Privacy, FERPA & COPPA

We act as a 'school official' under FERPA §99.31(a)(1)(i)(B). All student records remain under the educational agency's control. Signed DPA available.

For students under 13, the school provides consent on behalf of parents (FTC-permitted). We never collect personal info beyond what schools authorize.

AES-256 at rest, TLS 1.2+ in transit. Database backups are encrypted and geographically isolated.

Row-level security policies enforce that one district cannot read another district's data — verified by automated tests.

We do not sell, rent, or share student data with advertisers. No behavioral ad tracking pixels run on student pages.

Parents may request review, correction, or deletion of their child's records by contacting their school's designated official; we respond within 30 days.

MyFeelingsMatter operates as a "school official" with legitimate educational interest under FERPA §99.31(a)(1)(i)(B). The educational agency retains full ownership and control of all education records we process.

• Authorized use only: we use student data only for SEL instruction and reporting the district has approved.
• No re-disclosure: we never share PII with third parties without explicit district consent.
• District access: districts can view, export, correct, or delete student records on demand.
• End-of-contract: student data is returned or destroyed within 90 days of termination, or sooner on request.
• Parent inspection: parents exercise FERPA rights through their school's designated official, who can pull records on our platform.

For students under 13, the school provides consent on behalf of parents under the FTC's school-consent exception to COPPA. This is the standard model used by EdTech across the country.

• Minimum data: we collect only first/chosen name, grade, and SEL responses — no email, phone, or address required for students.
• No advertising: we never serve behavioral ads or build marketing profiles of children.
• No third-party tracking: no ad-tech pixels or cross-site trackers on student-facing pages.
• No public profiles: students cannot make their data public or contact strangers through the platform.
• Parent rights: parents can request review or deletion of their child's data at any time via the school.
  

From students: First name (or chosen name), grade level, daily mood/journal entries, SEL self-assessment responses, activity progress.

From staff: Name, work email, role, school assignment, case notes they author.

Never collected: Social Security numbers, home addresses, biometric data, geolocation, behavioral ad profiles, photos/video without explicit teacher action.

Student records are retained for the duration of the district's license plus 90 days, then permanently deleted. Districts may request earlier deletion at any time.

Aggregate, de-identified outcomes data may be retained for product improvement and research; this data cannot be re-linked to individual students.

Hosting & database: Supabase (US-East, SOC 2 Type II)

Email delivery: Resend (transactional only; no marketing to students)

AI coaching: Google Gemini & OpenAI (via Lovable AI Gateway; student inputs are never used for model training)