DailyWins Privacy Policy
1. Introduction
DailyWins is a classroom behavior tracking application designed for use by K–12 educators. DailyWins allows teachers to record daily student behavior scores across customizable categories, generate progress reports, and share behavioral data with parents, guardians, and school administrators.
This Privacy Policy describes how Sure Step Education (“we,” “our,” or “us”), the company behind DailyWins, collects, uses, stores, discloses, and protects student data and other personal information in connection with the DailyWins application and website (collectively, the “Service”).
We are committed to protecting the privacy and security of student information and complying with all applicable federal and state laws, including the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), the California Student Online Personal Information Protection Act (SOPIPA, Cal. Bus. & Prof. Code § 22584), and California Education Code § 49073.1 (AB 1584).
2. Definitions
- Local Educational Agency (LEA): A school district, county office of education, or charter school that enters into a contract with DailyWins.
- Pupil Records: Any information directly related to a student that is maintained by the LEA or by DailyWins on behalf of the LEA. This includes behavior scores, attendance data, teacher notes, and any other personally identifiable information (PII).
- Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual student’s identity, either alone or when combined with other information.
- Operator: Sure Step Education, doing business as DailyWins, as a provider of an online service designed and marketed for K–12 school purposes.
- Third Party / Provider: As defined in California Education Code § 49073.1 (AB 1584), the provider of digital educational software or services for the digital storage, management, and retrieval of pupil records — in this case, Sure Step Education, operating the DailyWins application.
3. Information We Collect
DailyWins collects only the information necessary to provide the Service. We collect the following categories of information:
3.1 Student Information (Pupil Records)
- Student name or initials (as entered by the teacher)
- Daily behavior scores across teacher-configured categories (e.g., Arrival, Compliance, Social, On-Task, Phone Away)
- Attendance and absence records (Present, Unexcused Absent, Excused Absent)
- Teacher-written notes associated with specific students, dates, and class periods
- Behavioral trend data (weekly, monthly, and annual aggregations)
3.2 Teacher / Staff Information
- Name and email address (via Google OAuth single sign-on or a passwordless email magic-link sign-in)
- School and district affiliation
- Assigned role within the Service (Teacher, Site Administrator, District Administrator, or Operator)
- Configuration preferences (bell schedules, category settings, progress bar thresholds)
3.3 Technical Information
- Browser type and version
- Device type (for responsive display purposes only)
- Authentication tokens (managed by our authentication provider via Google OAuth or email magic-link; DailyWins does not store passwords)
4. How We Use Information
DailyWins uses collected information solely for the following educational purposes:
- To provide teachers with a tool for tracking and analyzing student behavior
- To generate progress reports (daily, weekly, monthly, annual) for use in parent conferences, IEP meetings, and administrative review
- To enable PDF and chart exports for teacher and school use
- To authenticate authorized users via Google OAuth or email magic-link
- To read uploaded bell-schedule documents using an automated parsing service. Only the school’s bell-schedule PDF is processed for this purpose — no student information is sent to this service
- To maintain and improve the functionality, security, and reliability of the Service
5. Prohibited Uses of Student Information
DailyWins will NEVER:
- Use personally identifiable information from pupil records to engage in targeted advertising directed at students, parents, or teachers.
- Use student information to create or amass a profile of a student for any purpose other than K–12 school purposes as authorized by the LEA.
- Sell, rent, or trade student personal information to any third party.
- Disclose student information to any third party except as required by law, authorized by the LEA, or as described in this Privacy Policy.
- Use student information for any commercial purpose unrelated to the provision of the Service.
6. Ownership and Control of Pupil Records
In accordance with California Education Code § 49073.1 (AB 1584), all pupil records provided to or generated within DailyWins remain the property of and under the control of the Local Educational Agency (LEA). DailyWins acts as a custodian of this data on behalf of the LEA and is considered a School Official with a legitimate educational interest under FERPA.
The LEA retains full authority to direct DailyWins regarding the access, use, modification, and deletion of pupil records.
7. Data Storage and Security
7.1 Where Data Is Stored
All student data is stored on Supabase (PostgreSQL) servers located in the United States (US East region). Data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256 encryption.
