Privacy Policy

Tahoe Consulting LLC, operating as My Academy HQ (“Company,” “we,” “us,” or “our”), operates the My Academy HQ platform. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our Service. It applies to school administrators, staff, parents, prospective families, and any other individuals who interact with the Service, including visitors who submit information through public forms (such as contact, application, waitlist, open house, or event registration forms). By using the Service or submitting information through any form on the platform, you agree to the practices described in this policy.

Platform vs. School Policies: This Privacy Policy governs the My Academy HQ platform and applies when My Academy HQ acts as the data controller (for platform accounts and subscriptions) or data processor (for student and school data managed on behalf of schools). Individual schools using the platform may maintain their own privacy policies and SMS terms for their interactions with families. When you interact with a school's website hosted on our platform, the school is the data controller for the information you provide, and My Academy HQ processes that data on the school's behalf.

We collect the following categories of personal information:

• Identifiers: Names, email addresses, phone numbers, mailing addresses, and account credentials.
• Commercial Information: Subscription plans, billing history, transaction records, and payment method details (processed and stored by Stripe; we do not store full payment card numbers).
• Education Records: Student names, dates of birth, enrollment information, classroom assignments, attendance records, developmental assessments, and other information entered by school administrators or staff.
• Internet/Network Activity: IP addresses, browser type and version, device identifiers, operating system, pages visited within the Service, access timestamps, and referring URLs.
• Geolocation Data: Approximate location derived from IP address. We do not collect precise GPS-based location data.
• Professional/Employment Information: Job titles, roles, and organizational affiliations of school staff using the Service.
• Photographs and Uploaded Files: Profile photos of staff, guardians, and families, as well as documents uploaded by school administrators (such as curriculum materials, policy documents, and other attachments).
• Background Check Information: Schools may record background check data for parents, guardians, and staff. This may include pass/fail status, a reference identifier, the date the check was requested, and a link to a document uploaded by the school administrator. We do not conduct background checks, integrate with screening providers, or store background check reports obtained from third parties.
• Electronic Signature Records: When enrollment agreements, policy acknowledgments, or other documents are signed electronically through the Service, we collect and retain the signed document, the signer's name, email address, IP address, user agent, and timestamp of the signature.
• Communications Content: Messages, file attachments, and reactions sent through the in-app chat and messaging features.
• Push Notification Tokens: Device tokens registered when you enable push notifications on your device. These tokens are used solely to deliver notifications and are deleted when you log out or unregister your device.
• Audit Records: Logs of administrative actions taken within the Service, including the action performed, the user who performed it, the affected record, and the timestamp.

We collect information through:

• Direct submission: Information you provide when creating an account, enrolling students, configuring school settings, or contacting us for support.
• Public form submissions: Information submitted by prospective families and visitors through public-facing forms, including application, contact, waitlist, open house registration, event registration, and lead capture forms. You do not need an account to submit these forms.
• Automatic collection: Usage data collected through cookies, server logs, and similar technologies when you interact with the Service.
• Bot detection: We use Cloudflare Turnstile on public forms to distinguish legitimate users from automated bots. This service may collect device and browser characteristics to assess whether a submission is genuine. No personal information is shared with Cloudflare for advertising purposes.
• Third-party sources: Information from payment processors (Stripe) related to transaction status and billing.

We process your information under the following bases:

• Contractual necessity: To provide and maintain the Service as agreed in our Terms of Service.
• Legitimate interest: To improve the Service, ensure security, prevent fraud, and communicate service-related updates.
• Consent: Where required by law, such as for non-essential cookies or marketing communications. You may withdraw consent at any time.
• Legal obligation: To comply with applicable laws, regulations, and legal processes.

We use the information we collect to:

• Provide, operate, maintain, and improve the Service.
• Process transactions and send related information (receipts, invoices, billing alerts).
• Communicate with you about your account and updates to the Service.
• Respond to your requests and support inquiries.
• Detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities.
• Comply with legal obligations, including FERPA, COPPA, and state privacy laws.
• Generate aggregated, de-identified analytics to improve the Service (never tied to identifiable students).

We do not use personal information for targeted advertising. We do not use student education records for any purpose other than providing the Service.

