Privacy Policy
FERPA-Compliant Student Data Handling
Last updated: February 26, 2026
FERPA Compliance Statement
Homeroom is designed to comply with the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g). We treat all student educational records with the highest level of privacy and security.
1. What Data We Collect
Teacher Account Data
- Name, email address, school affiliation
- Login timestamps and session data
- FERPA consent acknowledgment and timestamp
Student Educational Records
- Student name, grade level, student ID
- Academic performance (grades, attendance, participation)
- At-risk assessment flags and intervention recommendations
- Assignment tracking data
Parent/Guardian Information
- Parent name and email (for communication purposes)
- Communication preferences and consent status
2. How We Use Data
| Purpose | Data Used | Legal Basis |
| --- | --- | --- |
| At-risk student identification | Academic performance, attendance | Legitimate educational interest (FERPA) |
| Parent communication | Student progress, parent email | FERPA school official exception |
| Lesson plan generation | Grade level, subject (no student PII) | Teacher consent |
| Audit logging | Teacher ID, action, timestamp | FERPA compliance requirement |
3. How We Protect Data
- Encryption in transit: All data transmitted over TLS/HTTPS
- Encryption at rest: Database encryption via Neon PostgreSQL
- Password security: bcrypt hashing with cost factor 12
- Session security: Server-side sessions with httpOnly, secure cookies
- Access control: Role-based access - teachers only see their own students
- Account lockout: Automatic lockout after 5 failed login attempts
- Session timeout: 30-minute inactivity timeout
- Audit trail: All data access logged with teacher ID, action, and timestamp
- Security headers: Helmet.js for CSP, HSTS, X-Content-Type-Options
4. Who Can Access Data
Strict access controls are enforced:
- Teachers can only access data for students enrolled in their own classrooms
- No student PII is exposed in URLs or client-side storage
- All access is logged for FERPA compliance auditing
- No third-party data sharing without explicit consent
5. Data Retention
- Student records: Retained for the current academic year plus one year, then automatically anonymized
- Audit logs: Retained for 2 years per FERPA requirements
- Session data: Deleted after 30 minutes of inactivity
- Anonymized data: May be retained indefinitely for aggregate analytics
6. Your Rights
Parents/Guardians Have the Right To:
- Inspect and review their child's educational records
- Request amendment of records believed to be inaccurate
- Consent to disclosure of personally identifiable information
- Request deletion of student records (right to be forgotten)
- File a complaint with the U.S. Department of Education concerning FERPA violations
Teachers Have the Right To:
- Export all student data for their classrooms
- Request deletion of student records
- View audit logs of their data access history
- Control parent communication preferences per student
7. Data Export & Deletion
Teachers can request data export or deletion through the dashboard. Deletion requests are processed within 30 days. When student data is deleted:
- Personal identifiers (name, email, student ID) are permanently anonymized
- Academic performance data may be retained in anonymized form for school reporting
- Audit logs recording the deletion are preserved per FERPA requirements
8. AI-Generated Content
Homeroom uses AI to generate lesson plans. Important notes:
- No student PII is sent to AI models
- Only grade level, subject, and topic are used for lesson plan generation
- AI-generated content is stored associated with the teacher, not students
9. Contact & Complaints
For privacy inquiries or to exercise your data rights: