Introduction
VantageTech Apps, LLC, a Delaware limited liability company ("we," "us," "our," or the "Company"), operates the School-Core platform (the "Service"), a cloud-based school management system available at school-core.com and related subdomains.
This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use our Service. It applies to all users of the Service, including school administrators, teachers, staff, students, parents/guardians, partners, and visitors.
We are committed to protecting the privacy and security of personal information, particularly the data of children and minors. We comply with applicable data protection laws worldwide, including but not limited to:
- General Data Protection Regulation (GDPR) (EU/EEA/UK)
- Family Educational Rights and Privacy Act (FERPA) (United States)
- Children's Online Privacy Protection Act (COPPA) (United States)
- California Consumer Privacy Act (CCPA/CPRA) (California, United States)
- Protection of Personal Information Act (POPIA) (South Africa)
- Personal Data Protection Act (PDPA) (Singapore, Thailand, Malaysia)
- Information Technology Act, 2000 & Digital Personal Data Protection Act, 2023 (India)
- Privacy Act 1988 & Australian Privacy Principles (APPs) (Australia)
- Privacy Act 2020 (New Zealand)
- Lei Geral de Protecao de Dados (LGPD) (Brazil)
- Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Sensitive Personal Data" means data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation, or criminal records, as well as data concerning children.
- "Data Controller" means the entity that determines the purposes and means of processing Personal Data. For school-managed data, the subscribing school or institution is the Data Controller.
- "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller. School-Core acts as Data Processor for school-managed data.
- "Data Subject" means the individual whose Personal Data is processed.
- "Tenant" means a subscribing school, institution, or organization using the Service.
- "Sub-processor" means a third-party service provider engaged by School-Core to assist in processing Personal Data.
Our Role: Controller vs. Processor
School-Core as Data Processor: When schools and institutions use our Service to manage student, staff, and parent data, the school is the Data Controller and School-Core is the Data Processor. We process this data solely on the school's instructions and in accordance with our Data Processing Agreement (DPA).
School-Core as Data Controller: We act as Data Controller for:
- Account registration and authentication data
- Platform usage analytics (aggregated, non-personal)
- Partner and reseller data
- Marketing and communications (where applicable)
- Website visitor data
Personal Data We Collect
Data Provided by Schools (Processor Role)
Schools may upload or enter the following categories of data into the Service:
Student Data
| Category | Data Elements |
|---|---|
| Identity | First name, last name, middle name, local language names, nickname, date of birth, gender, nationality, admission number, profile image |
| Contact | Email, phone, residential address (street, city, state, zip, country), emergency contact name and phone |
| Demographic | Blood group, religion, caste, mother tongue, languages spoken, second nationality |
| Educational | Previous school, last grade attended, transfer reason, curriculum type, enrollment records, grades, transcripts, submissions, attendance records |
| Health | Medical notes, allergies, chronic conditions, current medications, dietary restrictions, immunization records, clinic visit records, health screenings, physician name and contact, insurance provider and policy number, vital signs |
| Counseling | Counseling case records, session notes, referrals, wellness observations, goals, interventions (marked confidential) |
| Behavioral | Behavior incidents, escalations, disciplinary actions, private notes |
| Financial | Fee invoices, payment records, discounts, scholarship status |
| Extracurricular | Activity memberships, awards, competition entries, quest/gamification progress (XP, badges, streaks) |
Staff/Employee Data
| Category | Data Elements |
|---|---|
| Identity | First name, last name, middle name, local language names, employee ID, date of birth, gender, profile image |
| Contact | Email, phone, residential address, emergency contact |
| Employment | Designation, department, qualification, experience, join date, contract type, contract dates |
| Financial | Salary, bank account details (account number, routing number, bank name, branch), PAN number, Aadhar number |
| Health | Medical notes, blood group |
| HR Records | Attendance records, leave requests, payroll data, performance appraisals, CPD training logs, compliance documents, disciplinary cases, grievance cases, contracts, onboarding records |
Parent/Guardian Data
| Category | Data Elements |
|---|---|
| Identity | First name, last name, local language names, profile image |
| Contact | Email, phone, alternate phone, residential address |
| Employment | Occupation, employer name |
| Financial | Fee invoices, payment history |
| Relationship | Relationship to student, primary contact status |
Visitor Data
| Category | Data Elements |
|---|---|
| Identity | Name, government ID type and number |
| Contact | Phone, email |
| Visit | Purpose, person to meet, department, check-in/out times, badge number, vehicle number |
Data We Collect Directly (Controller Role)
Account Registration
- Email address, first name, last name, password (hashed)
- School/institution name
Authentication Data
- OAuth tokens (Google, Microsoft) — encrypted
- Session tokens (JWT-based)
- Last login timestamp
- Password reset tokens (temporary, cryptographically generated)
Partner/Reseller Data
- Company name, contact person, email, phone, website
- Business address, tax ID, business registration number
- Banking/payout details (bank name, account number, SWIFT/IBAN, PayPal/Wise details)
- Commission rates, sales data, referral codes
- Team member names, emails, roles
Automatically Collected Data
- IP address (logged in audit trail)
- User agent (browser/device information)
- Pages accessed and actions performed (audit logs)
- Timestamps of activity
Data We Do NOT Collect
- We do not use tracking cookies, advertising cookies, or third-party analytics (no Google Analytics, Facebook Pixel, etc.)