Your data is stored on secure servers located in the United States. We use Vercel for application hosting and content delivery, and Neon for database services, both of which operate data centers within the United States. Uploaded files (photos, documents, signed PDFs) are stored in Vercel Blob Storage in the United States. We do not intentionally transfer personal information outside the United States.

Tenant isolation: The platform serves multiple schools on shared infrastructure. Each school's data is logically isolated and accessible only to that school's authorized users. School administrators cannot access another school's data. Role-based access controls enforce separation at the application level.

We implement industry-standard security measures including encryption of data at rest and in transit (TLS 1.2+), role-based access controls, regular security assessments, and automated threat monitoring. While we use commercially reasonable measures to protect your information, no method of electronic transmission or storage is completely secure.

We use the following categories of third-party service providers to operate the platform:

• Payment processing: Stripe processes all payment transactions and stores payment method details in accordance with PCI-DSS standards.
• Hosting and infrastructure: Vercel provides application hosting, serverless compute, content delivery, and file storage (Vercel Blob).
• Database: Neon provides PostgreSQL database services with encryption at rest.
• Email delivery: Transactional email is delivered via SMTP. Schools may configure their own SMTP provider for school-branded communications.
• SMS delivery: My Academy HQ uses Telnyx to deliver two-factor authentication codes and app install links on its own behalf, and invoice and meeting reminders on behalf of schools using the platform. Each Telnyx toll-free number is registered under Telnyx Toll-Free Verification with My Academy HQ declared as the ISV/reseller for school traffic.
• Analytics: Schools may optionally enable Google Analytics on their school website. When enabled, Google receives browsing data (pages visited, device information, approximate location) from visitors to that school's website. Google Analytics is not loaded on pages where it has not been enabled by the school. Google's privacy policy governs its processing of this data.
• Bot protection: Cloudflare Turnstile provides CAPTCHA and bot detection on public forms. Cloudflare may collect device and browser characteristics for this purpose. Cloudflare's privacy policy governs its processing of this data.
• AI-assisted content generation: Anthropic provides AI language model services used by school staff to generate draft observation narratives, portfolio captions, and to extract structured data from charter documents. When a teacher initiates an AI-assisted feature, the student's first name and the teacher-authored notes for that specific request are transmitted to Anthropic. No broader student records are sent. Anthropic does not retain data beyond the duration of the API request and does not use it to train models. Anthropic's privacy policy governs its processing of this data.
• Push notifications: Firebase Cloud Messaging (Google) delivers push notifications to devices that have opted in. Device tokens are transmitted to Firebase for delivery purposes only.
• Real-time messaging: Centrifugo provides real-time message delivery infrastructure for the in-app chat feature. Message content passes through Centrifugo for delivery to connected clients.

Each sub-processor is contractually bound to process personal information only as necessary to provide services to us, to maintain appropriate security measures, and to not use personal information for their own purposes. We will notify school administrators at least thirty (30) days before adding a new sub-processor that processes student data. A current list of sub-processors is available upon request at contact@myacademyhq.com.

Certain features of the Service make information visible to other authorized users within the same school:

• Class photo albums: Photos uploaded to a class album are visible to all parents who have a child enrolled in that class. Albums may contain photos of multiple children. Parents who do not wish their child to appear in shared photos may indicate this through the media consent option in the enrollment agreement; schools are responsible for honoring these preferences when uploading photos.
• Kiosk check-in devices: Schools may deploy kiosk devices for student check-in and check-out. These devices display student and family names to facilitate the check-in process. Schools are responsible for placing kiosks in appropriately controlled areas.
• Newsletters: Automated and manual newsletters sent to parents may contain names of school staff and families in schedule-related content.
• Data export: School administrators may export school data (including student records, family information, billing records, and staff records) in CSV format. Exports contain the full records accessible to the administrator and are secured behind authentication. Only administrators can initiate exports.

We do not sell, rent, or trade your personal information to third parties. We do not share personal information for cross-context behavioral advertising.

We may disclose information in the following circumstances:

• Service providers: With sub-processors described in Section 8 as necessary to operate the Service.
• Legal requirements: When required by law, subpoena, court order, or governmental request.
• Safety and rights: To protect the rights, property, or safety of My Academy HQ, our users, or the public.
• Business transfers: In connection with a merger, acquisition, or sale of assets. In such an event, we will notify you before your personal information is transferred and becomes subject to a different privacy policy.
• With your direction: School administrators may direct us to share data with other parties (such as state reporting systems) through features of the Service.

