Privacy Policy

Last updated: April 25, 2026

Overview

Hallwise ("we", "us", or "our") operates hallwise.com. We are committed to protecting the privacy of students, teachers, and school administrators who use our service. This policy explains what data we collect, how we use it, and your rights regarding that data.

Hallwise is designed to help schools meet their obligations under the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and applicable state student data privacy laws. We act as a data processor on behalf of schools, which are the data controllers. The school (not Hallwise) is responsible for obtaining any necessary parental consent before allowing students to use this service.

Data We Collect

From Google Sign-In (teachers and admins)

  • Name and email address
  • Google profile photo (optional, displayed in dashboard)
  • Google account ID
  • Google OAuth access token (used during your session to call Google Classroom; not permanently stored)

From Google Classroom (teachers only, via roster sync)

  • Class names and section information
  • Student names, email addresses, and Google profile photos from class rosters

We request read-only access to course and roster data only. We do not request access to grades, assignments, announcements, or any other Classroom features.

Hall Pass Records

  • Student name and which class the pass was issued from
  • Pass destination (e.g. Bathroom, Nurse, Office)
  • Time the pass was issued and returned
  • Duration of each pass

Dashboard Usage (teachers and admins only)

  • Login timestamps
  • Which dashboard tabs were accessed during each session
  • Approximate session duration

This data is used solely for internal product analytics by the service owner. It is never shared with third parties. Student accounts are not tracked in this way — only teacher and admin accounts.

Billing Information (school admins only)

  • School admin email address (for billing communications)
  • Stripe payment records (credit card data is processed and stored by Stripe, not by us)

Website Analytics (public pages only)

We use Google Analytics on our public marketing pages (homepage, pricing, etc.) to understand how visitors find and use our website. Google Analytics is disabled on all authenticated pages and on the student kiosk. It never sees student names, pass records, or any other student data. The data collected on public pages is standard web analytics: pages visited, time spent, and approximate geographic region.

How We Use Data

  • To provide the hall pass service to your school
  • To display pass history and reports to teachers and administrators at the same school
  • To sync class rosters from Google Classroom
  • To send billing-related emails to school administrators
  • To send real-time pass notifications to teachers (via web push, if enabled)
  • To understand how the product is being used so we can improve it (dashboard activity tracking, teachers/admins only)

We never sell student data. We never use student data for advertising. We never build profiles of students for any commercial purpose. Student data is used solely to provide the hall pass service.

Student Data, FERPA, and COPPA

FERPA

Student data accessed through Google Classroom (names, rosters, pass records) constitutes educational records under FERPA. We operate as a "school official" with a legitimate educational interest under FERPA's school official exception — meaning the school has designated us as a service provider acting on the school's behalf. We do not disclose student records to any third party without school authorization, except as required by law.

Student data is scoped to each school. No student data is visible to other schools or to the general public. Teachers and admins can only view data from their own school.

COPPA (Children Under 13)

Hallwise may be used by students under the age of 13. We rely on the COPPA school consent exception: the school (not parents individually) provides consent on behalf of students for the narrow purpose of managing hall passes. This means:

  • Student data is used only for the educational purpose of hall pass management
  • We do not collect more data from students than is reasonably necessary for this purpose
  • We do not sell student data or use it for advertising or any commercial purpose
  • Schools are responsible for notifying parents of this service use in accordance with their own FERPA/COPPA obligations

If you are a parent and wish to review, correct, or delete your child's data, please contact your school administrator. The school can submit a deletion request to us at hello@hallwise.com.

State Laws

We are designed to comply with applicable state student privacy laws, including SOPIPA (California), SOPPA (Illinois), New York Education Law 2-d, and similar laws in other states. These laws generally prohibit selling student data and targeted advertising, and require reasonable security — all of which we follow.

Sub-processors (Third-Party Services)

We use the following third-party services to operate Hallwise. Each sub-processor is contractually bound to protect your data.

Service | Purpose | Student Data? | Certifications
Supabase / AWS | Database hosting (US East region) | Yes — all application data | SOC 2 Type II, ISO 27001
Vercel | Application hosting and CDN | In transit only (not stored) | SOC 2 Type II, ISO 27001
Google | Authentication and Classroom roster sync | Source only (not stored by Google on our behalf) | ISO 27001, FERPA-aligned (Workspace for Education)
Stripe | Payment processing | No — billing only (school admin email + payment) | PCI DSS Level 1
Resend | Contact form email delivery | No — contact form messages only | SOC 2 Type II
Google Analytics | Website analytics (public pages only) | No — disabled on all authenticated and student-facing pages |

Data Storage and Security

  • All data is stored in Supabase (PostgreSQL) hosted on AWS infrastructure in the United States (US East region)
  • Supabase holds SOC 2 Type II and ISO 27001:2022 certifications; data is encrypted at rest
  • All data is transmitted over encrypted HTTPS connections (TLS 1.2+)
  • Database access is controlled by row-level security policies — teachers and admins can only query data belonging to their own school
  • Production database access is restricted to the application service account and the service owner
  • Vercel (our hosting provider) holds SOC 2 Type II and ISO 27001:2022 certifications

Data Retention and Deletion

  • Active subscription: All school data is retained for the duration of the active subscription period.
  • After cancellation or expiration: Student data (names, pass records, roster enrollments) is permanently deleted within 30 days of subscription termination. Backup copies are purged within 90 days.
  • On request: Schools can request immediate deletion of all their data at any time by emailing hello@hallwise.com. We will confirm deletion within 5 business days.
  • Anonymized aggregate statistics (e.g. total passes issued across the platform) may be retained indefinitely. These contain no personally identifiable information.
  • Dashboard activity logs (teacher/admin login sessions) are retained for 30 days on a rolling basis.

Data Breach Notification

In the event of a security incident involving unauthorized access to student data, we will:

  • Notify affected school administrators by email within 72 hours of discovering the breach
  • Provide a description of what data was accessed, how, and what steps we have taken to contain and remediate the incident
  • Cooperate with any school investigation and provide records as required

To report a security vulnerability or concern, contact us immediately at hello@hallwise.com.

Your Rights

Schools, parents, and eligible students (age 18+) have the right to:

  • Request a copy of data we hold about a student
  • Request correction of inaccurate data
  • Request deletion of all data for a student or an entire school
  • Object to any data processing not strictly necessary to provide the service

Parents of students under 18 should direct requests through their school administrator. Schools may submit requests directly to hello@hallwise.com. We respond within 5 business days.

Cookies and Analytics

We use a single session cookie to keep teachers and admins signed in. This is a functional cookie required for the service to work — you cannot opt out of it while using the product.

On public marketing pages (homepage, pricing, etc.), we use Google Analytics to understand how visitors find and use our website. These analytics are disabled on all authenticated pages and the student kiosk — Google Analytics never receives student data.

We do not use advertising cookies, retargeting pixels, or any other tracking technology on authenticated or student-facing pages.

Data Processing Agreements

We are willing to sign a Data Processing Agreement (DPA) with schools or districts that require one. We support the National Data Privacy Agreement (NDPA) framework published by the Student Data Privacy Consortium (SDPC). To request a DPA, email hello@hallwise.com with your district name and we will respond within 3 business days.

Changes to This Policy

We will notify school administrators by email of any material changes to this privacy policy at least 30 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.

Contact

For privacy questions, data requests, or to request a Data Processing Agreement:

Hallwise
hello@hallwise.com

For our full security and trust documentation, visit the Security & Trust page.