Privacy Policy

Name: The Commons, Inc.
Price range: $

Last Modified: June 2026

Note for Students and Parents: The Commons does not sell, rent, or share student data. We do not advertise to students. Ever.

The Commons App is designed to support classroom focus and reduce distractions during the school day. Here is what we do and don't do:

✓ We block distracting apps & URLs during school hours, as directed by your school.

✓ We report compliance status to authorized school staff.

✓ Your school controls what roster information is shared with us.

✓ The app automatically sends limited operational signals, such as whether it is active and whether the required permissions are on, to support your school's compliance reporting.

✗ We do not see which apps you use or how often.

✗ We do not track where you go or store your location.

✗ We do not read your messages, browsing history, or app content.

✗ We do not store student name or email on the device.

✗ We do not share data with advertisers or data brokers.

If you have questions, contact your school administrator or email us at support@the-commons.app.

The Commons, Inc. and its affiliates (“The Commons,” the “Company”, “we”, “our”, or “us”) respect your privacy and are committed to protecting it through this Privacy Notice (“Privacy Notice”). This Privacy Notice describes the type of information we may collect from you or that you may provide to us when you visit www.the-commons.app the affiliated subdomains (the “Site”), use our Services (as defined in our Terms of Service) that we provide to you or which are available through our Services and our policies and practices regarding how we collect, use, and disclose that information. If you engage in Services offered by us, then you may be subject to other terms and conditions and disclosures relevant to the Services that are not included in this Privacy Notice.

BY ACCESSING OR BROWSING THE SITE OR USING THE SERVICES, YOU CONSENT TO THE COLLECTION AND USE OF YOUR INFORMATION AS DESCRIBED IN THIS PRIVACY NOTICE, AS MODIFIED FROM TIME TO TIME BY US.

This Privacy Notice applies to information we collect:

From schools and school districts (“Institutions”)
From students of Institutions (“Students”)
From visitors to the Site and our mobile application (“App”) (collectively, with Institutions, and Students, “you” or “user”)
In email, text, and other electronic messages between us.
When you engage with us to use our Services or request information about our Services.

The App does not collect student accounts, passwords, or personally identifiable information directly from students.

To be direct about what we collect and why, and where it lives:

On the student device (AES-256-encrypted local storage), a de-identified device ID, compliance signals, and the school name are stored. Student names or emails are not stored on the device. All data stored locally on the student device is encrypted using AES-256 encryption.

In our secure backend database, student roster information provided by the school — name, email, grade level, and school-assigned ID — is used solely to generate device pairing codes and enable school-level compliance reporting. Access is restricted to authorized school staff via the admin dashboard, and to The Commons technical staff for system administration and support purposes only.

What we never collect anywhere: browsing history, messages, app content, location history, or any personal information students enter themselves. Roster data is provided by the school and used solely under its authority. The app also automatically generates limited operational signals, such as whether it is active and whether permissions are enabled, which are collected by The Commons and made available to authorized school staff via the admin dashboard and to The Commons technical staff for system administration and support purposes only.

Students do not create accounts or credentials specific to The Commons. Access is enabled by a school-issued QR code or through existing school credentials via Single Sign-On. New usernames or passwords are never created for The Commons. It does not include in-app purchases, advertisements, or public posting features. This Privacy Notice references account creation, order processing, or subscription features only for institutional users or website visitors, not to students using the App as part of a school program.

Our public website (the-commons.app) may provide links to non-Company websites or social networks or the ability to connect with non-Company websites, services, social networks, or applications. Clicking on those links or enabling those connections might allow the third-party to collect or share information about you. Those third-party websites or services are beyond the Company’s control. We advise you to check the privacy policies and terms of use of any non-Company websites or services before providing any of your Personal Information to them.

We reserve the right to update this Privacy Notice from time to time. If we make a material change, particularly one that affects how we collect, use, or share personal information, we will notify our school partners directly before those changes take effect. Schools determine how to communicate updates to families in accordance with their own policies. For non-material updates, we will post a revised notice on our Site and update the date at the top. Your continued use of the Services after any change is deemed acceptance of the updated terms.

If you have questions about this Privacy Notice or how your school uses The Commons, please contact your school administrator or email us at support@the-commons.app.

I. THE TYPES OF INFORMATION WE COLLECT.

A. Personal Information

We collect “Personal Information,” which is information that can be used to identify you individually.

We collect the following Personal Information from Institution users, e.g., schools and school districts: full name, mailing address, and email address. As part of onboarding, schools may provide student roster information, including each student's first and last name, grade level, school-assigned student ID, and email address. This roster data is used solely to enable student access to the app and support school-level compliance reporting. QR pairing is used to generate secure device pairing codes. Single Sign-On (SSO) is used for authentication matching with the school's identity provider.

During onboarding for Institution users, we collect administrator login details, including name, role, email address, and credentials to access the school dashboard. Administrators may access the dashboard using secure login credentials or Single Sign-On (SSO), depending on their school’s configuration. SSO integrations are used solely for authentication and do not provide The Commons with access to any additional data beyond what is needed for authorized access.

