← Back to home

Privacy Policy

Last updated: May 19, 2026 · Status: in private build, no public users yet

1. Who we are

SofaOps (“we,” “us”) is a K-12 classroom-management application operated by Highland Creates. This policy describes how we collect, use, and protect information when teachers, school administrators, students, and parents use the application at sofaops.com.

We are currently in private build with a single pilot classroom. Public sign-ups are not open. This policy describes our intended practices at launch; we will update it materially before any public release and notify pilot users in advance.

2. Information we collect

  • Teachers, school administrators, district administrators, parents: Email address, name, and authentication identity managed by Clerk. Sign-in events, IP addresses, and user-agent strings for security auditing.
  • Students under 13: Display name and avatar only. No email, no password. Students log in via a per-classroom code plus their display name; we do not collect personally identifiable information beyond what the teacher enters when adding a student to the roster.
  • Students 13 and over: If a school enables older-student email accounts, the email address and school-issued display name. The school remains the controller of those records.
  • Classroom content: Assignments, links posted by teachers, student submissions (text, files, photos), grades, and comments between teachers, students, and parents.
  • Activity logs: When assignments are posted, submitted, graded, and returned; when parents view their child’s dashboard.

3. How we use information

  • To run the application: deliver assignments, track submission status, send grades
  • To send transactional email (parent invites, weekly digests, password resets) via Resend
  • To detect abuse and unauthorized access via security audit logs
  • To respond to direct support requests from authorized administrators

We do not: sell personal data, share it with advertisers, use it to train machine-learning models, or expose one tenant’s data to another tenant.

4. COPPA & FERPA

For users under 13, SofaOps relies on the school exception under the Children’s Online Privacy Protection Act (COPPA): when a school directs us to collect information from students under 13 as part of the school’s educational programs, the school acts as the parents’ consent agent. We collect the minimum necessary to operate the application and never use that data for commercial purposes.

Student records are education records under the Family Educational Rights and Privacy Act (FERPA). The school or district remains the FERPA-defined custodian; SofaOps acts as a school-authorized service provider. Our data processing agreement (DPA) is available to school and district customers on request.

5. Third-party services

  • Clerk: authentication for teachers, administrators, and parents.
  • Supabase: Postgres database and file storage, US-East region, encrypted at rest.
  • Resend: transactional email.
  • Stripe: billing for teacher and school licenses.
  • Vercel: application hosting; processes HTTP requests and access logs.

6. Storage & security

  • All traffic uses TLS (HTTPS) and HSTS
  • Database rows are isolated per-tenant via Postgres row-level security
  • Authentication credentials are managed by Clerk; we never see passwords
  • File uploads are stored in Supabase Storage with per-tenant access policies
  • Service-role database access is restricted to a small number of named endpoints

7. Retention & deletion

Active classroom data is retained for the duration of the school’s active license. When a license ends or a school requests deletion, all associated records are removed within 30 days. Schools and districts may request earlier deletion through their data processing agreement. Deactivated user accounts have all sessions revoked immediately; account data is retained for 90 days for audit purposes before permanent deletion.

8. Your rights

Users may request access to, correction of, or deletion of their personal data through the school administrator. Parents acting on behalf of a student under 13 may exercise the same rights through the school. We respond to verified requests within 30 days.

9. Contact

Reach us at info@highlandcreates.com for privacy questions, DPA requests, or to exercise the rights described above.