FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) is a federal law (20 U.S.C. Section 1232g) that protects the privacy of student education records. FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Under FERPA, schools must have written permission from a parent or eligible student before releasing any information from a student's education record, with certain exceptions.

When a school or district uses Sheelon, Sheelon acts as a "school official" with a "legitimate educational interest" under FERPA. This means:

• We perform functions that the school would otherwise use its own employees to perform
• We are under the direct control of the school with respect to the use and maintenance of education records
• We use education records only for the purposes for which we were given access
• We comply with the re-disclosure requirements of FERPA

What We Collect

When students participate in Sheelon games, the following data may be considered education records when linked to a student:

• Player nickname (chosen by the student at time of joining a game)
• Quiz responses and answer data
• Scores and performance analytics
• Time spent on questions

What We Do NOT Collect

• Student account information (players do not need accounts to join games)
• Student ID numbers, Social Security numbers, or other government identifiers
• Home addresses or phone numbers
• Parent or guardian information
• Disciplinary records, health records, or financial information

Sheelon is designed with data minimization as a core principle:

• No student accounts required. Students join games using only a Game PIN and a self-chosen nickname. No email, real name, or other personal information is required from students.
• Minimal data collection. We only collect the data necessary to run the game and provide analytics to the teacher.
• Teacher controls data visibility. Only the teacher who hosted a game can access detailed player-level analytics and reports.
• No persistent student profiles. Player session data is associated with a game session, not with a persistent student identity across sessions.

Schools and districts using Sheelon have the following controls:

• Teachers can delete game session data, including all player responses and analytics
• Organization administrators can manage teacher accounts within their school
• Schools can request complete data deletion for all accounts associated with their organization
• Schools can request an export of all data associated with their organization

Sheelon will never sell student data. We will never use student data for targeted advertising. We will never build profiles of students for non-educational purposes. Student data is used exclusively for the educational purposes of the Service.

We implement appropriate security measures to protect student education records:

• All data transmitted over the network is encrypted using TLS/HTTPS
• Database access is restricted and requires authentication
• Access to student data is limited to the teacher who hosted the game session
• We conduct regular security reviews and apply updates promptly
• We use industry-standard hosting infrastructure with security certifications

Under FERPA, parents (or eligible students over 18) have the right to:

• Inspect and review their child's education records held by the school
• Request correction of records they believe are inaccurate
• Consent to disclosure of personally identifiable information (with certain exceptions)

If a parent or eligible student wishes to exercise these rights regarding data held by Sheelon, they should contact their school or district, which can work with us to fulfill the request. Parents may also contact us directly at [email protected].

In the event of a data breach that affects student education records, Sheelon will:

• Notify affected schools and districts as promptly as possible, and no later than 72 hours after discovery
• Provide details about the nature of the breach and the data affected
• Describe the steps we are taking to contain and remediate the breach
• Cooperate with schools in notifying affected parents as required by law

Schools and districts may request a Data Processing Agreement (DPA) or Student Data Privacy Agreement (SDPA) that formalizes our commitments under FERPA and applicable state student privacy laws. Contact us to initiate this process.

For questions about FERPA compliance, data privacy, or to request a Data Processing Agreement, please contact:

Email: [email protected]