

Parents, students, and their guardians have the right to:

  • Access the information we hold about them
  • Request correction of inaccurate information
  • Request deletion of their personal information (subject to the School's record-keeping obligations)
  • Withdraw consent for optional features like push notifications at any time

Requests should be directed to your School in the first instance. You may also contact Kidaboard directly at moe@kidaboard.com.

8. Children's privacy (COPPA)

Kidaboard is designed so that students do not interact with the service directly. Students do not create accounts, install apps, or provide any information. A passive NFC tag or school-issued ID is scanned by a driver; the student's record is entered into the system only by the School acting under FERPA. Consistent with COPPA (16 CFR Part 312), we do not knowingly collect personal information from children under 13 via direct interaction with the service.

9. Data residency

All production data is stored in Google Cloud regions within the United States. Custom data residency (a specific state, FedRAMP-Moderate boundary, or equivalent) is available to Schools with procurement requirements beyond our default.

10. Security

We encrypt data in transit (TLS 1.3) and at rest (AES-256) using Google Cloud-managed keys. Access is scoped at the database layer by role and district. We are working toward SOC 2 Type II attestation; current posture is available on request.

11. Incident response

In the unlikely event of a security incident affecting your School's data, you will be notified within 24 hours with a preliminary scope and within 72 hours with a full incident report.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify Schools and affected guardians by email and by posting a notice on kidaboard.com. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

13. Contact

Privacy questions, Data Processing Addendum requests, and security reports all go to moe@kidaboard.com.