FERPA & COPPA Compliance

How we protect student data at every step.

Effective Date: March 30, 2026 | Last Updated: April 9, 2026

Overview

Story Bridge LLC (“StoryBridge”) is committed to protecting the privacy and security of student data. This compliance statement explains how StoryBridge meets the requirements of the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g) and the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506), including the April 22, 2026 COPPA amendments (16 CFR Part 312), in the operation of our therapeutic storybook platform.

StoryBridge is designed exclusively for use by school counselors, social workers, and educators (“Authorized Users”) to create personalized Social-Emotional Learning (SEL) stories for students in grades K–8. The platform operates within the school context under the supervision of qualified school personnel.

FERPA Compliance

School Official Exception (34 CFR § 99.31(a)(1))

StoryBridge operates under the “school official” exception to FERPA. When a school district contracts with StoryBridge, we function as a school official with a legitimate educational interest in the student data we process. We:

  • Perform an institutional service or function that the school would otherwise perform itself (therapeutic story creation for SEL interventions).
  • Are under the direct control of the school with respect to the use and maintenance of education records.
  • Use education records only for the purposes for which access was granted.
  • Meet the criteria set forth in the school’s annual notification of FERPA rights regarding the use of contractors.

Education Records We Process

StoryBridge processes the following education records on behalf of schools:

| Record Type | Data Elements | Purpose |
|---|---|---|
| Student Profile | First name, last name, grade level, school, external ID (optional) | Story personalization and session tracking |
| Reading Sessions | Session timestamps, story read, quiz responses, points earned | Progress monitoring and SEL skill assessment |
| Skill Check-ins | SEL skill prompted, student response (tried it / not yet / need help) | SEL skill practice tracking and counselor follow-up |
| Story Assignments | Assigned story/series IDs, assignment date, completion status | Counselor-directed intervention delivery |

Parental Rights Under FERPA

FERPA grants parents (and eligible students aged 18+) the right to:

  • Inspect and review their child’s education records. Parents should contact their school’s counselor or administrator, who can export student data from StoryBridge at any time using the built-in data export function.
  • Request amendment of records they believe are inaccurate. Authorized Users can update any student information directly in the platform.
  • Consent to disclosure. StoryBridge does not disclose student records to any third party outside the school’s direct control without prior written consent, except as permitted under FERPA.
  • Request deletion. Schools can request deletion of student records at any time. Individual student records can be deleted immediately by Authorized Users with Admin privileges. Organization-wide data deletion requests are processed within 30 days.

Data Minimization

StoryBridge collects only the minimum student information necessary to deliver the service:

  • We require only first name, last name, and grade level to create a student profile.
  • We do NOT collect home addresses, parent contact information, Social Security numbers, medical records, disciplinary records, or behavioral diagnoses.
  • Story themes and therapeutic goals are entered by the counselor, NOT linked to specific student diagnoses.
  • Student names are used for story personalization only and are not transmitted to external AI services.

Data Security Safeguards

  • Encryption at Rest: AES-256 via Google Cloud Platform
  • Encryption in Transit: TLS 1.2+ on all connections
  • Access Controls: Role-based (Creator, Admin, Super Admin) with organization/school isolation
  • Authentication: Firebase Auth with Google, Microsoft, and ClassLink SSO
  • Audit Trail: All data access, export, and deletion events logged with timestamps
  • Backup & Recovery: Daily/weekly backups, 7-day PITR, 30-day file recovery
  • Infrastructure: Hosted on GCP (SOC 2 Type II, ISO 27001, FedRAMP)
  • Incident Response: Schools notified within 72 hours of any data breach

Data Retention and Disposal

  • Student data is retained for the duration of the school’s active subscription.
  • Upon subscription termination, all student data is deleted within 30 days.
  • Individual student records can be deleted immediately by Authorized Users.
  • Encrypted backups containing deleted data are automatically purged after 98 days.
  • Audit logs are retained for 1 year, then permanently deleted.

COPPA Compliance

School Consent Exception (16 CFR § 312.5(c)(1))

StoryBridge relies on the COPPA “school consent exception,” under which schools may consent to the collection of student personal information on behalf of parents when the data is used solely for educational purposes.

Under FTC guidance, schools can provide consent on behalf of parents when the online service is used solely for an educational purpose and for no other commercial purpose. StoryBridge meets this criterion, as its sole purpose is to deliver therapeutic SEL interventions under the direction of school counselors.

April 2026 COPPA Amendments (16 CFR Part 312)

The FTC’s amended COPPA Rule, effective April 22, 2026, introduces three new operator requirements. StoryBridge complies with each as follows:

Written Information Security Program (§312.8)

Operators must maintain a written information security program documenting administrative, technical, and physical safeguards. StoryBridge maintains a comprehensive WISP covering risk assessment, personnel security, vendor management, access control, encryption (AES-256 at rest, TLS 1.2+ in transit), audit logging, incident response, and backup/disaster recovery. Available upon request to contracting districts.

Written Data Retention Policy (§312.10)

Operators must publish a written data retention policy specifying retention periods, deletion triggers, and parent request procedures. StoryBridge maintains a detailed retention schedule covering all data categories, with defined retention periods, deletion triggers, cascade deletion procedures, and a documented parent deletion request process (acknowledged within 2 business days, completed within 30 days). Available upon request to contracting districts.

Third-Party Disclosure Notice (§312.4)

Operators must provide parents explicit notice when personal information is shared with new third parties. StoryBridge provides districts a ready-to-use parent notice template and ClassLink roster sync opt-out form for distribution to K–8 parents. Contact privacy@thestorybridge.app to request the template.

