How we handle student information.

1. Who we are

OneTeam is a product of Foxtide, LLC (“Foxtide,” “OneTeam,” “we,” “us”), a limited liability company organized under the laws of the State of Washington. Our principal place of business is 11615 Holmes Point Drive NE, Kirkland, WA 98034. Privacy questions and data-handling requests go to privacy@oneteam.school.

OneTeam helps schools run a Multi-Tiered System of Supports (MTSS) by consolidating academic performance, attendance, and intervention progress in one place. We are designated by each school we serve as a “school official” under the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g; 34 C.F.R. Part 99).

2. Information we collect

OneTeam collects only information needed to support educational decisions:

About students

• Name, grade, and an avatar/color chosen by the school
• Behavioral check-ins logged by teachers (a 1–3 rating, optional note, timestamp)
• Goals, rewards, and strategies recorded by school staff
• MTSS tier history and cycle evaluations (decisions made during 6-week reviews)
• Attendance and academic-score signals when provided by the school

About staff and parent users

• Email, display name, role (teacher, specialist, admin, parent), and language preference
• An optional Microsoft Teams webhook URL for receiving notifications
• Authentication credentials, hashed by Supabase Auth using bcrypt and stored only in Supabase’s identity table; OneTeam servers and OneTeam personnel never see plain-text passwords. OneTeam does not collect authentication credentials from any user under 13 — children do not have OneTeam accounts.
• Standard request logs (IP address, user agent, timestamp) recorded by our hosting provider for security and abuse prevention. These logs are retained for 30 days, then deleted, and are never tied to individual student records.

What we do not collect

• Biometrics, geolocation, browsing history outside the app
• Social-graph or contact-list information
• Health, religious, or political information
• Any information not directly required for the educational decision being supported

3. How we use information

We use student information only to provide the OneTeam service to the school. Specifically:

• Display each student’s record to authorized users (their teachers, the school’s admin, and consenting parents)
• Compute MTSS tier suggestions and progress trends
• Send notifications via Microsoft Teams when a teacher has opted into webhook delivery
• Maintain an audit log of access and changes to student records

We do notuse student information for advertising, behavioral targeting, AI model training, market research, or any commercial purpose unrelated to providing the service. This applies for the duration of the agreement and binds all sub-processors; any change requires advance written notice and the school’s consent. Aggregate, non-identifying usage analytics (e.g., total daily active accounts) may be collected to monitor service health; these analytics never include student identifiers.

MTSS tier assignments are visible only to authorized school administrators and the student’s authorized parent or guardian. Tier is never displayed on classroom-teacher dashboards, on parent screens belonging to other families, or in any surface other students or their families can see.

4. Sub-processors

Three sub-processors handle data on our behalf. Each is bound by an agreement that requires them to handle the data subject to the same restrictions as this policy.

• Supabase — managed Postgres database, authentication, and transactional auth email (signup confirmation, password reset, login OTP). Region: us-west-2 (United States). No student personal information is included in any email — only authentication codes and recovery links sent to the email address the account holder provided. Agreement form: countersigned Data Processing Addendum dated 2026-04-29 (Document Ref 6RUPA-RZ2BS-PWYF8-KGS72); Supabase’s standard DPA at supabase.com/legal/dpa, sub-processor list at supabase.com/legal/subprocessors.
• Vercel — serverless compute and hosting. Region pinned to iad1 (United States East). Agreement form: Vercel’s Data Processing Addendum is incorporated by reference into the Vercel Pro Terms of Service that OneTeam accepted at signup (no countersignature is offered on Pro plans; that is reserved for Vercel Enterprise). DPA at vercel.com/legal/dpa, sub-processor list at vercel.com/legal/sub-processors.
• Microsoft Teams — outbound notifications, only when a teacher has opted in by configuring a webhook. The webhook destination is the school’s own Microsoft 365 tenant; data handling is governed by the school’s existing Microsoft 365 agreement.

Adding or changing a sub-processor requires 30 days’ written notice to schools using OneTeam. Schools may terminate their agreement before a new sub-processor is added if they object.

