DormTracker is operated by Theo Popper, based in the United States. References to "DormTracker", "we", "us", or "our" refer to this operator.
This Privacy Policy describes how DormTracker collects, uses, stores, and discloses information in connection with your use of the DormTracker room inspection management platform (the "Service"). By accessing or using the Service, you acknowledge that you have read and understood this policy.
If you are using DormTracker on behalf of a school or educational institution (the "Customer"), this policy applies to the Customer's use of the Service and to the personal data of students, staff, and other individuals whose information the Customer enters into the Service.
1. Data Controller and Processor
DormTracker acts as a service provider with respect to personal data about students and staff that your school enters into the Service. Your school (the Customer) is responsible for determining the purposes and means of processing that personal data.
With respect to account-level data (such as administrator usernames and login credentials), DormTracker is responsible for how that data is handled.
If your school is subject to the Family Educational Rights and Privacy Act (FERPA) or other applicable US federal or state education and data protection laws, your school bears primary responsibility for ensuring it has an appropriate legal basis to collect and process student and staff data using a third-party tool such as DormTracker.
Additional data protection terms may be provided separately through agreements with schools or institutions. Contact us at privacy@dormtracker.app to request a Data Processing Addendum.
2. Information We Collect
We collect the following categories of information:
2.1 Information your school provides
- Student and contact records — names, email addresses, dorm and room assignments, and roles (e.g. "student", "dorm parent"), as entered by your school's staff.
- Inspection records — room scores (1–5), written notes, photographs, dorm and room identifiers, the name of the inspecting staff member, and the date and time of each inspection.
- Staff account information — usernames, email addresses, and one-way hashed passwords for staff members with a DormTracker login. We cannot recover plaintext passwords.
- School configuration — school name, dorm names, email notification preferences, branding settings (accent colour, logo), and other settings configured during onboarding or in the settings panel.
2.2 Information generated by use of the Service
- Email delivery logs — records of automated emails sent through the Service, including recipient addresses, subject lines, send timestamps, and delivery status.
- Authentication tokens — cryptographically signed session tokens used to keep you logged in between sessions.
- Server logs — standard server-side request logs (IP addresses, request paths, timestamps, HTTP status codes) generated by Vercel's hosting infrastructure. These logs are retained according to Vercel's data retention policies.
2.3 Information we do not collect
- Payment card numbers or bank account details (we do not process payments directly).
- Sensitive personal data categories such as health data, biometric data, or political opinions.
- Cookies for advertising, behavioural tracking, or analytics purposes.
- Data from social media platforms or third-party advertising networks.
3. How We Use Your Information
We use the information we collect exclusively to provide, maintain, and improve the Service for your school. Specifically:
- To store inspection records and make them accessible to authorised staff.
- To send automated email notifications to students, dorm parents, and administrators as configured by your school.
- To provide analytics and reporting within the dashboard.
- To authenticate staff logins and maintain session security.
- To respond to support requests submitted by your school.
- To diagnose technical issues and maintain service reliability.
We do not use your school's data to train machine learning models, to develop other products, or for any purpose unrelated to operating the Service for your school.
4. Legal Basis for Processing
We process personal data only to the extent necessary to provide the Service to your school. Specifically:
- Contractual necessity — processing staff account data (usernames, emails, passwords) is necessary to provide the Service under our agreement with your school.
- Legitimate operational interests — processing server logs and authentication tokens is necessary for the security and reliability of the Service.
- School instructions — we process student and contact data solely on your school's instructions and only for the purpose of operating the Service.
5. Disclosure of Information
We do not sell, rent, or share your school's data with third parties for their own purposes. We may disclose information only in the following limited circumstances:
- Infrastructure providers — we use Supabase (database and file storage), Vercel (application hosting), and an email delivery provider to operate the Service. These providers process data solely on our instructions and are contractually prohibited from using it for other purposes. See Section 6 for details.
- Legal obligations — we may disclose information if required to do so by applicable law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfers — if DormTracker is acquired by or merged with another entity, your data may be transferred as part of that transaction. We will provide notice and, where required by law, seek consent before any such transfer.
