Data Policy
Effective: April 29, 2026 · Version 1.2.0
Overview
This Data Policy describes how SchoolBoardHQ handles, stores, and protects the data entrusted to us by school board members across the United States. It supplements our Privacy Policy with detailed information about data flows, retention controls, incident response, and compliance practices.
Data handling principles
SchoolBoardHQ applies the following principles to all data processing:
- Purpose limitation — data is collected and used only for specified, legitimate purposes.
- Data minimization — we collect only the data necessary to provide the service.
- Accuracy — we take reasonable steps to keep data current and correct.
- Storage limitation — data is retained only as long as needed for its purpose.
- Integrity and confidentiality — data is protected with appropriate technical and organizational measures.
- Transparency — our practices are documented in plain language.
Data categories
We process the following categories of data:
- Account credentials — email address, password hash, multi-factor authentication tokens.
- Profile information — display name, bio, avatar image, phone number, preferred contact method.
- Official board records — name, role, seat, district, term dates, and public contact information sourced from official school board websites.
- Messaging content — text of messages exchanged between verified board members.
- Device and session data — device type, operating system, push notification tokens, IP address, session identifiers.
- Product analytics — events that record screens viewed, features used, sign-up funnel steps, and feature-flag exposures, linked to your account identifier and stored in our managed Supabase database. Session replay is not captured.
Data flow overview
Your data flows through the following systems:
- Mobile app and web build — collect input, display content, and store session credentials in secure device storage (iOS Keychain, Android Keystore, or browser local storage on web). The web build is hosted on Vercel.
- API and database — Supabase provides PostgreSQL with row-level security, authentication, and realtime subscriptions for messages and presence.
- File storage — Supabase Storage securely stores uploaded media (avatars, attachments) with access controls.
- Records verification service — a read-only table within the Supabase database holding publicly available school board member information, refreshed periodically from official sources.
- Notification service — Apple and Google push notification gateways deliver notifications to registered devices.
- Email — Resend delivers transactional email (verification, invites, support correspondence).
- Product analytics — event-level analytics linked to your account identifier are stored in a dedicated table in our managed Supabase database. Feature flags are stored in the same database and read at app start.
All data in transit is encrypted with TLS 1.2+. All data at rest is encrypted with AES-256.
Retention schedule
Data retention periods are set to the minimum necessary for each category:
- Account credentials — retained while your account is active; deleted within 30 days of closure.
- Profile information — retained while active; deleted within 30 days of closure.
- Official board records — retained as long as the source record exists in public records; updated with each crawl cycle.
- Messaging content — retained for up to 3 years after account closure for public records and compliance purposes.
- Device and session data — retained for 90 days after last use.
- Security and audit logs — retained for 1 year.
- Aggregated analytics — anonymized and retained indefinitely.
You may request earlier deletion of your personal data, subject to legal retention obligations.
Prohibited data
Do not upload highly sensitive records to SchoolBoardHQ, including:
- Family Educational Rights and Privacy Act (FERPA)-protected student education records.
- Health Insurance Portability and Accountability Act (HIPAA)-protected health information.
- Social Security numbers or government-issued ID numbers.
- Confidential personnel files or employment records.
- Attorney-client privileged communications.
Exceptions apply only where your district's policy and applicable law explicitly authorize such use. You are responsible for ensuring compliance with your district's data governance policies.
Your data rights
You have the right to:
- Access — obtain a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your personal data.
- Portability — receive a structured, machine-readable export of your account and profile data in JSON or CSV format.
- Restriction — request that we limit processing of your data.
- Objection — object to processing based on legitimate interests.
Rights request workflow
To exercise any data right:
- Submit your request — email privacy@schoolboardhq.com with your full name, account email, district, and the right you wish to exercise.
- Identity verification — we verify your identity within 3 business days using your account email and, if needed, additional verification.
- Scope confirmation — we confirm what data is covered and any limitations.