We retain personal information for as long as your account is active or as needed to provide the Service. Specific retention periods:

• Account data: Retained for the duration of the subscription plus thirty (30) days after termination or cancellation.
• Student education records: Retained for the duration of the subscription and deleted within thirty (30) days of account termination, unless the school requests earlier deletion or data export.
• Billing records: Retained for seven (7) years as required by tax and accounting regulations.
• Server logs: Retained for ninety (90) days for security and troubleshooting purposes.
• Prospect and lead data: Information submitted through public forms (applications, contact forms, waitlist entries, open house registrations, and event registrations) is retained by the school for as long as the school's account is active. Prospects may request deletion of their information by contacting the school or by emailing us at contact@myacademyhq.com.
• Electronic signature records: Signed documents and signature metadata are retained for the duration of the school's subscription and through the post-termination data retention window.
• Rate limiting records: Records containing IP addresses and identifiers used for abuse prevention are retained temporarily and automatically purged.
• Audit logs: Logs of administrative actions are retained for the duration of the school's subscription and through the post-termination data retention window.
• Chat messages: In-app messages and attachments are retained for the duration of the school's subscription and deleted within thirty (30) days of account termination.

When data is no longer needed, we delete or de-identify it using commercially reasonable methods. Backup systems may retain encrypted copies for up to ninety (90) additional days before automatic purging.

We recognize that our Service processes student education records that may be protected by the Family Educational Rights and Privacy Act (“FERPA”). When we receive student education records from a school, we function as a “school official” with a “legitimate educational interest” under FERPA. We commit to the following:

• Student education records are used solely to provide the Service as directed by the school.
• We do not disclose student education records to any third party except as directed by the school, required by law, or permitted by FERPA.
• We do not use student education records for advertising, marketing, profiling, or any non-educational purpose.
• Schools retain ownership and control of all student education records.
• We return or delete student education records upon request or upon termination of the relationship, subject to our data retention policy.
• We maintain reasonable safeguards to protect student education records from unauthorized access, disclosure, or misuse.

The Service is designed for use by school administrators, staff, and parents. Children under 13 do not create accounts or directly interact with the Service. Student data is entered into the system solely by authorized school personnel and parents.

We comply with the Children's Online Privacy Protection Act (“COPPA”), including the updated rule effective April 22, 2026, and take the following measures:

• Data minimization: We collect only student information that is reasonably necessary for the educational services provided through the platform.
• No advertising: We do not use children's personal information for behavioral advertising or targeted marketing of any kind.
• No profiling: We do not create behavioral profiles of children or use children's data for purposes unrelated to the educational service.
• School consent: Schools act as agents of parents for the purpose of consenting to the collection of student information in the educational context, as permitted under COPPA.
• Deletion: Children's personal information is deleted when it is no longer necessary for the educational purpose for which it was collected, or upon request from the school or parent.
• Parental access: Parents may review their child's information through the parent portal or by contacting the school. Parents may request that we delete their child's information by contacting us at contact@myacademyhq.com.
• AI-assisted features: The Service includes optional AI-assisted tools that school staff may use to draft observation narratives and portfolio captions. These tools are initiated solely by authorized school personnel (not children) and process only the teacher-authored notes and student first name provided in each request. Children do not interact with or provide input to AI features. The school, acting as agent of the parent under COPPA, authorizes this processing as part of the educational service. AI outputs are drafts for teacher review and are not used for profiling, advertising, or automated decision-making about children.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
• Right to delete: Request deletion of your personal information, subject to legal retention requirements and our obligations under FERPA.
• Right to correct: Request correction of inaccurate personal information.
• Right to data portability: Request a copy of your personal information in a structured, commonly used, machine-readable format.
• Right to opt out: Opt out of the sale or sharing of personal information. Note: we do not sell or share personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information: Request that we limit our use and disclosure of your sensitive personal information to only what is necessary to provide the Service. Note: we already limit our use of sensitive personal information to providing and improving the Service and do not use it for advertising, profiling, or other secondary purposes.
• Right to non-discrimination: We do not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, contact us at contact@myacademyhq.com. We verify your identity before fulfilling requests by matching information you provide with information we have on file. We respond within forty-five (45) days, with an option to extend by an additional forty-five (45) days for complex requests with prior notice. You may also designate an authorized agent to make requests on your behalf with proper written authorization. For requests to know, we provide information covering the twelve (12) month period preceding the request.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), provides you with specific rights regarding your personal information:

