Privacy Policy

How School-Core collects, uses, and protects personal information.

Effective May 1, 2026 · v1.0 — June 2026

Introduction

VantageTech Apps, LLC, a Delaware limited liability company ("we," "us," "our," or the "Company"), operates the School-Core platform (the "Service"), a cloud-based school management system available at school-core.com and related subdomains.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use our Service. It applies to all users of the Service, including school administrators, teachers, staff, students, parents/guardians, partners, and visitors.

We are committed to protecting the privacy and security of personal information, particularly the data of children and minors. We comply with applicable data protection laws worldwide, including but not limited to:

  • General Data Protection Regulation (GDPR) (EU/EEA/UK)
  • Family Educational Rights and Privacy Act (FERPA) (United States)
  • Children's Online Privacy Protection Act (COPPA) (United States)
  • California Consumer Privacy Act (CCPA/CPRA) (California, United States)
  • Protection of Personal Information Act (POPIA) (South Africa)
  • Personal Data Protection Act (PDPA) (Singapore, Thailand, Malaysia)
  • Information Technology Act, 2000 & Digital Personal Data Protection Act, 2023 (India)
  • Privacy Act 1988 & Australian Privacy Principles (APPs) (Australia)
  • Privacy Act 2020 (New Zealand)
  • Lei Geral de Protecao de Dados (LGPD) (Brazil)
  • Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)

Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Sensitive Personal Data" means data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation, or criminal records, as well as data concerning children.
  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data. For school-managed data, the subscribing school or institution is the Data Controller.
  • "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller. School-Core acts as Data Processor for school-managed data.
  • "Data Subject" means the individual whose Personal Data is processed.
  • "Tenant" means a subscribing school, institution, or organization using the Service.
  • "Sub-processor" means a third-party service provider engaged by School-Core to assist in processing Personal Data.

Our Role: Controller vs. Processor

School-Core as Data Processor: When schools and institutions use our Service to manage student, staff, and parent data, the school is the Data Controller and School-Core is the Data Processor. We process this data solely on the school's instructions and in accordance with our Data Processing Agreement (DPA).

School-Core as Data Controller: We act as Data Controller for:

  • Account registration and authentication data
  • Platform usage analytics (aggregated, non-personal)
  • Partner and reseller data
  • Marketing and communications (where applicable)
  • Website visitor data

Personal Data We Collect

Data Provided by Schools (Processor Role)

Schools may upload or enter the following categories of data into the Service:

Student Data

CategoryData Elements
IdentityFirst name, last name, middle name, local language names, nickname, date of birth, gender, nationality, admission number, profile image
ContactEmail, phone, residential address (street, city, state, zip, country), emergency contact name and phone
DemographicBlood group, religion, caste, mother tongue, languages spoken, second nationality
EducationalPrevious school, last grade attended, transfer reason, curriculum type, enrollment records, grades, transcripts, submissions, attendance records
HealthMedical notes, allergies, chronic conditions, current medications, dietary restrictions, immunization records, clinic visit records, health screenings, physician name and contact, insurance provider and policy number, vital signs
CounselingCounseling case records, session notes, referrals, wellness observations, goals, interventions (marked confidential)
BehavioralBehavior incidents, escalations, disciplinary actions, private notes
FinancialFee invoices, payment records, discounts, scholarship status
ExtracurricularActivity memberships, awards, competition entries, quest/gamification progress (XP, badges, streaks)

Staff/Employee Data

CategoryData Elements
IdentityFirst name, last name, middle name, local language names, employee ID, date of birth, gender, profile image
ContactEmail, phone, residential address, emergency contact
EmploymentDesignation, department, qualification, experience, join date, contract type, contract dates
FinancialSalary, bank account details (account number, routing number, bank name, branch), PAN number, Aadhar number
HealthMedical notes, blood group
HR RecordsAttendance records, leave requests, payroll data, performance appraisals, CPD training logs, compliance documents, disciplinary cases, grievance cases, contracts, onboarding records

Parent/Guardian Data

CategoryData Elements
IdentityFirst name, last name, local language names, profile image
ContactEmail, phone, alternate phone, residential address
EmploymentOccupation, employer name
FinancialFee invoices, payment history
RelationshipRelationship to student, primary contact status

Visitor Data

CategoryData Elements
IdentityName, government ID type and number
ContactPhone, email
VisitPurpose, person to meet, department, check-in/out times, badge number, vehicle number

Data We Collect Directly (Controller Role)