- We do not sell, rent, or trade personal data to third parties
- We do not engage in behavioral advertising or profiling for marketing purposes
How We Use Personal Data
Purpose of Processing (Processor Role — School Data)
We process school data solely to:
- Provide the Service as instructed by the subscribing school
- Manage student enrollment, academic records, attendance, and assessments
- Facilitate classroom management, assignments, and grading
- Generate report cards, transcripts, and progress reports
- Manage health records, clinic visits, and immunization tracking
- Facilitate counseling case management and wellness monitoring
- Process staff HR functions (attendance, payroll, recruitment, appraisals)
- Enable communication between school stakeholders
- Manage school finances (fee invoicing, payment tracking)
- Provide AI-powered features (tutoring, quiz generation, lesson planning, grading assistance, report card comments)
- Manage facility operations (transport, library, hostel, visitor management)
- Generate analytics and dashboards for school decision-making
Purpose of Processing (Controller Role — Our Data)
We process data we control to:
- Create and manage user accounts and authentication
- Provide customer support
- Send transactional communications (password resets, system notifications)
- Manage partner/reseller relationships and commissions
- Monitor and improve the security and performance of the Service
- Comply with legal obligations
- Enforce our Terms of Service
Legal Basis for Processing (GDPR)
| Purpose | Legal Basis |
|---|---|
| Service delivery to schools | Performance of contract (Art. 6(1)(b)) and Processor obligations (Art. 28) |
| Student educational records | Legitimate interests of the school (Art. 6(1)(f)) and/or consent |
| Health and counseling data | Explicit consent or vital interests (Art. 9(2)(a)/(c)) — managed by school |
| Account management | Performance of contract (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Partner management | Performance of contract (Art. 6(1)(b)) |
AI-Powered Features and Data Processing
AI Services Overview
School-Core integrates artificial intelligence features to enhance educational outcomes. These features are optional and configurable by school administrators.
Data Sent to AI Providers
When AI features are activated, the following data may be sent to our AI sub-processors:
| AI Feature | Data Transmitted |
|---|---|
| Study Buddy (AI Tutor) | Student messages, conversation history, coursework context, student language preference |
| Quiz Generation | Topic, difficulty level, learning standards |
| Lesson/Unit Plan Generation | Subject, grade level, curriculum standards, learning objectives |
| Essay Feedback | Essay text content, rubric criteria |
| Report Card Comments | Student name, assessment data, performance metrics |
| Behavior Insights | Anonymized behavior incident data, frequency/severity patterns |
| At-Risk Detection | Academic metrics, attendance data, behavior records |
| Parent Digest | Student progress summaries, achievements |
| OCR (Document Scanning) | Image data for text extraction |
| Grading Assistant | Submission content, rubric criteria |
AI Sub-processors
| Provider | Purpose | Data Location |
|---|---|---|
| Anthropic (Claude) | Primary AI processing | United States |
| OpenAI (GPT) | Alternative AI processing | United States |
AI Data Safeguards
- AI providers process data in real-time and do not retain prompts or outputs for training purposes under our enterprise agreements
- No student data is used to train or improve AI models
- AI responses are not stored by the AI providers beyond the immediate request
- All AI requests are rate-limited per user and per tenant
- AI usage is tracked and budget-controlled per subscription
- Schools can enable or disable individual AI features
- AI features are subject to the same tenant isolation as all other data
AI and Children's Data
- AI features involving student data are controlled by the school (Data Controller)
- Schools are responsible for obtaining appropriate consent for AI feature use
- The Study Buddy AI tutor operates in a controlled, curriculum-aligned environment
- AI outputs are supplementary and do not replace human educator judgment
Data Sharing and Disclosure
Sub-processors
We use the following categories of sub-processors:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (PostgreSQL) | Primary database hosting | All platform data | Singapore (AWS ap-southeast-1) |
| Vercel | Application hosting and edge delivery | Application data, platform-generated files | Global (edge network) |
| Cloudflare R2 | User file storage | User-uploaded documents, attachments, media | Configurable (region hints available) |