• Categories collected: Identifiers, commercial information, education records, internet/network activity, geolocation data, and professional/employment information (see Section 2 for details).
• Business purposes: Providing the Service, processing transactions, communicating with you, maintaining security, and complying with legal obligations.
• Sale/sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Sensitive personal information: We may process account login credentials and information about minors (student records). We use this sensitive personal information only to provide the Service and do not use it for profiling or advertising.

Right to limit: You have the right to request that we limit the use and disclosure of your sensitive personal information to only what is necessary to provide the Service. Because we already restrict our use of sensitive personal information to this purpose, no additional action is required on your part. If our practices change, we will provide a “Limit the Use of My Sensitive Personal Information” link or equivalent mechanism.

Financial incentives: We do not offer financial incentives, price differences, or service differences in exchange for the retention, sale, or sharing of your personal information.

California residents may exercise their rights as described in Section 14. You may also contact us at contact@myacademyhq.com to submit a request. We do not use or disclose sensitive personal information for purposes beyond providing the Service.

In addition to California, numerous other states have enacted comprehensive privacy laws, including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Kentucky, Rhode Island, Delaware, Nebraska, New Hampshire, New Jersey, Maryland, Minnesota, and others. While the specific rights vary by state, we honor the core privacy rights granted under each applicable state law, including the rights to access, delete, and correct personal information, as well as the right to opt out of the sale of personal information and targeted advertising.

State student data privacy laws: We comply with state laws that impose obligations on operators of educational technology services, including the California Student Online Personal Information Protection Act (“SOPIPA”), the Illinois Student Online Personal Protection Act (“SOPPA”), the New York Education Law § 2-d, and similar statutes in other states. In accordance with these laws:

• We do not use student data for targeted advertising or commercial profiling.
• We do not sell student data or use it for purposes unrelated to the educational service.
• We delete student data upon request from the school or upon termination of the relationship, subject to our data retention policy.
• We are prepared to execute state-required Data Processing Agreements with schools and school districts. Our Data Processing Agreement is available for review and execution.

If you are a resident of a state with a comprehensive privacy law, you may exercise your rights as described in Section 14. We process all privacy requests in compliance with the most protective applicable standard. If your state law provides additional rights beyond those listed in Section 14, we will honor those rights upon request.

The Service sends SMS in two categories: (1) platform-sent messages from My Academy HQ on its own behalf — two-factor authentication codes and app install links a user has just requested; and (2) school-operated messages from My Academy HQ on behalf of a school — invoice and meeting reminders, plus a one-time transactional invite SMS sent alongside the email invite when a school administrator adds a parent or teacher to the platform.

• Opt-out: Recipients may opt out of text messages at any time by replying STOP to any message. Opt-out requests are honored at the carrier level and processed promptly.
• Message frequency: Message frequency varies based on school communications. Standard message and data rates may apply depending on your mobile carrier and plan.
• Data use: Phone numbers collected for SMS messaging are used solely for delivering the communications described above and are not sold or shared with third parties for marketing purposes.

School-operated SMS and recipient consent: Before My Academy HQ sends any non-transactional SMS on a school’s behalf, the recipient must have an active SMS consent decision for the shared school sender. Consent is captured through one of four paths: (1) the user enters or confirms their phone number on a My Academy HQ form that includes the SMS disclosure; (2) the user confirms an attestation dialog shown on their first login after a phone number is on file; (3) the user replies YES to a one-time double-opt-in SMS sent at the school administrator’s request; or (4) for a limited set of schools that gather written SMS consent off-platform (for example, on enrollment paperwork), the school administrator records that prior consent on the user’s behalf when adding them to the platform. My Academy HQ stores this decision at the phone-number level and blocks all non-transactional SMS to phones without an active attestation. Because school-operated SMS shares one sender number, replying STOP applies across all school-operated messages sent from that number until the phone is re-subscribed.

