FERPA & Student Privacy

FERPA & Student Privacy Statement

This statement explains how Fiveish handles student education records, complies with federal and state student privacy laws, and supports schools in meeting their own legal obligations.

Effective date: June 1, 2025 Last updated: June 1, 2025
๐Ÿ›๏ธ
FERPA Compliant
We operate as a School Official with a legitimate educational interest under FERPA
๐Ÿ‘ถ
COPPA Compliant
Students under 13 may only be enrolled by a teacher with appropriate authorization
๐Ÿ”’
No Data Selling
We never sell, rent, or trade student data under any circumstances
๐Ÿ“š
Educational Use Only
Student data is used exclusively to provide the educational service
01

FERPA โ€” Family Educational Rights and Privacy Act

FERPA (20 U.S.C. ยง 1232g) is a federal law that protects the privacy of student education records. It applies to all schools that receive federal funding, and it governs how those schools โ€” and the service providers they authorize โ€” may access and use student records.

Our role under FERPA

When a school or teacher uses Fiveish, we operate as a "school official" under FERPA โ€” specifically, a third-party service provider that has been granted access to education records to perform a service for the school. This is an established legal framework that allows schools to use educational technology tools without obtaining individual parental consent for each one, provided the tool:

Fiveish meets all three conditions. Teachers control which students are enrolled, what assignments are posted, and how grades are recorded. We access student data only to the extent necessary to provide the assignment and grading service the teacher has set up.

What constitutes an education record in Fiveish

The following data generated in Fiveish constitutes an education record under FERPA:

Legitimate educational interest

We access student education records only when there is a legitimate educational interest โ€” specifically, to display assignments to the student, record their scores, show their teacher their progress, and enable the teacher to manage grades. We do not access student records for any other purpose.

02

COPPA โ€” Children's Online Privacy Protection Act

COPPA (15 U.S.C. ยงยง 6501โ€“6506) requires verifiable parental consent before collecting personal information from children under 13. The FTC's COPPA Rule provides a school consent exception: schools may consent on behalf of parents when the data collection is for an educational purpose and the service is used in the school context.

How we handle students under 13

Fiveish does not allow students to self-register. Students are enrolled only by their teacher, either through a class join code or by Google Classroom roster import. By enrolling a student under 13, the teacher represents that:

We do not knowingly collect personal information from children under 13 outside of a school-directed educational context. If we learn that personal information has been collected from a child under 13 without appropriate authorization, we will delete it promptly.

What we collect from students under 13

We collect only the minimum information necessary to operate the educational service: name, email address, and assignment/score data. We do not collect photos, location data, or any other sensitive personal information.

03

What We Do and Don't Do With Student Data

Practice Fiveish
Sell student data to third partiesNever
Share student data with advertisersNever
Use student data to build advertising profilesNever
Use student data to recommend products or servicesNever
Share student data with data brokersNever
Use student data for any commercial purpose beyond the serviceNever
Display scores and progress to the student's own teacherYes โ€” core function
Sync grades to Google Classroom at teacher's requestYes โ€” teacher-initiated
Store data securely using industry-standard practicesYes
Delete data upon request within 30 daysYes
Allow teachers to export student data as CSVYes
04

Google Classroom Integration & Student Data

When a teacher connects their Google Classroom account to Fiveish, the following student data may be imported from Google Classroom:

This data is imported solely to:

The Google OAuth access token used for Classroom is stored only in the teacher's browser session and is never transmitted to or stored on Fiveish servers. It expires automatically after one hour.

Grade data synced to Google Classroom is subject to Google's terms of service and the school's agreement with Google Workspace for Education.

05

Security & Data Protection

We implement the following technical and organizational measures to protect student data:

No system is completely secure. If we become aware of a security incident affecting student data, we will notify affected schools and teachers promptly and take appropriate remediation steps.

06

Parental and Student Rights

Under FERPA, parents and eligible students (students 18 or older) have the right to:

These rights are typically exercised through the student's school. We will cooperate with schools to fulfill any FERPA access or correction requests they direct to us.

Note for schools: If a parent contacts Fiveish directly with a FERPA request, we will refer them to the student's teacher or school, who are the responsible party for the education record. We will cooperate fully with any school-directed request.
07

Sub-Processors

The following third-party services process student data as part of operating Fiveish:

Service Purpose Data processed Location
Google Firebase / Firestore Database, authentication, hosting All user and student data United States
Stripe Payment processing Teacher email address only (payment card data never reaches us) United States
Google Classroom API Roster import and grade sync (teacher-initiated only) Student names and email addresses from linked courses United States

All sub-processors are bound by data processing agreements consistent with applicable law. We do not use any sub-processors that are not listed above for processing student data.

08

State Student Privacy Laws

Several states have enacted student data privacy laws that go beyond FERPA. Our practices are designed to comply with the most comprehensive of these, including:

In general, these laws share common requirements that align with our practices: no selling of student data, no use of student data for commercial profiling, no targeted advertising, data minimization, and data deletion rights. If your state has specific requirements not addressed here, please contact us.

09

Data Processing Agreement

Some districts require a signed Data Processing Agreement (DPA) or Student Data Privacy Agreement before deploying a tool. We are happy to sign standard DPAs.

We are compatible with the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement, which is accepted by participating districts in many states. If your district uses SDPC, contact us and we can execute the agreement through their platform.

For districts that require a custom DPA, contact us at getfiveish@gmail.com with your district's standard form and we will review it.

10

Contact & Questions

For privacy questions, data requests, DPA inquiries, or concerns about student data, contact us directly. We respond to all privacy inquiries within 2 business days.

โœ‰๏ธ
Privacy contact
getfiveish@gmail.com
Include "Student Privacy" in the subject line for fastest routing.

Also see our Privacy Policy and Terms of Service.