We also collect personal and organizational contact information from school or district representatives who engage in commercial transactions (including billing, contracting, and other similar transactions) with The Commons. This may include names, roles, email addresses, mailing addresses, billing contacts, and billing details such as ACH, purchase orders, or payment processing credentials. This information is never linked to student usage and is handled in accordance with applicable data privacy and security standards.

The Commons does not collect personal information directly from students through self-registration or user-generated input. Under QR pairing, the student app requires no login, account creation, or password entry. Under SSO, students authenticate using existing school credentials; no account or password specific to The Commons is ever created. In both cases, the app does not access messages, browsing history, or app content. The app does generate limited device-level operational signals such as compliance status and school-hours distraction-reduction metrics which are transmitted to The Commons and made available to authorized school staff under the school's authority. All student data processed by The Commons is done so under the direction of the participating school, solely to support student focus and school phone policy compliance.

Students connect to The Commons via one of two methods, determined by the school: (1) a time-bound QR code generated by the school admin dashboard, or (2) Single Sign-On (SSO) using existing school credentials via Google, Microsoft, or Classlink. No student username or password specific to The Commons is ever created. For QR pairing, schools upload a student roster to generate pairing codes. For SSO, roster data is received automatically from the school's identity provider. In both cases, roster data, typically first name, last name, grade level, school-assigned ID, and email, is used solely for the purposes described below.

This information is used solely to:

For QR pairing schools: Generate secure QR codes that pair student devices with the school's administrative dashboard. These QR codes do not store or transmit any personal student data and are used solely to activate the app within the school's secure system.
Enable school-level reporting of individual compliance status and school-hours distraction-reduction metrics, based on the school-provided roster.
If enabled by the school, send service-only emails to students (and/or parents, if provided by the school) for setup, compliance, and app reliability. These messages are operational in nature and not used for advertising or profiling. We use a third-party email service provider acting as our data processor under standard contractual terms that require confidentiality, security, and compliance with applicable student-privacy laws.

The Commons does not log or access app content, browsing history, precise location, or personal communications. Reporting is viewable by authorized school staff via the admin dashboard, and by The Commons technical staff for system administration and support purposes only. It is not used for profiling or advertising purposes.

B. Registration and Transactional Data for School and District Administrators

Students do not create accounts or login credentials specific to The Commons. Under SSO, students authenticate using existing school credentials; no new account or password is created for The Commons. Any user registration described in this section applies only to school or district administrators who access secure dashboards or contract with The Commons for services.

If you are using our Site or Services, you are required to submit an email address, password, and additional Personal Information. We may collect and store access information related to your account.

When you have an account with us, the combination of your username and your password is the key to your account with our Services. We recommend that you use a unique combination of letters, numbers, and special characters to create your password. You are responsible for all actions taken in the name of your account. You should not disclose your password to anyone. You may be subject to legally binding actions taken on your behalf. Therefore, if your password has been compromised for any reason, you should immediately notify us at support@the-commons.app and, if available, login to your account at the Site and change your password.

We may also track and retain the details of all transactions and communications between Customers, target audiences, and other visitors on our Site and Services such as emails, feedback, ratings, sale and purchase of Services, and any other forms of communications. We may use and display your name when you send an email or other communication through our Site or Services.

C. Payment Information

If you use our Services as an Institution, we may collect information related to your transaction. This information includes your payment method (ACH, credit card or debit card number, account, and authentication information), billing information, and shipping and delivery details.

To the extent the Services or any portion thereof is made available for any fee or through a subscription, your access will be granted following payment of the applicable fees to Company. Your account and access to the Services may be suspended in the event of non-payment of applicable fees. We may, but are not obligated to, cancel inactive, or unpaid subscriptions.

You agree to provide accurate and complete billing information, including valid credit card information (if applicable), your name, mailing address, and email address, and to provide The Commons or other third party processor with any changes in such information.

D. Contact Us Information and Feedback

We may collect information from individuals (including Students) when they voluntarily provide personal information via the Site, such as submitting a support request, signing up for a newsletter, completing a feedback form, or when you submit comments, questions, or suggestions to us using the Contact Us form or by email, including attached files in an email sent to us. These activities are purely optional and occur outside of the App. We do not knowingly collect personal data from children under 13 without verified school consent (which includes parental consent) and a clearly defined educational purpose. Any comments, questions, or emails we receive from you are subject to the terms of this Privacy Notice.

E. Computer and Device Information

We collect information from or about the computers and devices that you use to access the Services, as determined and allowed by the personal settings you have for the computer and device. This includes operating system, device configuration, web log files, and limited technical data.

The Commons does not track where students go. Zone detection is handled by the device's operating system (Apple or Google), which sends the app only a simple yes/no signal: is this device inside or outside the school zone? The Commons never receives, sees, or stores GPS coordinates, precise location, or location history.