Account Registration

  • Email address, first name, last name, password (hashed)
  • School/institution name

Authentication Data

  • OAuth tokens (Google, Microsoft) — encrypted
  • Session tokens (JWT-based)
  • Last login timestamp
  • Password reset tokens (temporary, cryptographically generated)

Partner/Reseller Data

  • Company name, contact person, email, phone, website
  • Business address, tax ID, business registration number
  • Banking/payout details (bank name, account number, SWIFT/IBAN, PayPal/Wise details)
  • Commission rates, sales data, referral codes
  • Team member names, emails, roles

Automatically Collected Data

  • IP address (logged in audit trail)
  • User agent (browser/device information)
  • Pages accessed and actions performed (audit logs)
  • Timestamps of activity

Data We Do NOT Collect

  • We do not use tracking cookies, advertising cookies, or third-party analytics (no Google Analytics, Facebook Pixel, etc.)
  • We do not sell, rent, or trade personal data to third parties
  • We do not engage in behavioral advertising or profiling for marketing purposes

How We Use Personal Data

Purpose of Processing (Processor Role — School Data)

We process school data solely to:

  • Provide the Service as instructed by the subscribing school
  • Manage student enrollment, academic records, attendance, and assessments
  • Facilitate classroom management, assignments, and grading
  • Generate report cards, transcripts, and progress reports
  • Manage health records, clinic visits, and immunization tracking
  • Facilitate counseling case management and wellness monitoring
  • Process staff HR functions (attendance, payroll, recruitment, appraisals)
  • Enable communication between school stakeholders
  • Manage school finances (fee invoicing, payment tracking)
  • Provide AI-powered features (tutoring, quiz generation, lesson planning, grading assistance, report card comments)
  • Manage facility operations (transport, library, hostel, visitor management)
  • Generate analytics and dashboards for school decision-making

Purpose of Processing (Controller Role — Our Data)

We process data we control to:

  • Create and manage user accounts and authentication
  • Provide customer support
  • Send transactional communications (password resets, system notifications)
  • Manage partner/reseller relationships and commissions
  • Monitor and improve the security and performance of the Service
  • Comply with legal obligations
  • Enforce our Terms of Service

Legal Basis for Processing (GDPR)

PurposeLegal Basis
Service delivery to schoolsPerformance of contract (Art. 6(1)(b)) and Processor obligations (Art. 28)
Student educational recordsLegitimate interests of the school (Art. 6(1)(f)) and/or consent
Health and counseling dataExplicit consent or vital interests (Art. 9(2)(a)/(c)) — managed by school
Account managementPerformance of contract (Art. 6(1)(b))
Security and fraud preventionLegitimate interests (Art. 6(1)(f))
Legal complianceLegal obligation (Art. 6(1)(c))
Partner managementPerformance of contract (Art. 6(1)(b))

AI-Powered Features and Data Processing

AI Services Overview

School-Core integrates artificial intelligence features to enhance educational outcomes. These features are optional and configurable by school administrators.

Data Sent to AI Providers

When AI features are activated, the following data may be sent to our AI sub-processors:

AI FeatureData Transmitted
Study Buddy (AI Tutor)Student messages, conversation history, coursework context, student language preference
Quiz GenerationTopic, difficulty level, learning standards
Lesson/Unit Plan GenerationSubject, grade level, curriculum standards, learning objectives
Essay FeedbackEssay text content, rubric criteria
Report Card CommentsStudent name, assessment data, performance metrics
Behavior InsightsAnonymized behavior incident data, frequency/severity patterns
At-Risk DetectionAcademic metrics, attendance data, behavior records
Parent DigestStudent progress summaries, achievements
OCR (Document Scanning)Image data for text extraction
Grading AssistantSubmission content, rubric criteria

AI Sub-processors

ProviderPurposeData Location
Anthropic (Claude)Primary AI processingUnited States
OpenAI (GPT)Alternative AI processingUnited States

AI Data Safeguards

  • AI providers process data in real-time and do not retain prompts or outputs for training purposes under our enterprise agreements
  • No student data is used to train or improve AI models
  • AI responses are not stored by the AI providers beyond the immediate request
  • All AI requests are rate-limited per user and per tenant
  • AI usage is tracked and budget-controlled per subscription
  • Schools can enable or disable individual AI features
  • AI features are subject to the same tenant isolation as all other data

