Student Data Privacy

Built for schools.
Bound by their rules.

ConciergePad operates as a School Official under FERPA's school official exception. We only handle student data for the purposes our schools direct, never sell or share it for marketing, and contractually bind every vendor in our chain to the same standard.

Request a DPA → What We Collect
FERPA COPPA PPRA State Privacy Laws SDPC Member
Our Commitments

What we promise every school district.

These commitments are baked into our contracts, our infrastructure, and the way we operate every day.

School Official

We act as a School Official under FERPA

ConciergePad is engaged by schools to perform functions the school would otherwise carry out internally. We operate under the school's direct control and use student data only for the contracted educational purposes.

  • Use limited to contracted Services
  • No redisclosure without consent
  • Direct school control over data use
No Sale. No Ads.

Student data is never sold or used for marketing

We do not sell, rent, license, or share student data with third parties for advertising, marketing, or profiling purposes. We do not build profiles of students for any commercial purpose.

  • No targeted advertising to students
  • No commercial profiling
  • No data sales, ever
COPPA & Under-13

Strict controls for students under 13

ConciergePad does not market to or interact directly with students. When the platform handles records on students under 13, we rely on the school's authority to consent on behalf of parents under FERPA's school official exception.

  • No direct student-facing marketing
  • School-authorized data collection only
  • No persistent identifiers used for advertising
Biometrics

Facial recognition is adults-only, opt-in

Our optional facial recognition is restricted to adults (staff, volunteers, approved guardians) and is 100% opt-in. We never apply facial recognition to minors. Adults who enrolled can request immediate, permanent deletion at any time.

  • Never used with students under 18
  • Raw images not retained after enrollment
  • Permanently deleted on unenrollment request
Retention & Deletion

Your data leaves when you do

Upon contract termination, all student data is returned to the school in a portable format or securely destroyed, per the school's direction. We provide written confirmation of deletion on request.

  • Export available in standard formats
  • Backups subject to the same deletion rules
  • Written confirmation on request
Breach Notification

Prompt notification on any incident

In the event of a confirmed breach affecting your data, we notify the school's designated data privacy contact promptly and in accordance with applicable state and federal law, with a follow-up containing scope, affected records, and remediation steps.

  • Notification to designated contact
  • Detailed incident report
  • Cooperation with state breach laws
Schedule of Data

High-level categories.

Below is a high-level overview of the categories of data ConciergePad may collect on behalf of a school, depending on which modules the school enables. A complete Schedule of Data, including specific fields, is provided to district data privacy officers as part of the executed Data Privacy Agreement.

Category
Description
Identifiers & Enrollment
Student name, school-assigned ID, grade level, and homeroom or section assignment used for roster matching and module workflows.
Guardian & Pickup Contacts
Authorized guardian and pickup contact names, relationship, phone numbers, and email addresses used for school operations and dismissal.
Visitor Records
Visitor sign-in information including name, photo, host, and timestamps when applicable. Visitor screening data is processed and not retained beyond what is necessary for operations.
Attendance & Movement
Tardy arrival, early dismissal, routine dismissal, and intra-campus movement records generated by the modules the school enables.
School-Defined Records
Discipline, behavior, hall pass, and similar records created by school staff using modules the school enables. The school controls all definitions and entries.
Photos (School-Provided)
Yearbook or SIS-provided student photos used for staff visual verification during routine operations. Not used for any form of automated recognition.
Adult Biometric Information (Opt-In)
Mathematical embeddings derived from enrollment photos of opting-in adult users (staff, volunteers, approved guardians). Never collected from minors.
Audit & Security Logs
Authentication events and administrative actions by staff users, retained for security monitoring and audit purposes consistent with FERPA.
Not Collected
ConciergePad does not collect special education, IEP, 504, free/reduced lunch, immigration status, or other sensitive categories outside the scope of the contracted Services.

Full field-level Schedule of Data available to district data privacy officers under DPA.

Service Providers

Vendors in our chain.

ConciergePad uses a limited set of established service providers in delivering our platform, all of which operate under written agreements with protections at least as strong as those in our school DPAs. The full named list, including current security attestations, is available to district data privacy officers on request.

Cloud Infrastructure

Enterprise US-based cloud hosting

All ConciergePad infrastructure is hosted with an established enterprise cloud provider in United States data centers. The provider holds current SOC 2, ISO 27001, and FedRAMP attestations.

Communications

Transactional email & SMS delivery

Established email and SMS delivery providers handle school notifications and two-factor authentication codes. Each maintains current SOC 2 attestation.

Payments

PCI-compliant payment processor

Payment processing is handled by a PCI DSS Level 1 certified processor. Card data is never stored within ConciergePad systems.

Background Screening

Volunteer screening provider

When schools enable volunteer screening, results are provided by an established background check provider. ConciergePad receives only pass/fail eligibility codes.

Mobile Delivery

Mobile app infrastructure

Push notification delivery for our mobile apps is handled by an established provider with current SOC 2 attestation.

Edge & Security

Content delivery and DDoS protection

Edge security, content delivery, and DDoS mitigation are provided by a leading internet infrastructure company with current SOC 2 and ISO 27001 attestations.

Schools receive advance notice of material changes to our service provider list.

Data Privacy Agreements

Contracts you can sign today.

ConciergePad signs national and state-specific Data Privacy Agreements through the Student Data Privacy Consortium (SDPC) framework, as well as district-specific agreements when required.

National

SDPC National DPA

Our default agreement for any district nationwide. Covers FERPA, COPPA, PPRA, and the common privacy obligations across SDPC state alliances.

  • Schedule of Data included
  • General Offer available
  • Standardized terms
State-Specific

State Addenda & State DPAs

For states with specific student privacy frameworks, including Utah, New York, California, Colorado, Illinois, Texas, and others, we sign the corresponding state-specific agreements or addenda.

  • State-specific compliance language
  • Parent rights provisions
  • State breach notification timelines
Custom

District-Specific DPAs

If your district uses its own DPA template, we will review and counter-sign promptly. Most reviews complete quickly.

  • Redlines accepted
  • Direct review by counsel where needed
  • Counter-sign or marked-up return
Request a DPA →
State Coverage

State laws we comply with.

Beyond FERPA, every state has its own student data privacy laws. ConciergePad complies with applicable student data privacy laws in every state we operate in, including states with named statutes such as Utah, New York, California, Colorado, Illinois, Texas, Virginia, Connecticut, and others.

For state-specific compliance language, please reach out and we'll provide the appropriate addendum or state-specific DPA.

Parent & Student Rights

If you're a parent reading this.

Under FERPA, parents and eligible students (18+) have specific rights regarding education records. Here's how ConciergePad supports those rights.

Your rights and how they work with ConciergePad

  1. Inspect & review. Under FERPA, you have the right to inspect and review your child's education records. Because we hold these records on behalf of your school, requests must be directed to the school. We respond to school requests for student data promptly.
  2. Request corrections. If information in ConciergePad is inaccurate, your school can update it directly in the platform or contact us if a deeper correction is needed. We never refuse a school-initiated correction.
  3. Consent to disclosure. We never disclose student records outside the school official exception without the school's written authorization or your consent.
  4. File a complaint. Concerns about how a school handles your child's education records can be filed with the U.S. Department of Education's Student Privacy Policy Office. Concerns specifically about ConciergePad can be sent to support@getconciergepad.com.
  5. Opt out of biometrics. Facial recognition is opt-in and adults-only. ConciergePad never enrolls minors in facial recognition. Adults who enrolled can request immediate, permanent deletion at any time.
Internal Safeguards

How we hold ourselves accountable.

For operational and infrastructure security controls, see our Data Security page. Below are the privacy-specific commitments.

Annual Training

Mandatory annual privacy training

Every ConciergePad team member with access to school systems completes annual FERPA, COPPA, and information security training.

Access Reviews

Regular access reviews

Production access to school data is reviewed on a regular basis. Access is granted on a least-privilege basis and logged. Departing personnel access is revoked promptly.

Background Checks

Background checks on all staff

Any team member with potential access to student data is screened before being granted access. This includes contractors and consultants.

Incident Response

Documented and tested IR plan

We maintain a written incident response plan with defined roles, escalation paths, and notification commitments.

Vendor Reviews

Ongoing service provider reviews

Every service provider in our chain is reviewed for security posture and current attestations. Changes are disclosed to schools.

Third-Party Testing

External security testing

ConciergePad infrastructure and applications undergo external security testing. Findings are tracked to remediation with severity-based timelines.

Get in Touch

Talk to us about student privacy.

Whether you're a district data privacy officer, a parent with a question, or a procurement team running due diligence, we want to hear from you.

For District Data Privacy Officers

Questions about our DPAs, service provider list, full Schedule of Data, or state-specific compliance? We respond promptly.

support@getconciergepad.com →

For Parents & Guardians

Questions about your child's data should generally go to your school first, since they own the records. We're happy to help schools answer those questions.

support@getconciergepad.com →

For IT & Security Teams

Need our security overview, vendor questionnaire responses, or to schedule a security review? Reach out and we'll get you what you need.

support@getconciergepad.com →

For Researchers & Reporters

If you've identified a privacy concern or have a media inquiry related to student data, please reach out before publishing. We'll engage in good faith.

support@getconciergepad.com →

Need a signed DPA to move your procurement forward?

Send us the template your district uses or tell us which state you're in. We'll move quickly.

Request a DPA →