FERPA / COPPA Privacy Notice

Last updated: 2026-03-14

This FERPA / COPPA Privacy Notice applies when a school, district, college, university, or educator (“Institution”) uses Koalendar in connection with students or student scheduling data.

This notice supplements our Privacy Policy and our Data Processing Addendum. It describes how Koalendar supports education customers that use the Service under the Family Educational Rights and Privacy Act (“FERPA”) and the Children’s Online Privacy Protection Act of 1998 (“COPPA”). FERPA is administered by the U.S. Department of Education.

1. Applicability

This notice applies only when an Institution uses the Service for education-related scheduling workflows involving students.

Depending on how the Institution uses the Service, information submitted through Koalendar may constitute an “education record” under FERPA.

In this context, Koalendar generally processes limited scheduling information such as:

• Student or invitee name
• Email address or phone number
• Appointment date, time, and duration
• Booking form responses and optional notes that the Institution chooses to collect

Koalendar is not intended to be used by students to create accounts, and Institutions should avoid collecting more student information through booking forms than is reasonably necessary for the scheduling purpose.

Institutions should avoid collecting sensitive student data such as grades, transcripts, health information, or disciplinary records through booking forms unless strictly necessary.

2. Role of the Institution

The Institution remains responsible for deciding whether and how to use Koalendar with students.

The Institution:

• Controls what student information is shared through the Service
• Determines whether information submitted through the Service constitutes an education record or other protected student data
• Retains direct control over the education records made available to Koalendar through the Service
• Remains responsible for its own compliance with FERPA, COPPA, and other applicable student privacy laws

3. Koalendar as Service Provider

When the Service is used by an Institution in connection with student data, Koalendar acts as a service provider to the Institution.

To the extent FERPA applies, Koalendar performs institutional services or functions on behalf of the Institution and operates under the direct control of the Institution with respect to the use and maintenance of education records.

Koalendar functions as a school official with legitimate educational interests for the limited purpose of providing the scheduling, booking, communication, support, and security functions requested by the Institution. The Institution retains direct control over the education records shared through the Service.

Koalendar processes student-related information only on behalf of and under the instructions of the Institution, as necessary to provide the Service.

Koalendar does not claim FERPA certification. The availability of this notice, the Service, or any FERPA-related settings does not replace the Institution’s responsibility to evaluate whether Koalendar is appropriate for its legal and policy requirements.

4. Student Accounts and Participation

Students may participate in meetings or bookings as invitees, attendees, or other participants designated by the Institution, but students may not register for Koalendar accounts directly.

Children under 13 may not create Koalendar accounts.

Only teachers, staff members, administrators, or other authorised representatives of the Institution should create and administer Koalendar accounts used for education-related workflows.

5. How Student Information Is Used

Koalendar uses student-related information only as necessary to provide and secure the Service for the Institution, including to:

• Schedule and manage appointments and availability
• Send booking-related emails, reminders, and notifications
• Provide customer support requested by the Institution
• Maintain the security, integrity, and reliability of the Service
• Improve and maintain the functionality and reliability of the Service, provided such processing does not involve building profiles of students for unrelated purposes
• Prevent spam, fraud, abuse, and technical misuse

Koalendar does not use student information:

• To sell student personal information
• For targeted advertising
• To build profiles unrelated to providing the Service to the Institution

Koalendar does not redisclose student information except as permitted by applicable law and as necessary to operate the Service, including:

• To the Institution and its authorised users
• To subprocessors and service providers that help us operate the Service under confidentiality and data protection obligations
• When required by law or legal process

6. School Notice and Consent Responsibilities

Institutions are responsible for determining what notices, permissions, or consents are required before students use the Service.

This includes responsibility for:

• Providing any required FERPA notices
• Obtaining any parental or guardian consent required under COPPA or other applicable law
• Determining whether a student may use the Service as an invitee
• Handling parent, guardian, or student requests regarding records, access, correction, or deletion where required by law

Koalendar will provide reasonable assistance to the Institution where appropriate, but the Institution remains responsible for managing its relationship with students, parents, and guardians.

7. Safeguards for Student Data

Koalendar maintains reasonable technical and organisational safeguards designed to protect student-related information processed through the Service, including:

• Encryption in transit
• Access controls for production systems
• Confidentiality obligations for personnel with access to relevant systems
• Logging, monitoring, and security processes designed to detect and address misuse

No security measure can guarantee absolute security, but Koalendar applies safeguards appropriate to the nature of the data and the Service.

8. Relationship to the DPA

For Institutions using Koalendar as a processor or service provider, our Data Processing Addendum describes the general controller / processor relationship, subprocessor framework, security commitments, and deletion or return obligations.

Institutions that require additional contractual assurances may contact Koalendar to discuss institution-specific agreements.

9. Contact

If you have questions about this notice or Koalendar’s handling of student scheduling data, contact us at dpo@koalendar.com.