| Upstash | Rate limiting and caching | User IDs, request metadata (ephemeral) | Global |
| Resend | Transactional email delivery | Email addresses, names, email content | United States |
| Anthropic | AI processing | As described in Section 6.2 | United States |
| OpenAI | AI processing | As described in Section 6.2 | United States |
| Stripe | Payment processing for platform / AI subscription fees and partner payouts (school-collected parent fees do not flow through Stripe) | Card data captured directly by Stripe (never reaches our servers); Stripe customer + payment intent identifiers; billing address | United States / Global |
| Sentry | Error monitoring | Error context, stack traces (no PII by design) | United States |
| Google (OAuth) | Authentication for users signing in with a Google Workspace account, plus Google Drive personal-account connections | Authentication tokens, basic profile (name, email) | Global |
| Microsoft Entra ID | Authentication for users signing in with a Microsoft 365 / Entra account, plus OneDrive personal-account connections | Authentication tokens, basic profile (name, email) | Global |
The current sub-processor list is published at https://school-core.com/legal/sub-processors and updated within 30 days of any change. Schools receive 30 days' advance notice of additions or replacements (see DPA §6.3).
Third-Party Integrations (School-Controlled)
Schools may optionally enable the following integrations, which involve sharing data with the respective providers:
- Google Workspace — SSO authentication, Google Drive file access
- Microsoft 365 — SSO authentication, OneDrive file access
- Clever — Student/staff roster synchronization
- ClassLink — SSO and roster synchronization
- OneRoster — Standards-based data interoperability
These integrations are initiated and controlled by the school. School-Core acts as a conduit and does not independently share data with these providers.
When We May Disclose Data
We may disclose Personal Data only in the following circumstances:
- With the school's authorization — as instructed by the Data Controller
- To sub-processors — as listed above, under binding data processing agreements
- Legal requirements — to comply with applicable law, regulation, legal process, or enforceable governmental request
- Safety — to protect the rights, property, or safety of School-Core, our users, or the public
- Business transfer — in connection with a merger, acquisition, or sale of assets (with prior notice to affected schools)
We Do NOT:
- Sell personal data to third parties
- Use personal data for advertising or marketing purposes
- Share data with data brokers
- Provide personal data to government agencies except as required by law
- Use student data to build profiles for non-educational purposes
Platform Support Access (Impersonation)
To investigate bug reports, recover lost data, and help schools through onboarding, members of the School-Core support team can — under strict controls — temporarily enter a school's tenant and view the same screens a school administrator would see. We refer to this as impersonation, and the controls below apply on every single occurrence:
- Limited authorisation. Only support staff who hold the platform
SUPPORT_MANAGERrole (or the broaderSUPER_ADMINrole) and whose individualcanImpersonateflag is set may start an impersonation session. Most support agents do not have this flag. - Documented justification. A reason for the access (e.g. "ticket #1234 — invoice display bug") is captured at the moment the session is opened.
- Audit trail. The session start, the agent's identity, the target tenant, and the stated reason are written to the audit log under
IMPERSONATION_STARTED. The session end is recorded underIMPERSONATION_ENDEDalong with whether it was self-ended or force-ended by a manager. **Both entries are written against the target tenant's audit log**, so the school's own administrators see exactly who from our team accessed their data and when. - Time-bounded. Sessions auto-terminate after a fixed period and can be force-ended at any time by a Support Manager or Super Admin.
- No bulk access. A support agent can only impersonate one user at a time and can only view what that user is permitted to see — they do not gain a "god mode" view of the whole tenant.
- Quarterly access review. All members of the support team are subject to a recurring access review (
AccessReviewrecords) where their continued need for the impersonation flag is reassessed. Review outcomes —APPROVED,PERMISSIONS_REDUCED,SUSPENDED,FLAGGED— are themselves audit-logged. - Data Processing Agreement. Every member of the support team signs a Data Processing Agreement before being granted access, and that signature is captured in the audit log (
DPA_ACKNOWLEDGED).
