1. Who We Are
PageBloom ("we," "us," "our") is a QR-based photo crowdsourcing platform built for schools and educational institutions. We help school administrators collect photos from students, parents, and community members via simple QR code scans — no app download, no account required for contributors.
We take student privacy seriously. PageBloom is built from the ground up to comply with FERPA, COPPA, GDPR, and applicable state and international privacy laws.
2. Data Controller / Processor Relationship
- Schools (Controllers): Determine which events are created, what photos are collected, who may contribute, and how the collection is used. Schools are responsible for obtaining proper consent from parents/guardians before enabling uploads involving student photos.
- PageBloom (Processor): Processes data solely per school direction. Never uses event photos or student data for advertising, profiling, or commercial purposes.
- EU/UK Schools: This relationship is formalized in our Data Processing Agreement, which schools operating under GDPR should sign.
3. Data We Collect
School & Administrator Data
- School name and contact information
- Administrator names and email addresses
- Billing information (processed by Stripe; we store only billing metadata, not card numbers)
- Subscription tier and usage history
Event & Photo Data (Provided by Admins and Contributors)
- Event names and descriptions (created by administrators)
- Photos uploaded by administrators or anonymous QR contributors
- Photo metadata (upload timestamp, file size, image dimensions)
- Admin moderation actions (approved, rejected, flagged)
Contributor Data (QR Upload Flow)
- IP address (for security and abuse prevention — not associated with uploaded photos in public display)
- Temporary session token (issued at QR scan; not stored beyond the session)
- Photos uploaded during the session
- Upload timestamp
Platform Usage Data (Aggregate)
- Admin login timestamps and session durations
- Feature usage patterns (aggregate, school-level analytics only)
- Event and upload counts (used for service improvement, never tied to individual students)
4. Data We Do NOT Collect
- ❌ Biometric facial recognition or facial templates
- ❌ Behavioral profiling or targeting data for advertising
- ❌ Health, medical, or sensitive personal information
- ❌ Browsing history unrelated to PageBloom
- ❌ Individual student engagement or behavior tracking
- ❌ Geolocation beyond IP address (used for security only)
- ❌ Third-party advertising cookies or tracking pixels
- ❌ Social media tracking or cross-site activity
5. How We Use Data
We use collected data for these specific purposes only:
- Service Delivery: Store and display uploaded photos within events, serve event collection pages to authorized viewers, enable admin review and moderation
- Account Management: Authenticate school administrator accounts, manage subscriptions, send service emails
- Aggregate Analytics: Improve the platform using anonymized, school-level usage data
- Security: Detect fraud, unauthorized access, and abuse; rate-limit anonymous uploads; maintain system integrity
- Legal Compliance: Respond to valid legal requests, comply with regulatory obligations
We do not use your data for advertising, to train AI models on identifiable student content, or for any purpose beyond what's listed above.
6. Data Sharing
We Never Sell Your Data
PageBloom does not sell, rent, or share student data with third parties for commercial purposes. This is a hard commitment, not just a policy preference.
Sub-Processors
We use the following sub-processors to deliver the Service. Each has signed a Data Processing Agreement with us:
| Vendor | Function | Student Data? | GDPR DPA |
|---|---|---|---|
| Cloudflare R2 | Photo & media storage | Photos only | ✅ Signed |
| Render | Application hosting | Infrastructure only | ✅ Signed |
| SendGrid | Transactional email | School email only | ✅ Signed |
| Stripe | Payment processing | No student data | ✅ PCI DSS + GDPR |
| Google Cloud Vision | AI photo analysis (Pro tier only) | Photo content only | ✅ GDPR-compliant |
Legal Requests
We may disclose data to comply with a valid subpoena, court order, or legal process. We will notify the affected school before disclosure where legally permitted. For GDPR-covered data, we will challenge overbroad requests.
