SB

SchoolBoardHQ

Home › Privacy Policy

Privacy Policy

Effective: April 29, 2026 · Version 1.2.0

Overview

SchoolBoardHQ is built for America's K-12 school board members. This Privacy Policy explains what information we collect, why we collect it, how we protect it, and what rights you have. We are committed to handling your data transparently and responsibly.

Information categories

We collect and process data in the following categories:

• Account credentials — email address, password hash, multi-factor authentication tokens.
• Profile information — display name, bio, avatar image, phone number, preferred contact method.
• Official board records — name, role, seat, district, term dates, and public contact information sourced from official school board websites.
• Messaging content — text of messages exchanged between verified board members.
• Device and session data — device type, operating system, push notification tokens, IP address, and session identifiers.
• Product analytics — events that record screens viewed, features used, sign-up funnel steps, and feature-flag exposures, linked to your account identifier and stored in our managed Supabase database. We do not capture session replay (video-style screen recordings).

How we use data

We use your data for the following purposes:

• Authentication and account security.
• Board-member identity verification against official board records.
• Facilitating peer networking, messaging, and collaboration.
• Sending push notifications and service communications.
• Providing customer support and resolving reports.
• Detecting and preventing abuse, fraud, and security incidents.
• Improving the platform through product analytics that record which features you use and where you encounter friction. These analytics are linked to your account identifier (not anonymized).

We do not sell personal data. We do not use your data for advertising, marketing profiling, or cross-app or cross-site tracking.

Lawful basis for processing

We process your data based on:

1. Consent — when you create an account and agree to these terms.
2. Contractual necessity — to provide the core service you signed up for.
3. Legitimate interests — platform security, abuse prevention, and service improvement, balanced against your privacy rights.
4. Legal obligations — record retention, law enforcement requests, and compliance with applicable state and federal laws.

Data retention schedule

We retain data for the minimum period necessary for its purpose:

• Account credentials — retained while your account is active; deleted within 30 days of account closure.
• Profile information — retained while active; deleted within 30 days of closure.
• Official board records — retained as long as the source record exists in public records.
• Messaging content — retained for up to 3 years after account closure to meet potential public records and compliance obligations.
• Device and session data — retained for 90 days after last use.
• Security and audit logs — retained for 1 year.
• Aggregated analytics — anonymized and retained indefinitely.

You may request earlier deletion of your personal data, subject to legal retention requirements.

Your rights

Depending on your jurisdiction, you may have the right to:

• Access — obtain a copy of the personal data we hold about you.
• Correction — request correction of inaccurate or incomplete data.
• Deletion — request deletion of your personal data.
• Portability — receive your personal data in a structured, machine-readable export in JSON or CSV format.
• Restriction — request that we limit processing of your data.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — withdraw previously given consent at any time.

How to exercise your rights

To submit a data rights request:

1. Email privacy@schoolboardhq.com with your full name, account email, district name, and the right you wish to exercise.
2. We will verify your identity within 3 business days.
3. We will confirm the scope of your request and begin processing.
4. We will fulfill your request within 30 calendar days, or notify you if an extension is needed (up to 60 additional days for complex requests). If you request portability, we will provide the export in JSON or CSV unless a different legally available format is required.
5. You will receive a confirmation email when your request is complete.

If we cannot fulfill part of a request due to a legal obligation, we will explain the specific reason in plain language.

Data sharing and third parties

We share data only when necessary to operate the service:

• Supabase — managed PostgreSQL database, authentication, file storage, realtime infrastructure, and product-analytics-event storage (United States data centers).
• Vercel — hosting and content delivery for the web build (United States data centers).
• Resend — transactional email delivery (account verification, founding-member invites, and support correspondence).
• Apple and Google — push notification delivery on iOS and Android, limited to opaque device tokens and notification payloads.
• Legal obligations — law enforcement requests, court orders, or regulatory requirements.

All third-party providers are bound by data processing agreements that limit their use of your data to the services they provide to us. We do not share data with advertisers, data brokers, or social media platforms.

Subprocessors and vendors

Our current subprocessors are:

• Supabase — managed database, authentication, file storage, realtime, and analytics-event storage.
• Vercel — web hosting and content delivery.
• Resend — transactional email.
• Apple and Google — push notification delivery on iOS and Android, respectively.

Each subprocessor processes data only under our written instructions and is reviewed for security practices and contractual safeguards before engagement and during periodic compliance audits. We will update this list when we add or change a subprocessor, and notify users of material changes via in-app notification at least 14 days before the change takes effect, or as soon as possible if we cannot provide advance notice.

Data transfers

Your data is processed and stored in the United States. If you access SchoolBoardHQ from outside the US, your data will be transferred to and processed in the US. We rely on standard contractual clauses and other applicable legal mechanisms to ensure adequate protection for any cross-border data transfers.

Cookies and tracking technologies

The SchoolBoardHQ mobile app does not use browser cookies. The web build stores authentication tokens in browser local storage (with an in-memory fallback for browsers that disallow local storage); it does not set cookies for sign-in. We use device identifiers and session tokens for authentication and security purposes.

Our product analytics are linked to your account identifier so we can correlate feature usage with your verification status and feature-flag exposure — they are not anonymized. We do not use third-party tracking pixels, advertising trackers, or cross-site tracking. We do not capture session replay (video-style recordings of your screen).

Automated decision-making

SchoolBoardHQ uses automated matching during onboarding to verify your identity against official board records. This process compares the name and district you provide with public board records. No fully automated decisions with legal or significant effects are made — verification results are transparent, and you may contact support if you believe a match is incorrect.

Security measures

We protect your data with:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access controls with least-privilege principles.
• Audit logging for data access and administrative actions.
• Regular security reviews and vulnerability assessments.
• Multi-factor authentication support for user accounts.
• Secure credential storage using platform-native secure enclaves.

Breach notification

In the event of a data breach affecting your personal information, we will:

• Notify affected users within 72 hours of confirming the breach.
• Describe the nature of the incident and the types of data involved.
• Explain remediation steps we are taking and actions you can take.
• Report to relevant authorities as required by applicable law.
• Provide ongoing updates until the incident is resolved.

Children's privacy

SchoolBoardHQ is designed exclusively for elected and appointed school board members and is not intended for use by individuals under 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us immediately at privacy@schoolboardhq.com.

State-specific privacy rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. Residents of other states with comprehensive privacy laws (Virginia, Colorado, Connecticut, and others) may have similar rights. To exercise any state-specific right, follow the process described in "How to exercise your rights" above.

Policy updates

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or platform features. Material changes will be communicated via in-app notification at least 14 days before taking effect. The "Effective" date at the top of this page indicates when this version became active. Previous versions are available upon request.

Related policies

Read this Privacy Policy together with our Terms of Service and Data Policy so you can quickly find the right answer for each issue:

• Privacy Policy — what personal data we collect, why we collect it, how long we keep it, and how you can access, delete, or export it.
• Terms of Service — the rules for using SchoolBoardHQ, account responsibilities, moderation standards, and dispute process.
• Data Policy — deeper operational detail on retention schedules, incident response, prohibited data classes, and district-level controls.

If you have a rights question, start here. If you have a question about allowed platform use, review the Terms of Service. If you need storage, retention, or incident-handling detail, review the Data Policy.

Contact

For privacy questions, data requests, or concerns:

Email: privacy@schoolboardhq.com
Web: schoolboardhq.com/support
Mail: SchoolBoardHQ, Seattle, WA 98155, United States

We aim to respond to all inquiries within 5 business days.