FERPA & COPPA Compliance
Last updated: March 16, 2026
PlayPath is built from the ground up to comply with federal student privacy laws. This page explains how we meet the requirements of FERPA, COPPA, and GDPR, and what that means for schools, parents, and students.
- FERPA: Family Educational Rights and Privacy Act
- COPPA: Children's Online Privacy Protection Act
- GDPR: General Data Protection Regulation (EU/UK)
COPPA Compliance
The Children's Online Privacy Protection Act (COPPA) requires websites and online services to obtain verifiable parental consent before collecting personal information from children under 13. PlayPath exceeds these requirements.
What we collect from students
PlayPath collects the minimum data necessary for the educational service to function:
- Challenge responses: Answers to educational questions, stored under anonymous hash IDs that cannot be traced back to the student.
- Mastery scores: Skill progression data used to adapt difficulty.
- Session metadata: Start/end times and zone progression, used for teacher reporting.
We do not collect:
- Student names or email addresses (LTI students use pseudonymous IDs from the school LMS)
- Photos, videos, or audio recordings
- Location data, device identifiers, or advertising IDs
- Social media information or contact lists
How we obtain consent
PlayPath uses a dual-path consent model:
- School-authorized access (LTI): When students access PlayPath through their school's learning management system, the school acts as the authorized agent under FERPA and provides consent on behalf of parents for legitimate educational purposes. Schools agree to our Terms of Service and Privacy Policy as part of the integration process.
- Direct parental consent: When students access PlayPath outside of a school context, we require verifiable parental consent before any data collection begins. Parents manage consent through the Parent Portal, where they can grant, review, or revoke consent at any time.
Parental rights under COPPA
Parents have the right to:
- Review their child's data through the Parent Portal
- Request deletion of their child's data at any time
- Revoke consent for future data collection (note: revoking consent means the child can no longer use the service)
- Export their child's data in a machine-readable format (JSON or CSV)
No tracking, no advertising
We never use analytics tracking, behavioral advertising, or third-party cookies for students under 13. Our analytics service (PostHog) is configured to exclude all student sessions. AI services (used to generate educational content) never receive student data during live sessions — all content is pre-generated before the student begins playing.
FERPA Compliance
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records maintained by schools. When PlayPath is used as part of a school's educational program, we operate under FERPA's "school official" exception.
How PlayPath operates under FERPA
- School official designation: PlayPath acts as a "school official" with a legitimate educational interest when integrated with a school through LTI. This means we can access education records as needed to provide the educational service, without separate parental consent.
- School control: The school maintains ultimate control over all education records. PlayPath processes data only as directed by the school.
- Limited use: We use education record data solely for the purpose of providing the educational service. We never use education records for marketing, advertising, or any non-educational purpose.
- Data return and deletion: Schools can request the return or deletion of all education records at any time. Upon termination of a school's account, we delete all identifiable education records within 30 days.
What schools agree to
Schools using PlayPath through LTI integration agree to:
- Act as the FERPA-authorized agent for their students
- Obtain any necessary parental consent for the use of PlayPath
- Notify PlayPath if a parent objects to the disclosure of their child's education records
- Ensure that PlayPath's use is consistent with the school's annual FERPA notification to parents
Parent access to education records
Parents can access their child's education records through:
- Parent Portal: View learning progress, mastery data, session history, and teacher-assigned content.
- School LMS: Grade data passed back to the school's system is accessible through the school's standard parent access tools.
- Data export: Request a full export of their child's data by contacting us at privacy@playpath.app.
GDPR Compliance
For users in the European Economic Area (EEA) and the United Kingdom, we comply with the General Data Protection Regulation (GDPR). Key provisions include:
- Lawful basis: We process data under legitimate educational interest (for school-authorized use) or explicit consent (for direct users).
- Data minimization: We collect only the data necessary to provide the educational service.
- Rights of data subjects: Users can access, correct, delete, or export their data. See our Privacy Policy for full details.
- Data protection by design: Our hash-ID architecture ensures that learning data is structurally decoupled from user identity, providing privacy protection beyond what most platforms offer.
Our Data Architecture
PlayPath uses a hash-ID anonymization architecture that goes beyond standard compliance requirements:
- Identity layer: User accounts (names, emails, authentication) are stored in one system.
- Learning layer: All educational data (responses, scores, progress) is stored under a one-way cryptographic hash that cannot be reversed.
- Mapping layer: A secure mapping connects identity to learning data. This mapping is deleted when an account is deleted, permanently severing the link.
This means that even in the unlikely event of a data breach, learning records cannot be traced back to individual students. Teachers see student progress through the secure mapping, which exists only within the platform.
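The three-layer split described above, as an added sketch that is not PlayPath's own code. It assumes the hash ID is an HMAC-SHA256 keyed with a per-account random secret held only in the mapping layer; the class, method names and account ID format are hypothetical. `relink_by_enumeration` is an audit check showing why that keying matters: a bare, unkeyed hash of a known ID can be recomputed and matched even after the mapping is deleted.

```python
import hashlib
import hmac
import secrets


class Platform:
    """Identity, mapping and learning data kept in three separate stores."""

    def __init__(self):
        self.identity = {}  # account_id -> {"name", "email"}
        self.mapping = {}   # account_id -> (per-account secret, hash ID)
        self.learning = {}  # hash ID -> list of learning records

    def create_account(self, account_id, name, email):
        # Assumption: the hash ID is keyed with a random secret that is
        # stored only in the mapping layer, never next to learning data.
        key = secrets.token_bytes(32)
        hash_id = hmac.new(key, account_id.encode(), hashlib.sha256).hexdigest()
        self.identity[account_id] = {"name": name, "email": email}
        self.mapping[account_id] = (key, hash_id)
        self.learning[hash_id] = []
        return hash_id

    def record_response(self, account_id, skill, correct):
        _, hash_id = self.mapping[account_id]
        self.learning[hash_id].append({"skill": skill, "correct": correct})

    def teacher_view(self, account_id):
        # Progress is reachable only by going through the mapping layer.
        entry = self.mapping.get(account_id)
        return None if entry is None else list(self.learning[entry[1]])

    def delete_account(self, account_id):
        # Identity and mapping (including the secret) are removed;
        # the anonymized learning rows are retained.
        self.identity.pop(account_id, None)
        self.mapping.pop(account_id, None)


def relink_by_enumeration(learning_ids, candidate_account_ids):
    """Audit check: match learning IDs against unkeyed SHA-256 of known IDs."""
    guesses = {hashlib.sha256(a.encode()).hexdigest(): a
               for a in candidate_account_ids}
    return {lid: guesses[lid] for lid in learning_ids if lid in guesses}
```
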
Data Retention
| Data Type | Retention | On Deletion |
|---|---|---|
| Account data | While account is active | Permanently deleted |
| Learning data | Indefinite (anonymized) | Identity mapping deleted; anonymized data retained |
| Telemetry data | 90 days | Auto-purged |
| Consent & audit logs | 7 years | Retained for legal compliance |
Contact Us
If you have questions about our compliance practices, need to report a concern, or want to exercise your data rights, contact us at:
For full details on data collection and your rights, see our Privacy Policy and Terms of Service.