Transactional invite SMS: When a school administrator adds a parent or teacher to the platform, My Academy HQ also sends a single one-time SMS containing the same account-setup link the email invite contains. This message is transactional — it is tied to the school’s enrollment of the recipient and does not opt the recipient into ongoing school SMS. Replying STOP suppresses future SMS from the school sender; replying HELP returns help text. Future invoice or meeting reminders still require explicit opt-in through one of the four paths above.

Mobile information sharing: Mobile phone numbers and SMS opt-in consent data are not shared with third parties or affiliates for marketing or promotional purposes. Phone numbers are shared only with our SMS sub-processor (Telnyx) solely to transmit the messages described in this section.

We comply with the Telephone Consumer Protection Act (“TCPA”) and applicable Federal Communications Commission regulations regarding text messaging.

The Service enables schools to send email communications to parents and staff, including newsletters, announcements, billing notifications, and system alerts. We comply with the Controlling the Assault of Non-Solicited Pornography And Marketing Act (“CAN-SPAM”) and applicable regulations:

• All marketing and newsletter emails include a clear unsubscribe mechanism. Recipients can opt out by clicking the unsubscribe link in any email or by updating their communication preferences in the parent portal.
• Opt-out requests are honored promptly, and no further marketing emails are sent after unsubscription.
• Transactional emails (such as billing receipts, account notifications, and security alerts) are not subject to unsubscription as they are necessary for the operation of the Service.
• All emails accurately identify the sender and include the school's contact information.

Essential cookies: We use strictly necessary cookies to maintain your authenticated session and remember your preferences. These cookies are required for the Service to function and cannot be disabled.

Analytics cookies: Schools may optionally enable Google Analytics on their school website, which sets cookies to understand how visitors interact with the site in aggregate. When enabled, Google Analytics collects browsing data subject to Google's privacy policy. Analytics data is not linked to individual student records. You can control analytics cookie preferences through your browser settings or by using the Google Analytics opt-out browser add-on. Google Analytics is not active on schools that have not enabled it.

Do Not Track: We honor the Global Privacy Control (“GPC”) signal. If your browser sends a GPC signal, we treat it as a request to opt out of the sale or sharing of personal information, as required by the CCPA/CPRA. We do not currently respond to traditional “Do Not Track” browser signals, as there is no industry-standard protocol for compliance, but this does not affect GPC signal handling.

No tracking for advertising: We do not use tracking pixels, third-party advertising cookies, or any technology that tracks users across websites for the purpose of advertising.

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. No enrollment, grading, behavioral, or disciplinary decisions are made by automated systems.

AI-assisted content tools: The Service includes optional AI-assisted features that help school staff draft educational documentation. These features use a third-party AI language model (Anthropic Claude) and include:

• Observation narrative expansion: Teachers may submit brief observation notes and a student's first name to generate a draft developmental narrative. The teacher reviews and edits the draft before it becomes part of the student's record.
• Portfolio caption generation: Teachers may submit a work sample title and student name(s) to generate a draft caption describing the work. The teacher reviews and edits the draft before saving.
• Charter document extraction: School administrators may submit charter voucher PDF documents to extract structured billing data. This feature processes financial document text and does not involve student records.

These AI features share the following characteristics: they are initiated solely by authorized school staff (never by children or parents); only the specific data points provided by the teacher in each request are transmitted to the AI provider (not the broader student record); all AI outputs are presented as editable drafts for human review; no AI output is saved to a student's record without explicit staff action; and the AI provider does not retain submitted data beyond the duration of the request. See Section 8 for details on the AI sub-processor.

Rule-based automations: The Service includes rule-based automations configured by school administrators, such as automatic application of late fees, recurring billing, contribution reminders, and newsletter scheduling. These automations execute based on rules and schedules set by the school administrator and can be modified or disabled at any time by the school. They do not involve profiling or autonomous decision-making about individuals.

In the event of a security breach that affects your personal information, we will:

• Notify affected school administrators within seventy-two (72) hours of confirming the breach.
• Provide a description of the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken to address the breach.
• Cooperate with affected schools to fulfill their notification obligations to parents and regulatory authorities under applicable state breach notification laws.
• Report the breach to applicable regulatory authorities as required by law.

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us at:

Tahoe Consulting LLC, operating as My Academy HQ
Email: contact@myacademyhq.com

For FERPA-related inquiries or to report a student data concern, please contact us at the email address above with “FERPA Inquiry” in the subject line.