Product Pricing Security About Log In Start Free Trial
Legal

Privacy Policy

Effective date: March 1, 2026 · Last updated: March 25, 2026

OperateEDU ("we," "us," or "our") operates the OperateEDU School Command Center platform at app.operateedu.com and the marketing website at operateedu.com. This Privacy Policy explains what data we collect, how we use it, and what rights you have.

By using our services, you agree to the practices described in this policy. If you are a school administrator, you are responsible for ensuring that your use of OperateEDU complies with applicable laws, including FERPA.

1. Data We Collect

Account Information

When a school signs up for OperateEDU, we collect:

  • School name, address, and contact information
  • Administrator name and email address
  • User names, email addresses, roles, and job titles for team members added by the school
  • Login credentials (passwords are hashed and never stored in plaintext)

School-Imported Data

Schools may import data into OperateEDU via CSV upload, including:

  • Student records (names, enrollment data, grade levels, demographics)
  • Staff records (names, roles, departments, certifications)
  • Application and purchase data

Important: OperateEDU does not independently collect student data. All student personally identifiable information (PII) exists in the platform only because the school chose to import it.

Usage Data

We automatically collect:

  • Login timestamps and session activity
  • Feature usage patterns (pages visited, actions taken)
  • Browser type and device information
  • Error logs and performance data

Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account details, or other payment instrument data on our servers. We receive only transaction confirmations, subscription status, and a Stripe customer identifier.

2. How We Use Data

We use the data we collect to:

  • Provide the service — authenticate users, display dashboards, run workflows, generate reports, and deliver notifications
  • Maintain and improve the platform — diagnose errors, monitor performance, and develop new features
  • Communicate with you — send system notifications, onboarding emails, password resets, and service updates
  • Process payments — manage subscriptions, billing, and invoicing via Stripe
  • Ensure security — detect unauthorized access, enforce rate limits, and maintain audit logs

We do not:

  • Sell, rent, or trade your data to third parties
  • Use school data for advertising or marketing purposes
  • Share student PII with any party other than the school that imported it
  • Use your data to build profiles for purposes unrelated to the service

3. FERPA Compliance

OperateEDU is designed for use by K-12 schools that handle student education records subject to the Family Educational Rights and Privacy Act (FERPA).

  • The school is the data controller. Schools decide what data to import, who can access it, and how long it is retained. OperateEDU does not make independent decisions about student data.
  • OperateEDU is the service provider. We process data solely on the school's behalf, under the school's direction, and for the purpose of providing the OperateEDU platform.
  • Legitimate educational interest. Access to student data within OperateEDU is limited to school personnel with a legitimate educational interest as determined by the school through role-based access controls and permission flags.
  • No re-disclosure. We do not disclose student education records to any third party except as required to operate the platform (see Subprocessors below) or as required by law.
  • Data Processing Agreement. We are prepared to execute a Data Processing Agreement (DPA) with any school that requires one. Contact privacy@operateedu.com to request a DPA.

4. Data Storage & Security

We take the security of your data seriously. Our infrastructure includes:

  • Encryption at rest: All data stored in our database is encrypted using AES-256 encryption via Supabase's managed PostgreSQL infrastructure hosted on Amazon Web Services (AWS).
  • Encryption in transit: All connections use HTTPS with TLS 1.2 or higher. No unencrypted connections are accepted.
  • Access controls: Role-based access control (RBAC) with 40+ granular permission flags. All data queries are scoped to the authenticated school — schools cannot access each other's data.
  • Password security: Passwords are hashed with a server-side pepper using industry-standard algorithms. Plaintext passwords are never stored or logged.
  • Session management: Automatic session timeout after 45 minutes of inactivity. Sessions are invalidated immediately when a user is deactivated.
  • Audit logging: All significant actions (logins, data access, status changes, admin actions) are logged with actor, timestamp, and details. PII access is logged separately.

For more details, see our Trust Center.

5. Data Retention

  • Active subscriptions: Data is retained for the duration of the school's active subscription and is available for export at any time.
  • After cancellation: Upon subscription cancellation, the school's data is retained for 90 days in a read-only state to allow for data export. After 90 days, data is permanently deleted unless the school requests earlier deletion or retention extension.
  • Deletion on request: Schools may request full deletion of their data at any time by contacting privacy@operateedu.com. We will confirm deletion within 30 days.
  • Data return: Before or after cancellation, schools can export their data via CSV from the platform's reports, audit logs, and dashboards. We will assist with bulk data export on request.
  • Audit logs: Audit log data may be retained for up to 12 months after account deletion for compliance and legal purposes.

6. Subprocessors

We use the following third-party service providers to operate OperateEDU. Each processes data only as necessary to provide their service to us:

Subprocessor Purpose Data Processed Location
Supabase, Inc. Database hosting and storage All application data including school, user, workflow, and imported records AWS (United States)
Railway Corp. Application hosting (backend API) API request data in transit; environment variables for configuration United States
Cloudflare, Inc. CDN and frontend hosting Static frontend assets; request metadata (IP addresses, headers) for security Global edge network
Google LLC Authentication (SSO) and email delivery User email addresses for OAuth; email content for system notifications United States
Stripe, Inc. Payment processing Billing contact information, payment method details, transaction records United States

We will update this list if we add new subprocessors. Material changes will be communicated via email to account administrators at least 30 days in advance.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: You may request a copy of the personal data we hold about you.
  • Correction: You may request that we correct inaccurate or incomplete personal data.
  • Deletion: You may request that we delete your personal data, subject to our retention obligations.
  • Data portability: You may request your data in a structured, commonly used format (CSV).
  • Objection: You may object to certain uses of your data where we rely on legitimate interest.

For school-imported data (including student records), the school administrator is the appropriate contact for access, correction, and deletion requests. Schools can manage this data directly within the platform or contact us for assistance.

To exercise any of these rights, contact privacy@operateedu.com. We will respond within 30 days.

8. Contact

If you have questions about this Privacy Policy, your data, or our practices, contact us at:

OperateEDU — Privacy

Email: privacy@operateedu.com

Website: operateedu.com