Data Use & Privacy

The Basics (TLDR Version)

Student Data:The student data is used to provide you, and only you and your designated recipients, with the reports you've requested.

Data Disposition:We will immediately remove all the data you provide upon request. After 1 year we will expire and remove all of the data you have uploaded as well as the reports generated from that data.

Data transfers:Your data will never be sold, shared, or transferred to any third-party without your prior consent.

Security:We take this stuff seriously. All of the data you provide is encrypted when stored and only transfered by secure means.

Agreements:Our standard CA Data Privacy Agreement is currently registered with the California Student Privacy Alliance . You can view/download a copy here.

If you're unsure how to proceed or your district requires their own data sharing agreement, contact the SHAPE Support Team at

The Details (long version)

Compliance:SHAPE Education, LLC. (SHAPE) complies with all applicable state and federal laws and regulations pertaining to data privacy and security, including FERPA, COPPA, PPRA, SOPIPA, AB 1584, and all other California and Federal privacy statutes.

Authorized Use:The data shared with SHAPE, including persistent unique identifiers, shall be used for the purpose of providing the LEA with the reports and services available through this application. SHAPE also acknowledges and agrees that it shall not make any re-disclosure of any Student Data or any portion thereof, including without limitation, meta data, user content or other non-public information and/or personally identifiable information contained in the Student Data, without the express written consent of the LEA.

Employee Obligation:SHAPE requires all employees and agents who have access to Student Data to comply with all applicable provisions of this policy with respect to the data provided.

No Disclosure:De-identified information may be used by SHAPE for the purposes of development, research, and improvement of educational sites, services, or applications, as any other member of the public or party would be able to use de-identified data pursuant to 34 CFR 99.31(b). SHAPE agrees not to attempt to re-identify de-identified Student Data and not to transfer de-identified Student Data to any party unless (a) that party agrees not to attempt re-identification, and (b) prior notice has been given to the LEA and the LEA has provided consent for such transfer. SHAPE shall not copy, reproduce or transmit any data obtained, except as necessary to fulfill the services requested.

Disposition of Data:Upon request and in accordance with the applicable terms in subsection (a) or (b), below, SHAPE shall dispose or delete all Student Data obtained it is no longer needed for the purpose for which it was obtained. Disposition shall include (1) Erasing; or (2) Otherwise modifying the personal information in those records to make it unreadable or indecipherable by human or digital means. Nothing in this policy authorizes SHAPE to maintain Student Data obtained beyond the time period reasonably needed to complete the disposition. The duty to dispose of Student Data shall not extend to data that has been de-identified, pursuant to the other terms of this policy.

a. Partial DisposalThe LEA may request partial disposal of any Student Data obtained that is no longer needed.
b. Complete DisposalThe LEA may request complete disposal of any Student Data obtained. If no request is made by the LEA to retain the data, SHAPE will dispose of all data obtained through this application 1 year after the data was provided.

Advertising Prohibition:SHAPE is prohibited from using or selling Student Data to (a) market or advertise to students or families/guardians; (b) inform, influence, or enable marketing, advertising, or other commercial efforts by a SHAPE; (c) develop a profile of a student, family member/guardian or group, for any commercial purpose other than providing Service to LEA; or (d) use the Student Data for the development of commercial products or services, other than as necessary to provide Service to LEA.

Data Security:SHAPE abides by and maintains adequate data security measures, consistent with industry standards and technology best practices, to protect Student Data from unauthorized disclosure or acquisition by an unauthorized person. The general security duties of SHAPE are set forth below.

a. Passwords and Access:SHAPE shall secure user names, passwords, and any other means of gaining access to Services or to Student Data, at a level suggested by the applicable standards. SHAPE shall only provide access to Student Data to employees or contractors that are performing Services. Employees with access to Student Data shall have signed confidentiality agreements regarding said Student Data. All employees with access to Student Records shall be subject to criminal background checks in compliance with state and local ordinances.
b. Security Protocols:SHAPE agree to maintain security protocols that meet industry standards in the transfer or transmission of any data, including ensuring that data may only be viewed or accessed by parties legally allowed to do so. Provider shall maintain all data obtained or generated pursuant to this policy in a secure digital environment and not copy, reproduce, or transmit data obtained, except as necessary to fulfill the purpose of data requests by LEA.
c. Security TechnologyWhen the service is accessed using a supported web browser, SHAPE shall employ industry standard measures to protect data from unauthorized access. The service security measures shall include server authentication and data encryption. Provider shall host data pursuant to this policy in an environment using a firewall that is updated according to industry standards.