Built for schools that take student data seriously.
Plain-language pledges, a published list of every sub-processor, and a Data Processing Agreement we can sign in a day. No dark patterns, no “contact sales,” no fine print that says we own your students' photos.
We don't sell student data
Not to data brokers, not to advertisers, not to AI companies for training. Not for any reason.
We don't profile or target
No behavioural advertising, no “personalised” recommendations driven from student records, no tracking pixels in the app.
AI doesn't learn from your data
Our AI features (scan-a-card-to-template, photo enhance) call third-party vision APIs with zero-retention contracts. Your photos are not training data.
Compliance posture
We list what we're aligned with today, what's in progress, and what's out of scope. No hand-waving.
FERPA
When a school engages BadgeBadger, we act as a “school official” with a legitimate educational interest under 34 CFR §99.31(a)(1). Education records are used only for the contracted service — designing, capturing, printing, and managing student ID cards. We don't disclose them to anyone outside the sub-processors below.
COPPA
For students under 13, we rely on the FTC's school-authorization exception (FTC, July 2014 guidance). The school authorises data collection on parents' behalf, strictly for the educational service. We collect only the minimum data needed to print the badge.
State student-privacy laws
California SOPIPA, New York Education Law §2-d, Illinois SOPPA, Connecticut PA 16-189, and 20+ similar state statutes. The pledges above (no sale, no targeting, no profiling) cover the substantive requirements; the DPA covers the contractual ones.
SOC 2 Type II
Not yet started. We'll begin Type II evidence collection (Vanta or Drata) concurrently with our first paid school-district contract — at our current scale a $30k+/yr audit is hard to justify before there's revenue to fund it. Districts that need an interim attestation: ask, and we'll discuss what we can offer in the meantime (security questionnaire, code-access audit, deployment topology).
GDPR / UK GDPR
We're a US company with US-hosted infrastructure. For EU/UK customers we'll execute Standard Contractual Clauses (SCCs) and an Article 28 DPA on request. EU-region hosting available for orgs that require it.
HIPAA
BadgeBadger isn't designed to store Protected Health Information (PHI). If your use case involves health records on the badge — for example, allergy or medication information — talk to us first so we can scope a Business Associate Agreement before you upload anything.
Sub-processors
The complete list of vendors we send your data to. We notify you 30 days before adding a new sub-processor; existing customers can object and terminate without penalty if a new vendor doesn't meet your bar.
| Sub-processor | Purpose | Hosting | Compliance |
|---|---|---|---|
| Supabase | Authentication, primary Postgres database, photo + asset storage. | United States (us-east-1, AWS) | SOC 2 Type II, HIPAA-ready BAA available |
| Vercel | Web app hosting, serverless compute for PDF rendering and API routes. | United States (multi-region edge, primary iad1) | SOC 2 Type II, ISO 27001, GDPR DPA |
| Cloudflare | DDoS protection, DNS, edge caching for the marketing site and login pages. | Global edge network (US fallback) | SOC 2 Type II, ISO 27001, GDPR DPA |
| Resend | Transactional email (password resets, invitations, weekly reports). | United States | SOC 2 Type II, GDPR DPA |
| Polar | Subscription billing and payment processing. | United States (Stripe-backed) | PCI-DSS compliant via Stripe |
| Anthropic (AI features) | Vision-LLM calls for scan-a-card-to-template. Only invoked when an operator explicitly clicks an AI feature; never on every photo upload. | United States | SOC 2 Type II. Anthropic does not use API traffic to train models. Default API tier retains inputs for up to 30 days for trust-and-safety review; we don't ship to the Zero Data Retention tier yet (it's an Enterprise contract). Districts that require ZDR before adoption: ask, and we'll either disable the AI features for your tenant or scope an Anthropic ZDR agreement into the contract. |
Operational guarantees
The boring-but-important stuff that protects you when things go sideways.
Encryption everywhere
TLS 1.3 in transit, AES-256 at rest. Photos and PDFs stored in Supabase Storage with bucket-level RLS scoped to your organization.
US-only data residency
Default region is AWS us-east-1 (Supabase) and Vercel iad1. EU residency is available for European customers on request.
