Privacy Policy (FERPA & COPPA Compliance)

This policy governs the SISLMS by NAS application, operated by Neeraj's AI Services (NAS).

1. Our Role and Authorization (FERPA Mandate)

Under FERPA, NAS acts as a school official with legitimate educational interest, meaning we:

• Perform institutional services or functions for which the school would otherwise use employees
• Are under the direct control of the school with respect to the use and maintenance of education records
• Use education records only for authorized purposes and do not disclose them to other parties

2. PII Collected and Purpose

We adhere to the principle of data minimization and only collect the following Personally Identifiable Information (PII) necessary for educational functions:

Personal Data Collected:

• Student Information: Student Name, Date of Birth, Class, Enrollment Information
• Guardian/Parent Information: Guardian Name, Email Address, Phone Number
• Educational Records: Attendance data (Daily Logs), Grades (Assignments), Financial Transactions

Data NOT Collected:

3. Data Sharing and Security

Platform Disclosure:

• Primary Database: Your data is stored securely in the Supabase database (our primary vendor)
• Hosting: Application is delivered via Vercel (our hosting vendor)
• Email Service: Email notifications sent via Resend (email service provider)

Security Measures:

• All data is protected by Role-Based Access Control (RLS), ensuring only authorized users (Admin, Teacher, Guardian) can view specific records
• Row-Level Security (RLS) policies enforced at the database level
• AES-256 encryption for data at rest
• TLS 1.2+ encryption for data in transit
• Comprehensive audit logging of all data access

4. Parental Rights (FERPA Mandate)

Parents and eligible students have the right to:

• Inspect and Review the student's records
• Request Amendment of records they believe are inaccurate
• Opt-out of the disclosure of "directory information"
• File Complaints with the U.S. Department of Education if they believe their FERPA rights have been violated

NAS assists schools in fulfilling these parental rights requests. To exercise these rights, please contact your school administrator.

5. COPPA Compliance (Children Under 13)

Where applicable, NAS complies with the Children's Online Privacy Protection Act (COPPA) for students under 13 years of age:

• Parental consent mechanisms are in place
• Limited data collection (only what's necessary for educational purposes)
• Parental review and deletion rights
• Clear privacy notice to parents
• Reasonable security measures to protect children's data

6. Data Retention

We retain student data:

• For as long as necessary to provide the Services
• As required by applicable law (Wisconsin requires minimum 7-year retention for public educational records)
• As authorized by the school district

Upon termination of service, all student data will be deleted or returned to the school district within 30 days, subject to legal retention requirements.

7. Data Breach Notification

In the event of a data breach affecting personal information, we will:

• Notify affected users and appropriate authorities within 72 hours of discovery
• Provide detailed information about the breach
• Cooperate with schools in investigating and remediating the breach
• Comply with all applicable breach notification laws

8. Contact Information

Last Updated: December 2025