COPPA Compliance
Summary
EMStudio protects children's data with the same rigor as any COPPA-regulated service. Children never use EMStudio directly — teachers enter student data under their school's authorization. We never advertise to students, never sell their data, never build profiles, and never train AI on their information.
1. What Is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a US federal law enforced by the Federal Trade Commission (FTC) that regulates the online collection of personal information from children under 13. It requires operators to obtain verifiable parental consent before collecting, using, or disclosing children's personal information.
COPPA applies not only to websites and apps that children use directly, but also to services that have actual knowledge that they collect data about children — which includes education tools like EMStudio where teachers enter student information. For additional US education privacy protections, see our FERPA compliance page. For EU-specific protections, see our GDPR compliance page.
2. Why COPPA Applies to EMStudio
Children never log in to or directly use EMStudio. It is a tool built exclusively for teachers. However, teachers enter data about their students — including students who may be under 13 — into the platform. Because we have knowledge that some of this data relates to children, COPPA's protections apply.
This is the same situation as virtually every ed-tech platform. The FTC provides a specific framework for how education services like EMStudio can operate under COPPA: the school authorization model.
3. The School Authorization Model
The FTC's COPPA Rule recognizes that requiring individual parental consent for every ed-tech tool a school uses would be impractical. Instead, the FTC provides a school authorization exception: schools can authorize the collection of children's data on behalf of parents, provided the data is used solely for educational purposes.
Under this framework, there are three consent pathways:
| Pathway | How It Works | Who Is Responsible |
|---|---|---|
| Direct parental consent | Parents consent directly to the service | The operator (EMStudio) |
| School authorization | The school consents on behalf of parents for educational use | The school |
| Teacher as school agent | A teacher acts as the school's agent, authorizing the service under the school's policies | The teacher (representing the school) |
EMStudio primarily relies on the third pathway: teachers sign up individually and represent in our Terms of Service that they have authority under their school's policies to enter student data. This is the standard model for ed-tech tools used by individual teachers.
What the school authorization model expects of schools
Under FTC guidance, if a school authorizes teachers to use EMStudio on the school's behalf, the school is expected to:
- Obtain parental consents or provide direct notice under its own process
- Authorize teachers to input student data into educational technology tools
- Notify parents that the school uses EMStudio
These are expectations the FTC places on schools — not demands EMStudio places on teachers. We provide our Data Processing Addendum for schools that want to formalize this relationship.
4. Teacher's Warranty of Authority
In our Terms of Service (Section 5), teachers warrant that:
- They have authority under their school's policies, applicable parental consent laws, or both, to enter student data into EMStudio
- Any required parental consents have been obtained through the school's own process
- They will not enter special category data beyond what is educationally necessary
- They will comply with applicable student privacy laws including FERPA and COPPA
This warranty is the contractual foundation of our COPPA compliance for individual teacher sign-ups. For schools that want a formal agreement, our Data Processing Addendum provides additional contractual protections.
5. What Data We Hold About Children
EMStudio holds only the data that teachers enter about their students. This may include:
- Identity: first name, last name, student ID
- Contact: student email, parent/guardian email, phone number
- Academic: grades, assignments, attendance records
- Notes: behavioral observations, IEP/504 accommodations, teacher notes
We do not independently collect any additional information about children. We never ask students or parents for information directly. The teacher controls exactly what data is entered. For a complete inventory of all data we hold, see our Privacy Policy and Transparency page.
6. How We Use Children's Data
Children's data in EMStudio is used for one purpose only: education. Specifically, we use it to:
- Display student records to the teacher who entered them
- Generate grade reports and attendance summaries
- Organize students into classes and groups
- Store the data securely until the teacher deletes it or closes their account
That is the complete list. There are no other uses. Children's data is never used for analytics, product improvement, marketing, research, or any purpose beyond serving the teacher's educational needs. For a complete mapping of all data uses and their legal bases, see our GDPR legal basis table.
7. Data Minimization
COPPA requires that operators collect no more information than is reasonably necessary. EMStudio applies a four-question data minimization framework to children's data:
| Step | Question | Our Answer |
|---|---|---|
| 1 | Is this data necessary for the educational purpose? | We only store what the teacher enters — we never prompt for or require additional student data |
| 2 | Can we use less data? | All student fields are optional except first name. Teachers decide what to enter. |
| 3 | Can we anonymize it? | Student data must be identifiable to be useful for grading and attendance. We anonymize analytics data instead. |
| 4 | Can we pseudonymize it? | Student IDs can be used as pseudonyms. Teachers can choose how to identify students. |
The key principle: we only accept what the teacher gives us — we never ask for more. EMStudio has no registration form for students, no student-facing features, and no mechanism for collecting data directly from children.