Deletion on request
Email privacy@badgebadger.app to request export (JSON) or deletion. Operator-side employee deletion + photo purge is a one-click action in the app today. We commit to a 30-day end-to-end purge SLA (including backups) in our DPA. Automated retention windows are on the roadmap — for now, deletion is operator-driven or via a support request.
72-hour breach notification
If we detect a security incident affecting your data, we notify you within 72 hours of confirming the impact. The detection and escalation procedure is documented in our internal incident-response runbook; a copy is available under NDA.
Founder-only production access
BadgeBadger is currently a small team. Production credentials are limited to founders, gated behind hardware keys (WebAuthn / YubiKey) and provider-enforced MFA. Database queries against tenant data are auditable at the Supabase tier, and we'll never query your data without a support ticket from your side.
Audit log
Every login, template change, employee write, and print event lands in your tenant's audit log, exportable as CSV from /settings/audit. Photo-read auditing is on the roadmap — currently we audit writes but not signed-URL reads on every photo view.
Honest about where we are.
We're a small team building toward the K-12 segment. The pledges and operational guarantees on this page are the ones we keep today. The big-ticket vendor checklist items — SOC 2 audit, $2M+ cyber policy, third-party pen test — we're scoping to land concurrently with our first paying district. Below is what we'll deliver on day one of a contract conversation, and what we commit to land before go-live.
- Draft DPA covering FERPA + COPPA + state law (counsel-reviewed before first signature)
- SDPC NDPA v2 accepted as a starting point; redlines reviewed within 5 business days
- Documented incident-response & deletion runbooks (available under NDA)
- Cyber liability insurance & SOC 2 Type II audit scoped to your contract start
What we can send today
DPA draft
FERPA + COPPA + state-law aligned. We'll counsel-review and counter-sign once a real contract is in motion.
Security questionnaire
CAIQ Lite + a written narrative of our controls.
Sub-processor list
Same one above, formatted as a CSV — and a 30-day notification commitment for changes.
Runbook summaries
Incident response, data deletion, access review — under NDA on request.
Data Processing Agreement
We have a draft DPA aligned with FERPA, COPPA, and the substantive provisions of US state student-privacy laws. It's not a finalised template yet — counsel review is scoped to land before our first signed school contract. We accept the SDPC's National Data Privacy Agreement (v2) as a starting point and will turn around redlines within five business days. Email privacy@badgebadger.app to start the conversation.
Common questions
Do you sell or share student data with anyone?
No. We don't sell student data, ever. We share data only with the sub-processors listed above, only for the specific purpose listed (hosting, billing, email delivery, AI features that you explicitly invoke), and only the minimum needed for that purpose. We have no advertising business, no data-broker relationships, and no plans to add either.
Where is student data stored?
By default in AWS us-east-1 via Supabase, and on Vercel's iad1 region for application compute. Data does not leave the United States in normal operation. EU-region hosting is available on request for European customers.
What happens to a student's data when they leave the school?
Today: an admin can delete the student record from the employee detail page or via bulk action; the photo + cropped/thumbnail variants are removed at the same time. Automatic retention-window purges (30 / 60 / 90 days) are on the roadmap — until they ship, deletion is operator-driven or via a support request. We commit to a 30-day end-to-end deletion SLA (including database backups) under the DPA.
Do AI features train on our students' photos?
No. Anthropic does not use API traffic to train models — that's a contractual commitment under their API terms. The AI features are also opt-in: they only run when an operator explicitly clicks them. Important caveat about retention: Anthropic's default API tier retains inputs for up to 30 days for trust-and-safety review (abuse detection). We don't ship to the Zero Data Retention tier yet because it's an Enterprise contract that's not feasible at our current scale. Districts that require ZDR before adoption: ask, and we'll either disable AI features for your tenant or scope an Anthropic ZDR agreement into the contract.
Are you GDPR-compliant?
We're a US company hosted in the US, but we'll execute Standard Contractual Clauses (SCCs) and a GDPR Article 28 DPA on request for European customers. EU-region hosting is available for orgs that need data residency in the EU.
What's your incident-response playbook?
Internal detection within 24 hours via automated monitoring, customer notification within 72 hours of confirmed impact, written post-incident report within 30 days, and remediation tracking visible to affected customers until close-out. The DPA documents our exact obligations.
Talk to a real person
Privacy questions, DPA redlines, security questionnaires, breach drills, audit requests — all go to one inbox staffed by humans.