Privacy Policy
The short version: We collect only what we need to run the Service. We do not sell your data. We do not show ads. Student data is treated with extra care in accordance with FERPA. You can delete your account and your data at any time.
Contents
1. What We Collect
We collect information you provide directly, information generated by your use of the Service, and limited technical data.
Account information: First name, last name, preferred name, email address, date of birth (optional), password (hashed — we never store it in plain text), role (student, parent, school admin, etc.), and school or organization affiliation.
Activity records: Activity titles, roles, organizations, dates, hours, descriptions, outcomes, and any evidence files you upload.
Verification data: Verification requests, approver decisions, notes, and timestamps.
Usage data: Pages visited, features used, timestamps of actions. We do not use third-party analytics trackers.
Technical data: IP address (stored temporarily for security and rate-limiting), browser type, and session identifiers.
2. How We Use Your Data
We use your data solely to provide and improve the Service. Specifically:
- To create and manage your account
- To store and display your activity records
- To send verification requests to your chosen verifiers
- To generate exports (PDF, Word, Common App format)
- To send transactional emails (verification notifications, password resets, parent digests)
- To enforce our Terms of Service and prevent abuse
- To improve the Service based on aggregated, anonymized usage patterns
We do not use your data to serve advertisements. We do not build advertising profiles. We do not sell your data.
3. How We Store and Protect Data
Your data is stored on servers in the United States. We use the following measures to protect it:
- Encryption at rest: Email addresses are encrypted using AES-256. Passwords are hashed using bcrypt and never stored in recoverable form.
- Encryption in transit: All connections to Zipadoo are served over HTTPS/TLS.
- Access controls: All data queries are scoped to the authenticated user's account. No cross-account data access is permitted.
- Audit logging: Administrative actions are logged for security review.
- File storage: Uploaded evidence files are stored outside the web root and served only through authenticated, time-limited signed URLs.
No security system is perfect. If you believe your account has been compromised, contact us immediately at [email protected].
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
- With verifiers you choose: When you submit an activity for verification, the verifier receives your name, activity details, and a one-click approval link. They do not receive your email address or account credentials.
- With linked parents: If you invite a parent or guardian, they receive read-only access to your activity record as you configure it.
- With school administrators: If your school is on Zipadoo, school admins can view student activity records and verification requests scoped to their school.
- With service providers: We use a small number of third-party services (hosting, email delivery) that process data on our behalf under confidentiality agreements.
- For legal compliance: We may disclose data if required by law, court order, or to protect the safety of users or others.
5. Student Privacy and FERPA
Zipadoo is designed for use by students, including minors. We take student privacy obligations seriously.
- Student activity records are the student's own records — not education records generated or maintained by a school for its own purposes. As such, FERPA applies to the extent schools use Zipadoo as part of their official processes.
- We do not share student records with colleges, employers, or any third party without explicit student consent (e.g., via a share link the student generates).
- Parents of students under 18 may request to view, correct, or delete their child's records by contacting us.
- We do not use student data for targeted advertising or data mining.
6. Children Under 13 (COPPA)
Zipadoo is not directed at children under 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we become aware that a user is under 13 without parental consent, we will promptly delete their account and data.
If you believe your child under 13 has created an account without your consent, please contact us at [email protected].
7. Cookies and Tracking
Zipadoo uses only essential cookies required for the Service to function:
- Session cookie: Keeps you logged in during your browser session.
- CSRF token: Protects against cross-site request forgery attacks.
We do not use advertising cookies, third-party tracking pixels, or analytics services that track you across other websites. We do not use Google Analytics or similar services.
8. Your Rights and Choices
You have the following rights regarding your data:
- Access: You can view all your activity data from your dashboard at any time.
- Correction: You can edit your profile and activity records from your dashboard.
- Deletion: You can delete your account from your account settings. Deletion removes your personal data from our active systems. Some data may be retained in backups for up to 90 days.
- Export: You can export your folio as a PDF or Word document at any time.
- Revocation: You can revoke parent access or share links at any time from your profile settings.
To exercise any of these rights or to request a data export in machine-readable format, contact us at [email protected].
9. Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Your profile and activity records are removed from active systems immediately.
- Verification request records associated with your account are anonymized.
- Audit log entries referencing your account may be retained for up to 12 months for security and compliance purposes.
- Backup copies may persist for up to 90 days before being purged.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
11. Contact
If you have questions, concerns, or requests related to this Privacy Policy, please contact us:
Zipadoo — Privacy
Email: [email protected]
Please include "Privacy" in your subject line. We aim to respond within 5 business days.