Privacy Policy
Plain language. No legalese. Here's exactly what happens with your data.
Last updated: March 28, 2026
Who we are
SchoolScope is a California school performance analysis tool built for parents. We're at schoolscope.co. When this policy says "we," "us," or "our," it means SchoolScope.
What we collect
We keep this list short on purpose.
If you visit without signing in
Almost nothing. Cloudflare, our hosting provider, processes your request to serve the page. This includes your IP address and basic request metadata (browser type, page visited). Cloudflare provides us with aggregated, anonymous analytics — we see page view counts and general traffic patterns, not individual visitors. No cookies are set. No tracking pixels load. No fingerprinting happens.
If you sign in with Google
When you create an account, Google shares the following with us:
- Your name — so we know what to call you
- Your email address — so we can identify your account and contact you if needed
- Your Google profile photo URL — so we can show your avatar in the app
That's it. We don't request access to your contacts, calendar, files, or anything else from Google.
If you use the service
- Saved schools and preferences — if you bookmark or compare schools, we store those choices tied to your account
- Session data — a session cookie to keep you logged in
If you subscribe (future)
Payments are processed by Lemon Squeezy, our Merchant of Record. They handle your payment information (card number, billing address) directly. We never see or store your full card number. Lemon Squeezy shares with us: your name, email, subscription status, and transaction IDs.
What we don't collect
This is just as important as what we do collect:
- No tracking pixels — no Facebook Pixel, no Google Analytics, no retargeting tags
- No advertising identifiers — we don't participate in ad networks
- No data about individual students — ever. All school data on this site is aggregate, school-level data published by the state of California.
- No location tracking — we don't use GPS or fine-grained location data
- No third-party data enrichment — we don't buy data about you from data brokers
- No selling of your data — never have, never will. This isn't a privacy-washing line; it's a structural choice. Our revenue comes from subscriptions, not from monetizing your information.
Why we collect it
Every piece of data we collect has a specific purpose:
Who sees your data
We use a small number of service providers to run SchoolScope. Each one only gets the data they need to do their job:
- Cloudflare — hosts and serves the site. Processes requests (including IP addresses) to deliver pages. Cloudflare's privacy policy and data processing addendum apply to their processing.
- Google — provides sign-in via OAuth. Google receives confirmation that you signed in to our site but not what you do on it.
- Resend — sends transactional emails (account confirmation, notifications). Receives your email address and email content only.
- Lemon Squeezy (future) — processes payments as our Merchant of Record. Receives payment details directly. Their privacy policy governs payment data.
That's the complete list. We don't share data with anyone else. No data brokers, no advertisers, no "partners" doing vague things with your information.
About school data
The school performance data on SchoolScope comes entirely from public records published by the California Department of Education. This data includes aggregate, school-level test scores, absenteeism rates, and suspension rates. It contains no personally identifiable information about any individual student, teacher, or parent.
Our composite scores, rankings, and analysis are computed by SchoolScope from this public data. The methodology is fully documented on our methodology page.
Cookies
We use exactly one cookie: a session cookie that keeps you logged in after you sign in with Google. It's a first-party, httpOnly, secure cookie. It expires after 30 days or when you log out.
We don't use advertising cookies, tracking cookies, or third-party cookies of any kind. Cloudflare may set a strictly necessary cookie (__cf_bm) for bot protection — this is a security measure, not tracking.
When we add analytics in the future (such as Google Analytics), we'll load those scripts only after checking your cookie preferences below.
Manage cookie preferences
You can control which optional cookies are active. Strictly necessary cookies (authentication, security) can't be disabled — they're required for the site to work.
Help us understand how visitors use the site. Currently not active — this toggle will apply when we add analytics.
How long we keep it
- Account data (name, email, photo URL) — kept as long as your account is active. Deleted within 30 days of account deletion.
- Session cookies — expire after 30 days or on logout.
- Saved schools and preferences — kept as long as your account is active. Deleted with your account.
- Server logs — Cloudflare retains request logs per their retention policy, typically no more than 72 hours for detailed logs.
We don't keep data "just in case." If there's no reason to store it, we don't.
Security
SchoolScope runs on Cloudflare Workers, which provides:
- HTTPS everywhere — all connections are encrypted in transit
- DDoS protection at the network edge
- No origin server to attack — the application runs at Cloudflare's edge
Authentication is handled through Google's OAuth 2.0, which means we never handle or store your password. Session tokens are cryptographically signed and httpOnly.
Your California privacy rights
If you're a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights. Even though we may not yet meet the revenue thresholds that make CCPA compliance mandatory, we honor these rights for all users:
- Right to know — you can ask what personal information we have about you. This page tells you most of it, but you can email us for a complete accounting.
- Right to delete — you can request deletion of your personal information. We'll confirm within 10 business days and complete the deletion within 45 days.
- Right to correct — you can ask us to fix inaccurate personal information.
- Right to opt out of sale/sharing — we don't sell or share your personal information with third parties for advertising. There's nothing to opt out of, but we honor Global Privacy Control (GPC) signals from your browser as a formal opt-out signal.
- Right to non-discrimination — we won't treat you differently for exercising any of these rights.
To exercise any of these rights, contact us. We'll verify your identity before processing the request.
Children's privacy
SchoolScope is a tool for parents and guardians researching schools. It's not designed for, directed at, or intended to be used by children under 13.
We don't knowingly collect personal information from children under 13. Google OAuth, which we use for authentication, requires users to be at least 13 years old. If you believe a child under 13 has created an account, please contact us and we'll delete the account promptly.
To be clear: SchoolScope does not collect, store, or display any data about individual students of any age. All school data on this site is aggregate, publicly available data at the school level.
Your rights
Regardless of where you live, you can:
- Access your data — email us and we'll send you everything we have
- Delete your account — go to your profile settings or email us. We'll delete your account and all associated data within 30 days.
- Export your data — request a copy of your data in a portable format
- Correct your information — email us to fix anything that's wrong
Changes to this policy
If we change this policy in a meaningful way, we'll notify you by email (if you have an account) and post a notice on the site. We won't sneak changes in. You can always find the current version at schoolscope.co/privacy.
Contact us
Questions, concerns, or requests about your privacy:
- Contact: Send us a message (we respond within 3 business days)
We aim to respond within 3 business days.