AI and Children's Data

  • AI features involving student data are controlled by the school (Data Controller)
  • Schools are responsible for obtaining appropriate consent for AI feature use
  • The Study Buddy AI tutor operates in a controlled, curriculum-aligned environment
  • AI outputs are supplementary and do not replace human educator judgment

Data Sharing and Disclosure

Sub-processors

We use the following categories of sub-processors:

Sub-processorPurposeData ProcessedLocation
Supabase (PostgreSQL)Primary database hostingAll platform dataSingapore (AWS ap-southeast-1)
VercelApplication hosting and edge deliveryApplication data, platform-generated filesGlobal (edge network)
Cloudflare R2User file storageUser-uploaded documents, attachments, mediaConfigurable (region hints available)
UpstashRate limiting and cachingUser IDs, request metadata (ephemeral)Global
ResendTransactional email deliveryEmail addresses, names, email contentUnited States
AnthropicAI processingAs described in Section 6.2United States
OpenAIAI processingAs described in Section 6.2United States
StripePayment processing for platform / AI subscription fees and partner payouts (school-collected parent fees do not flow through Stripe)Card data captured directly by Stripe (never reaches our servers); Stripe customer + payment intent identifiers; billing addressUnited States / Global
SentryError monitoringError context, stack traces (no PII by design)United States
Google (OAuth)Authentication for users signing in with a Google Workspace account, plus Google Drive personal-account connectionsAuthentication tokens, basic profile (name, email)Global
Microsoft Entra IDAuthentication for users signing in with a Microsoft 365 / Entra account, plus OneDrive personal-account connectionsAuthentication tokens, basic profile (name, email)Global

The current sub-processor list is published at https://school-core.com/legal/sub-processors and updated within 30 days of any change. Schools receive 30 days' advance notice of additions or replacements (see DPA §6.3).

Third-Party Integrations (School-Controlled)

Schools may optionally enable the following integrations, which involve sharing data with the respective providers:

  • Google Workspace — SSO authentication, Google Drive file access
  • Microsoft 365 — SSO authentication, OneDrive file access
  • Clever — Student/staff roster synchronization
  • ClassLink — SSO and roster synchronization
  • OneRoster — Standards-based data interoperability

These integrations are initiated and controlled by the school. School-Core acts as a conduit and does not independently share data with these providers.

When We May Disclose Data

We may disclose Personal Data only in the following circumstances:

  • With the school's authorization — as instructed by the Data Controller
  • To sub-processors — as listed above, under binding data processing agreements
  • Legal requirements — to comply with applicable law, regulation, legal process, or enforceable governmental request
  • Safety — to protect the rights, property, or safety of School-Core, our users, or the public
  • Business transfer — in connection with a merger, acquisition, or sale of assets (with prior notice to affected schools)

We Do NOT:

  • Sell personal data to third parties
  • Use personal data for advertising or marketing purposes
  • Share data with data brokers
  • Provide personal data to government agencies except as required by law
  • Use student data to build profiles for non-educational purposes

Platform Support Access (Impersonation)

To investigate bug reports, recover lost data, and help schools through onboarding, members of the School-Core support team can — under strict controls — temporarily enter a school's tenant and view the same screens a school administrator would see. We refer to this as impersonation, and the controls below apply on every single occurrence:

  • Limited authorisation. Only support staff who hold the platform SUPPORT_MANAGER role (or the broader SUPER_ADMIN role) and whose individual canImpersonate flag is set may start an impersonation session. Most support agents do not have this flag.
  • Documented justification. A reason for the access (e.g. "ticket #1234 — invoice display bug") is captured at the moment the session is opened.
  • Audit trail. The session start, the agent's identity, the target tenant, and the stated reason are written to the audit log under IMPERSONATION_STARTED. The session end is recorded under IMPERSONATION_ENDED along with whether it was self-ended or force-ended by a manager. **Both entries are written against the target tenant's audit log**, so the school's own administrators see exactly who from our team accessed their data and when.
  • Time-bounded. Sessions auto-terminate after a fixed period and can be force-ended at any time by a Support Manager or Super Admin.
  • No bulk access. A support agent can only impersonate one user at a time and can only view what that user is permitted to see — they do not gain a "god mode" view of the whole tenant.
  • Quarterly access review. All members of the support team are subject to a recurring access review (AccessReview records) where their continued need for the impersonation flag is reassessed. Review outcomes — APPROVED, PERMISSIONS_REDUCED, SUSPENDED, FLAGGED — are themselves audit-logged.
  • Data Processing Agreement. Every member of the support team signs a Data Processing Agreement before being granted access, and that signature is captured in the audit log (DPA_ACKNOWLEDGED).