- Fulfillment — we process your request within 30 calendar days. Complex requests may take up to 90 days, and we will notify you of any extension.
- Completion — you receive a confirmation email with the outcome.
If we cannot fulfill part of a request due to a legal obligation (e.g., public records retention), we will explain the specific reason in plain language and fulfill all other aspects of the request.
District-level controls
District administrators or authorized representatives may:
- Request a data inventory of all district-associated records stored in SchoolBoardHQ.
- Request deletion or export of district-associated data.
- Designate data retention preferences for their district's governance content.
- Request audits of how their district's data is processed.
Districts retain ownership of governance content uploaded by their board members. To submit a district-level request, contact privacy@schoolboardhq.com with the district name and the name and title of the authorized representative.
Incident response
Our incident response process follows industry best practices:
- Detection — automated monitoring and user reports identify potential incidents.
- Classification — incidents are classified by severity:
  - Critical: confirmed breach of personal data affecting multiple users.
  - High: suspected breach or unauthorized access to sensitive systems.
  - Medium: security anomaly with no confirmed data exposure.
  - Low: policy violation or minor security event.
- Containment — affected systems are isolated to prevent further exposure.
- Notification — affected users and relevant authorities are notified within 72 hours of confirming a breach. Notifications include the nature of the incident, data involved, and recommended actions.
- Remediation — root cause analysis, system hardening, and process improvements.
- Review — post-incident review with findings documented and shared with affected parties as appropriate.
Compliance framework
SchoolBoardHQ operates with awareness of the following regulatory frameworks:
- Family Educational Rights and Privacy Act (FERPA) — we do not store student education records; official board data comes from public sources.
- Children's Online Privacy Protection Act (COPPA) — our service is not directed at children under 13; we do not knowingly collect their data.
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) — California residents may exercise additional rights described in our Privacy Policy.
- State privacy laws — we comply with applicable state privacy statutes and update our practices as new laws take effect.
- Section 508 of the Rehabilitation Act / Web Content Accessibility Guidelines (WCAG) 2.1 — we design for accessibility compliance.
We do not claim formal certification under these frameworks but design our practices to align with their requirements.
Data minimization
We actively minimize the data we collect and retain:
- We collect only fields necessary to provide each feature.
- Board-member record data is sourced from publicly available records — we do not supplement with purchased data.
- Product analytics are limited to the minimum events needed to understand feature usage and feature-flag exposure. Analytics events are linked to your account identifier (not anonymized) so we can correlate behavior with verification state and feature-flag cohorts. We do not capture session replay.
- Expired session data and unused push tokens are purged automatically.
- We periodically review stored data to identify and remove unnecessary records.
Audit and accountability
We maintain accountability for data handling through:
- Access logging — all data access by staff and systems is logged with timestamps and purpose.
- Least-privilege access — team members access only the data necessary for their role.
- Periodic reviews — we conduct regular reviews of data access patterns, retention compliance, and security controls.
- Vendor audits — subprocessors are reviewed for security and privacy practices before engagement and during periodic assessments.
- Change management — material changes to data handling practices are documented and communicated to users.
Related policies
Read this Data Policy together with our Privacy Policy and Terms of Service; each document answers a different question:
- Privacy Policy — what personal data we collect, how we use it, who we share it with, and how to submit an individual rights request.
- Terms of Service — who may use the platform, what conduct is prohibited, and how enforcement, suspension, and disputes are handled.
- Data Policy — what data classes we store, how long we retain them, what district-level controls apply, and how we respond to incidents.
If you are deciding whether to share content, start with the Terms of Service for use rules, then review this Data Policy for retention and prohibited-data guidance, and review the Privacy Policy for rights and request procedures.
Contact
For data-related questions, rights requests, or incident reports:
Email: privacy@schoolboardhq.com
Web: schoolboardhq.com/support
Mail: SchoolBoardHQ, Seattle, WA 98155, United States
We aim to respond to all inquiries within 5 business days.