Why This Matters
Last year an EdTech company got caught selling student behavioral data to an advertising network. The data included which students were flagged as "at-risk" and their attendance patterns. Parents were furious. The company's defense was that their terms of service technically allowed it.
Students can't choose whether their school uses Autotend. They can't read a terms of service document and make an informed decision. They're kids. That means we have to be more careful with their data than we'd be with a SaaS product for adults who signed up voluntarily.
What We Actually Collect
- Student name and school-issued ID (provided by the school, not collected from the student)
- Check-in timestamps
- Check-out timestamps (if applicable)
- Class/session association
- GPS coordinates at check-in time (only if enabled, only at the moment of check-in)
That's it. We don't know what phone they're using, what apps they have installed, what websites they visit, or who their friends are.
What We Don't Do
No advertising. No data sales. No behavioral profiling. No sharing with third parties for any purpose other than operating the service.
If a school stops using Autotend, we delete their data within 90 days.
FERPA and COPPA
FERPA governs how schools handle student records. In practice this means: role-based access controls, audit logs for every data access, parent right to inspect records, and no disclosure without consent.
COPPA applies because some of our users are under 13. We don't collect personal information directly from children — the school provides enrollment data, and the check-in process collects only a timestamp and optional location.
Security
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). We run on AWS in US-East-1. Access to production systems requires MFA and is logged. Passwords are handled by AWS Cognito, not by us.