Privacy Policy
Effective Date: 2026-05-26
Version: 1.0
Provider: synthEd ("we," "us," "Provider")
1. Overview
This Privacy Policy describes how synthEd collects, uses, shares, and protects information when a School, District, or other educational institution ("School") and its Authorized Users use the synthEd planning platform (the "Service").
The Service is designed for use by School staff to plan and coordinate events, tasks, and communications. We act as a service provider to the School and as a school official for purposes of FERPA, processing School data exclusively under the School's direction and for the educational purposes the School designates.
This Policy is provided alongside our Terms of Service and our Sub-Processors page. Defined terms used here have the meanings given in the Terms of Service.
2. Information We Collect
We collect only what is necessary to operate the Service. The categories below describe what we store and where it comes from.
2.1 Account information
When an Authorized User signs in, we store:
- Name, email address, role, and School/Department assignment;
- A hashed password (when password authentication is used);
- Passkey/WebAuthn credentials (when passkeys are enrolled);
- Two-factor authentication secrets (when TOTP 2FA is enabled);
- OAuth identifiers and access tokens (when a user links a GitHub account for sign-in);
- Notification preferences (in-app, email, daily digest time, scope).
We never see or store plaintext passwords. Passkey private keys never leave the user's device.
2.2 Customer Content
Authorized Users create and store content in the Service, including:
- Task titles, descriptions, statuses, and due dates;
- Subtask assignments and notes;
- Event information and calendar entries;
- File attachments uploaded to the Service;
- Hyperlinks to external resources ("Linked Content");
- After-Action Report links and notes;
- Messages and notifications generated within the Service.
This content belongs to the School. We process it solely to provide the Service and at the School's direction.
2.3 Files and attachments
When an Authorized User uploads a file, it is stored in encrypted object storage operated by our hosting sub-processor and is addressable only by signed URLs scoped to authenticated users in the same School. File names and metadata are stored alongside the file. We do not scan or inspect file contents except as necessary to deliver them to authorized requesters.
2.4 Linked Content (URLs only)
When an Authorized User attaches a hyperlink (for example, to a Google Drive or OneDrive document), we store the URL string and a label — not the contents of the linked resource. The linked resource remains hosted by the third party that controls it. The Service does not fetch, cache, scan, or index the contents of Linked Content. As noted in our Terms of Service §8, URLs themselves can carry personally identifiable information; Schools are responsible for ensuring URLs and file names do not embed student PII where avoidable.
2.5 Technical and operational data
To operate and secure the Service we automatically collect:
- IP address (used for session security, abuse prevention, and audit logs; retained on Terms-of-Service acceptance records);
- Browser user-agent string;
- Cookies and session identifiers (see Section 6);
- Server-side logs of requests, errors, and security events. Logs are scrubbed of personally identifying values (email addresses, names, attachment URLs) before being transmitted to error-monitoring sub-processors.
2.6 Product analytics
We collect product-usage analytics — feature adoption, page views, aggregate counts — through PostHog. Analytics events are limited to user identifiers, event names, and non-PII properties (e.g., task counts, attachment types, School IDs). Customer Content — task titles, notes, attachment URLs — is never transmitted to our analytics provider.
2.7 What we do not collect
We do not knowingly collect:
- Student grades, transcripts, disciplinary records, IEPs, or 504 plans as primary records of origin;
- Social Security numbers;
- Health information governed by HIPAA;
- Payment-card data subject to PCI-DSS;
- Personal information of students under 13 beyond what is strictly necessary to schedule events and tasks that involve them.
The Service is not designed to be a system of record for any of the above. The School agrees not to store such records in the Service, as set out in Terms of Service §3.
3. How We Use Information
We use the information described above only to:
(a) provide, maintain, and improve the Service;
(b) authenticate users, secure sessions, and prevent abuse;
(c) deliver notifications and emails that users have opted into;
(d) respond to support requests from Authorized Users and School administrators;
(e) generate aggregated, de-identified statistics about platform usage, following the de-identification standard in 34 C.F.R. § 99.31(b);
(f) comply with our legal obligations and enforce our Terms of Service.
We do not:
- Display advertising of any kind in the Service;
- Sell, rent, or share Student Data for advertising, marketing, or any other commercial purpose unrelated to providing the Service;
- Build behavioral profiles of students or School staff for any purpose other than providing the Service;
- Use Student Data to train machine-learning models, except for models that operate exclusively within the School's own tenant and serve the School's stated educational purposes.
4. FERPA, COPPA, and Student Privacy
4.1 FERPA — School Official designation
For data the Service processes on behalf of the School, synthEd operates as a "school official" with a legitimate educational interest under FERPA, 34 C.F.R. § 99.31(a)(1)(i)(B). This means:
- We are under the direct control of the School with respect to the use and maintenance of Education Records;
- We are subject to the same restrictions on the redisclosure of personally identifiable information from Education Records as the School itself;
- We will not disclose Education Records except to the School or as the School directs.
4.2 COPPA — School-authorized consent
The Service is not directed at children under 13. Where a child under 13 appears in Student Data, the School represents that it either operates under the school-authorization exception (16 C.F.R. § 312.5(c)(10)) or has obtained verifiable parental consent. We use such data only for the educational purposes the School specifies and never for commercial purposes such as advertising or profile-building.
4.3 State student-data-privacy laws
We comply with applicable U.S. state student-data-privacy laws (including California SOPIPA, New York Education Law § 2-d, Illinois SOPPA, Colorado SB 16-187, and Connecticut Public Act 16-189). On request, we will sign a state-specific data privacy agreement or the Student Data Privacy Consortium's National Data Privacy Agreement where required.
