Privacy Policy
Effective date: January 1, 2026
Schoolyard Studio ("Schoolyard", "we", "us") publishes the Schoolyard learning app for children aged 6–12. We have built the app, and this policy, to comply with children's-privacy laws including the U.S. Children's Online Privacy Protection Act ("COPPA"), the U.S. Family Educational Rights and Privacy Act ("FERPA") when the app is licensed to schools, the EU General Data Protection Regulation (including Art. 8 on the age of digital consent), and the UK Information Commissioner's Office Age Appropriate Design Code.
1. Two paths, two consent models
The app is offered through two distinct distribution paths:
- Direct-to-parent (consumer): parents subscribe through Apple App Store or Google Play and create an account for their child. We collect the child's first name and age (no last name, no email). Before any account is created, we obtain Verifiable Parental Consent ("VPC") under COPPA.
- School-licensed (classroom): schools license the app under a district-wide agreement. Teachers create accounts for students within their class. We act as a "school official" under FERPA, processing personally identifiable information ("PII") from education records only at the direction and for the educational purposes of the school.
This Privacy Policy applies to both paths, with sections noting differences where they exist. Schools licensing the app additionally receive a Student Data Privacy Agreement (DPA), which takes precedence over this policy for school-licensed accounts.
2. Information we collect
From a parent setting up a direct-to-parent account
- The parent's email address (for account management and verifiable parental consent).
- The child's first name only (no last name).
- The child's age.
- Subscription receipt from Apple or Google (we never see payment-card data).
From a child using the app
- Activity within the app (lessons completed, scores, time spent on tasks).
- Locally stored progress so the child sees their progress on next launch.
We do not collect from children: last names, photos, location data, contact lists, free-form text or audio (the app contains no chat or open-ended input fields), persistent identifiers used across services, or anything that could be combined to identify the child outside our service.
From schools (classroom-licensed accounts)
- The school's name and administrator contact information.
- For each student account the school creates: first name, optional last name (the school decides whether to include this), grade level, class assignment, and a student ID assigned by the school's information system.
- Student activity within the app, as described above.
Schools may provide additional information via roster-sync providers (Clever, ClassLink). The school controls what is shared and we use it only for the purposes described in our DPA.
3. Verifiable parental consent (COPPA)
For direct-to-parent accounts, we obtain VPC before collecting any information about a child. We use one of the methods approved by the FTC, currently the "credit card / debit card" method linked to the App Store subscription (the FTC has approved this method since 2019 for paid services where the parent must authenticate a payment to enable the service).
After consent is given:
- The parent can review, modify, or delete the child's information at any time from the in-app Parent Dashboard.
- The parent can revoke consent at any time by deleting the account.
- We send the parent a confirmation email when consent is given and when material settings change.
4. FERPA — school-licensed accounts
For school-licensed accounts, the school is the controller of the student PII. We process student PII as a "school official" with a "legitimate educational interest" under 34 CFR §99.31(a)(1)(i)(B). Specifically:
- We process student PII only for the educational purposes described in the school's DPA.
- We do not use student PII for any purpose unrelated to the educational service.
- We do not advertise to students.
- We do not build profiles about students for non-educational purposes.
- We delete student PII at the end of the school year (or as specified in the DPA).
- Schools control access to student PII; parents may exercise FERPA rights through the school.
5. How we use information
We use the information above to:
- Operate the app: load lessons, track progress, present the next appropriate activity.
- Maintain accounts (parent or school).
- Process subscription billing (D2C path) or school licensing (B2B path).
- Send transactional emails to parents or school administrators (welcome, billing receipts, security notifications).
- Support: respond when a parent, teacher, or administrator contacts us.
- In aggregate, understand how children use the app to improve content quality. Aggregation is performed at the cohort level (e.g. "second graders take an average of 8 minutes to complete the addition unit") and is not used to profile individual children.
We do not use children's data for advertising, retargeting, behavioral analytics, or to train external AI models.
6. Sharing
We share information only with:
- Firebase (Google) — backend hosting and authentication. We use Firebase services configured for children's-app compliance.
- RevenueCat — subscription receipt validation, D2C path only.
- Apple / Google — receipt of subscription payment, D2C path only.
- Clever / ClassLink — roster sync, school path only, at the school's direction.
We do not share children's information with marketing networks, data brokers, or anyone for advertising or commercial purposes other than operating the service.
7. Children in the EU and UK
For children in the European Economic Area or United Kingdom, the GDPR's age of digital consent applies. The age varies by country (13 to 16 depending on the member state). For users below the applicable age, we require parental authorization equivalent to COPPA verifiable parental consent.
We comply with the UK ICO Age Appropriate Design Code, including its provisions on default high-privacy settings, no nudges towards weaker privacy, no profiling, no use of children's data in ways unfair to them, and transparency adapted to children.
8. Retention
- Direct-to-parent accounts — retained while the subscription is active, plus 90 days after cancellation (so a returning subscriber can resume), then deleted.
- School-licensed accounts — retained for the school year, then deleted at end of year unless the DPA specifies otherwise.
- Aggregate analytics — retained indefinitely in fully de-identified form.
- Billing records — 7 years (US tax retention).
9. Rights
Parents (D2C path) may review, modify, or delete their child's data at any time from the Parent Dashboard or by writing to [email protected].
Parents whose child uses the app through a school should contact the school first; FERPA rights are exercised through the school as controller. We assist schools in responding to parental requests as required by our DPA.
For EEA / UK residents, you have the right to access, correct, port, restrict, or delete personal data, and to object to processing based on legitimate interests.
10. Security
We protect data with TLS in transit, AES-256 at rest, role-based access controls, MFA on all employee accounts, annual security testing, and an incident-response plan with breach notification within 72 hours for personal data and within 30 days for student data under most state student-privacy laws.
11. Changes
Material changes will be announced to parents and to school administrators by email at least 30 days before they take effect. For changes affecting children's information, we re-obtain parental consent where COPPA requires it.
12. Contact
[email protected]
Schoolyard Studio LLC, 75 Education Way, Portland, OR 97204, USA.