What data flows to Microsoft Teams when a school enables it

When a teacher has configured a Microsoft Teams webhook, OneTeam transmits the following fields to the school’s own Microsoft 365 tenant: student first name, check-in rating and timestamp, and (where applicable) goal or reward titles. From the moment the data is delivered into the school’s tenant, the school’s existing agreement with Microsoft governs that copy. OneTeam is responsible for transmitting securely; the school is responsible for the access controls on the receiving Teams channel.

5. Where information is stored

All compute and primary storage are pinned to United States data centers (Supabase us-west-2 for the database and authentication; Vercel iad1 for compute). Recipient mail servers (Gmail, Outlook, etc.) may be located anywhere outside OneTeam’s control. No part of the request path or stored OneTeam payload leaves the United States. We will only change this with prior written notice to schools and only if equivalent contractual protections are in place.

6. How long we keep information

• Behavioral records (check-ins, tier history, cycle evaluations, reward log) — automatically purged by a daily retention job after 2 academic years unless the school configures a shorter window. Records do not persist beyond the configured window.
• Roster records (student names, grades, goals, strategies) — kept while the student is enrolled. Deleted on school request or parent request within 7 days; deleted within 30 days when the school terminates its agreement.
• Audit log — retained for at least 7 years to support OneTeam’s incident response and the school’s FERPA disclosure-tracking obligations under 34 C.F.R. § 99.32. The minimum retention is contractual; the audit log is append-only and is not automatically purged after 7 years (deletion at the end of the window is an operations action, not an automated job). Audit entries referencing a deleted student retain only the student’s internal record ID, not the student’s name or other identifying information.
• Account information (staff and parent users) — kept while the account is active. Deleted on user request or 12 months after the account becomes inactive.
• Encrypted database backups — Supabase retains the three most recent daily snapshots for disaster recovery, so deleted data may persist in an encrypted backup for up to 3 days before being overwritten in the rotation. Backups are not accessed for any purpose other than disaster recovery.

Two deletion windows apply: 7 days for an individual student deletion request (database cascade plus paired audit-log entries), and 30 days for the full instance after a school terminates its agreement (includes a grace period for the school to export data).

7. How we protect information

OneTeam relies on layered, in-product controls — not promises:

• Postgres Row-Level Security (RLS) on every table holding student data — RLS is the default access boundary, not application-level filtering
• Two-factor authentication (TOTP) required for admin-only destructive actions like permanent deletion
• Append-only audit log capturing every roster change, access-control change, data export, and deletion event — server-captured user identity that cannot be spoofed
• Parent informed-consent gate before any of a student’s data renders in the app
• Encryption at rest (managed by Supabase) and in transit (TLS 1.2+ for all client and sub-processor connections)
• Rate-limiting on data export to cap blast radius of credential theft
• Microsoft Teams webhook URLs stored in a separate own-only RLS table so no other user can read them

8. Your rights

Right to inspect

Parents and eligible students may at any time download a complete copy of the student’s record as a multi-section CSV file (opens directly in Excel, Numbers, or Google Sheets). The export is rendered live from the database, not a manually prepared report. The OneTeam app surfaces this directly in the parent’s Settings; no email request is required.

Right to correct

If you believe information about a student is inaccurate, contact the school directly to correct it. The school controls the underlying record; we update it on the school’s instruction. We will respond to a school’s correction request within 7 days.

Right to delete

Parents and schools may request permanent deletion of a student’s record at any time. Deletion is implemented as a transactional cascade across every table holding data tied to that student, plus paired audit-log entries proving the deletion happened. We complete deletion within 7 days and provide written confirmation including row counts.

Right to know who has accessed

On request, we will provide an audit trail showing every read of a student’s exported record, every roster or access-control change, and every deletion event affecting the student.

Right to withdraw consent

A parent may withdraw consent for OneTeam to display their child’s data at any time. Withdrawal immediately blocks further rendering of the student’s data to the parent’s account, removes the parent’s access link to the student, and is logged in the audit trail. Withdrawing consent does not by itself delete the student’s record from the school’s instance — that requires a separate deletion request.

9. Children under 13 (COPPA)

OneTeam is intended for use by schools, not directly by children. Where OneTeam is used in a K–8 setting, the school provides consent on parents’ behalf for educational use, as permitted under the Children’s Online Privacy Protection Act (COPPA) school-authorization rule (16 C.F.R. § 312.5(c)(1)) and interpreted in the FTC’s COPPA FAQ Section M. We do not sell or rent children’s data. We do not deliver behaviorally-targeted advertising. Parents may at any time request access, correction, or deletion of their child’s data using the rights described in Section 8. See our COPPA Notice for the full school-authorization mechanism.

