Data Security and Privacy Plan

This policy outlines the data security and privacy practices of Teachley to ensure compliance with federal and state laws, including FERPA, COPPA, CIPA, New York Education Law §2-d. 

Our objective is to safeguard student data and personally identifiable information (PII) throughout its lifecycle—collection, use, storage, sharing, and destruction.

Ownership, Collection, and Use of Data. 

  • Minimized Collection: We collect only the data necessary to provide the educational services outlined in contractual agreements. 

  • Data Ownership: All student data and teacher data remain the exclusive property of the educational agency (LEA). Teachley does not claim ownership of any data received.

  • Use of Data: Data is used only for purposes authorized in the agreement. It is never sold, rented, or disclosed for marketing purposes. De-identified student data may be used to inform the research and design of Teachley’s educational sites, services, and/or applications and to demonstrate the effectiveness of the services or as otherwise outlined in contractual agreements. 


Compliance with Parents’ Bill of Rights. 

Teachley complies with the NY Parents’ Bill of Rights for Data Privacy and Security. 

  • A description of the data collected. Teachley does not knowingly collect PII directly from children. LEA officials (e.g., rostering coordinators, principals) provide Teachley with the limited information needed to create classroom accounts. This information is outlined in contractual agreements and includes such details as student ID, name, photo (optional), school, grade level, and classroom name. Teachley also requests teacher-level information to complete the classroom and educator account setup process, such as teacher’s name, role (classroom teacher, intervention teacher, administrator, etc.), email, school, grade level, and classroom name. 

  • The purpose of collection. Student data is collected and used for two primary purposes: 1) to provide students with a personalized experience whereby Teachley keeps track of students’ performance while using the services allowing the program to adapt based on individual performance and for continued access across devices (e.g., iPad, Chromebook, etc.); and 2) to report formative assessment data to LEA officials. 

  • How the data is protected. Handling of all data collected by Teachley is completed in-house by Teachley personnel who have signed agreements with the company, including confidentiality requirements. Access to data is limited to only those employees who require access, as applicable and necessary for their position. Employees who require access to student data complete a background review and training prior to being permitted access to such data. In-house training includes review of applicable state and federal security & privacy laws, best practices for the security and handling of data, and company policies. Subcontractors or independent consultants hired by Teachley for product development do not receive access to students’ Personal Information. In the event Teachley were to hire a subcontractor or independent consultant to handle student data, the contractor would be required to complete a confidentiality agreement and contracting agreement that states agreement and compliance with Teachley’s data security and privacy policies as well as state and federal privacy laws. 

    • Teachley does not sell, rent, or trade Personal Information to third parties. Teachley does not share student Personal Information with third parties other than with service providers that assist Teachley in performing certain services, such as data hosting, storage, and security (e.g., AWS and Heroku). These partners are only provided with the limited information that they need to perform their business function. 

    • Teachley may transfer Personal Information to another company in connection with a merger, sale or acquisition by or of Teachley, in accordance with contractual agreements. Teachley may disclose Personal Information as required by law and when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served to Teachley and/or to protect the rights, property or safety of a third party.

  • How parents may challenge or request deletion of data.  Parents/legal guardians who created an account directly with Teachley may challenge or request deletion of student data at any time by contacting info@teachley.com. If the student has access to the services through their LEA, parents/legal guardians should contact and submit a request directly to their LEA. Upon written notification from the LEA, Teachley will correct or delete data within thirty (30) calendar days of a request or in accordance with the contractual agreements with the LEA.

Data Security Measures. 

The Teachley system was developed under the guidance of an expert on children’s privacy and security regulations to ensure it remains compliant with COPPA, FERPA, New York State, and other state/federal regulations and policies. In addition, it has undergone a third party evaluation review for safety and compliance.  Teachley shall maintain the following administrative, operational and technical safeguards and practices in place to protect PII, which align with the NIST Cybersecurity Framework, including:

a. Technical Safeguards. 

  • Encryption: We use commercially reasonable encryption technologies with respect to the receipt and transfer of PII submitted to Teachley, including using Secure Socket Layer (“SSL”) technology. All student data is encrypted in transit and at rest. 

  • Access Controls: Access to data is role-based and requires background clearance, training, and unique credentials. 

  • Network Security: Firewalls, intrusion detection, and logging mechanisms are implemented.

b. Physical Safeguards. Data is stored on a secure, password-protected server, located within the United States and operated by industry-leading partners (e.g., AWS). Only authorized personnel are granted permission to access the information. 

c. Administrative Safeguards. All employees with access to PII are required to complete confidentiality agreements, background clearance, and training on FERPA, Ed Law §2-d, COPPA, and internal privacy protocols prior to being granted access. Subcontractors and independent consultants, if hired, will be required to demonstrate compliance with these same safeguards in a contracting agreement prior to receiving access to PII.   

Third-Party Contractors and Subprocessors. 

Should Teachley utilize third-party contractors, data access will be limited to only what is necessary for the subcontractor's task as specified in the contracting agreement. Teachley engages with subprocessors to help us do business, such as store our services and data, provide customer support, and process credit card payments, with agreements that safeguard student data. 

Information on subprocessors used can be found here or by contacting us at info@teachley.com.

Data Return/Destruction.

All PII collected will be returned and/or destroyed in accordance with contractual agreements and within a reasonable time, not more than 6 months following the expiration or termination of contractual agreements. Requests for return and/or deletion of student data can be made at any time, a request that will be completed within 30 calendar days or as otherwise outlined in the contractual agreement. Requests can be made by contacting Teachley at info@teachley.com. If the student has access to the services through their LEA, parents/legal guardians should contact and submit a request directly to their LEA.

Data Breach.

Teachley takes the protection of student data and PII seriously. Teachley has instituted the following protocols in the event of an identified breach or unauthorized release of PII and will follow protocols outlined in contractual agreements.

  • Teachley will provide prompt notification to the LEA without unreasonable delay following the date of discovery of a breach or unauthorized release of PII. 

  • Teachley shall cooperate with the LEA and law enforcement to protect the integrity of any investigation of any breach or unauthorized release of PII.

  • Where a breach or unauthorized release is attributed to Teachley, Teachley shall pay for or promptly reimburse the LEA for the cost of the notification of affected individuals. 

How do I contact Teachley?

If you have any questions or would like more information about our practices, policies, sites, services, and/or applications, you can contact us in the following ways:

Email: info@teachley.com 

Mail: Teachley, LLC. ℅ Teach For America, 25 Broadway, 13th Floor New York, NY 10004 

Version: 1.1

Last Updated: May 28, 2025