Classroom Insight Privacy Policy
Last updated: June 15, 2026
The short version
- Classroom Insight makes behavior-support software for K-12 schools. Schools use it to record daily check-ins, incident reports, and follow-up for their students.
- Schools own their students' data. We process it only to provide the service, at the school's direction, as a "school official" under FERPA.
- We never sell student data, never use it for advertising, and never use it to train AI models. There are no ads anywhere in our product.
- Parents and guardians: your school controls your child's records. To review, correct, or delete them, contact your school — and we'll help the school fulfill your request.
- Questions: [email protected].
The rest of this policy explains the details.
1. Who we are and what this policy covers
Classroom Insight is operated by Classroom Insight, LLC, a California Limited Liability Corporation ("Classroom Insight," "we," "us"). This policy covers our website at classroom-insight.com (the "Site") and the Classroom Insight application (together, the "Service").
We handle two different kinds of information, with different rules for each:
- Student Data — personally identifiable information about students, including education records under FERPA, that a school, district, or other educational institution (a "School") provides to the Service or directs its staff to enter. We process Student Data on behalf of and at the direction of the School. The School owns and controls it.
- Other information — information about Site visitors, people who book demos or contact us, and School staff who hold accounts. We are directly responsible for this information.
If a School has signed a data privacy agreement ("DPA") with us, that DPA controls over this policy as to that School's Student Data wherever they differ.
2. Information we collect
A. Student Data (provided by Schools)
Schools and their authorized staff choose what to enter. Depending on how a School uses the Service, Student Data may include:
- Roster information: student name, student ID, grade level, and class or period enrollment — entered by staff or imported from a CSV file.
- Optional student details the School chooses to record for instructional context and its own reporting, such as English-learner status, IEP or 504 status, disability category, and demographic information the School uses for its own equity analysis.
- Behavior records: daily check-in scores and notes, incident reports and referrals, resolutions, and related staff comments.
- Support records: student case files, support plans, draft behavior goals (including drafts intended for IEP team consideration), and intervention notes.
- Family communication records: logs of family contact, messages drafted through the Service, and family contact information as entered by the School.
Because the Service supports students receiving behavior interventions and, in some cases, special education services, Student Data may include sensitive information. We treat all Student Data with the protections described in this policy regardless of sensitivity.
Students do not have accounts, and we do not collect information directly from students. We collect only the Student Data that Schools choose to provide.
B. School staff account information
When a School provisions staff accounts: name, school email address, role and access scope, school affiliation, hashed login credentials, account settings, and records of actions taken in the Service (which support the audit and accountability features Schools rely on).
C. Prospect and visitor information
If you book a demo, fill out a form, or email us: your name, role, school or district, email address, and the contents of your message.
D. Information collected automatically
Like most websites, we and our service providers collect log data (IP address, browser type, pages visited, timestamps, referring URLs) and use cookies. We use:
- Essential cookies for sign-in sessions and security (for example, CSRF protection). These cannot be disabled.
- Analytics cookies (Google Analytics 4, provided by Google LLC) on our public marketing Site only, to understand how visitors use it. We use no third-party analytics inside the signed-in application, and our Content Security Policy does not permit analytics or advertising scripts to load there.
We do not use advertising cookies or trackers anywhere on the Site or Service.
3. How we use information
- To provide the Service: operating daily check-ins, incident workflows, case files, dashboards, reports, and AI Features for Schools; authenticating users; enforcing role-based access.
- Student Data is used solely to provide the Service to the School that supplied it, at that School's direction. We do not use Student Data for any other purpose.
- To support and communicate: responding to inquiries, scheduling demos, providing support, and sending Service-related announcements (such as security or feature notices) to School staff.
- To improve the Service: analyzing how the Service performs and is used. Where this involves student information, we use only de-identified, aggregated data as described in Section 6.
- To protect the Service: detecting, investigating, and preventing security incidents, abuse, and fraud.