For visitors to our public website and administrators accessing the dashboard, we collect operating system, device settings, web log files, and similar technical data. You can turn off and adjust settings on your computers and devices that will not allow us to collect information. For example, in many cellular devices, you can turn off location settings by selecting the "Settings" feature, choosing "Privacy" and turning off "Location."

Note: The Commons student app requires certain device permissions (such as location and VPN) to function properly in accordance with school policy. These permissions allow the app to activate during school hours, block distracting content, and ensure compliance reporting. Although these settings may be adjustable in your device's system preferences, disabling them may result in the app not working as intended. Schools may notify students and families if required permissions are missing.

F. How the VPN works

The Commons VPN is a content-filtering and policy-enforcement layer, not a surveillance tool. When a student device enters a school zone during school hours, the app requests a policy profile from The Commons backend. That profile is dynamically generated based on the school's rules, including any district-level restrictions, school-level settings, and individual student accommodations (such as medical or IEP exceptions). The VPN then applies the least-privileged configuration for that student, blocking restricted content and allowing whitelisted domains and apps.

Once an allowed website or app is accessed, traffic behaves like a normal internet connection. The Commons does not inspect or monitor the content of permitted browsing sessions.

The VPN logs only operational and system-level information: whether a connection was successfully initiated, connection health metrics, and system load indicators. It does not log URLs visited, content accessed, or app-level activity within permitted apps.

Device Permissions Required by the App
The Commons student-facing app requires several device permissions to function in accordance with school policy:

Location Permission – Allows the app to detect whether a student's device is inside or outside the school zone. The Commons does not track where students go. Zone detection is handled by the device's operating system (Apple or Google), which sends the app only a simple yes/no signal: is this device inside or outside the school zone? The Commons never receives, sees, or stores GPS coordinates, precise location, or movement information. The app does store a timestamp of when a device entered or exited the school zone. This timestamp is used solely to determine whether school-hours restrictions should be active or inactive. No GPS coordinates, movement history, or location path is associated with this timestamp.

Note: Apple periodically displays a notification informing device owners how many times an app has accessed location. This reflects the number of times the app checked whether the device was inside or outside the school zone. It does not mean The Commons is tracking or storing your child's location.

VPN Permission – Establishes a secure connection used to enforce school-defined content restrictions during school hours. The VPN functions as a permissions and filtering layer: it identifies the student's school and applies the applicable policy profile, determining which domains and apps are allowed or restricted. It does not inspect, log, or store browsing content, URLs, or detailed activity. The only information logged at the VPN level is operational and system-level, such as whether a connection was successfully established, connection health metrics, and system load indicators. No personally identifiable information is intentionally transmitted through the VPN beyond what is technically required to establish the connection itself (such as a remote IP address, which is required by any VPN protocol and is not used to identify or track students). Once school hours or the school zone end, the VPN deactivates automatically.
App Blocking Permission (iOS — Screen Time / FamilyControls) – On iOS devices, the app uses Apple's FamilyControls framework to block distracting apps during school hours. When this permission is granted, app and category selections are made entirely on the student's device and enforced by Apple directly. The Commons never sees which apps or categories were selected or blocked. The Commons receives only an encrypted token (unreadable by anyone outside Apple's framework) confirming the student's restriction selection, and a binary active/inactive signal confirming whether restrictions are on or off.
App Blocking Permission (Android — Usage Access) – On Android devices, the app uses a foreground app detection permission to identify when a blocked app is running. The app name is observed only in that instant to determine whether to display the blocking screen — it is never written to storage and never transmitted anywhere. Android's default system text for this permission states "Allow apps to monitor which other apps you use and how often" — this describes what the permission technically allows, not what The Commons does with it.
Notification Permission – Enables the app to send alerts about compliance status or missing permissions. This permission is optional — the app functions without it, but you may not receive important reminders if a required setting needs attention.
Motion Permission – Helps the app optimize performance and battery life while at school. This permission is optional and does not affect core app functionality.

A note on Face ID and passcode prompts: During onboarding, when a student enables VPN or Screen Time controls, Apple requires the device owner to authenticate via Face ID or passcode before granting those permissions. This is Apple's own security requirement — identical to the prompt shown when approving an App Store purchase. No biometric data is transmitted to or received by The Commons at any point. Apple's Secure Enclave processes Face ID entirely on the student's device. The Commons has no access to and never receives any biometric information.

Operational Signals — When the app is active, it automatically sends limited signals to our backend to support your school's compliance reporting. These signals include whether the app is running, whether required permissions are enabled, whether the device is within the school zone, and a periodic confirmation that the device is connected. This data is generated by the app automatically — it does not require any action from the student. No browsing history, app names, message content, or personal communications are included in these signals. Your school uses these signals to confirm the app is working as intended and to identify devices that may need attention.

Location, VPN, and app blocking permissions are required for the app to function as intended. Disabling them may prevent school policy enforcement and will be flagged to school administrators. Notification and motion permissions are optional; disabling them does not affect core functionality.

