Privacy Policy

Welcome to Attendance Genius. Your privacy and the security of your data are our highest priorities. This Privacy Policy explains how we collect, use, and protect your information when you use our services.

Our policies are designed to meet the high standards of the 1EdTech Data Privacy Certification and to comply with key privacy regulations, including the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA).

1. Information We Collect

We collect only the minimum information necessary to provide and improve our service.

A. Information You Provide (Direct Collection):

Data explicitly entered by school staff (e.g., typing in a student name) or imported via integrations (e.g., syncing a roster from Clever).

Account Information: When you register, we collect your name, email address, and a password (which is immediately hashed and is not visible to us).

School Staff/Admin Data: Name, email address, and password for account creation.

Student Data: Student names, identification numbers, attendance records, and related educational records uploaded by School Staff.

User Content: Any other data, files, or information you create, upload, or submit.

Support Communications: If you contact us for support, we retain a record of that communication.

B. Information We Collect Automatically (System Usage):

Data generated automatically by your interaction with the service, such as Log Data and Cookies, to ensure security and performance.

Log Data: Like most web services, we collect log data when you use our application. This data is anonymized, and we take specific measures to scrub all Personally Identifiable Information (PII) from our logs before storage.

Cookies: We use a minimal number of cookies. See Section 7 for a full breakdown.

2. How We Use Your Information

We use your information for the following purposes:

To Provide the Service: To operate, maintain, and provide the features of our application.

To Secure Your Account: To verify your identity and protect your account with features like Two-Factor Authentication (2FA).

To Communicate With You: To send you essential service-related (transactional) emails, such as password resets or security alerts. We will only send you marketing or newsletter emails if you explicitly opt-in, and you can unsubscribe at any time.

To Improve Our Service: We may use anonymized and aggregated data to understand how our service is used, but only after you have given explicit consent via our cookie consent banner.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We only share it with the following third-party service providers (sub-processors). These vendors are utilized strictly for the purpose of operating, securing, and improving the functionality of the Service. They are contractually prohibited from using any Student Data for their own marketing or advertising purposes.

We restrict data sharing strictly to the following infrastructure providers necessary to deliver the service. We only share the minimum data required for these providers to perform their functions:

Cloudflare, Inc.: Network security, WAF, and CDN. Data Shared: User IP address, web request metadata (browser type, device info), and encrypted traffic logs for security monitoring.

DigitalOcean, LLC: Infrastructure hosting and database management. Data Shared: All encrypted application data (including Student Data and User Content) and file storage.

Google Analytics (Marketing Site Only): Visitor analytics for attendancegenius.com. Data Shared: Anonymized IP address, browser type, and page usage data. (Note: Google Analytics is NOT present on our logged-in application attgeni.us).

We do not share data with any other third parties.

We require all third-party vendors to enter into written agreements that bind them to at least the same level of data privacy and security protection as defined in this policy and our agreements with educational institutions. We remain responsible for our sub-processors' compliance with these obligations.

4. Your Data Rights & Choices

You have full control over your data.

Access & Export: You can download a complete copy of your personal data directly from your account dashboard at any time.

Deletion: You can request the permanent deletion of your account and all associated data. We use a deletion process that permanently removes all PII, including account profile data, user content, and logs, from our active databases and file storage immediately. Data contained in our secure, encrypted backups is deleted automatically after 30 days in accordance with our backup retention cycle.

Cookie Control: You control which non-essential cookies are set. Please see Section 7.

5. How We Protect Your Information

We have implemented a comprehensive, multi-layered security program to protect your data.

Encryption in Transit: All data sent between your device and our servers is encrypted using end-to-end TLS 1.3, enforced by Cloudflare (SSL/TLS "Full (Strict)" mode). All connections to our database also require encrypted SSL.

Encryption at Rest: Your data is encrypted at rest. Our database (DigitalOcean Managed Database) and file storage (DigitalOcean Spaces) are fully encrypted on disk.

Application-Level Encryption: As an additional layer of security, sensitive Personally Identifiable Information (PII) stored in our database is encrypted at the application level before it is saved.

Network & Server Security: Our servers are protected by a DigitalOcean Cloud Firewall that blocks all public-internet access. Web traffic is only permitted from Cloudflare's IP addresses. All other ports (including database and SSH) are closed to the public internet and accessible only via a private VPC network.

Access Control: Access to our production servers is restricted to authorized personnel, requires secure SSH key authentication, and all password-based server logins are permanently disabled.

Account Security:

You are responsible for safeguarding the password that you use to access the Service. We enforce strict password complexity requirements: passwords must be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and symbols. We are not liable for any loss or damage arising from your failure to comply with the above.

We support Two-Factor Authentication (2FA) for all user accounts. To ensure the security of Student Data, we require and enforce 2FA for all administrator and staff accounts upon login.

Backups: Our database is automatically backed up, and all backups are encrypted.

6. Data Retention

We retain your personal data only as long as your account is active. We have an automated data retention policy that permanently deletes user data from our systems 90 days after account deactivation or termination, unless a different retention period is required by law or contract with an educational institution.

7. Cookies and Tracking

We use the following cookies on our service:

Cookie Name	Provider	Purpose	Duration	Type
laravel_session	Attendance Genius	Maintains your logged-in session state.	Session (Expires on browser close)	Strictly Necessary
XSRF-TOKEN	Attendance Genius	Protects against Cross-Site Request Forgery attacks.	Session	Strictly Necessary
cookie_consent	Attendance Genius	Remembers your cookie consent preferences.	1 Year	Strictly Necessary
_ga	Google Analytics	Distinguishes unique users for analytics (Marketing Site Only).	2 Years	Non-Essential (Analytics)
_gid	Google Analytics	Distinguishes users (Marketing Site Only).	24 Hours	Non-Essential (Analytics)

Opt-Out Choices:

Essential Service Providers: You cannot opt out of data sharing with essential infrastructure sub-processors (such as Cloudflare and DigitalOcean) or school-mandated integrations (such as Clever), as this data sharing is strictly necessary to operate the Service and provide the functionality required by your Educational Institution.

Non-Essential Sharing: You may opt out of non-essential third-party data sharing (specifically Google Analytics on our public marketing website) at any time by using the 'Cookie Preferences' link in our footer.

8. Children's Privacy (COPPA & FERPA)

Our service is intended for educational use. We comply with COPPA and FERPA. We do not knowingly collect personal information from children under 13 without verifiable parental consent. In cases where our service is used by a school or district, we rely on the school to act as the parent's agent and provide consent for data collection, as permitted by FERPA.

9. Changes to This Policy & Sub-Processors

We may update this policy from time to time. If we make a significant change, we will notify you via email or through an in-app notification at least 30 days prior to the change taking effect.

Notification of Vendor Changes: We will provide notice to users and Educational Institutions before engaging any new third-party sub-processor that accesses Student Data. We warrant that any new sub-processor will be bound by written data privacy and security obligations no less protective than those set forth in this Policy and our agreements with you.

10. Contact Us