6. Third-Party Service Providers
The following infrastructure providers process data on our behalf:
- Supabase, Inc. (United States) — PostgreSQL database and object storage. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Supabase is SOC 2 Type II certified. See supabase.com/privacy.
- Vercel, Inc. (United States) — application hosting and serverless compute. See vercel.com/legal/privacy-policy.
- Email delivery provider — automated notification emails (inspection results, digest summaries) are sent via a third-party transactional email service. Recipient email addresses and email content are transmitted to this provider solely for delivery purposes.
We do not use third-party analytics services (e.g. Google Analytics), advertising networks, session recording tools, or social media tracking pixels.
7. Data Location
DormTracker's infrastructure is hosted in the United States. All data collected through the Service is stored and processed in the United States by our infrastructure providers (Supabase and Vercel). The Service is intended for use by US-based schools and institutions.
8. Data Retention
We retain data for the following periods:
- Inspection records and contact data — retained for the duration of your school's active subscription. You may delete individual records or all school data at any time via the Settings panel. Upon cancellation, your school's data will be retained for 30 days to allow for reinstatement, then permanently deleted. You may request earlier deletion at any time by contacting us.
- Staff account information — retained until the account is deleted by an administrator, or for 90 days following cancellation of your subscription, whichever is earlier.
- Email delivery logs — retained for up to 12 months for troubleshooting and audit purposes.
- Server logs — retained according to Vercel's standard log retention policy (typically up to 14 days).
You can request deletion of all your school's data at any time by using the data deletion feature in Settings or by contacting us directly.
9. Your Rights
You and individuals whose data your school has entered into DormTracker may have the following rights:
- Right of access — the right to request a copy of the personal data we hold about you or your students.
- Right to correction — the right to request correction of inaccurate or incomplete data.
- Right to deletion — the right to request deletion of personal data, subject to any overriding legal obligations.
- Right to data portability — the right to receive data in a structured, machine-readable format.
Because your school is the data controller for student and staff data, requests from students, parents, or staff members regarding their personal data should ordinarily be directed to your school in the first instance. Your school may then contact us to action the request. We will fulfil confirmed deletion or access requests within 30 days.
To exercise any of these rights, contact us at privacy@dormtracker.app.
10. Children's Privacy
The Service is designed for use by school staff. The Service processes student information only as provided by authorised school staff — students do not create accounts or enter their own data. If you believe that a child's personal information has been entered into the Service without appropriate authority, please contact us and we will take prompt action to investigate and, where appropriate, delete the data.
Schools using DormTracker to process data relating to students should ensure they have obtained any necessary consents and have appropriate safeguarding policies in place under applicable US federal and state law, including FERPA.
11. Security
We implement the following security measures:
- Encryption in transit — all data transmitted between your browser and our servers is encrypted using industry-standard protocols.
- Encryption at rest — all data stored in Supabase is encrypted at rest using industry-standard encryption. Supabase is SOC 2 Type II certified.
- Password hashing — staff passwords are stored as one-way cryptographic hashes. We cannot retrieve or view plaintext passwords.
- Session authentication — session tokens are cryptographically signed and have a limited lifetime to help maintain session security.
- Multi-tenancy isolation — each school's data is logically separated at the database level. A user authenticated to one school cannot access another school's data.
- Access controls — role-based access controls (RBAC) limit which staff members can view or modify different categories of data within the Service.
While we take reasonable and industry-standard precautions to protect your data, no method of transmission over the internet or method of electronic storage is 100% secure. In the event of a data breach that affects your school, we will notify affected customers in accordance with applicable US federal and state law.
12. Cookies and Local Storage
DormTracker does not use cookies for tracking, advertising, or analytics. The Service uses browser storage to maintain your login session between visits. Clearing your browser data will log you out of the Service.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. When we make material changes, we will update the "Last updated" date at the top of this page and, for active schools, send notice to the school administrator's email address on file. Continued use of the Service following the effective date of an updated Privacy Policy indicates acknowledgment of the revised policy.
We encourage you to review this page periodically.
14. Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or the handling of your school's data, please contact us: