FERPA Compliance

How OnTrack protects student privacy under federal law.

The Family Educational Rights and Privacy Act (FERPA) governs access to student educational records. OnTrack Schools takes FERPA compliance seriously and has built it into the architecture of our platform from day one.

Our Role Under FERPA

OnTrack Schools operates as a "school official" with a "legitimate educational interest" in student records, as those terms are defined under FERPA (34 CFR ยง 99.31(a)(1)). This means:

  • We may access student records only to perform services on behalf of your school
  • We are subject to FERPA's requirements in the same way as any school official
  • We do not disclose student records to unauthorized parties
  • We use student data only for the purpose of providing the OnTrack service

Data Processing Agreements

Districts and schools requiring a formal Data Processing Agreement (DPA) may request one by contacting us at privacy@ontrackschools.com. Our DPA specifies:

  • The categories of student data processed
  • The purposes for which data is processed
  • Data retention and deletion schedules
  • Security measures in place
  • Breach notification procedures

What Data We Process

OnTrack processes only the student data that you explicitly provide:

  • Roster data: Student names and any other identifiers you choose to include in your CSV import
  • Behavior logs: Behavior categories, timestamps, and optional notes entered by authorized teachers

We do not collect data about students from any source other than what you directly input.

Access Controls

OnTrack enforces role-based access controls:

  • Teachers see only their own class roster and behavior logs
  • Administrators see aggregated school-wide data with appropriate privacy protections
  • No third parties have access to student data without your explicit permission

No Data Selling or Sharing

OnTrack Schools does not:

  • Sell student data to any third party
  • Share student data with advertisers or data brokers
  • Use student data for any purpose other than providing the OnTrack service
  • Build profiles of students for commercial purposes

Data Retention and Deletion

  • Free plan: 90-day behavior history
  • School Plan: 3-year behavior history
  • Accounts can be deleted at any time; all associated data is deleted within 30 days
  • Schools may request immediate deletion of all records by contacting support

Security Measures

  • All data transmitted over encrypted HTTPS/TLS connections
  • Data at rest encrypted using AES-256
  • Access to production systems restricted to authorized personnel
  • Regular security reviews and penetration testing
  • Incident response procedures with breach notification protocols

Parental Rights

Under FERPA, parents and eligible students (18+) have rights to inspect and request amendment of education records. If a parent contacts you regarding records stored in OnTrack, please contact us at privacy@ontrackschools.com and we will assist you in fulfilling these requests.

Contact

For FERPA-related questions, DPA requests, or data deletion requests:
privacy@ontrackschools.com