7.2 Security Measures
DailyWins implements and maintains reasonable security procedures appropriate to the nature of the student information collected, including:
- Row-Level Security (RLS) enforced at the database layer on every read and write, so access is restricted by the database itself — not only by application code. Each teacher can access only their own students’ data.
- Role-based access across four tiers (Teacher, Site Administrator, District Administrator, and Operator), each scoped to the minimum data its function requires (see Section 7.3).
- Approval-gated access: a new account can view no student data until it is explicitly approved by the Operator. Unapproved accounts are held in a pending state with no data access.
- Google OAuth 2.0 or passwordless email magic-link for authentication (DailyWins never stores or handles user passwords)
- An append-only audit log recording sensitive administrative actions (see Section 7.4)
- HTTPS / TLS encryption for all data in transit; AES-256 at rest
- Access controls limiting data access to authorized personnel only
- Regular review of security practices and infrastructure
7.3 Role-Based Access and the Operator’s Limited Visibility
DailyWins is built so that the people who operate the Service cannot casually browse student data. Row-Level Security at the database layer scopes every read to the requesting user’s role:
- Teachers can access only the students in their own classes — their behavior scores, notes, and records.
- Site Administrators can access student records for the specific school(s) they administer, for legitimate school-administration purposes.
- District Administrators act on behalf of the LEA, and the LEA owns every record created on the Service it has purchased. A District Administrator can therefore review the complete record for their own district — including all teacher notes, shared and private — through the district records tools (the notes archive). Because these records may be produced in records requests or legal proceedings, each use of the records tools is documented in the audit log (who, when, and the stated purpose), preserving a clean chain of access for the district’s own files. Day-to-day district dashboards otherwise show aggregate usage, keeping casual exposure of student data to a minimum.
- The Operator (Sure Step Education) administers the system but, through its role-based access in the application, cannot view individual student behavior records or teacher notes. The database’s Row-Level Security policies do not grant the Operator ambient read access to pupil records; its access is limited to the operational and aggregate information needed to run the Service.
Two limited exceptions to the Operator’s blindness exist and are handled transparently:
- Supervised “act-as” support sessions. An administrator may, when necessary to provide support or troubleshoot, operate the Service as a specific user. Every such session is recorded in the audit log with the administrator’s identity, the affected user, the stated reason, and a time limit; it is visible to the affected user and automatically expires.
- Engineering and database maintenance. Routine operation and maintenance of the underlying database may require privileged technical access by authorized Sure Step Education personnel. Such access is used solely to operate, secure, and maintain the Service and never for the purposes prohibited in Section 5.
7.4 Administrative Transparency and Audit Logging
DailyWins maintains an append-only audit log of sensitive administrative actions — including access approvals, “act-as” support sessions (together with changes made to student records during those sessions), district records access through the notes archive, and revocation of family/team access links. Each entry records who performed the action and when. This log supports accountability and enables an LEA to review how administrative access to its data has been used.
7.5 Designated Responsible Individual
DailyWins designates the following individual as responsible for ensuring the security and confidentiality of pupil records:
Name: Devin Farren
Title: Co-Founder, Sure Step Education
Email: devin@surestepeducation.com
8. Breach Notification
In the event of an unauthorized disclosure of pupil records, DailyWins will:
- Notify the affected LEA within 72 hours of discovering the breach
- Provide a description of the nature of the breach, the types of information involved, and the number of individuals affected
- Describe the steps DailyWins is taking to investigate and mitigate the breach
- Notify affected parents, legal guardians, or eligible pupils as directed by the LEA and in accordance with applicable law
9. Parental Rights: Access, Review, and Correction
In compliance with FERPA and AB 1584, parents, legal guardians, or eligible pupils (students 18 years of age or older) have the right to:
- Review their child’s personally identifiable information stored in DailyWins by contacting their child’s teacher or school administration.
- Request correction of erroneous information. Requests should be directed to the LEA, which will coordinate with DailyWins to make the correction.
- Request deletion of their child’s data by contacting their school district.
In addition, a teacher or school may provide a parent or guardian with a secure, read-only link to view their own child’s behavior data. Such links are scoped to a single student, do not permit any changes to records, and can be revoked by the teacher or school.