- To comply with law.
4. AI features and Student Data
The Service includes AI features that help educators draft summaries, support ideas, family messages, and behavior goals, and that help leaders analyze trends ("AI Features"). Here is exactly how it works:
- Provider. AI Features are powered by Google's Gemini models via the Gemini API, with Google acting as our subprocessor under terms that restrict use of your data.
- What is sent. A request includes the relevant behavior records and notes, the student's name, and instructional context the School has recorded — grade level, English-learner status, IEP/504 status, and disability category. A student's or staff member's race, ethnicity, and gender are never included in AI processing, and custom fields a School defines are excluded unless the School explicitly marks them as AI-shareable.
- No training on Student Data. Neither we nor our AI provider uses Student Data to train AI models.
- Transient processing. Data sent to the AI provider is used only to generate the requested output and is not retained by the provider beyond 55 days for abuse monitoring.
- Educator review. Every AI output is a draft. Nothing generated by AI Features is sent to a family, entered into a student's record, or acted on automatically; an educator reviews and approves first.
5. Our commitments for Student Data
These commitments apply to all Student Data, for every School, in every state. We will never:
- Sell or rent Student Data.
- Use Student Data for targeted advertising, or permit anyone else to. (There is no advertising of any kind in the Service.)
- Build a profile of a student except in furtherance of K-12 school purposes — that is, the support purposes the School uses the Service for.
- Use Student Data to train AI models.
- Disclose Student Data except: (a) to subprocessors bound by this policy's protections to help us provide the Service; (b) as directed or permitted by the School; (c) as required by law (see Section 9); or (d) as needed to protect the safety of a student or others, consistent with applicable law.
These commitments are designed to meet or exceed California's Student Online Personal Information Protection Act (SOPIPA, Cal. Bus. & Prof. Code § 22584) and similar state student privacy laws, and they apply to every School we serve regardless of location.
6. De-identified and aggregated data
We may create and use data that has been de-identified and aggregated so that it cannot reasonably be used to identify any student — for example, to understand which features help schools, to improve the Service, and to report aggregate usage (such as "schools using daily check-ins log incidents 30% faster"). We will not attempt to re-identify de-identified data, will not sell it, and will contractually prohibit any recipient from re-identifying it.
7. FERPA: our role as a "school official"
Where Student Data includes education records protected by FERPA, we act as a "school official" with a "legitimate educational interest" under 34 C.F.R. § 99.31(a)(1). In that role, we:
- perform services for the School that it would otherwise perform with its own employees;
- remain under the School's direct control with respect to the use and maintenance of education records;
- use education records only to provide the Service; and
- do not re-disclose personally identifiable information from education records except as directed by the School or as permitted by law (34 C.F.R. § 99.33).
Education records remain the property of, and under the control of, the School at all times. Parents and eligible students exercise their FERPA rights — to inspect, review, and seek amendment of education records — through their School, and we promptly assist Schools in fulfilling those requests, including by providing the School copies of a student's records in the Service.
8. Children's privacy (COPPA)
The Service is designed for use by School staff; students do not have accounts, and we do not knowingly collect personal information directly from children.
Where a School provides Student Data about children under 13, we rely on the School to provide consent on behalf of parents consistent with the Federal Trade Commission's guidance on COPPA in the school context. In that context:
- We collect and use children's information solely to provide the Service for the School's educational purposes, and for no other commercial purpose.
- We never use children's information for advertising or marketing.
- Schools may review children's information through the Service and may direct us to delete it at any time, and we will comply as described in Section 11.
- We provide this policy so that Schools can share it with parents, and we will make our data practices available to parents through their School on request.
If you are a parent and believe information about your child was provided to us without proper authorization, contact us at [email protected] and we will work with you and the School to investigate and resolve the issue.
