Privacy Policy
Last updated 2026-05-14
1. Who we are
Chalk is an open-source student information system (SIS) sync platform for K-12 schools and districts. We connect SIS platforms such as PowerSchool, Skyward, and Infinite Campus to the downstream applications schools rely on. Chalk is available as a hosted service at usechalk.xyz and as self-hosted software under AGPL-3.0. This policy covers the hosted service.
2. Data we collect
- Administrator data. Name, work email, district name, chosen URL slug, plus server-side logs (IP, user agent, timestamps) for security and abuse prevention.
- School data processed on behalf of districts. Student rosters, staff records, classes, enrollments, and (if opted in) demographics. This data belongs to the district; we process it solely to deliver the service.
3. Why we collect it
Administrator data lets us provision tenants, authenticate users, send transactional email, and maintain audit logs. Student and staff data is processed exclusively to perform the sync, provisioning, and identity functions the district has configured. We do not use student data for advertising, profiling, or any unrelated commercial purpose.
4. Where it lives
Hosted Chalk runs in US-based data centers. Credentials, tokens, SAML keypairs, and OIDC JWKs are encrypted at rest with AES-256-GCM. Per-tenant database schemas isolate one district's data from another's. Encrypted backups age out on a rolling 30-day window.
5. Sub-processors
We use the following sub-processors. Each is bound by written agreement to protect data consistent with this policy. When we add or replace a sub-processor, we notify district administrators at least 30 days before the change takes effect; districts may object during that window.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, DDoS protection, and Turnstile bot challenge during signup. | Global edge network |
| Postmark | Transactional email (verification, password resets, audit notices). | United States |
| Hosting provider [placeholder — confirm with counsel] | Compute, managed Postgres, and object storage for the hosted offering. | United States |
6. FERPA and COPPA
Chalk acts as a school official with a legitimate educational interest under FERPA (34 CFR § 99.31(a)(1)). The district remains in control of student records at all times. We do not disclose personally identifiable information from student records to any third party except the sub-processors listed above.
For students under 13, Chalk does not collect data directly from children. Districts are responsible for COPPA-compliant parental notice and consent; Chalk processes data on the school's behalf under the COPPA school-authorization framework.
We never sell student data. We never use it for advertising. We never train AI models on it.
7. Retention and deletion
Roster data is retained for as long as the tenant is active. Districts may export their data at any time and may request deletion within 30 days of service termination. Encrypted backups age out on a 30-day rolling window. Security audit logs are retained for 13 months for incident-response purposes.
8. Data-subject rights
Data subjects (e.g., parents, students, staff) have the right, where applicable law provides one, to access, correct, delete, restrict, port, or object to processing of their personal data. Because Chalk processes school data on behalf of the district, requests should be directed to the district first. If a request reaches Chalk directly, we will forward it to the relevant district without undue delay and assist the district in responding within the timeframes required by applicable law.
Districts themselves can access, export, correct, and delete their data from the admin console at any time.
9. Security incident notification
If we confirm a security incident affecting district data, we will notify affected districts without undue delay and in any case within 72 hours of confirmation. Notification will describe what is known about the scope, the categories of data involved, and remediation steps.
10. International transfers
The hosted service operates from data centers in the United States. Where personal data is transferred from a jurisdiction that requires a transfer mechanism, the parties agree to incorporate Standard Contractual Clauses or equivalent safeguards by reference.
11. Children's privacy
Chalk is not directed to children as a consumer product. All processing of data about children under 13 occurs at the direction of, and under the authorization of, the district acting in loco parentis consistent with COPPA.
12. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced to district administrators at least 30 days before they take effect. The "Last updated" date above always reflects the current version.
13. Contact
Privacy questions, data-subject requests, and incident reports: privacy@usechalk.xyz.