Privacy Policy
Effective Date: February 1, 2026
Applicability: This policy applies to all educational institutions (“Schools” or “Districts”) utilizing the School Crest Interactive historical display platform.
1. Overview and Purpose
School Crest Interactive (“we,” “us,” or “our”) provides a digital kiosk platform designed to showcase school history, athletic achievements, and student rosters. We operate as a Third-Party Contractor and a School Official with a legitimate educational interest under the Family Educational Rights and Privacy Act (FERPA). Our primary mission is to celebrate school heritage while maintaining the highest standards of student data privacy.
2. Data Collection and Scope
We adhere to the principle of Data Minimization. We only collect and store the following Personally Identifiable Information (PII) as directed and entered by authorized school personnel (e.g., Athletic Directors):
- Student Name: For identification in rosters and historical records.
- Team/Sport Affiliation: To categorize and archive school achievements.
- Student Likeness (Photographs): For the visual display of school history.
Prohibited Data Collection: School Crest Interactive does not collect, solicit, or maintain student email addresses, passwords, State Student IDs (SSID), academic grades, health records, or behavioral metadata.
3. School Ownership and Control
In accordance with federal student privacy standards:
- Ownership: All student data remains the exclusive property of the School/District.
- Administrative Access: Only authorized school personnel have administrative access to upload, modify, or delete data.
- Right to Delete: Schools maintain full autonomy to delete student records via the administrative dashboard. We will process additional manual deletion requests from authorized personnel within two (2) business days.
4. Technical Safeguards
We implement rigorous security measures to protect school data:
- Encryption: All data is encrypted in transit using SSL/TLS (HTTPS) and at rest using AES-256 encryption.
- Metadata Privacy: Our platform automatically strips EXIF/GPS metadata from uploaded images to ensure student location privacy.
- Gated Access: The public-facing kiosk display is protected by a school-specific access key, ensuring content is accessible only to the school community and is not indexed by open web search engines.
5. Parent Rights and Data Accuracy
We support the rights of parents and eligible students to inspect and challenge the accuracy of student data. While School Crest Interactive does not interact with parents directly, we provide the District with the tools to fulfill these requests. We will cooperate with the District to provide a portable copy of a student’s data or correct inaccuracies within a reasonable timeframe (not to exceed 45 days) of a verified request from the School.
6. Prohibited Uses of Data
School Crest Interactive strictly prohibits the following:
- No Sale of Data: We will never sell, rent, or trade student data to third parties.
- No Targeted Advertising: Student data is never used for behavioral or targeted advertising.
- No Profiling: We do not use student images or names to build internal profiles or for any purpose other than the historical display authorized by the School.
7. Data Residency and Sub-processors
All student data is hosted on secure, US-based servers managed by our primary sub-processor, Supabase (utilizing AWS infrastructure). Our sub-processors are contractually bound to the same strict data protection standards outlined in this policy. We do not store or transmit student PII outside of the United States.
8. Data Retention and Destruction
- Active Service: Data is retained for the duration of the active service agreement.
- Post-Termination: Upon termination of service, we will retain data for six (6) months to allow for potential contract renewal or data transition.
- Purging: Following this 6-month window, or upon written request from the School, all student PII and school-related records will be permanently erased from our production servers and backups.
9. Audit and Accountability
While the School’s authorized personnel maintain primary responsibility for data entry, School Crest Interactive maintains internal server logs to ensure platform security. These logs are used solely for security monitoring, unauthorized access prevention, and incident response.
10. Breach Notification
In the event of an unauthorized release of student data, School Crest Interactive will notify the affected School/District without unreasonable delay (typically within 24 hours of discovery) and will cooperate fully with the District’s reporting and remediation requirements.