FERPA Compliance

Effective date: March 20, 2026

1. Our Commitment

BookPulse, operated by Baarstad Consulting Services, is committed to protecting student education records in accordance with the Family Educational Rights and Privacy Act (FERPA). This page describes how we handle student data, our role as a school official, and the controls available to teachers and administrators.

2. School Official Designation

BookPulse operates as a “school official with a legitimate educational interest” under FERPA (34 CFR 99.31(a)(1)). We provide educational services — interactive reading comprehension tasks, student progress tracking, and optional AI-powered feedback — under the direction and control of the school. Student records within BookPulse are education records used solely for the instructional purposes for which we were engaged by the teacher.

3. Data Minimization

We collect the minimum student information necessary to provide the educational service:

  • Collected: First name, last initial, and a password (cryptographically hashed)
  • Not collected: Email addresses, full last names, dates of birth, home addresses, Social Security numbers, photos, biometric data, or any other personally identifiable information

Students join classes using a teacher-provided code and create a simple account with only the information listed above. This minimal data footprint significantly reduces privacy risk.

4. No Re-Disclosure

Student education records are never shared with third parties for non-educational purposes. We do not sell, rent, or trade student data. We do not use student data for advertising, profiling, marketing, or any purpose unrelated to the instructional service.

5. AI Data Handling

When a teacher enables AI-powered feedback for their class (available on the Plus plan), student written responses are processed by Anthropic's Claude API to generate educational feedback. Here is exactly what happens:

  • What is sent: The task prompt (e.g., “Analyze the symbolism in Chapter 3”) and the student's written response text
  • What is NOT sent: Student names, last initials, email addresses, class names, teacher names, school names, or any identifying information
  • How it is processed: The de-identified text is evaluated against educational rubrics and feedback is returned to BookPulse
  • Data retention by Anthropic: Anthropic retains API submissions for up to 30 days for safety monitoring and abuse detection only. Anthropic does not use API data to train its models. Student responses are de-identified before transmission — Anthropic receives only the task text and response text, never any student names or identifiers.
  • Teacher control: Teachers may enable or disable AI feedback for each class at any time via class settings
  • Auto-gradable task types: Vocabulary matching, drag-and-drop ordering, and self-check tasks are graded automatically by BookPulse without any API call to Anthropic. No data is sent to Anthropic for these task types — only open-ended written response tasks use the AI API.

6. Teacher and Administrator Controls

Teachers have full control over student data within their classes:

  • View all student data associated with their classes
  • Reset student passwords when students are locked out
  • Remove individual students and all their associated response data
  • Delete entire classes and all associated student data
  • Disable or enable AI feedback per class

School administrators or districts may request bulk deletion of all student data associated with their teachers by contacting support@readbookpulse.com. Deletion requests are honored within 30 days.

7. Data Processing Agreement (DPA)

BookPulse offers a Data Processing Agreement for schools and districts that require one. A DPA formalizes our obligations regarding student data handling, security practices, breach notification, and data deletion.

Note on AI sub-processor: BookPulse uses Anthropic's Claude API for AI-powered feedback. A formal DPA with Anthropic (as our AI sub-processor) is currently pending execution. Our existing BookPulse DPA covers the data handling protections we directly control. Schools with strict sub-processor DPA requirements should contact us to discuss current status before signing.

To request a DPA, contact us at support@readbookpulse.com or use our contact form.

8. Data Security

Student data is protected by multiple layers of security:

  • All data transmitted over HTTPS/TLS encryption
  • Database encrypted at rest (hosted by Supabase, US-East region)
  • Row-Level Security (RLS) policies ensure teachers can only access their own students' data
  • Student passwords are cryptographically hashed — never stored in plaintext
  • Server-side authentication enforcement via middleware
  • Admin access restricted to whitelisted email addresses

For complete details about our security practices, see our Security page.

9. Breach Notification

In the event of a data breach affecting student education records, we will notify affected schools and teachers within 72 hours of discovery. Notification will include the nature of the breach, the data affected, steps taken to contain it, and recommended actions.

10. COPPA Compliance

BookPulse also complies with the Children's Online Privacy Protection Act (COPPA). Teacher consent serves as the parental consent mechanism under COPPA's school exception. Because we collect only first name, last initial, and a hashed password — and no email addresses or other identifiers — our data collection is well within COPPA's requirements for minimal necessary information.

11. Contact

For FERPA-related questions, data deletion requests, or to request a Data Processing Agreement, contact us at support@readbookpulse.com or visit our contact page.

Privacy PolicyTerms of ServiceSecurity Practices