G. Transactions & Communications with Third Parties

PUBLIC WEBSITE ONLY — The following section does not apply to the student app or school dashboard. If you are a parent or student, this section is not relevant to how The Commons handles your data. The student app does not contain advertising, third-party tracking tools, social networking integrations, or behavioral analytics of any kind. No student data is shared with or accessible to any third-party advertising or analytics provider.

The Site and Services may contain applications to enable you to connect to and from social networking sites and we may collect information about you from such social networking sites in order to provide you with a more personalized experience.

Some content, email, or text message marketing campaigns from our Site and Services may be served by third-parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our Services. The information they collect may be associated with your Personal Information or they may collect information, including Personal Information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.

We may enable third parties to serve advertisements available through our Services, Site, or on third-party websites or other media (e.g., social networking platforms) that enable us and third parties to target advertisements to you for products and services in which you might be interested. Third-party ad network providers, advertisers, sponsors, or traffic measurement services may use cookies, JavaScript, web beacons (including clear GIFs), LSOs and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you. These third-party cookies and other technologies are governed by each third-party’s specific privacy statement, not this one. For more information on each of these third parties’ privacy practices and to learn how to opt out, please visit each of their websites and contact them directly.

We may also receive your personal information if you follow us or any of our brands on social media sites, for example, Meta, Instagram, X, LinkedIn, TikTok, or Pinterest. This applies only to users engaging with our corporate accounts. The Commons student-facing App does not link to, access, or collect data from social media platforms, and no student App data is shared with or influenced by these channels. We may collect personal information when you communicate with us on these social media sites or use functionalities, widgets, tools, or plugins from social media platforms or networks in connection with our Site and Services. This includes, but is not limited to, when you log into an account, share purchases or content with your friends and followers on social media, or when you click “Like.” You understand and agree that if you make a post on social media or identify us in your social media by tagging us or using a hashtag (#) or “at” (@), your personal information may be publicly available and is subject to the privacy policy of the applicable social media platform. For more information on each of these third parties’ privacy practices and to learn how to opt out, please visit each of their websites and contact them directly.

To be clear: none of the third-party marketing or analytics tools described in this section have access to student data, the student app, or the school dashboard. Their scope is strictly limited to visitors of our public website at the-commons.app.

H. School Partnership Participation

In connection with school partnerships, including but not limited to pilot programs, we may collect limited feedback, usage metrics, and testimonials (written, video, or otherwise) from administrators, educators, and students. We will not publicly share any personally identifiable information (PII) without your or your institution’s express written consent. Any marketing, case study, or promotional use of pilot results will be fully reviewed and approved by participating institutions in advance.

I. App Blocking — What We See and Don't See

The Commons blocks distracting apps during school hours on both iOS and Android devices. The Commons does not see, store, or transmit which specific apps a student opens, how often they are used, or how long they are used. App selections on iOS remain entirely on the student's device and are enforced by Apple directly. On Android, app detection occurs only in the moment needed to display a blocking screen — nothing is stored or transmitted.

A note on Android permission language: Android displays the following default system text during setup: "Allow apps to monitor which other apps you use and how often." This describes what the permission technically allows — not what The Commons does with it. We use this permission only to display a blocking screen when a restricted app is opened. We do not monitor, store, or transmit app usage data.

II. HOW WE USE AND SHARE INFORMATION.

A. Provide our Services

We use Personal Information to operate, maintain, and improve the features available through our Site and school-facing services. This may include responding to inquiries submitted through contact forms, facilitating school onboarding, delivering requested materials, and managing curriculum licensing. In the future, we may offer e-commerce functionality for school administrators to purchase curriculum or related services directly through our website.

When enabled by a school, The Commons may send service-only emails directly to students (and/or parents, if supplied by the school) to support setup, compliance, and reliability of the school’s program. These messages are operational in nature and are not used for advertising or profiling. These emails are delivered via a third-party email service provider acting as our data processor under its standard contractual terms, which include confidentiality, security, and compliance with applicable student-privacy laws.

For the App, in limited cases, such as when a technical support request is submitted, we may use voluntarily provided information to investigate compliance or performance issues through the school’s administrative dashboard. This information is used solely for troubleshooting and is not linked to App usage beyond the scope of the specific support request.

The app uses a zone-level signal from the device's operating system solely to determine whether a device is inside or outside the school zone, in order to activate or deactivate app restrictions. No GPS data, precise location, or location history is collected or stored.

The app reports compliance status and school-hours distraction-reduction metrics to authorized school staff to help administrators support student focus. We do not access browsing history, social media content, or in-app behavior. Aggregate compliance data may be reviewed internally by The Commons solely to improve platform reliability and support school outcomes. These features operate within a privacy-first, school-directed framework and do not involve behavioral advertising or profiling.

The Commons uses a limited number of third-party service providers to operate the platform. Providers that handle student data are contractually bound to use that data only as directed by The Commons and in accordance with applicable student privacy laws. The following providers may process student-related operational data:

Sentry — App performance and error monitoring. Receives error logs and device-level operational signals: zone status changes (inside/outside school zone), VPN connection status, app foreground/background state, and compliance status pings. Sentry does not receive student names, emails, IP addresses, browsing history, or app usage content. Screenshot capture is disabled. SOC 2 certified.