What this means for parents and end-users. When a school administrator opens a support ticket that requires us to look at student or staff data, our support team's view of that data is recorded in your school's audit log alongside every other tenant action. You can ask your school administrator to show you those entries; under FERPA / GDPR you have a right to know who has accessed your records. We do not view tenant data outside of an open, audit-logged impersonation session.
Data Retention
School-Managed Data
Data uploaded by schools is retained for the duration of the school's subscription plus a post-termination grace period:
- During subscription: All data retained and accessible
- After termination — 30 days: Schools may export their data via the platform
- After termination — 90 days: Active data permanently deleted from production database
- After termination — 1 year: All archived data (including audit logs and backups) permanently deleted
- Schools may request earlier deletion at any time
Automated Data Lifecycle
The Service automatically manages data retention to balance utility with privacy:
| Data Type | Retention Period | Action |
|---|---|---|
| Read notifications | 90 days after read | Automatically deleted |
| Audit logs (detailed) | 3 years | Archived to cold storage after 1 year, permanently deleted after 3 years |
| XP transaction details | 2 years | Individual transaction records deleted; aggregated profile totals preserved |
| XP profile aggregates | Duration of enrollment | Retained for cumulative progression across the student's school career |
| AI usage summaries | 1 year | Automatically deleted |
| Password reset tokens | 1 hour | Automatically expired and nullified |
| Deletion request records | 3 years | Retained for compliance audit trail |
Note on Audit Logs: Detailed audit logs (who did what, when, from where) are retained in the production database for 1 year for active querying. After 1 year, logs are archived to compressed cold storage (Cloudflare R2) where they remain accessible for compliance requests. After 3 years total, archived logs are permanently deleted. Schools may request audit log extracts for specific periods via our support team.
Note on XP Data: The gamification system tracks both cumulative lifetime XP and annual XP for each student. A student's aggregated XP profile (total XP, current level, tier, streak records, effort/achievement breakdowns, and coin balance) is retained for the full duration of their enrollment — which may span multiple years (e.g., Grade 3 through Grade 12). Only the granular transaction-level details (individual XP award records) are pruned after 2 years to manage database size, while the meaningful totals remain intact.
Account Data
- Active accounts: retained for the duration of the relationship
- Inactive accounts: retained for up to 2 years, then anonymized or deleted
- Audit logs: retained for 3 years (1 year active + 2 years archived)
Partner Data
- Active partner data: retained for the duration of the partnership
- Terminated partnerships: financial records retained for 5 years (tax/legal requirements), other data deleted within 90 days
Data Security
We implement comprehensive technical and organizational measures to protect Personal Data:
Technical Measures
- Encryption in Transit: All data transmitted via TLS 1.2+ (HTTPS enforced); HSTS in force
- Encryption at Rest: AES-256 across the database and object storage; additional application-level AES-256-GCM encryption on sensitive fields (MFA secrets, OAuth refresh tokens)
- Password Security: Passwords stored as irreversible bcrypt hashes at industry-recommended cost
- Authentication: Encrypted, server-issued session tokens with periodic refresh
- Multi-Factor Authentication: TOTP authenticator apps required for administrative roles, available to all users; one-time backup codes for recovery
- Single Sign-On: OAuth 2.0 with Google Workspace and Microsoft Entra ID
- Rate Limiting: Applied to authentication, account creation, password reset, and public form submissions
- Token Security: Cryptographically secure random tokens for password reset and activation flows, short-lived and single-use
Access Controls
- Role-Based Access Control (RBAC): A comprehensive role catalog covering school, leadership, specialist, platform, and partner contexts, plus a custom-role mechanism for tenant-defined permission sets
- Three-Layer Permission System: Role defaults, tenant-level overrides, user-level overrides
- Multi-Tenant Isolation: Every tenant-scoped database query enforces a tenant filter; defense-in-depth scoping on all create / update / delete operations
- Principle of Least Privilege: Users only access data required for their role
- Audit Logging: All data access and modifications are logged with IP address, user agent, and timestamp; auth-failure categories captured for security review
Organizational Measures
- Regular security assessments and code reviews
- Incident response procedures
- Employee security training
- Background checks for personnel with data access
- Data processing agreements with all sub-processors
For full details, see our separate Security Policy document.