What this means for parents and end-users. When a school administrator opens a support ticket that requires us to look at student or staff data, our support team's view of that data is recorded in your school's audit log alongside every other tenant action. You can ask your school administrator to show you those entries; under FERPA / GDPR you have a right to know who has accessed your records. We do not view tenant data outside of an open, audit-logged impersonation session.

Data Retention

School-Managed Data

Data uploaded by schools is retained for the duration of the school's subscription plus a post-termination grace period:

  • During subscription: All data retained and accessible
  • After termination — 30 days: Schools may export their data via the platform
  • After termination — 90 days: Active data permanently deleted from production database
  • After termination — 1 year: All archived data (including audit logs and backups) permanently deleted
  • Schools may request earlier deletion at any time

Automated Data Lifecycle

The Service automatically manages data retention to balance utility with privacy:

Data TypeRetention PeriodAction
Read notifications90 days after readAutomatically deleted
Audit logs (detailed)3 yearsArchived to cold storage after 1 year, permanently deleted after 3 years
XP transaction details2 yearsIndividual transaction records deleted; aggregated profile totals preserved
XP profile aggregatesDuration of enrollmentRetained for cumulative progression across the student's school career
AI usage summaries1 yearAutomatically deleted
Password reset tokens1 hourAutomatically expired and nullified
Deletion request records3 yearsRetained for compliance audit trail

Note on Audit Logs: Detailed audit logs (who did what, when, from where) are retained in the production database for 1 year for active querying. After 1 year, logs are archived to compressed cold storage (Cloudflare R2) where they remain accessible for compliance requests. After 3 years total, archived logs are permanently deleted. Schools may request audit log extracts for specific periods via our support team.

Note on XP Data: The gamification system tracks both cumulative lifetime XP and annual XP for each student. A student's aggregated XP profile (total XP, current level, tier, streak records, effort/achievement breakdowns, and coin balance) is retained for the full duration of their enrollment — which may span multiple years (e.g., Grade 3 through Grade 12). Only the granular transaction-level details (individual XP award records) are pruned after 2 years to manage database size, while the meaningful totals remain intact.

Account Data

  • Active accounts: retained for the duration of the relationship
  • Inactive accounts: retained for up to 2 years, then anonymized or deleted
  • Audit logs: retained for 3 years (1 year active + 2 years archived)

Partner Data

  • Active partner data: retained for the duration of the partnership
  • Terminated partnerships: financial records retained for 5 years (tax/legal requirements), other data deleted within 90 days

Data Security

We implement comprehensive technical and organizational measures to protect Personal Data:

Technical Measures

  • Encryption in Transit: All data transmitted via TLS 1.2+ (HTTPS enforced); HSTS in force
  • Encryption at Rest: AES-256 across the database and object storage; additional application-level AES-256-GCM encryption on sensitive fields (MFA secrets, OAuth refresh tokens)
  • Password Security: Passwords stored as irreversible bcrypt hashes at industry-recommended cost
  • Authentication: Encrypted, server-issued session tokens with periodic refresh
  • Multi-Factor Authentication: TOTP authenticator apps required for administrative roles, available to all users; one-time backup codes for recovery
  • Single Sign-On: OAuth 2.0 with Google Workspace and Microsoft Entra ID
  • Rate Limiting: Applied to authentication, account creation, password reset, and public form submissions
  • Token Security: Cryptographically secure random tokens for password reset and activation flows, short-lived and single-use

Access Controls

  • Role-Based Access Control (RBAC): A comprehensive role catalog covering school, leadership, specialist, platform, and partner contexts, plus a custom-role mechanism for tenant-defined permission sets
  • Three-Layer Permission System: Role defaults, tenant-level overrides, user-level overrides
  • Multi-Tenant Isolation: Every tenant-scoped database query enforces a tenant filter; defense-in-depth scoping on all create / update / delete operations
  • Principle of Least Privilege: Users only access data required for their role
  • Audit Logging: All data access and modifications are logged with IP address, user agent, and timestamp; auth-failure categories captured for security review

Organizational Measures

  • Regular security assessments and code reviews
  • Incident response procedures
  • Employee security training
  • Background checks for personnel with data access
  • Data processing agreements with all sub-processors

For full details, see our separate Security Policy document.