SendGrid — Operational email delivery at school direction. Receives student name and email address for delivery purposes only. Does not receive behavioral data, browsing history, or app usage information. SOC 2 Type II certified.

Ednition— Roster sync and SSO integration layer between the school's student information system and The Commons. Receives student name, grade level, student ID, email, and parent email as provided by the school. Does not receive behavioral data, browsing history, app usage, location history, or Screen Time information. SOC 2 and ISO/IEC 27001 certified.

No third party receives student browsing history, app usage data, location history, or Screen Time information. A full subprocessor list is available to school partners upon request — contact support@the-commons.app.

We may also use third-party services on our public-facing website for analytics or advertising purposes (e.g., remarketing ads or campaign performance tracking). These services may use their own cookies or tracking technologies, which we do not control. If you have questions about targeted content served to you outside of our platform, please contact the responsible provider directly.

Note: The Commons student-facing App does not include advertising, third-party tracking tools, or personalized marketing. It does not collect personal communications, browsing history, or user-generated content.

B. Consent to Contact By Mobile Phone

By providing us with your mobile phone number, you hereby expressly consent to receive automated text messages (including SMS and MMS) from us at the mobile phone number you provided. You represent that you are 21 years of age or older and you have the consent of the wireless account holder associated with the mobile phone number you provided. You are responsible for all charges and fees associated with text messaging imposed by your wireless provider. Message and data rates may apply.

Text messages may be sent using an automatic telephone dialing system or other technology. Your consent to receive autodialed marketing text messages is not required as a condition of purchasing any goods or services. If you have opted in, we may provide updates, special offers, inside news, access to events, ways to enter sweepstakes, instant win games and other marketing offers via text messages through your wireless provider to the mobile number you provided. Message frequency varies.

Note: The Commons App does not collect phone numbers, request mobile device contact information, or send SMS messages. Any texting functionality applies only to individuals who voluntarily provide their number through external channels such as our website, newsletter forms, or support interactions. We do not collect or use phone numbers from students through the App, and no SMS features are used within student-facing services.

C. Internal Analysis and Promotions

We may use non-personal, de-identified, or aggregate information to evaluate and improve our Services. This includes internal analysis for system performance, infrastructure reliability, user experience, and understanding usage patterns across our partner schools. For example, we may use anonymized metrics to estimate general engagement, measure feature usage, or assess platform stability.

We may also use limited Personal Information from school administrators and authorized staff (such as names, roles, email addresses, and login credentials) who access our administrative dashboard to monitor account activity, improve user experience, support training and onboarding, and ensure the security and functionality of the platform.

We work with secure, education-aligned third-party providers to support hosting, identity management, diagnostics, and analytics. These platforms may process limited technical telemetry, such as device type, app version, or crash reports, for the sole purpose of improving platform stability. Where school dashboards display student-level analytics (e.g., compliance and school-hours distraction-reduction metrics), those insights are based on roster data uploaded by the school and are visible only to authorized school staff within an encrypted environment.

The Commons does not access student content, browsing history, or communications. Usage trends may be provided to administrators to support student well-being or guide interventions. The App may also deliver supportive nudges, such as reminders to stay focused, prompts to re-enable a missing permission, or positive feedback when a student meets expectations, to encourage healthy digital habits and reinforce school policy. These nudges are driven by simple usage metrics, not behavioral modeling or prediction, and are solely controlled by the school. These features are never used for advertising, commercial targeting, or profiling.

In some cases, we may securely outsource infrastructure, analytics, or related services to trusted third-party vendors. These providers are contractually bound by strict confidentiality and FERPA/COPPA compliance obligations and are only granted access to the minimum data necessary for their role.

We may also use contact information submitted via our public-facing website (e.g., through demo requests, support forms, or newsletter signups) to respond to inquiries and improve engagement with institutional users.

D. Marketing Purposes

If you provide us with feedback, we will collect that information and we may use it in our marketing materials, use it on our Site or Services, or disclose it for any purpose we choose. Your Personal Information will not be disclosed or associated with any feedback that we use or disclose unless you have given us permission to use your Personal Information for this purpose. We may use computer and device information for marketing purposes, to examine traffic to the Site and Services and improve the Site and Services to provide you a better experience.

E. Legal Requirement

We may disclose Personal Information, non-personal information, and aggregate information:

(a) to comply with laws, cooperate and respond to requests and claims, or comply with legal process served on us (e.g., a lawful subpoena, warrant, or court order);

(b) to enforce or apply our Terms of Service, policies, or agreements (including to initiate, render, bill, and collect for amounts owed to us);

(c) to protect and defend us or our user's rights or property, the Site, Services, our employees, visitors, or the public (including protecting and defending from fraudulent, abusive, or unlawful use of the Site or Services); or

(d) if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of communications or justifies disclosure of records without delay.

When applicable, disclosures of student-related information are strictly limited to authorized school personnel and made in accordance with FERPA, COPPA, and other relevant privacy regulations.