DailyWins will cooperate with the LEA in fulfilling all such requests in a timely manner.
10. Pupil-Generated Content
DailyWins does not currently collect pupil-generated content. All data in DailyWins is entered by teachers or school staff. Should a future version of DailyWins allow students to enter their own content, this policy will be updated to describe how students may retain possession and control of their pupil-generated content, including options to transfer such content to a personal account.
11. Data Retention and Deletion
DailyWins retains pupil records only for as long as necessary to fulfill the purposes described in this policy or as required by the LEA’s contract.
Upon termination or expiration of a contract with an LEA, or upon request by the LEA, DailyWins will:
- Return all pupil records to the LEA in a standard, machine-readable format (e.g., CSV or JSON)
- Delete all pupil records from DailyWins systems, including backups, within 60 days of the request or contract termination
- Provide written certification to the LEA confirming that all pupil records have been deleted and are no longer available to DailyWins
12. FERPA Compliance
DailyWins operates as a “School Official” with a legitimate educational interest under FERPA (34 CFR § 99.31(a)(1)). DailyWins and the LEA will jointly ensure compliance with FERPA by:
- Limiting access to student education records to authorized school personnel and DailyWins staff with a legitimate educational interest
- Maintaining appropriate administrative, technical, and physical safeguards to protect the confidentiality of student records
- Not redisclosing personally identifiable student information except as authorized by FERPA or directed by the LEA
- Cooperating with the LEA to respond to parental requests to inspect, review, or amend student records
13. SOPIPA Compliance
As an operator of an online service designed and marketed for K–12 school purposes, DailyWins complies with the California Student Online Personal Information Protection Act (SOPIPA, Cal. Bus. & Prof. Code § 22584) by:
- Not engaging in targeted advertising on the Service or using student information for advertising purposes
- Not using student information to amass profiles for non-educational purposes
- Not selling student information
- Not disclosing student information except for legitimate educational or authorized purposes
- Implementing and maintaining reasonable security procedures appropriate to the nature of the student information
- Deleting student information when no longer needed for its collected purpose or upon request
14. COPPA Compliance
DailyWins is designed for use by teachers and school staff, not directly by students. Teachers and staff are the sole users who enter data into the Service. DailyWins does not collect personal information directly from children under the age of 13.
In the event that DailyWins introduces any student-facing features in the future, we will obtain verifiable parental consent or rely on the school consent exception under COPPA (16 CFR § 312.5(c)(1)) before collecting any information directly from students under 13.
15. Third-Party Services and Subprocessors
DailyWins uses the following third-party services to operate:
| Service | Purpose | Data Processed |
|---|---|---|
| Supabase (PostgreSQL) | Database hosting and storage | All student and teacher data |
| Google OAuth 2.0 | User authentication | Teacher email address and name |
| Vercel | Application hosting and delivery | No student data stored; serves application code only |
| Anthropic (Claude API) | Automated reading of uploaded bell-schedule documents | Bell-schedule PDFs only — no student information. Submitted content is not used to train models. |
DailyWins does not share, sell, or disclose student information to any additional third parties beyond those listed above. We will update this list if additional subprocessors are added and will notify LEAs of material changes.
16. Changes to This Privacy Policy
DailyWins reserves the right to modify this Privacy Policy. If we make material changes that affect the handling of pupil records, we will notify all LEAs with active contracts at least 30 days prior to the changes taking effect. The updated policy will be posted at https://dailywins.school/privacy with the revised effective date.
17. Data Processing Agreements
DailyWins is prepared to enter into a Data Processing Agreement (DPA) with any LEA as required by California Education Code § 49073.1 (AB 1584). We also support the California Student Data Privacy Agreement (CSDPA) template developed by CITE (California IT in Education, formerly CETPA) and the Student Data Privacy Consortium’s National DPA template. LEAs may contact us to initiate the DPA process.
18. Contact Information
For questions, concerns, or requests related to this Privacy Policy or DailyWins’ data practices, please contact:
Sure Step Education
Devin Farren, Co-Founder
Email: devin@surestepeducation.com
Website: https://dailywins.school