Privacy Policy

1. Introduction

My Class Roll ("we," "us," or "our") is a product of Bay Crew Tech LLC, a California limited liability company. This Privacy Policy describes how we collect, use, store, and protect information when you use our student attendance tracking service (the "Service") available at myclassroll.com.

We are committed to protecting the privacy of students, teachers, and administrators who use our Service. We comply with applicable federal and state privacy laws, including the Family Educational Rights and Privacy Act (FERPA).

2. Information We Collect

Account Information (Teachers & Administrators): When an administrator creates an account for a teacher or themselves, we collect: name, email address, and a hashed password. We do not store plaintext passwords.

Student Information: Administrators and teachers enter student data into the system, which may include: first name, last name, and optionally an email address. Students do not create accounts.

Attendance Records: The Service records attendance data including: attendance status (present, absent, late, excused), timestamps of attendance marks, self-check-in timestamps via QR code, and the identity of the person who recorded the mark.

Self-Check-In Data: When a student uses the QR code self-check-in feature, we record their IP address and set a strictly necessary cookie (a check-in token) to prevent duplicate or fraudulent check-ins for the same session. This data is stored in the institution's isolated database and is not used for tracking or analytics purposes.

Technical Information: We collect server-side logs including IP addresses, request timestamps, and user agent strings for security and operational purposes. We do not use frontend analytics, tracking pixels, or third-party cookies.

3. How We Use Information

We use the information we collect solely to:

• Provide and operate the attendance tracking Service
• Generate attendance reports and compliance documentation
• Authenticate users and maintain account security
• Send transactional emails (account invitations, password resets)
• Respond to support requests and contact form submissions

We do not sell, rent, or share personal information with third parties for marketing purposes. We do not use student data for advertising or profiling.

4. FERPA Compliance

When used by an educational institution, attendance records may constitute "education records" under FERPA. In this context, we act as a "school official" with a legitimate educational interest, performing a service that the institution would otherwise perform itself.

We maintain direct control over the use and maintenance of education records. We do not disclose education records to third parties except as directed by the institution or as required by law. Institutions may enter into a Data Processing Agreement (DPA) with us to formalize FERPA obligations.

5. Data Storage and Security

All data is stored on secure, US-based servers. We implement the following safeguards:

• Data is hosted on US-based infrastructure (Ashburn, Virginia)
• Data is encrypted in transit using TLS (HTTPS)
• Data is encrypted at rest using AES-256 full-volume encryption
• Data is stored on dedicated, isolated infrastructure with per-tenant database separation
• Passwords are hashed using bcrypt with a cost factor of 12
• Each institution's data is stored in an isolated database, preventing cross-tenant data access
• Attendance records are stored using an append-only event log, ensuring immutability
• Database backups are performed regularly

6. Data Retention

Attendance records are retained for up to 10 years to support institutional compliance needs, including SEVIS requirements. When a student is removed from a class, their attendance history is preserved — records are never deleted, only marked as inactive. This ensures availability for audits, investigations, and compliance reviews.

Account data for teachers and administrators is retained for the duration of the institution's subscription and for a reasonable period thereafter. Institutions may request deletion of all their data by contacting us.

7. Data Subject Rights

Students (or their parents/guardians, if under 18) have the right to inspect attendance records maintained by their institution. Such requests should be directed to the institution, which controls the data. We will assist institutions in fulfilling these requests.

Teachers and administrators may request access to, correction of, or deletion of their account information by contacting us at the email below.

8. Breach Notification

In the event of a data breach that compromises personal information, we will notify affected institutions promptly and no later than 72 hours after becoming aware of the breach, consistent with the NY SHIELD Act and applicable federal requirements.

9. Children's Privacy

The Service is designed for use by educational institutions and their adult staff. Student data is entered by authorized institutional personnel, not by students themselves. We do not knowingly collect personal information directly from children under 13.

10. Cookies

We use only strictly necessary cookies. We do not use any advertising, analytics, or preference cookies. The cookies we use are:

• Session cookie: Used to authenticate logged-in users (administrators and teachers). Expires when the session ends or after a set inactivity period.
• Self-check-in token: A temporary cookie set when a student checks in via QR code, used solely to prevent duplicate check-ins for the same class session. Not used for tracking.

No cookie consent banner is required because we do not use any non-essential cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify institutional administrators of material changes via email. The "last updated" date at the top of this page reflects the most recent revision.

12. California Resident Rights

If you are a California resident interacting with the Service, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), may grant you rights regarding your personal information. We act as a "service provider" under the CCPA/CPRA when processing data on behalf of an institution; the institution is the "business" responsible for honoring consumer requests directed at education records.

We do not sell or share personal information for cross-context behavioral advertising. We have not sold or shared personal information for monetary or other valuable consideration in the preceding 12 months.

To exercise rights regarding personal information held in an institution's tenant database (including the right to know, delete, correct, or limit processing), please contact the institution directly. For information about personal information we hold as a business in our own right (for example, contact form submissions or vendor inquiries received at our public email addresses), email privacy@myclassroll.com.

We will not discriminate against you for exercising any of your CCPA/CPRA rights.

13. Contact

If you have questions about this Privacy Policy or our data practices, contact us at:

Bay Crew Tech LLC
Email: privacy@myclassroll.com
Web: myclassroll.com