5. How We Share Information
We share information only with the parties below, and only as needed to provide the Service:
5.1 With your School
Authorized Users within the School can see information consistent with the School's role and department structure. Super-administrators within the School can access all School data.
5.2 With our sub-processors
We rely on a limited set of vetted third-party providers for hosting, email delivery, error monitoring, analytics, and file storage. Each is bound by a Data Processing Agreement requiring confidentiality and data-protection obligations no less protective than those in our Terms of Service.
A current list of sub-processors — including the data each one accesses and a link to its DPA — is published at /sub-processors. We provide advance notice of material changes to that list as described there.
5.3 For legal reasons
We may disclose information when required by law, court order, or valid legal process; to enforce our Terms of Service; or to protect the rights, property, or safety of the School, our users, or the public. Where we receive a legal demand for School data, we will notify the School unless legally prohibited from doing so.
5.4 In a business transfer
If synthEd is acquired, merged, or reorganized, the acquiring entity will be bound by this Policy with respect to information transferred. We will notify the School in advance of any such transfer.
5.5 With your consent
We share information for other purposes only with the explicit consent of the School or, where applicable, the individual user.
6. Cookies and Local Storage
The Service uses cookies and similar technologies for:
- Authentication and session management — keeping you signed in, protecting against session theft, and remembering 2FA verification;
- User preferences — remembering theme (light/dark), task-view settings, and other UI state;
- Security — CSRF protection and honeypot detection;
- Compliance — recording acceptance of these Terms.
We do not use third-party advertising cookies. We do not participate in cross-site advertising networks.
Browser local storage may be used to cache application data for performance and offline support; this data lives in the user's browser and is cleared on sign-out.
7. Data Retention
Active data. We retain Customer Content for as long as the School's account is active.
Export window. On termination or written request, we make Customer Content available for export in a structured, machine-readable format for thirty (30) days.
Active-systems deletion. After the export window closes, Customer Content is deleted from active systems within thirty (30) days.
Backups. Customer Content is deleted from backups within ninety (90) days of the active-systems deletion, or within the next regularly scheduled backup-retention cycle, whichever is later. During the beta period the timeline for backup deletion may be longer; we publish actual timing on the Sub-Processors page.
Logs and analytics. Server logs and analytics events are retained for operational purposes for up to ninety (90) days, after which they are deleted or aggregated beyond the point of re-identification.
Compliance records. Records of Terms-of-Service acceptance (including IP address and user-agent at acceptance time) are retained for the life of the account and a reasonable period thereafter to evidence consent.
We retain information beyond these periods only where required by law, and such retained data remains subject to the confidentiality and security obligations of our Terms of Service.
8. Security
We maintain administrative, physical, and technical safeguards appropriate to the sensitivity of the information we process, including:
- Encryption of Customer Content in transit (TLS 1.2 or higher) and at rest;
- Role-based access controls and least-privilege access for synthEd personnel;
- Audit logging of administrative actions;
- Regular security updates and dependency management;
- Annual review of our security program against a recognized framework (SOC 2, ISO 27001, or equivalent);
- Multi-factor authentication (including passkeys and TOTP) available to all Authorized Users.
No system is perfectly secure. If we become aware of a Security Incident affecting Student Data, we will notify the School in accordance with Terms of Service §12 — without undue delay and in no event later than seventy-two (72) hours after confirming the Incident.
9. Your Choices and Rights
9.1 Access and correction
Authorized Users can view and update most of their profile information from the Settings area of the Service. For information not editable in-product, write to the contact below.
9.2 Export and deletion
The School controls export and deletion of Customer Content. Authorized Users should direct requests to their School administrator. Schools may at any time:
- Export their data in a structured format;
- Request deletion of specific records or of the entire account.
The School-administrator self-service deletion flow is available in the Settings area. Full deletion timing is described in Section 7.
9.3 Notification preferences
Users can disable in-app notifications and email notifications independently from Settings. Transactional emails required to operate the account (such as password resets and security alerts) are not subject to opt-out.
9.4 Cookies
Users can clear cookies through their browser. Some cookies are required for the Service to function; clearing them will sign the user out and reset preferences.
9.5 State-specific rights
Where applicable state law (including California, Colorado, Virginia, Connecticut, and others) grants additional individual rights, those rights are available to residents of those states. Because the Service is provided to the School and we act as service provider / processor, individual rights requests should ordinarily be directed to the School. We will assist the School in responding to verified requests.
10. Children's Privacy
The Service is not directed at children and is intended to be used by School staff. We do not knowingly collect personal information from children under 13 outside the school-authorization framework described in Section 4.2.
If a parent or guardian believes a child under 13 has provided personal information to the Service outside that framework, please contact us at the address below and we will investigate and, if appropriate, delete the information.
11. International Users
synthEd operates the Service from the United States. The Service is intended for use by U.S.-based Schools, and our sub-processors are located in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data-protection rules than your jurisdiction.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to the School at least thirty (30) days before they take effect, by email to the School's designated administrator and by notice within the Service. The "Effective Date" at the top of this Policy reflects the most recent update. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
Where this Policy and our Terms of Service conflict on a privacy-related question, the Terms of Service control.
13. Contact
Questions, requests, or concerns about this Policy may be directed to:
synthEd — Ashland, Oregon
- Alexander Black, CTO — privacy@synthed.co
- Jeremy Hamasu, CEO — legal@synthed.co
For a Security Incident affecting your School, please follow the breach notification procedure in our Terms of Service §12.