Children's Privacy
COPPA Compliance (United States)
- School-Core does not collect personal information directly from children under 13
- All student data is provided by and controlled by the school
- Schools are responsible for obtaining verifiable parental consent as required by COPPA
- We rely on the school's authority under COPPA to consent on behalf of parents for the educational use of the Service
- We do not use children's data for commercial purposes unrelated to the educational context
- We do not condition a child's participation on providing more data than necessary
How We Obtain Verifiable Parental Consent (VPC)
When a school records consent in the platform we capture not only the outcome (granted, denied, withdrawn) but also which FTC-recognised method produced it, the identity of the person who granted it, the timestamp, and a full audit trail (IP address, user agent, browser session). The recorded method is one of:
| Method (enum value) | When it applies | FTC reference |
|---|---|---|
SCHOOL_AUTHORIZATION | A school administrator marks consent on behalf of the parent in the educational context. We use this as our default for under-13 students because we collect data solely for the school's educational purpose with no commercial use. | FTC COPPA FAQ M.1 / M.2 — the school-authorisation exception. |
PARENT_PORTAL_OPTIN | A parent logs in to their own authenticated parent account, reads the consent disclosure on screen, and clicks GRANT. Combines authentication, written disclosure, and an explicit click. | 16 CFR § 312.5(b)(2)(vii) — "email-plus" pattern. |
SIGNED_FORM | A school uploads a signed paper / PDF consent form returned by the parent. | 16 CFR § 312.5(b)(2)(i) — signed form. |
EMAIL_PLUS_CONFIRMATION | A school records that consent was obtained via an email exchange with a documented second-step verification. | 16 CFR § 312.5(b)(2)(vii). |
PHONE_CALL | A school records that consent was obtained over the phone by trained personnel, with the call documented. | 16 CFR § 312.5(b)(2)(iii). |
OTHER | Any other method permitted by the school's local rules; the specific method is captured in the consent notes field. | — |
Disclosure presented to parents at the moment of consent. When a parent grants consent through their authenticated account, they see (and must scroll past before the GRANT button enables): what data is collected, why, who it is shared with, the parent's rights to review and delete, and instructions for withdrawing consent at any time.
Annual review. Granted consent is treated as valid until the parent withdraws it or the student's school authority lapses. Schools may run annual re-consent campaigns through the same flow.
Withdrawal. A parent (or the school) can change parentalConsentStatus to WITHDRAWN at any time. This immediately disables AI processing of that student's data, blocks photo collection and publication, and triggers a 30-day deletion countdown for any data not subject to mandatory retention (e.g. transcripts, safeguarding records).
No commercial use, ever. The school-authorisation exception under COPPA is conditional on the operator using the data only for the educational benefit of the school. We use children's data only for the platform's educational purpose; we do not display advertising to students, do not profile them for marketing, do not sell their data, and do not allow our sub-processors to do so. (See Section 7.4.)
GDPR — Children's Data (EU/EEA/UK)
- Processing of children's data is based on the school's role as Data Controller
- Schools must ensure a valid legal basis (typically legitimate interests for educational purposes or parental consent)
- We process children's data solely for educational purposes as instructed by the school
General Principles
- Student data is used exclusively for educational purposes
- We apply heightened security protections to student data
- Behavioral tracking and gamification features (Quest Mode, XP) serve educational goals only
- AI features involving children operate within controlled, curriculum-aligned parameters
- We do not create marketing profiles of students
- We do not serve advertisements to students
International Data Transfers
Data Locations
| Data Type | Primary Location | Basis for Transfer |
|---|---|---|
| Database (PostgreSQL) | Singapore (AWS ap-southeast-1) | Standard Contractual Clauses (SCCs) |
| Application Hosting | Global (Vercel Edge) | SCCs and adequacy decisions |
| File Storage | Configurable region (Cloudflare R2) | SCCs; region selection available for data residency |
| AI Processing | United States (Anthropic/OpenAI) | SCCs |
| Email Delivery | United States (Resend) | SCCs |
Transfer Safeguards
For transfers of Personal Data outside the EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) for UK transfers
- Binding data processing agreements with all sub-processors
- Supplementary technical measures including encryption in transit and at rest
Data Sovereignty
Schools may request information about the specific geographic location of their data. We work with our infrastructure providers to accommodate data residency requirements where technically feasible.
Your Rights
Rights Under GDPR (EU/EEA/UK Residents)
You have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7)
- Lodge a complaint with a supervisory authority
Rights Under CCPA/CPRA (California Residents)
You have the right to:
- Know what personal information is collected and how it is used
- Delete personal information
- Opt-out of the sale or sharing of personal information (we do not sell data)
- Non-discrimination for exercising your rights
- Correct inaccurate personal information
- Limit use of sensitive personal information
Rights Under Other Jurisdictions
We respect data subject rights under all applicable laws, including POPIA (South Africa), LGPD (Brazil), PDPA (Singapore/Thailand/Malaysia), PIPEDA (Canada), and India's DPDP Act.
How to Exercise Your Rights
For school-managed data (student, staff, parent data): Please contact your school's data protection officer or administrator. As the Data Processor, we will assist the school in fulfilling your request.
For account and partner data: Contact us at: privacy@school-core.com
We will respond to verified requests within:
- 30 days (GDPR)
- 45 days (CCPA)
- Or as required by applicable law
Cookie Policy
Cookies We Use
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
authjs.session-token | Authentication session | Essential/Functional | Session |
school-context-id | Admin school context switching | Essential/Functional | Session |
school-context-name | Admin school context display | Essential/Functional | Session |
What We Do NOT Use
- No advertising or tracking cookies
- No third-party analytics cookies
- No social media cookies
- No cross-site tracking
Because we only use essential cookies required for the Service to function, cookie consent banners are not required under most jurisdictions. However, we disclose our cookie usage here for transparency.
Changes to This Policy
We may update this Privacy Policy from time to time. We will:
- Post the updated policy on our website with a new "Last Updated" date
- Notify school administrators via email for material changes
- Provide at least 30 days' notice for material changes affecting data processing
- Maintain an archive of previous versions upon request
Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
Data Protection Officer and Regional Contacts
For questions or concerns about this Privacy Policy or our data practices, contact the Data Protection Officer first; the regional addresses below route requests through the same team but provide a local point of contact for residents of the listed regions.
Global Data Protection Officer
Data Protection Officer · VantageTech Apps, LLC · Email: privacy@school-core.com
The DPO is the primary contact for all privacy and data-protection requests, regardless of jurisdiction.
United States — California Privacy Officer
For California residents exercising rights under the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA):
- Submit requests in-app via Account Settings → Download my data or Delete my account
- Or email: privacy@school-core.com with subject line "California Privacy Request"
- Response within 45 days (one 45-day extension permitted for complex requests)
- See our dedicated California Consumer Privacy Notice for the full disclosure
European Union / EEA — Article 27 Representative
School-Core is not currently designated under GDPR Article 27 because we are not actively offering services to EU/EEA data subjects (see Terms §3.2.1). EU/EEA schools using the Service for evaluation can contact the global DPO above.
A formal EU representative will be designated at our EU launch and listed here. Anticipated 2027.
United Kingdom — UK Representative
As above, no UK Representative is currently designated under UK GDPR. UK schools using the Service for evaluation can contact the global DPO. A UK representative will be designated at our UK launch and listed here. Anticipated 2027.
Brazil — Encarregado de Dados (LGPD)
For data subjects in Brazil exercising rights under the Lei Geral de Proteção de Dados (LGPD):
- Submit requests via the in-app flow above, or email privacy@school-core.com with subject line "Solicitação LGPD"
- A formal Encarregado (data protection representative) will be designated when Brazilian use exceeds occasional / evaluation thresholds; until then the global DPO acts in this role
Other Jurisdictions
For PIPEDA (Canada), POPIA (South Africa), Privacy Act 1988 (Australia), PDPA (Singapore / Thailand / Malaysia / Sri Lanka), or any other jurisdiction's data-protection authority:
- Email: privacy@school-core.com
- Include the jurisdiction and the specific right you are exercising
Supervisory Authorities
If you are located in the EU/EEA you have the right to lodge a complaint with your local data protection supervisory authority — list at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
UK residents may complain to the Information Commissioner's Office at https://ico.org.uk/concerns/.
California residents may complain to the California Privacy Protection Agency at https://cppa.ca.gov/.
Brazilian data subjects may complain to the Autoridade Nacional de Proteção de Dados (ANPD) at https://www.gov.br/anpd/.
Residents of other jurisdictions should consult their local data protection authority.
Contact Us
For any questions about this Privacy Policy:
Email: privacy@school-core.com Website: [school-core.com]
For urgent data protection matters (e.g., suspected data breach): Email: security@school-core.com
Last updated: June 2026 · v1.0 — June 2026