Effective Date: June 2, 2025
SECTION I. GENERAL PROVISIONS
1.1. PURPOSE
This K-12 Data Privacy Addendum (the “Addendum”) describes Coachbit’s privacy and data handling commitments for K-12 educational institution, school, and school district customers (each, an “Educational Agency” or “EA”) that use Coachbit’s platform and services.
1.2. RELATIONSHIP TO OTHER TERMS
This Addendum supplements Coachbit’s main Privacy Policy and applies specifically to Student Data and related school account data processed in connection with services provided to an EA. In the event of a conflict between this Addendum and Coachbit’s main Privacy Policy regarding Student Data, this Addendum shall control.
Where a separate Student Data Privacy Agreement (“DPA”), state addendum, or other written agreement with an EA imposes stricter requirements, the applicable DPA, state addendum, or written agreement shall control.
1.3. SCOPE
This Addendum applies to Student Data and related Teacher Data or school staff data processed by Coachbit on behalf of an EA in connection with educational services.
SECTION II. DEFINITIONS
2.1. EDUCATIONAL AGENCY (EA)
“Educational Agency” or “EA” means a school, school district, educational institution, or other authorized educational entity that uses Coachbit’s services.
2.2. STUDENT DATA
“Student Data” means student records, personal information, and other information provided by or on behalf of an EA, or collected in the course of providing services to the EA, to the extent such information is protected by applicable law or contract.
2.3. TEACHER DATA
“Teacher Data” means personal information relating to teachers or school staff to the extent processed by Coachbit in connection with services provided to an EA.
2.4. COVERED DATA
“Covered Data” means Student Data and Teacher Data collectively, as used in this Addendum.
SECTION III. COMPLIANCE WITH APPLICABLE LAW
3.1. LEGAL COMPLIANCE COMMITMENT
Coachbit shall comply with applicable federal and state laws and regulations governing the privacy and security of Covered Data, as applicable to the services provided and the EA relationship.
3.2. FEDERAL LAW FRAMEWORKS
Coachbit’s K-12 privacy and security practices are designed to support compliance with applicable federal law requirements, including, as applicable:
- The Family Educational Rights and Privacy Act (“FERPA”)
- The Children’s Online Privacy Protection Act (“COPPA”), where applicable
3.3. STATE LAW AND STATE-SPECIFIC REQUIREMENTS
Coachbit will comply with applicable state student privacy and security requirements as incorporated through law, contract, or state-specific addenda, such as New York Education Law Section 2-d, the Illinois Student Online Personal Protection Act (SOPPA), and the Colorado Student Data Transparency and Security Act, where applicable.
SECTION IV. FERPA SCHOOL OFFICIAL STATUS AND EA CONTROL
4.1. SCHOOL OFFICIAL ROLE
When providing services to an EA under an applicable agreement, Coachbit may operate as a “school official” (or equivalent service provider role) with a legitimate educational interest, as contemplated by FERPA and the applicable agreement.
4.2. SERVICES PERFORMED FOR THE EA
Coachbit provides services to the EA that the EA may otherwise perform directly or through its own personnel or vendors, as described in the applicable agreement.
4.3. EA CONTROL OVER STUDENT DATA
Coachbit processes and maintains Student Data subject to the EA’s direction and the terms of the applicable agreement, including restrictions on use, disclosure, retention, and disposition.
4.4. USE LIMITATION CONSISTENT WITH FERPA AND CONTRACT
Coachbit shall use Student Data only for authorized educational and service delivery purposes, and not for unrelated commercial purposes, subject to applicable law and the governing agreement.
SECTION V. OWNERSHIP, AUTHORIZED USE, AND PROHIBITED USES
5.1. OWNERSHIP OF STUDENT DATA
As between Coachbit and the EA, Student Data remains the property of the EA (or as otherwise provided by applicable law). Coachbit acquires no ownership rights in Student Data by virtue of processing such data on behalf of the EA.
5.2. AUTHORIZED USE ONLY
Coachbit shall access, use, and disclose Student Data only as necessary to provide, maintain, support, and improve the educational services for the EA, as permitted by the applicable agreement and law.
5.3. PROHIBITED COMMERCIAL USES
Coachbit shall not sell Student Data or use Student Data for targeted advertising or for building commercial profiles of students unrelated to the authorized educational purposes of the services.
5.4. DATA MINIMIZATION
Coachbit seeks to collect and process Covered Data that is relevant and reasonably necessary for the educational services provided, subject to product functionality, EA configuration, and applicable legal or contractual requirements.
SECTION VI. PRIVACY AND SECURITY SAFEGUARDS
6.1. INFORMATION SECURITY PROGRAM
Coachbit maintains an information security program designed to protect Covered Data through administrative, technical, and organizational safeguards appropriate to the nature of the data and the risks presented by processing activities.
6.2. SECURITY FRAMEWORK ALIGNMENT
Coachbit’s security program is designed to align with recognized security practices, including the NIST Cybersecurity Framework (CSF) Version 1.1, as applicable to Coachbit’s size, systems, and risk profile.
6.3. ENCRYPTION IN TRANSIT AND AT REST
Coachbit employs encryption and secure transport protections for Covered Data consistent with its security program, including encryption in transit (for example, TLS) and encryption at rest where supported and appropriate to the storage system and service architecture.
6.4. ACCESS CONTROLS
Coachbit restricts access to Covered Data to authorized personnel and service providers with a legitimate Need to Know and applies access control measures, including least privilege and authentication controls, appropriate to the risk.
6.5. STAFF TRAINING AND CONFIDENTIALITY
Coachbit requires personnel with access to Covered Data to be subject to confidentiality obligations and to complete privacy and security training appropriate to their role, consistent with its security program and policy, or as otherwise required by contract.
6.6. TRACKING TECHNOLOGIES FOR K-12 SCHOOL ACCOUNTS
For K-12 school-issued accounts, Coachbit does not use third-party advertising cookies or tracking technologies for non-educational targeted advertising purposes. Any analytics or operational technologies used in school contexts are limited to service delivery, security, reliability, product performance, or other permitted purposes consistent with applicable law and contract.
SECTION VII. SUBPROCESSORS AND SERVICE PROVIDERS
7.1. USE OF SUBPROCESSORS
Coachbit may use subprocessors to support the delivery of services, provided such subprocessors are subject to appropriate contractual obligations regarding confidentiality, security, and data handling.
7.2. SUBPROCESSOR OVERSIGHT
Coachbit maintains a process for evaluating and managing subprocessors that process Covered Data, including reasonable steps to address material non-compliance with applicable privacy or security obligations.
SECTION VIII. DATA RETENTION, RETURN, AND DESTRUCTION
8.1. RETENTION LIMITATION
Coachbit retains Covered Data only for as long as necessary to provide the services, fulfill contractual obligations, and comply with applicable legal requirements.
8.2. RETURN, TRANSFER, OR DESTRUCTION UPON REQUEST OR TERMINATION
Upon termination of services or upon written request from the EA, Coachbit will return, transfer, delete, or destroy Covered Data as required by the applicable DPA, state addendum, or other governing agreement.
8.3. TIMELINES GOVERNED BY APPLICABLE AGREEMENT
Coachbit will complete disposition actions within the timelines required by the applicable agreement and law. Where state-specific requirements apply (for example, 30-day or 90-day timelines), Coachbit will follow the applicable contractual or legal requirement.
8.4. BACKUPS AND TECHNICAL LIMITATIONS
Where Covered Data exists in backups or archived systems, Coachbit will apply appropriate safeguards and will delete the data or render it inaccessible in accordance with applicable contractual requirements, backup lifecycle controls, and technical feasibility.
SECTION IX. SECURITY INCIDENTS AND BREACH NOTIFICATION
9.1. INCIDENT RESPONSE PROGRAM
Coachbit maintains a written incident response process designed to identify, contain, investigate, remediate, and document security incidents affecting Covered Data.
9.2. NOTICE TO EDUCATIONAL AGENCY
In the event of a confirmed unauthorized release, disclosure, or acquisition of Student Data (or other reportable security incident involving Covered Data, as defined by the applicable agreement or law), Coachbit will notify the affected EA within the timeframe required by the applicable DPA, state addendum, or governing agreement, which may include notification within seventy-two (72) hours of confirmation.
9.3. CONTENT AND COOPERATION
Coachbit will provide notice content and cooperation as required by the applicable agreement and law, including available information regarding the nature and scope of the incident and steps taken to contain and remediate it.
SECTION X. CHANGES, CONTACT, AND ADDITIONAL TERMS
10.1. CHANGES TO THIS ADDENDUM
Coachbit may update this Addendum from time to time to reflect changes in law, regulations, security practices, or services. Material changes affecting K-12 privacy commitments will be reflected in an updated effective date and, where required by contract, communicated to affected EAs.
10.2. QUESTIONS AND CONTACT
Questions regarding this Addendum or Coachbit’s K-12 privacy practices may be directed to Coachbit through the contact methods provided in Coachbit’s main Privacy Policy or through the designated privacy or security contact identified in the applicable EA agreement.
10.3. NO LIMITATION OF STRONGER CONTRACTUAL RIGHTS
This Addendum does not limit any stronger privacy, security, audit, notice, or data handling obligations that Coachbit has agreed to in a DPA or other written agreement with an EA.