10. School official designation (FERPA)

Each school using OneTeam designates us as a “school official” with a legitimate educational interest, as defined in 34 C.F.R. § 99.31(a)(1)(i)(B). We use education records only for the purpose for which the school engages us. We are subject to the school’s direction and control regarding the use and maintenance of education records. We do not disclose education records to any third party except as authorized by the school or required by law.

11. Security incident notification

We will notify the affected school’s designated contact within 72 hours of having a reasonable basis to believe a security incident affecting student data has occurred, even if confirmation is pending. The notification will include: a description of what happened, the categories of information affected, the approximate number of records involved, the steps we have taken in response, and the contact for the school to follow up. Subsequent updates will follow as the investigation progresses. State-specific notification windows (e.g., New York Education Law § 2-d’s requirements) take precedence where applicable.

12. Changes to this policy

Material changes to this policy will be communicated to schools using OneTeam at least 30 days before they take effect. Prior versions are kept on file and available on request to privacy@oneteam.school. Changes that affect the categories of information collected, the sub-processors used, or the rights of parents and students will be paired with a versioned re-consent prompt for parents — implemented today by storing a consent-version identifier alongside each parent consent and surfacing a fresh prompt when the stored version is older than the policy version in effect.

13. Change of control

If OneTeam is acquired, sold, or transferred to a different organization, that organization will be required to obtain affirmative re-consent from each parent within 60 days of the transfer. Within 30 days of the transfer, each parent will receive a re-consent prompt with at least 30 days to respond. Parents who have not responded by the end of the 60-day window will receive a final 14-day notice to a verified contact method before deletion. Records belonging to parents who do not re-consent within that window will be permanently deleted, not migrated.

14. Washington State compliance (RCW 28A.604)

For schools and districts in Washington State, OneTeam additionally complies with the Student User Privacy in Education Rights Act (RCW 28A.604, the “SUPER Act”):

• Authorized use only. We collect, use, and share student personal information only for purposes authorized by the district or teacher, or with parent/guardian consent. (RCW 28A.604.030)
• No sale of student information. We do not sell student personal information under any circumstance. (RCW 28A.604.030(2))
• Comprehensive information security program. We maintain administrative, technological, and physical safeguards designed to protect security, privacy, confidentiality, and integrity of student personal information. (RCW 28A.604.040) The technical implementation is summarized in Section 7 above.
• Notice of material changes. We provide prominent notice to schools at least 30 days before any material change to this Privacy Policy or to our school services. (RCW 28A.604.020)
• Access and correction. Parents, guardians, and eligible students may access and correct student personal information either directly through the OneTeam app (export endpoint, Section 8) or by request to the district. (RCW 28A.604.020)
• Subcontractor flow-down. Our agreements with sub-processors contractually prohibit them from using student personal information for any purpose other than providing the contracted service, prohibit further disclosure, and require equivalent compliance with this chapter. (RCW 28A.604.030(3))
• Deletion on agreement termination. When a Washington district’s service agreement with OneTeam ends, all student personal information will be deleted within 30 days, except records retained as required by law. (RCW 28A.604.040)

14a. Other state student-data-privacy laws

OneTeam complies with applicable state student-data-privacy laws including, depending on your state, California SB 1177 (SOPIPA), Illinois 105 ILCS 85 (SOPPA), New York Education Law § 2-d, Colorado HB 16-1423, and Washington RCW 28A.604 (covered separately in Section 14 above). State-specific exhibits are added to the signed Data Privacy Agreement on a per-district basis and reflect the same underlying commitments described in this Privacy Policy.

14b. International data subjects

OneTeam is a US-only service. We do not direct our services to data subjects in the European Union, United Kingdom, or other jurisdictions outside the United States. If you are accessing OneTeam from outside the United States, you do so on your own initiative and consent to the transfer of your data to the United States for processing under the privacy practices described in this policy.

15. Contact

Privacy questions, data-handling requests, and incident reports go to privacy@oneteam.school. We acknowledge privacy requests within 3 business days and respond substantively within 14 days. For urgent matters, schools should contact their assigned account representative directly.