How We Comply with COPPA’s Requirements

1. No Direct Collection from Children

StoryBridge does not have any student-facing registration, login, or data entry forms. All student data is entered by Authorized Users (adults). Students interact with the platform only through a supervised kiosk mode where no personal information is collected directly from the child.

2. Limited Data Collection

We collect only the information reasonably necessary to deliver the educational service: student name, grade level, and reading activity. We do not collect photos, videos, voice recordings from students, location data, device identifiers, or any data beyond what is needed for story personalization and progress tracking.

3. No Advertising or Third-Party Sharing

StoryBridge contains no advertising. We do not share, sell, or rent student data to any third party for marketing or commercial purposes. Data is shared only with service providers necessary to operate the platform (see Privacy Policy).

4. Parental Access and Deletion

Parents can request to review their child’s data or request its deletion by contacting their school’s counselor or administrator. Authorized Users can export and delete student data through the platform’s built-in tools. Deletion requests are honored promptly.

5. Data Security

We maintain reasonable security procedures to protect children’s personal information from unauthorized access, use, or disclosure. See the Security Safeguards section above for details.

6. Data Retention Limits

We retain children’s personal information only as long as necessary to fulfill the educational purpose for which it was collected. Data is deleted upon school request or subscription termination.

AI-Generated Content and Student Data

StoryBridge uses AI (Google Vertex AI / Gemini) to generate story content. Key safeguards:

  • No student PII sent to AI models. Story generation prompts include only the theme, character descriptions, and educational goals provided by the counselor. Student names are NOT included in AI prompts.
  • Content safety review. All AI-generated stories pass through a QA safety review that checks content for age-appropriateness, therapeutic alignment, and potential harms before publication.
  • Human review required. Authorized Users must review and explicitly publish stories before they are available to students. The platform does not auto-publish AI-generated content.
  • No AI training on student data. StoryBridge does not use student data, reading session data, or any PII to train, fine-tune, or improve AI models. Google Vertex AI’s data processing agreement prohibits Google from using customer data for model training.

Student Data Privacy Agreement (DPA)

StoryBridge is prepared to execute a Student Data Privacy Agreement (DPA) with school districts that require one. Our standard DPA covers:

  • Data ownership (the school owns all student data)
  • Permitted uses and restrictions
  • Data security requirements
  • Breach notification procedures (within 72 hours)
  • Data return and destruction upon contract termination
  • Subcontractor restrictions
  • Compliance with applicable state student privacy laws

To request a DPA or discuss specific compliance requirements for your district, please contact us at privacy@thestorybridge.app.

State Student Privacy Laws

In addition to FERPA and COPPA, StoryBridge is designed to comply with state-level student data privacy laws, including but not limited to:

  • Wisconsin Act 143 (Wis. Stat. § 118.125) — Student records privacy and parental access rights
  • SOPIPA (California) — Student Online Personal Information Protection Act
  • NY Education Law § 2-d — Student data privacy and security requirements
  • SDPC National Data Privacy Agreement — StoryBridge supports the Student Data Privacy Consortium framework

If your state has specific student data privacy requirements not listed above, please contact us to discuss compliance.

Compliance Summary

| Requirement | Status | Implementation |
|---|---|---|
| FERPA: School official exception | Compliant | District DPA designates StoryBridge as school official |
| FERPA: Parental access rights | Compliant | Data export function available to Admin users |
| FERPA: Data amendment | Compliant | Authorized Users can edit student records directly |
| FERPA: Data deletion | Compliant | Delete function available to Admin users; org-wide deletion within 30 days |
| FERPA: Audit trail | Compliant | All data access/export/deletion events logged |
| FERPA: Data security | Compliant | AES-256 encryption, RBAC, GCP SOC 2 / ISO 27001 infrastructure |
| COPPA: School consent exception | Compliant | Service used solely for educational purpose under school direction |
| COPPA: No direct child data collection | Compliant | All data entered by adult Authorized Users only |
| COPPA: No advertising | Compliant | Zero advertising or tracking in the platform |
| COPPA: No third-party data sharing | Compliant | No data sold or shared for marketing purposes |
| COPPA: Parental review/deletion | Compliant | Parents can request access/deletion via school administrator |
| COPPA: Data minimization | Compliant | Only name, grade, school, and reading activity collected |
| COPPA: Security safeguards | Compliant | Industry-standard encryption, access controls, and monitoring |
| COPPA §312.8: Written Information Security Program | Compliant | WISP maintained with admin, technical, and physical safeguards; annual review |
| COPPA §312.10: Written Data Retention Policy | Compliant | Published retention schedule with deletion procedures and parent request process |
| COPPA §312.4: Third-Party Disclosure Notice | Compliant | Parent notice template and ClassLink opt-out form provided to districts |
| AI safety: No PII in prompts | Compliant | Student names excluded from AI generation prompts |
| AI safety: No model training on data | Compliant | Google Vertex AI DPA prohibits customer data for training |
| AI safety: Human review required | Compliant | Stories must be explicitly published by Authorized Users |

Rows highlighted in blue represent new requirements under the April 22, 2026 COPPA amendments.

Contact for Compliance Inquiries

For questions about our FERPA/COPPA compliance, to request a Data Privacy Agreement or parent notice template, or to report a concern:

Story Bridge LLC — Privacy & Compliance

Email: privacy@thestorybridge.app

Website: thestorybridge.app