7. Data Retention & Deletion
| Data Type | During Subscription / After Downgrade | Post-Account-Deletion | Legal Hold |
|---|---|---|---|
| Event photos | Full access (active events); read-only if over plan limits | 60 days then deleted | Per legal requirement |
| Event collection data & metadata | Full access (active events); read-only if over plan limits | 60 days then deleted | Per legal requirement |
| Admin accounts | Full access | 30 days then deleted | Per legal requirement |
| Anonymous contributor session data | Session duration only | Immediately purged at session end | N/A |
| Billing records | Retained | 7 years (tax compliance) | N/A |
| System logs (IP, security) | 90 days rolling | Deleted | Per legal requirement |
| Backup copies | Retained | 30 days then securely deleted | Per legal requirement |
8. International Data Transfers
PageBloom operates on US infrastructure (Render, Cloudflare). Schools outside the US should be aware:
- EU/EEA Schools: Transfers are covered by Standard Contractual Clauses (SCCs) with supplementary Schrems II safeguards — AES-256 encryption at rest, TLS 1.2+ in transit. See our DPA for details.
- UK Schools: UK GDPR-compliant DPA available. UK server option available on request.
- Nigerian Schools (NDPR): Data of Nigerian residents is protected in accordance with the Nigeria Data Protection Regulation. Breach notifications are made to the NDPC within 72 hours.
- South African Schools (POPIA): Consent-based processing with lawful basis documentation.
- Canadian Schools (PIPEDA): Consent required; access and correction rights apply; breach notification per applicable law.
9. Your Rights
Rights for Schools & Parents (All Jurisdictions)
| Right | Timeline | How to Exercise |
|---|---|---|
| Access your data | 30 days | Email privacy@pagebloom.app |
| Correct inaccurate data | 30 days | Admin dashboard or email |
| Delete your data | 30 days | Admin dashboard or email |
| Export your data | 30 days | Admin dashboard (CSV/PDF) |
| Object to processing | 30 days | Email privacy@pagebloom.app |
| Withdraw consent | Immediate | Admin dashboard settings |
Parental Rights (COPPA – Children Under 13)
Parents of students under 13 may:
- Review personal information collected about their child
- Request deletion of their child's photos and personal information
- Revoke consent for future collection
Contact: privacy@pagebloom.app with subject "Parental COPPA Request."
10. Security
- Encryption: AES-256 at rest; TLS 1.2+ in transit
- Access Control: Role-based access (school admin, advisor, contributor); session timeouts
- Photo Moderation: Admin review workflow — school administrators approve, reject, and manage all uploaded photos before the collection is finalized
- Monitoring: Logging and alerting for suspicious access patterns
- Breach Response: Schools notified within 24 hours; regulatory authorities notified within 72 hours (GDPR)
- Audits: Annual security reviews and penetration testing planned
12. Children's Privacy (COPPA)
PageBloom takes special care with student privacy:
- PageBloom's contributor upload flow is designed to require no account creation. Contributors scan a QR code and upload directly — we do not collect names or email addresses from QR contributors, minimizing personal data collection from young contributors.
- We do not knowingly collect personal information directly from children under 13
- Admin accounts are for school staff only and require an email address; students do not create admin accounts
- IP addresses are logged for security purposes only and are not displayed publicly or associated with uploaded photos in any user-facing view
- If we discover we have collected information directly from a child under 13 without proper school authorization, we will delete it promptly
Schools using PageBloom are responsible for ensuring they have obtained appropriate parental consent before enabling photo uploads for events involving students under 13. See our Photo Consent Guidance for recommended consent language.
13. Policy Updates
We may update this Privacy Policy when we change our data practices. For material changes, we will:
- Provide 30 days' notice by email before the change takes effect
- Display a prominent notice on the platform
- For significant changes affecting GDPR-covered data: require affirmative re-consent or provide opt-out rights
Previous versions of this policy are available on request.
14. Contact Us
For privacy questions, data requests, or concerns:
- Privacy inquiries: privacy@pagebloom.app
- COPPA parental requests: privacy@pagebloom.app — Subject: "Parental COPPA Request"
- Data deletion requests: privacy@pagebloom.app — Subject: "Data Deletion Request"
- GDPR/DPA inquiries: privacy@pagebloom.app — Subject: "GDPR Inquiry"
We aim to respond to all privacy inquiries within 10 business days, and to complete data deletion requests within 30 days.
EU/UK users may also lodge a complaint with their national data protection supervisory authority.