Company · Legal
Privacy Policy
Effective July 5, 2026 · Sure Step Education LLC · Sacramento, California
The short version: we build software for special education classrooms. Student data belongs to students, their families, and their schools — we're custodians, not owners. We don't run ads, we don't sell data, we don't build profiles of students, and we don't let anyone downstream of us do it either.
Who we are
Sure Step Education LLC is a special-education software company in Sacramento, California, founded by two working SDC classroom teachers. Our products — DailyWins, TransitionReady, ParaScheduler, and the tools that follow them — are sold to school districts and non-public schools ("the Services").
This policy covers two things: this website, and our company-wide commitments for the Services. Products that store student records also carry their own product-level privacy notice (for example, DailyWins at dailywins.school/privacy) with a precise inventory of the data that product touches. Where a signed agreement with a school district — including a California Student Data Privacy Agreement (CSDPA/NDPA) — covers the same ground, the signed agreement controls.
This website
surestepeducation.com is a brochure, and it behaves like one:
- No accounts, no forms, no cookies set by us, no analytics, no trackers. We don't know who visits this site and haven't installed anything that would tell us.
- Fonts are self-hosted — nothing is fetched from font networks.
- Demo videos load from YouTube only when you click play. At that moment YouTube's own privacy terms apply, the same as watching any video there.
- Contact links open your own email app. What you send us is used to reply to you, and for nothing else.
That's the whole list.
Student data in our products
Our products handle student information only as directed by the school or district that adopted them, and only as much as the job requires. Each product's exact data inventory lives in its product-level notice and in Exhibit B of the signed CSDPA. Company-wide, four laws shape how we operate:
FERPA
When a district uses our Services, we act as a "school official" with a legitimate educational interest, under the district's direct control, per the Family Educational Rights and Privacy Act (20 U.S.C. §1232g). Pupil records remain the property of, and under the control of, the district at all times.
SOPIPA (Cal. Bus. & Prof. Code §22584)
We do not target advertising to students or anyone else based on student data. We do not build profiles of students for any purpose except the educational purpose the school hired us for. We do not sell or rent student information. Ever.
AB 1584 (Cal. Ed. Code §49073.1)
Our district agreements include the contract terms California requires when a vendor holds pupil records: district ownership and control of records, a path for parents and eligible students to review and correct records through their district, our security and breach-notification obligations, and certified deletion or return of records when the agreement ends.
COPPA
Where students under 13 are served, the school provides consent as the parent's agent under the Children's Online Privacy Protection Act, and we collect no more than the school authorizes for the educational purpose. Our products never collect information from children outside a school's direction.
How data is protected
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Access rules enforced in the database with row-level security — not just in the interface — so a misbehaving client can't widen its own access.
- Student data is stored only in the United States.
- Products that hold student records keep an append-only audit log of record access and exports.
- Student data never appears in email.
- Our own staff cannot read student records in normal operation; maintenance access is an explicit, logged exception.
More detail lives on our Security & Trust page.
Subprocessors
A small number of infrastructure providers help us run the Services. Each is bound by terms at least as protective as our agreements with districts, and signed districts are notified before any new subprocessor handles student data.
| Provider | Purpose | Student data |
|---|---|---|
| Supabase (on AWS) | Database, authentication, row-level security | Yes — system of record, US region |
| Vercel | Application hosting | In transit only; none stored |
| Cloudflare | DNS, network security, application hosting | In transit only; none stored |
| Netlify | Hosting for this website | No — this site has no student data |
| Resend | Transactional email to staff | No — staff email addresses only |
| Anthropic | AI parsing of school documents (e.g., bell schedules) | No — not used on student data; not used for model training |
| Optional staff single sign-on | No — staff identity only |
There are no analytics SDKs, advertising networks, or tracking pixels in our products. No other third parties receive data of any kind.
Retention and deletion
We keep student records for the term of the district's agreement and handle them as the agreement directs when it ends — certified deletion or return to the district. Records are soft-deleted in normal operation, so a roster change can never silently destroy a student's history; permanent deletion is a controlled, deliberate act.
If something goes wrong
If we determine that student records have been — or are reasonably believed to have been — accessed or disclosed without authorization, we notify each affected district in writing within 72 hours, cooperate fully with the district's own notification duties under Ed. Code §49073.1 and Civ. Code §1798.29, and never bill a district for a breach that arose from our systems. The full commitment is on our Security & Trust page.
Your rights
Parents, guardians, and eligible students: your school district owns and controls your student's records, so review, correction, and deletion requests go through the district — and we support the district in fulfilling them, every time. If you're not sure who to ask, start with your school's front office; that's genuinely the fastest path.
Website visitors: we hold nothing about you unless you emailed us, in which case we hold your email. Ask and it's gone.
Changes to this policy
Updates are posted here with a new effective date. Material changes to how the Services handle student data are communicated to signed districts as our agreements require — not just quietly posted.
Contact
Privacy questions: hello@surestepeducation.com
Security reports: security@surestepeducation.com
Sure Step Education LLC · Sacramento, California