B
BusBeat

Bus Beat Privacy Policy

Last updated: May 2, 2026 Effective date: Pilot launch (Q3 2026)

1. Who we are

Bus Beat ("we", "us") is a software service that helps private K-12 schools coordinate athletic transportation. Bus Beat is operated by [Legal Entity Name TBD], a [State] [LLC / corporation], headquartered at [Address].

For privacy questions or to exercise your rights, contact: privacy@busbeat.app

2. Who this policy covers

This policy describes how we handle information about:

  • School staff (Athletic Directors, assistants, coaches) who hold a Bus Beat user account at a contracting school
  • Bus vendors and drivers whose contact information is recorded by school staff for trip coordination
  • Visitors to our public marketing site

This policy does not cover student information. Bus Beat is intentionally designed to avoid collecting personally identifiable student data (see §6).

3. What we collect

3.1 Account information (school staff)

  • Full name, email address, role at the school, school affiliation
  • Phone number, if a coach (required for SMS bus updates)
  • Authentication metadata (sign-in timestamps, IP address of sign-in)

3.2 Trip data entered by school staff

  • Sport, team, opponent, destination, dates and times
  • Vendor name, driver name (free text), bus number, passenger count
  • Internal notes the AD chooses to record

3.3 Coach location during active trips (optional)

If a coach opts in to location sharing for a trip, we collect their device GPS coordinates only during the trip's active window (from 15 minutes before scheduled departure to 30 minutes after scheduled return). The coach can revoke this at any time.

We collect: latitude, longitude, accuracy, speed, heading, and a client-side timestamp.

We do not collect location at any other time. We do not collect location from any device other than the consenting coach's.

3.4 SMS metadata

  • The phone numbers we send messages to and from
  • Message contents (operational updates only — never marketing)
  • Delivery status returned by our SMS carrier
  • Inbound STOP / HELP / START messages, for opt-out compliance

3.5 Vendor contact information

  • Vendor business name, dispatch contact name, phone, email — entered by school staff for trip assignment.

3.6 Diagnostic and usage data

  • Browser type, OS, page views, error reports
  • Aggregated, non-identifying usage metrics for product improvement

4. How we use this information

  • To deliver the Bus Beat service (display schedules, send SMS, show live ops to ADs)
  • To authenticate users via emailed magic links
  • To send operational SMS to opted-in coaches (trip assignments, schedule changes, weekly digest)
  • To audit changes for the school's own records (every trip change is logged)
  • To respond to support requests
  • To detect and prevent abuse of the service
  • To improve product reliability through aggregated diagnostics

We do not use any data to:

  • Sell to third parties
  • Target advertising
  • Train AI models on identifiable data
  • Share with the school's competitors or vendors' competitors

5. SMS specifically

By accepting a coach invite, you consent to receive operational SMS messages from your school's Bus Beat account about your team's transportation. Message frequency varies (typically 1–5 messages per week during your sport's season).

  • Reply STOP at any time to stop all messages from your school's Bus Beat number
  • Reply HELP for support contact info
  • Opting out has no effect on your access to the Bus Beat coach app
  • Standard message and data rates from your carrier may apply
  • We use Twilio as our SMS carrier (see §9)

We do not send marketing SMS, and we do not share your phone number with anyone outside your school's Bus Beat account.

6. Student data — what we do NOT collect

Bus Beat is intentionally architected to not store personally identifiable student information. Specifically:

  • We do not store student names, ID numbers, dates of birth, addresses, parent contacts, grades, IEP/504 information, or any other educational record covered by FERPA.
  • Trip records include a passenger count (a number) and a free-text "rider notes" field. School staff are instructed not to write student names in rider notes; we recommend "Varsity boys + 2 managers" rather than names.
  • Location data we collect during trips is a coach's (an employee's) device location, recorded with that coach's consent. The coach happens to be on a bus carrying students; we do not record student-specific positions.

If your school has reason to believe FERPA-protected information has been entered into Bus Beat, contact us immediately at privacy@busbeat.app and we will purge the affected fields.

7. Data retention

| Data | Retention | |---|---| | Account information | For the life of the account; deleted within 30 days of account closure | | Trip records | For the life of the school's account, plus exportable archive | | Trip event audit log | 7 years (operational + financial audit) | | Coach location pings | 30 days, then automatically deleted by a nightly job | | Coach check-in records | For the life of the school's account | | SMS message contents | 2 years | | SMS consent events (STOP/START audit) | 7 years (legal compliance) | | Diagnostic / error logs | 90 days |

Schools can request earlier deletion of any data they own at any time.

8. Who controls the data

Bus Beat is a data processor acting on behalf of each contracting school, which is the data controller for its users' and trip information. Each school's data is logically isolated from every other school's via tenant ID enforced at the database level.

Schools can:

  • Export their full dataset to CSV at any time (/ad/settings → Export)
  • Request deletion of their tenant and all associated data within 30 days of contract termination
  • Designate which staff have access at which permission level

A Data Processing Addendum (DPA) is available on request and is signed alongside the master service agreement.

9. Third parties we share data with

We share the minimum necessary data with the following service providers, under contractual confidentiality obligations:

| Provider | Purpose | Data shared | |---|---|---| | Supabase (Amazon RDS, US East) | Database, authentication | All user account + trip data | | Vercel (US) | Application hosting | Service traffic + diagnostics | | Twilio | SMS delivery | Recipient phone numbers + message bodies | | Mapbox / MapTiler | Map rendering and geocoding | Destination addresses entered by ADs | | Sentry | Error reporting | Stack traces (may include user email of the affected user) | | PostHog | Anonymous product analytics | Page views, feature usage; no message contents |

We do not sell or rent personal information to anyone.

10. Where data lives

All Bus Beat data is processed and stored on infrastructure located in the United States. We do not transfer Bus Beat data outside the United States.

11. Security

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access to production data is restricted to a small operational team, all under non-disclosure obligations.
  • We use multi-tenant database isolation enforced via row-level security at every query.
  • Authentication is via emailed one-time links — no passwords are stored.
  • Service-role database credentials are restricted to specific server-side code paths and are never exposed to the browser.
  • We log all administrative actions for audit purposes.

We will notify affected schools without undue delay (and in any event within 72 hours) of any confirmed data breach affecting their data, consistent with applicable state breach-notification laws.

12. Your rights

Depending on your jurisdiction (Maryland, DC, Virginia, and other state privacy laws may apply), you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Delete your information (subject to school recordkeeping needs)
  • Object to certain processing
  • Port your data to another service in a machine-readable format

To exercise any of these rights, contact your school's Athletic Director (the data controller) first. If your school cannot resolve your request, contact us at privacy@busbeat.app and we will respond within 30 days.

13. Children

Bus Beat accounts are issued only to school staff (employees and contractors of the school). We do not knowingly create accounts for individuals under 18. Students do not have Bus Beat accounts.

14. Changes to this policy

We will post material changes here and notify school administrators by email at least 30 days before the new terms take effect. Continued use of the service after the effective date constitutes acceptance of the updated terms.

15. Contact

  • Privacy questions: privacy@busbeat.app
  • Security issues: security@busbeat.app
  • Mailing address: [Address TBD]
  • Data Protection Inquiries (Schools): Refer to your DPA