F. Company Sale

We may disclose certain information we collect during negotiations of any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. Any such purchaser will be subject to all applicable federal and state laws, including student privacy laws. If we decide to move forward with a transaction, we will also ensure that any successor entity echoes our commitment to student privacy.

III. HOW YOU CAN MANAGE YOUR INFORMATION

When you browse our Site, we automatically receive your computer’s IP Address in order to provide us with information that helps us learn about your browser and operating system. With the exception of your IP Address, you may choose not to provide us with any Personal Information. In that case, you can still visit and browse our Site, but you will not have access to or be able to use our Services.

A. Account Settings

Individuals who set up an account with us may elect to receive or stop receiving information from us or any third-party as described by this Privacy Notice. If you receive email communications from our Services, you may use the unsubscribe link contained in the email. Please contact us at support@the-commons.app if you need assistance.

Recipients of school-directed service emails may use the unsubscribe link in any message to opt out of future email delivery from The Commons. Opting out of email will not affect in-app or school-dashboard notices. Schools can also request campus-wide suppression at any time.

B. Request Changes

Schools and authorized institutional representatives may request updates, corrections or deletions of Personal Information by sending an email with the request and a detailed description of the specific content or information to support@the-commons.app. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal even if requested.

Parents or students wishing to review, modify, or remove any student-related information must contact their school directly, as the schools hold all Student personal information. We honor such requests when submitted by an authorized school official in accordance with applicable privacy laws.

Please be aware that we cannot always delete records of past interactions and transactions. For example, we are required to retain records relating to previous sales and purchases for financial reporting and compliance reasons.

C. Manage Your Security Settings

We (and our service providers) may use cookies and similar technologies on the public website to improve performance and user experience. You can manage how your browser handles cookies and related technologies through its privacy and security settings. Because browsers differ, please refer to your browser’s help pages for instructions. You can also opt out of interest-based advertising from many third-party companies at: https://www.networkadvertising.org/choices/ and https://optout.aboutads.info/.

You may manage how your mobile browser handles cookies and related technologies by adjusting your mobile device privacy and security settings. Please refer to instructions provided by your mobile service provider or the manufacturer of your device to learn how to adjust your settings.

Users in the United States may opt out of many third-party ad networks. For example, you may go to the Digital Advertising Alliance (“DAA”) Consumer Choice Page for information about opting out of interest-based advertising and your choices regarding how information is used by DAA companies. You may also go to the Network Advertising Initiative’s (“NAI”) Consumer Opt-Out Page for information about opting out of interest-based advertising and your choices regarding having information used by NAI members. The NAI’s main webpage is located at www.networkadvertising.org.

Opting out from one or more companies listed on the DAA Consumer Choice Page or the NAI Consumer Opt-Out Page will opt you out from those companies’ delivery of interest-based content or ads to you, but it does not mean you will no longer receive any advertising through the Services. You may continue to receive advertisements, for example, based on the particular website that you are viewing (i.e., contextually based ads). Also, if your browsers are configured to reject cookies when you opt-out on the DAA or NAI websites, your opt-out may not be effective. Additional information is available on the DAA’s website at www.youradchoices.com or the NAI’s website.

We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible third party provider directly.

D. Links to Other Websites

Please be aware that, on our Site, we may provide links to third-party websites as a service to our visitors, and that we are not responsible for the content or information collection practices of those pages. Please note that these websites' privacy policies may differ from our Privacy Notice. We encourage you to review and understand the privacy practices at third-party websites before providing them with information.

E. Opt Out

You may opt out of receiving emails or text messages from us at any time either by texting the word “STOP” to any text message using the mobile device that is receiving the messages, by using the unsubscribe link contained in the email, or by contacting the sender. If you are unable to resolve this through these means, contact us at support@the-commons.app. Despite your election to opt-out, we may send you emails or contact you by other means regarding your account, transactions, and your activities with the Services.

F. Changes to the Service

We may change any short code or telephone number we use to operate the texting services at any time and will notify you of these changes. You acknowledge that any messages, including any STOP requests, you send to a short code or telephone number we have changed may not be received and we will not be responsible for honoring requests made in such messages. Please contact us at support@the-commons.app if you need assistance.

IV. WHAT ELSE SHOULD YOU KNOW ABOUT OUR PRIVACY PRACTICES

A. Security

We follow generally accepted industry standards to protect Personal Information, including your email address, submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security. Any transmission of Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Services.

We use TLS encryption in transit and industry-standard encryption at rest for data exchanged between the App, our servers, and school dashboards. Also any data stored on our systems—such as student roster data provided by schools, QR code mappings, and compliance records—is encrypted.
Access to student-related data is restricted to authorized school personnel using secure authentication and role-based access controls (RBAC).
The Commons student-facing App does not store or transmit personal communications, browsing history, GPS data, or any sensitive personal information.
All access is logged and monitored for security, and we conduct regular security reviews and audits to ensure compliance with education privacy standards.
The Commons uses industry-standard VPN infrastructure to enforce content restrictions. We periodically update our VPN technology to maintain security, reliability, and compliance with evolving standards. These infrastructure updates do not change our data collection practices or privacy posture.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. Administrator login credentials for the school dashboard are encrypted in transit and at rest, and access is restricted to authorized personnel using secure authentication protocols.

