Your rights about your child’s data.

1. A student’s personally identifiable information cannot be sold or released for any commercial purpose.

OneTeam does not sell, rent, lease, or otherwise share student data with advertisers, data brokers, researchers, or any third party for commercial purposes. This applies for the lifetime of OneTeam under current ownership. If OneTeam is acquired, the new owner must obtain affirmative re-consent from each parent before continuing data processing — see Privacy Policy §13 for the full mechanism.

2. Parents have the right to inspect and review the complete contents of their child’s education record.

Parents can download a complete copy of their child’s OneTeam record as a multi-section CSV file at any time, directly from the OneTeam app’s Settings screen. The CSV opens in Excel, Numbers, or Google Sheets, and is rendered live from the database — what you see is exactly what we hold. No charge, no email request needed.

3. State and federal laws protect the confidentiality of personally identifiable information.

OneTeam complies with FERPA (20 U.S.C. § 1232g), COPPA (15 U.S.C. § 6501 et seq.), and applicable state student-data-privacy laws including (depending on your state) New York Education Law § 2-d, California SB 1177 (SOPIPA), Illinois 105 ILCS 85 (SOPPA), Colorado HB 16-1423, and Washington RCW 28A.604. Safeguards including encryption, role-based access control, and Row-Level Security in our database are detailed in our Data Privacy Agreement (available at request).

4. A complete list of all student data elements collected by the State is available for review.

The New York State Education Department maintains a complete list of student data elements collected from school districts at nysed.gov/data-privacy-security. OneTeam does not push student data to NYSED or any other state agency. The data elements OneTeam itself collects appear in Section 2 of our Privacy Policy and are summarized in plain language in the parent informed-consent screen shown in the app before any of your child’s data appears.

5. Parents have the right to have complaints about possible breaches of student data addressed.

Complaints may be submitted to OneTeam directly at privacy@oneteam.school, or to your school’s designated data privacy officer. OneTeam acknowledges complaints within 3 business days and responds substantively within 14 days. Parents may also file complaints with the United States Department of Education’s Family Policy Compliance Office at studentprivacy.ed.gov, or — if your child’s school is in New York — the New York State Education Department’s Chief Privacy Officer at privacy@nysed.gov.

6. Educational agency workers and contractors must receive training on privacy laws and best practices.

All OneTeam personnel with access to student data complete documented annual training covering FERPA, COPPA, applicable state laws, and OneTeam’s incident-response procedures. Training records are maintained for the duration of personnel access plus 3 years. Sub-processors are contractually required to maintain equivalent training programs for their personnel.

7. Parents have the right to know how their child’s data will be protected if it is shared with a third-party contractor.

OneTeam uses three sub-processors: Supabase (Postgres database, authentication, and transactional auth email; us-west-2), Vercel (web hosting and serverless compute, iad1), and Microsoft Teams (notifications, only when a teacher opts in to a school-controlled webhook). Each sub-processor is bound by a written agreement requiring them to handle data subject to the same restrictions as our Privacy Policy and is contractually prohibited from using the data for any other purpose. No student information is ever included in any authentication email. The full list, with each sub-processor’s purpose and storage region, appears in Section 4 of our Privacy Policy. OneTeam provides 30 days’ written notice before adding or changing any sub-processor.

8. Parents have the right to review the signed contract between OneTeam and the school.

The full Data Privacy Agreement between OneTeam and your school — including any state-specific exhibits, the sub-processor list, the security commitments, and the audit rights — is available from your school’s data privacy officer or by emailing privacy@oneteam.school.

Supplemental information (Ed Law 2-d § 5)

The following details are required by New York Education Law § 2-d when a third-party contractor handles student data on behalf of an educational agency.

Exclusive purposes for which student data will be used

OneTeam uses student data only to provide the OneTeam service to the school: displaying records to authorized users, computing MTSS tier suggestions and progress trends, sending school-configured Microsoft Teams notifications, and maintaining an audit log. No other use, ever.

Subcontractor oversight

Each sub-processor is bound by a written agreement requiring them to handle student data subject to FERPA, COPPA, applicable state laws, and the restrictions in our Privacy Policy and DPA. We review sub-processors’ security posture annually.

Duration of the agreement and what happens at expiration

When a school’s agreement with OneTeam ends, the school may request export of all data within 30 days. After 30 days, we delete or de-identify all student data within the school’s instance and provide written confirmation. We do not retain student data after agreement termination unless required by law.

How parents may challenge accuracy

Parents who believe information in their child’s record is inaccurate should contact their school directly. The school controls the underlying record; OneTeam corrects it on the school’s instruction. OneTeam completes corrections within 7 days of the school’s confirmation. If the school cannot accommodate a correction request, the parent may file an appeal with the school’s data privacy officer and ultimately — for New York schools — with the New York State Education Department’s Chief Privacy Officer at privacy@nysed.gov.

Where data will be stored and how it is protected

All student data is stored in Supabase’s us-west-2 (United States) region. Compute is pinned to Vercel’s iad1 (United States East) region. Data is encrypted in transit (TLS 1.2+) and at rest. Access is gated by Postgres Row-Level Security policies enforced at the database level — not application-level filtering — so a bug in one part of the app cannot expose data outside its scoped role. Admin-only destructive actions in the OneTeam app are gated behind two-factor authentication. MTSS tier assignments are visible only to authorized administrators and the student’s authorized parent or guardian.

Encryption

Data in transit between users’ devices, OneTeam servers, and sub-processors uses TLS 1.2 or higher. Data at rest in Supabase is encrypted using AES-256 managed keys.

Washington State (RCW 28A.604)

Parents and guardians of students in Washington schools have additional rights under the Student User Privacy in Education Rights Act (the “SUPER Act”):

OneTeam will not sell your child’s personal information.

RCW 28A.604.030(2) prohibits the sale of student personal information by school service providers. OneTeam commits to this in writing and applies the same restriction to every sub-processor.

Authorized purposes only.

OneTeam may collect, use, and share your child’s personal information only for purposes authorized by your district or teacher, or with your written consent. (RCW 28A.604.030)

You will be notified before privacy policies change.

Material changes to OneTeam’s Privacy Policy require at least 30 days’ prominent notice to your district before they take effect. (RCW 28A.604.020)

You can access and correct your child’s information.

OneTeam provides direct in-app access to download your child’s complete record at any time, and we will correct inaccurate information within 7 days of confirmation by your district. (RCW 28A.604.020)

Your child’s data is deleted when the agreement ends.

When a Washington district’s service agreement with OneTeam ends, all student personal information is deleted within 30 days, except as required by law. (RCW 28A.604.040)

How to exercise these rights

Parents have two paths to exercise the rights described above:

From inside the OneTeam app

Open the OneTeam app on your iPhone → Settings → choose “Export my child’s data” (CSV download), “Withdraw consent,” or “Delete account.” These actions are immediate and self-service; no email request is required.

By email

If you do not have access to the OneTeam app, email privacy@oneteam.school with your child’s name and the school name. OneTeam acknowledges within 3 business days and responds substantively within 14 days.

Non-discrimination

OneTeam will not retaliate against parents who exercise these rights, deny service, charge different fees, or provide a different level of quality based on a parent’s exercise of any right described above.