How Bright After School Handles Student Data and COPPA Compliance
After-school programs collect sensitive data about children. Here's exactly what data Bright After School stores, how it's protected, and how we comply with COPPA.
When we tell people that Bright After School deals with children's data, the first question they ask is: "How do you handle COPPA?"
It's the right question. COPPA — the Children's Online Privacy Protection Act — sets strict rules about collecting, using, and storing personal information from children under 13. After-school programs are a natural target for scrutiny because they deal with both children and their families.
Here's exactly how we handle it.
What data we collect
For students, we store: - First and last name - The program they're enrolled in - Check-in and check-out timestamps - Which parent or guardian picked them up
We do not store social security numbers, medical information, home addresses, or any information beyond what's necessary to operate the pickup verification system.
For parents and guardians, we store: - Name and email address - Phone number - Government ID photo (for identity verification) - A selfie taken during the verification process - Their designated 4-digit pickup PIN
How data is protected
All data is encrypted at rest using AES-256 encryption. All data in transit is encrypted using TLS 1.3. Our infrastructure runs on cloud providers that maintain SOC 2 Type II compliance.
Access to student data is strictly role-based. A parent can only see their own children. A school administrator can only see their school's students. District administrators can see their district's schools.
Government ID photos are stored in isolated, access-controlled storage. They are accessible only to authorized program administrators for identity verification purposes and are never shared with third parties.
COPPA compliance
Our platform is designed for use by programs serving children, but the personal accounts in our system belong to adults — parents, guardians, and staff. We do not create accounts for children, and children do not interact with our platform directly.
For the student records we do maintain (name, program enrollment, check-in log), these records:
- Are created by school administrators on behalf of the program
- Are not shared with advertisers or third parties
- Are retained only as long as the program maintains an active account
- Can be deleted on request
We are not in the business of advertising. We never sell data to anyone, for any purpose.
Retention and deletion
When a program cancels their account, student records are purged within 30 days. Parent identity documents are deleted within 7 days of account closure. Audit logs (timestamps, pickup records) are retained for 12 months for program accountability purposes, then deleted.
If you have specific questions about compliance for your district or program, our contact form goes directly to our team.