B. FERPA

The Commons may disclose Student information to fulfill the purpose for which you provide it and to enforce or apply agreements with The Commons. When schools provide contact emails and enable service emails, The Commons processes that data as a school official for a school-directed educational purpose.

The Commons adheres to the Family Educational Rights and Privacy Act (FERPA), as applicable, when it is providing Services to Institutions in the United States and acting as an authorized “school official” through its relationships with the Institutions as an educational partner. The Commons works with Institutions to ensure compliance with FERPA and applicable privacy laws, including by designing its App in a privacy-forward manner such that it only contains de-identified data concerning students. FERPA is a federal law that affords students (or parents/guardians for students under 18 or not enrolled in a post-secondary Institution) certain rights with respect to their education records.

C. COPPA

The Commons complies with the Children's Online Privacy Protection Act (COPPA). The Commons offers its Services to Students at K-12 Institutions, but only through partnerships with Institutions (not through any accounts with Students directly). Institutions hold all Student Personal Information, and The Commons does not collect any Personal Information from Students, including any personal information from Students under the age of 13. In fact, Students do not create accounts specific to The Commons, enter personal data independently, or access the App without school authorization — a school-issued QR code or school-managed Single Sign-On (SSO) activates the App, and usage is governed entirely by the school's policy and authority. Such Institutions also work with parents to obtain any necessary consents needed. The Commons does not collect email addresses directly from children; any student contact used for service emails is supplied by the school with appropriate consent under FERPA/COPPA.

If The Commons learns it has collected or received Personal Information from an individual who was ineligible to access or use the Sites or Services, The Commons will take steps to remove such information. If you believe The Commons might have any information from or about a user who is ineligible to use the Sites or Services, please contact us immediately at support@the-commons.app.

D. SOPIPA

We comply with the Student Online Personal Information Protection Act (SOPIPA). Specifically, we do not use any student information for targeted advertising or behaviorally profiling a student for non-educational purposes. We do not sell, share, rent, or lease student personal information to third parties. Student data is used solely for educational purposes as authorized by the school or educational institution. We implement reasonable security procedures and practices to protect student data from unauthorized access, destruction, use, modification, or disclosure. We do not create a student profile unless it is required to provide the service or is authorized by the school. Any third-party service providers engaged by us are contractually bound to comply with SOPIPA’s requirements.

E. CalOPPA

In compliance with the California Online Privacy Protection Act (CalOPPA), we post this Privacy Notice clearly on our website, including a link to it on our homepage. This Privacy Notice identifies the types of Personal Information we collect, how the information is used and with whom it may be shared, how users can review and request changes to their information, the effective date of this policy and how we will notify users of any material changes. We do not permit third-party behavioral tracking in the student app or school dashboards. Our public website may use limited analytics or advertising tools; see Section II and the opt-out resources in Section III.C. We may use de-identified analytics and crash diagnostic tools solely to improve Site performance and user experience. The Commons collects only the limited, school-directed compliance and distraction-reduction metrics needed to support educational outcomes, and these are visible only to authorized school staff.

V. CALIFORNIA PRIVACY RIGHTS; CALIFORNIA CONSUMER PRIVACY ACT (“CCPA”) AS AMENDED BY THE CALIFORNIA PRIVACY RIGHTS ACT (“CPRA”), AND OTHER STATE PRIVACY LAWS

A. Categories of Personal Information Collected

Under the CCPA, as amended by the CPRA, California created a variety of privacy rights for California consumers. Additional states have also passed laws extending similar privacy rights to their consumers. We use this notice to make disclosures required by these state laws.

You have the right to know what personal information we have collected about you, including the categories of Personal Information, the categories of sources from which the personal information is collected, the business or commercial purposes for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of Personal Information we have collected about you. Note: These disclosures apply to Site visitors, school administrators, or individuals engaging directly with The Commons, not to student data provided by schools under FERPA or other educational privacy laws.

We collect the following categories of information: identifiers (such as your name and email address), Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (such as your name and contact information), internet or other similar network activity, geolocation data, and inferences drawn from the collected Personal Information. This information is collected directly from you when you provide it to us (for example when you submit a form requesting more information) or automatically as you navigate through the Services. We use this information for one or more legitimate business purposes, including to improve our Services, offer information about our Services to you, and allow you to purchase and use our Services. The specific pieces of information we have collected about you vary, depending on whether you are browsing the website or are a customer, but we explained these different types of Personal Information in Section 1.A of this Privacy Notice.

We do not sell Personal Information as defined under California, Colorado, Nevada, Virginia, Utah, Connecticut, or California state laws. Further, we do not share your Personal Information as that term is defined under California and other applicable U.S. state laws. We do not sell or “share” (for cross-context behavioral advertising) student contact data. We do not use student contact emails for marketing. We may use aggregate, de-identified statistics (not linked to any individual) to describe service performance, and we may send marketing communications to institutional contacts or website visitors who have opted in. We use only aggregate, de-identified statistics (not linked to any individual) for service insights and external reporting.