Children's Privacy

COPPA Compliance (United States)

  • School-Core does not collect personal information directly from children under 13
  • All student data is provided by and controlled by the school
  • Schools are responsible for obtaining verifiable parental consent as required by COPPA
  • We rely on the school's authority under COPPA to consent on behalf of parents for the educational use of the Service
  • We do not use children's data for commercial purposes unrelated to the educational context
  • We do not condition a child's participation on providing more data than necessary

How We Obtain Verifiable Parental Consent (VPC)

When a school records consent in the platform we capture not only the outcome (granted, denied, withdrawn) but also which FTC-recognised method produced it, the identity of the person who granted it, the timestamp, and a full audit trail (IP address, user agent, browser session). The recorded method is one of:

Method (enum value)When it appliesFTC reference
SCHOOL_AUTHORIZATIONA school administrator marks consent on behalf of the parent in the educational context. We use this as our default for under-13 students because we collect data solely for the school's educational purpose with no commercial use.FTC COPPA FAQ M.1 / M.2 — the school-authorisation exception.
PARENT_PORTAL_OPTINA parent logs in to their own authenticated parent account, reads the consent disclosure on screen, and clicks GRANT. Combines authentication, written disclosure, and an explicit click.16 CFR § 312.5(b)(2)(vii) — "email-plus" pattern.
SIGNED_FORMA school uploads a signed paper / PDF consent form returned by the parent.16 CFR § 312.5(b)(2)(i) — signed form.
EMAIL_PLUS_CONFIRMATIONA school records that consent was obtained via an email exchange with a documented second-step verification.16 CFR § 312.5(b)(2)(vii).
PHONE_CALLA school records that consent was obtained over the phone by trained personnel, with the call documented.16 CFR § 312.5(b)(2)(iii).
OTHERAny other method permitted by the school's local rules; the specific method is captured in the consent notes field.

Disclosure presented to parents at the moment of consent. When a parent grants consent through their authenticated account, they see (and must scroll past before the GRANT button enables): what data is collected, why, who it is shared with, the parent's rights to review and delete, and instructions for withdrawing consent at any time.

Annual review. Granted consent is treated as valid until the parent withdraws it or the student's school authority lapses. Schools may run annual re-consent campaigns through the same flow.

Withdrawal. A parent (or the school) can change parentalConsentStatus to WITHDRAWN at any time. This immediately disables AI processing of that student's data, blocks photo collection and publication, and triggers a 30-day deletion countdown for any data not subject to mandatory retention (e.g. transcripts, safeguarding records).

No commercial use, ever. The school-authorisation exception under COPPA is conditional on the operator using the data only for the educational benefit of the school. We use children's data only for the platform's educational purpose; we do not display advertising to students, do not profile them for marketing, do not sell their data, and do not allow our sub-processors to do so. (See Section 7.4.)

GDPR — Children's Data (EU/EEA/UK)

  • Processing of children's data is based on the school's role as Data Controller
  • Schools must ensure a valid legal basis (typically legitimate interests for educational purposes or parental consent)
  • We process children's data solely for educational purposes as instructed by the school

General Principles

  • Student data is used exclusively for educational purposes
  • We apply heightened security protections to student data
  • Behavioral tracking and gamification features (Quest Mode, XP) serve educational goals only
  • AI features involving children operate within controlled, curriculum-aligned parameters
  • We do not create marketing profiles of students
  • We do not serve advertisements to students

International Data Transfers

Data Locations

Data TypePrimary LocationBasis for Transfer
Database (PostgreSQL)Singapore (AWS ap-southeast-1)Standard Contractual Clauses (SCCs)
Application HostingGlobal (Vercel Edge)SCCs and adequacy decisions
File StorageConfigurable region (Cloudflare R2)SCCs; region selection available for data residency
AI ProcessingUnited States (Anthropic/OpenAI)SCCs
Email DeliveryUnited States (Resend)SCCs

Transfer Safeguards

For transfers of Personal Data outside the EEA/UK, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) for UK transfers
  • Binding data processing agreements with all sub-processors
  • Supplementary technical measures including encryption in transit and at rest

Data Sovereignty

Schools may request information about the specific geographic location of their data. We work with our infrastructure providers to accommodate data residency requirements where technically feasible.

Your Rights

Rights Under GDPR (EU/EEA/UK Residents)

You have the right to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure ("right to be forgotten") (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time (Art. 7)
  • Lodge a complaint with a supervisory authority

Rights Under CCPA/CPRA (California Residents)

You have the right to:

  • Know what personal information is collected and how it is used
  • Delete personal information
  • Opt-out of the sale or sharing of personal information (we do not sell data)
  • Non-discrimination for exercising your rights
  • Correct inaccurate personal information
  • Limit use of sensitive personal information

Rights Under Other Jurisdictions

We respect data subject rights under all applicable laws, including POPIA (South Africa), LGPD (Brazil), PDPA (Singapore/Thailand/Malaysia), PIPEDA (Canada), and India's DPDP Act.

How to Exercise Your Rights

For school-managed data (student, staff, parent data): Please contact your school's data protection officer or administrator. As the Data Processor, we will assist the school in fulfilling your request.

For account and partner data: Contact us at: privacy@school-core.com

We will respond to verified requests within:

  • 30 days (GDPR)
  • 45 days (CCPA)
  • Or as required by applicable law

Cookies We Use

CookiePurposeTypeDuration
authjs.session-tokenAuthentication sessionEssential/FunctionalSession
school-context-idAdmin school context switchingEssential/FunctionalSession
school-context-nameAdmin school context displayEssential/FunctionalSession

What We Do NOT Use

  • No advertising or tracking cookies
  • No third-party analytics cookies
  • No social media cookies
  • No cross-site tracking

Because we only use essential cookies required for the Service to function, cookie consent banners are not required under most jurisdictions. However, we disclose our cookie usage here for transparency.

Changes to This Policy

We may update this Privacy Policy from time to time. We will:

  • Post the updated policy on our website with a new "Last Updated" date
  • Notify school administrators via email for material changes
  • Provide at least 30 days' notice for material changes affecting data processing
  • Maintain an archive of previous versions upon request

Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

Data Protection Officer and Regional Contacts

For questions or concerns about this Privacy Policy or our data practices, contact the Data Protection Officer first; the regional addresses below route requests through the same team but provide a local point of contact for residents of the listed regions.

Global Data Protection Officer

Data Protection Officer · VantageTech Apps, LLC · Email: privacy@school-core.com

The DPO is the primary contact for all privacy and data-protection requests, regardless of jurisdiction.

United States — California Privacy Officer

For California residents exercising rights under the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA):

  • Submit requests in-app via Account Settings → Download my data or Delete my account
  • Or email: privacy@school-core.com with subject line "California Privacy Request"
  • Response within 45 days (one 45-day extension permitted for complex requests)
  • See our dedicated California Consumer Privacy Notice for the full disclosure

European Union / EEA — Article 27 Representative

School-Core is not currently designated under GDPR Article 27 because we are not actively offering services to EU/EEA data subjects (see Terms §3.2.1). EU/EEA schools using the Service for evaluation can contact the global DPO above.

A formal EU representative will be designated at our EU launch and listed here. Anticipated 2027.

United Kingdom — UK Representative

As above, no UK Representative is currently designated under UK GDPR. UK schools using the Service for evaluation can contact the global DPO. A UK representative will be designated at our UK launch and listed here. Anticipated 2027.

Brazil — Encarregado de Dados (LGPD)

For data subjects in Brazil exercising rights under the Lei Geral de Proteção de Dados (LGPD):

  • Submit requests via the in-app flow above, or email privacy@school-core.com with subject line "Solicitação LGPD"
  • A formal Encarregado (data protection representative) will be designated when Brazilian use exceeds occasional / evaluation thresholds; until then the global DPO acts in this role

Other Jurisdictions

For PIPEDA (Canada), POPIA (South Africa), Privacy Act 1988 (Australia), PDPA (Singapore / Thailand / Malaysia / Sri Lanka), or any other jurisdiction's data-protection authority:

Supervisory Authorities

If you are located in the EU/EEA you have the right to lodge a complaint with your local data protection supervisory authority — list at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

UK residents may complain to the Information Commissioner's Office at https://ico.org.uk/concerns/.

California residents may complain to the California Privacy Protection Agency at https://cppa.ca.gov/.

Brazilian data subjects may complain to the Autoridade Nacional de Proteção de Dados (ANPD) at https://www.gov.br/anpd/.

Residents of other jurisdictions should consult their local data protection authority.

Contact Us

For any questions about this Privacy Policy:

Email: privacy@school-core.com Website: [school-core.com]

For urgent data protection matters (e.g., suspected data breach): Email: security@school-core.com

Last updated: June 2026 · v1.0 — June 2026