9. How we share information
We share information only as follows:
Subprocessors. Service providers that help us operate the Service, each bound by contracts requiring confidentiality, security, and use of data solely to provide services to us:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Cloud Run, Cloud SQL) | Application hosting and database | United States |
| Google (Gemini) | AI Feature processing (see Section 4) | United States |
| Google (Gmail SMTP) | Transactional email (verification, password resets, invitations) | United States |
| Google Analytics 4 (Google LLC) | Site analytics on the public marketing Site only | United States |
We will keep this list current and, for Schools with a DPA, provide notice of subprocessor changes as the DPA requires. All Student Data is stored and processed in the United States.
Legal requirements. If we receive a subpoena, court order, or other legal demand for Student Data, we will (unless legally prohibited) promptly notify the School and, where appropriate, redirect the requester to the School, so the School can respond or seek protective measures. We disclose only what we are legally required to disclose.
Safety. We may disclose information if we believe in good faith it is necessary to prevent imminent and serious harm to a student or another person, consistent with applicable law, and we will notify the School.
Business transfers. If Classroom Insight is involved in a merger, acquisition, or sale of assets, Student Data may be transferred only to a successor that agrees in writing to be bound by commitments at least as protective as this policy. We will notify affected Schools before any such transfer, and Schools may request export and deletion of their data first.
We never share information with data brokers, and we never share Student Data for any party's marketing.
10. Security
We maintain a security program designed to protect the information we handle, including:
- Encryption of data in transit (TLS, enforced by HTTP Strict Transport Security) and at rest (AES-256 via Google Cloud SQL).
- Role-based access controls, so each School staff member sees only the students within their assigned scope — and school-to-school isolation is enforced automatically at the data layer on every query, verified by automated regression tests.
- Least-privilege internal access: our personnel access Student Data only when necessary to provide support or maintain the Service.
- Operational safeguards: CSRF protection on all forms, strict browser security headers, rate limiting on sensitive operations, immutable audit records of account and access changes, encrypted automated backups, and application processes that run without elevated privileges.
- Vendor diligence for all subprocessors.
No method of transmission or storage is perfectly secure, but we work to protect your information and to be transparent about how we do it. To report a security concern, contact [email protected].
11. Data retention and deletion
- Student Data is retained for the duration of the School's subscription or pilot. When a subscription or pilot ends, the School has 30 days to request an export, after which we delete the School's Student Data within 60 days. A School may also direct us to delete some or all of its Student Data at any time, and we will do so within 30 days and confirm in writing on request.
- Backups containing deleted data are purged on our standard backup cycle of no more than 7 days.
- Staff account information is retained while the account is active and deleted or de-identified within 90 days after the School's relationship with us ends, except records we must keep for legal or financial purposes.
- Prospect information is retained while relevant to our communications; you may request deletion at any time at [email protected].
- De-identified data (Section 6) may be retained, since it does not identify any student.
- Records we are legally required to retain are kept only as long as required and remain protected by this policy.
12. Your choices and rights
- Parents, guardians, and eligible students: your School controls Student Data. Requests to access, correct, or delete a student's records should go to the School, and we will help the School respond (Sections 7 and 8).
- School staff: you can update your account information in the Service or by contacting [email protected].
- Prospects and Site visitors: you can unsubscribe from our emails via the link in any message, and request deletion of your information at [email protected].
- Cookies: you can control cookies through your browser. Blocking essential cookies will prevent sign-in.
- Do Not Track: our Site does not currently respond to "Do Not Track" browser signals.
- California residents: Classroom Insight does not sell or share personal information as those terms are defined under California law.
13. Changes to this policy
When we update this policy, we will post the new version here with an updated date. For material changes, we will notify School administrative contacts by email at least 30 days before the change takes effect. We will not make changes that materially weaken the protections for Student Data described in Sections 4-11 during a School's subscription or pilot without the School's consent.
14. Contact us
Classroom Insight, LLC (d/b/a Classroom Insight) 19177 Carlton Ave. Castro Valley, California 94546
Email: [email protected]