We may collect general location data solely to determine presence within a designated school zone. This is used to activate or deactivate school-directed functions within the app. The Commons does not use GPS tracking or collect continuous location information.

B. Rights

If you are a resident of California or any other state which has passed laws extending similar privacy laws to their consumers, you have rights under your respective states’ consumer privacy statutes:

Right of Access: You can access your collected personal information by contacting us at support@the-commons.app.
Right to correct, update, or delete: You can request to correct, update, or delete your personal information by contacting us at support@the-commons.app. We cannot make changes to or delete your information in some situations where it is necessary for us to maintain your information, for example if we need the information to comply with applicable law.
Right to Request Disclosure of Information Collected: Please contact us at support@the-commons.app to request further information about the categories of personal information we have collected about you, where we collected your personal information, and for what purpose we use your personal information.
Right to Disclosure of Information Sold or Shared and Right to Opt-Out of the Sale or Sharing of your Personal Information: You have the right to know what information of yours we have sold, and you have the right to opt-out of any sale of your information. We do not sell or share any of your information. If you have any questions about these rights, please contact us at support@the-commons.app.
Rights to Disclosure of Sensitive Information: You have a right to know how we collect, process, and disclose “Sensitive Personal Information” (SPI). SPI includes highly sensitive data such as: social security number; driver’s license; passport number; financial account information and log-in credentials; precise geolocation data; genetic data; and ethnic origin. We do not collect and process any SPI. Please note that Company does not directly collect payment information and is not a money-services business. If this functionality is made available in the Services, it is provided by an unaffiliated third party, and like any other third-party service, subject to their terms of use. Notwithstanding the foregoing, Company may send you invoices according to an applicable agreement between you and the Company. If you have any questions about the disclosure of SPI, please contact us at support@the-commons.app.
Right to Retention Details: You have a right to know the length of time we retain each category of Personal Information or if that is not feasible, the criteria we will use to determine that retention period. If you have any questions about this right or our data retention protocol, please contact us at support@the-commons.app. Company stores and retains data including Personal Information for so long as may be required under the terms of an applicable agreement, or for so long as may be required to comply with a legal obligation, resolve disputes, maintain security, prevent fraud and abuse, enforce our terms of service, or fulfill your request to “unsubscribe” from further messages from us. Questions regarding data storage, recovery, and deletion should be directed to: support@the-commons.app.
Right to Non-Discrimination: We do not and will not discriminate against you if you exercise your rights under the CCPA, CPRA, or any other state statute extending similar privacy rights to their consumers.

When you contact us regarding any of your rights, we will verify your identity before we provide any information. If you have any questions or comments about your rights, please contact us at support@the-commons.app.

VI. EXERCISING YOUR RIGHTS UNDER THE CCPA, CPRA, and other state privacy laws

A. Submitting a Request

To exercise the rights described in this Privacy Notice, please submit a verifiable consumer request to us via email to: support@the-commons.app.

Only you, or someone legally authorized to act on your behalf (if in California, the person legally authorized to act on your behalf must be registered with the California Secretary of State), may make a verifiable consumer request related to your Personal Information. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must provide sufficient information that allows Company to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, which may include the user’s:

First name;
Last name;
Email address; and
Any other information that the Company deems necessary.

Please describe your request with sufficient detail that allows Company to properly understand, evaluate, and respond to your request.

B. Verifying Requests

Company cannot respond to your request or provide you with Personal Information if Company cannot verify your identity or authority to make the request and confirm the Personal Information that relates to you. If Company cannot initially verify your identity or authority, Company will follow internal procedures to verify your identity and authority. Company attempts to respond to a verifiable consumer request within forty-five (45) days of its receipt. If Company requires more time (up to 45 days), Company will inform you of the reason and extension period in writing.

If you have an account with Company, Company will deliver Company’s written response to that account. If you do not have an account with Company, Company will deliver Company’s written response by mail or electronically, at your option.

Any disclosures Company provides will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response Company provides will also explain the reasons Company cannot comply with a request, if applicable. For data portability requests, and to the extent that Company is able, we will select a format to provide your Personal Information that is readily usable and should allow you to transmit the Personal Information from one entity to another entity. If we are not able to do so, we will let you know.

Company does not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If Company determines that the request warrants a fee, Company will tell you why Company made that decision and provide you with a cost estimate before completing your request.

If you have any questions or comments about your rights under the CCPA, CPRA, or any other state’s consumer privacy statute, please contact us at support@the-commons.app.

C. State Privacy Rights

You may have rights under your respective state’s consumer privacy statutes. The exact scope of these rights may vary by state to state. To exercise any of these rights, please contact us via email at support@the-commons.app.

VII. CONTACT US

To learn more about our privacy practices or this Privacy Notice, you may contact us at support@the-commons.app.