8. Our Commitments for Children's Data
What we never do with children's data
- Behavioral advertising or targeted ads based on student data
- Building marketing profiles or behavioral profiles of students
- Selling, renting, or trading student data to any third party
- Training AI models on student data — ours or any third party's
- Using student data for research unrelated to the educational purpose
- Conditioning a child's participation on providing more information than necessary
These commitments are permanent and unconditional. They are formalized in our Terms of Service and our 12 Privacy Commitments. For the full list of every vendor that processes data on our behalf, see our Sub-Processors page — most vendors never receive student data at all.
9. AI & Children's Data
EMStudio's AI features assist teachers with lesson planning. Here is exactly how children's data relates to our AI:
- Student data is never sent to any AI provider. Our AI privacy guard strips all student-identifiable information before any data leaves our servers. The AI only receives lesson metadata: title, subject, class name, and a sanitized content preview.
- Student data is never used for AI training. No data in EMStudio — children's or otherwise — is used to train, fine-tune, or improve any AI model.
- Zero-retention AI processing. Our AI provider (OpenRouter, routing to Google Gemini) operates under a zero-retention policy — prompts and responses are not stored after the request completes.
- Teachers can opt out. AI features can be disabled entirely from profile settings.
For the complete technical details of what data reaches the AI and how we protect it, see our Transparency page and the AI Features & Data section of our Privacy Policy.
10. How Long We Keep Children's Data
COPPA requires that children's data be retained only as long as necessary for the educational purpose. EMStudio's retention approach:
- Active accounts: Student data is retained as long as the teacher keeps it in the app. Teachers can delete individual students, classes, or records at any time.
- Soft-deleted records: When a teacher deletes a student or class, the data enters a 30-day soft-delete period (allowing undo), then is permanently purged.
- Account deletion: When a teacher deletes their account, all student data is permanently erased from our systems and all sub-processors within 30 days.
- School requests: If a school requests data return or destruction (via our DPA or by contacting us), we comply within 30 days.
For the complete retention schedule across all data types, see our Privacy Policy retention table.
11. Parental Rights
Under COPPA, parents have the right to:
- Review their child's data — request through the school or teacher, who can export the data from EMStudio
- Delete their child's data — request through the school or teacher, who can delete student records directly in the app
- Refuse further collection — request through the school or teacher, who can remove the student from EMStudio
Because EMStudio operates under the school authorization model, parental requests flow through the school or teacher — this is how the FTC expects the process to work for school-authorized services.
Parents who wish to contact EMStudio directly can reach us at info@emstudio.pro. We will direct them to the appropriate school or teacher and cooperate fully with any parental request. For information about data rights under the GDPR or CCPA, see the relevant sections of our other policies.
12. Security
COPPA requires operators to maintain reasonable security for children's data. EMStudio protects all data — including children's — with multiple layers of security:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Row-Level Security: Database policies ensure each teacher can only access their own data — no teacher can see another teacher's students
- Authentication: Secure auth via Supabase with OAuth and email/password
- Rate limiting: Protection against brute-force and automated attacks
- Content Security Policy: Strict CSP headers to prevent injection attacks
- PII scrubbing: Error logs and monitoring data are scrubbed of personally identifiable information
For complete details on our technical and organizational security measures, see our Security page. For breach notification procedures, see our Privacy Policy and FERPA breach notification section.
13. Contact
For questions about COPPA compliance, children's data, or to report a concern:
Education Management Studio
d/b/a EMStudio
Email: info@emstudio.pro
Parents can also learn more about children's online privacy at the FTC's Protecting Your Child's Privacy Online resource.
Related Policies
- Privacy Policy — our full privacy notice
- Terms of Service — teacher authority and student data warranties
- FERPA Compliance — US education records law
- GDPR Compliance — EU data protection (includes Art. 8 children's consent)
- Sub-Processors — every vendor that handles data, with student data breakdown
- Data Processing Addendum — formal agreement for schools
- Security — technical safeguards
- Transparency — complete data inventory and flow diagram
- Our Commitments — 12 privacy promises we stand behind