Company · Legal

Privacy Policy

Effective July 5, 2026 · Sure Step Education LLC · Sacramento, California

The short version: we build software for special education classrooms. Student data belongs to students, their families, and their schools — we're custodians, not owners. We don't run ads, we don't sell data, we don't build profiles of students, and we don't let anyone downstream of us do it either.

Who we are

Sure Step Education LLC is a special-education software company in Sacramento, California, founded by two working SDC classroom teachers. Our products — DailyWins, TransitionReady, ParaScheduler, and the tools that follow them — are sold to school districts and non-public schools ("the Services").

This policy covers two things: this website, and our company-wide commitments for the Services. Products that store student records also carry their own product-level privacy notice (for example, DailyWins at dailywins.school/privacy) with a precise inventory of the data that product touches. Where a signed agreement with a school district — including a California Student Data Privacy Agreement (CSDPA/NDPA) — covers the same ground, the signed agreement controls.

This website

surestepeducation.com is a brochure, and it behaves like one:

That's the whole list.

Student data in our products

Our products handle student information only as directed by the school or district that adopted them, and only as much as the job requires. Each product's exact data inventory lives in its product-level notice and in Exhibit B of the signed CSDPA. Company-wide, four laws shape how we operate:

FERPA

When a district uses our Services, we act as a "school official" with a legitimate educational interest, under the district's direct control, per the Family Educational Rights and Privacy Act (20 U.S.C. §1232g). Pupil records remain the property of, and under the control of, the district at all times.

SOPIPA (Cal. Bus. & Prof. Code §22584)

We do not target advertising to students or anyone else based on student data. We do not build profiles of students for any purpose except the educational purpose the school hired us for. We do not sell or rent student information. Ever.

AB 1584 (Cal. Ed. Code §49073.1)

Our district agreements include the contract terms California requires when a vendor holds pupil records: district ownership and control of records, a path for parents and eligible students to review and correct records through their district, our security and breach-notification obligations, and certified deletion or return of records when the agreement ends.

COPPA

Where students under 13 are served, the school provides consent as the parent's agent under the Children's Online Privacy Protection Act, and we collect no more than the school authorizes for the educational purpose. Our products never collect information from children outside a school's direction.

How data is protected

More detail lives on our Security & Trust page.

Subprocessors

A small number of infrastructure providers help us run the Services. Each is bound by terms at least as protective as our agreements with districts, and signed districts are notified before any new subprocessor handles student data.

Current subprocessors, their purpose, and whether they handle student data
ProviderPurposeStudent data
Supabase (on AWS)Database, authentication, row-level securityYes — system of record, US region
VercelApplication hostingIn transit only; none stored
CloudflareDNS, network security, application hostingIn transit only; none stored
NetlifyHosting for this websiteNo — this site has no student data
ResendTransactional email to staffNo — staff email addresses only
AnthropicAI parsing of school documents (e.g., bell schedules)No — not used on student data; not used for model training
GoogleOptional staff single sign-onNo — staff identity only

There are no analytics SDKs, advertising networks, or tracking pixels in our products. No other third parties receive data of any kind.

Retention and deletion

We keep student records for the term of the district's agreement and handle them as the agreement directs when it ends — certified deletion or return to the district. Records are soft-deleted in normal operation, so a roster change can never silently destroy a student's history; permanent deletion is a controlled, deliberate act.

If something goes wrong

If we determine that student records have been — or are reasonably believed to have been — accessed or disclosed without authorization, we notify each affected district in writing within 72 hours, cooperate fully with the district's own notification duties under Ed. Code §49073.1 and Civ. Code §1798.29, and never bill a district for a breach that arose from our systems. The full commitment is on our Security & Trust page.

Your rights

Parents, guardians, and eligible students: your school district owns and controls your student's records, so review, correction, and deletion requests go through the district — and we support the district in fulfilling them, every time. If you're not sure who to ask, start with your school's front office; that's genuinely the fastest path.

Website visitors: we hold nothing about you unless you emailed us, in which case we hold your email. Ask and it's gone.

Changes to this policy

Updates are posted here with a new effective date. Material changes to how the Services handle student data are communicated to signed districts as our agreements require — not just quietly posted.

Contact

Privacy questions: hello@surestepeducation.com
Security reports: security@surestepeducation.com
Sure Step Education LLC · Sacramento, California

Demo