ChapterOps

Privacy Policy

Effective date: May 12, 2026

1. Who we are

ChapterOps is a chapter management and competition trip operations platform built for CTSO advisors (DECA, FBLA, HOSA, SkillsUSA, BPA, FCCLA, TSA, FFA, and similar organizations). When we say “ChapterOps,” “we,” “us,” or “our,” we mean the team operating the ChapterOps service. Questions? Email ben@chapterops.com.

2. Who this policy covers

This policy applies to four groups of people:

  • Advisors — teachers or staff who create and manage a ChapterOps chapter account.
  • Members (students) — chapter members who are invited to create an account or whose records are managed by an advisor.
  • Parents / guardians — parents or guardians who access the parent portal or sign permission slips.
  • Chaperones — adults who accompany trips and access the chaperone dashboard via a scoped token.

3. What data we collect and why

Advisors

  • Account data: name, email, password (hashed by Supabase Auth). Used to authenticate you and associate you with your chapter.
  • 2FA tokens: stored by Supabase Auth if you opt in.
  • Chapter metadata: school name, state, CTSO type, chapter settings. Used to configure the chapter experience.
  • Audit log entries: records of privileged actions (roster edits, year rollover, data exports). Retained indefinitely for accountability.

Members (students)

  • Identity: first name, last name, grade, email. Required to build your chapter roster.
  • Contact: parent email, parent phone, home address. Used for permission slips and emergency communication.
  • Trip participation: trip assignments, room/bus, payment status, permission slip signature, check-in timestamps.
  • Competition data: event assignments, results, eligibility status.
  • Attendance: meeting check-in records.
  • Health and safety (sensitive): dietary restrictions, allergies (plain text, encryption at rest); medical notes (app-layer AES-256-GCM encrypted when the operator has configured an encryption key). Only advisors, the member themselves, and chaperones on shared trips can access health fields. Officers cannot.
  • Eligibility notes: advisor-entered notes on why a member is or is not eligible for competition (app-layer AES-256-GCM encrypted when the operator has configured an encryption key). We will not enable production access for any chapter without confirming the key is set.
  • Photo: optional, parent-uploaded only. Visible only on the emergency screen, the parent portal, and to chaperones during a shared trip.
  • SMS consent: phone number and timestamp of consent. Collected at permission-slip signing or first login. Required before any SMS is sent.
  • Date of birth: collected to enforce our minimum age requirement (see COPPA section).

Parents / guardians

  • Contact: email, phone (from advisor import or parent self-entry).
  • Permission slip data: e-signature, timestamp, IP address, or uploaded scan for wet signatures.
  • Payment: Stripe processes payment card details directly. We receive only payment status and transaction metadata — never raw card numbers.

Chaperones

  • Email: provided by the advisor to send the token link.
  • Access log: recorded when the chaperone token is used. Token expires when the trip ends.

4. How data is stored

All chapter data is stored in Supabase (Postgres database + file storage), hosted in the United States. Supabase encrypts data at rest by default. Sensitive medical and eligibility notes are encrypted at the application layer using AES-256-GCM when the operator has configured an encryption key. We will not enable production access for any chapter without confirming the key is set. Uploaded files (permission slips, member photos) are stored in Supabase Storage with per-file access control.

All data is transmitted over TLS. Chapter data is isolated by row-level security (RLS) — advisors and members can only access data belonging to their own chapter.

5. Who we share data with

We do not sell your data. We share data only with the sub-processors necessary to operate ChapterOps. See our Security & Sub-processors page for the full list and what each processor receives.

We may disclose data if required by law, court order, or to protect the safety of students or staff.

6. Your rights — access, correction, and deletion

Parents, guardians, students, and advisors may submit any of the following requests using our Data Request page or by emailing ben@chapterops.com:

  • Access / copy: receive a machine-readable copy (CSV or JSON) of all personal data we hold about you or your child. We fulfill access requests within 45 days (extendable by 45 days for complex requests).
  • Correction: request correction of inaccurate records. We fulfill correction requests within 30 days.
  • Deletion: request deletion of your data or your child's data. We fulfill deletion requests within 45 days. Backup data may be retained for up to 30 additional days after deletion from live systems before the backup rotation cycle purges it.

Chapter advisors may delete their chapter and all associated data by contacting us (full in-app chapter deletion is planned for a future release).

7. Retention

We retain chapter data while an account is active to support year-over-year reporting and audit requirements for advisors. Chapters inactive for more than 24 months will receive a deletion notice; student data will be purged after a 90-day grace period. When a chapter is deleted, we purge associated member, trip, and messaging data within 30 days. Audit log entries — with any student PII replaced by anonymized identifiers — are retained for an additional 12 months after deletion for accountability purposes.

8. COPPA — Children under 13

ChapterOps hard-blocks member account creation for anyone under 13 years old. Advisors may still maintain records for under-13 members, but those members cannot sign in or receive an account invitation. Parent portal access (token-based, no account required) remains available for parents of under-13 children.

We do not knowingly collect personal information directly from children under 13. For advisor-managed records of under-13 members, data collection is authorized by the school acting as COPPA operator proxy under the executed DPA. Advisors should enter health and medical data for under-13 students only when necessary for trip safety.

If you believe a child under 13 has created an account without authorization, contact us immediately at ben@chapterops.com and we will delete it within 5 business days.

8a. COPPA — Parental rights

If your child's records are maintained in ChapterOps by their school advisor, you have the following rights as a parent or guardian:

  • Review: request a copy of all personal information we hold about your child. Email ben@chapterops.com with subject “COPPA Review Request.” We will respond within 30 days.
  • Correction: request correction of inaccurate information. We will work with the chapter advisor to correct records within 30 days.
  • Deletion: request deletion of your child's information. Submit a request on our Data Request page. We will fulfill within 45 days and confirm by email.
  • Opt out of SMS: reply STOP to any ChapterOps text or contact us to remove your child's phone number from our SMS list.

ChapterOps relies on the school (the chapter advisor's employing institution) as the COPPA “operator proxy” for advisor-managed student records. The DPA between ChapterOps and the district documents this authorization. Parents who have questions about how their district authorized ChapterOps should contact their district data privacy officer.

9. FERPA

ChapterOps is designed to operate as a “school official” under FERPA when a school district has executed a Data Processing Agreement (DPA) with us. In that context, the school or district — not ChapterOps — is the record custodian. Advisors are responsible for ensuring that their use of ChapterOps complies with their district's student data policies.

If your district requires a DPA before permitting use, you can download our DPA template on the DPA page.

FERPA parent-access and amendment procedure

The student records maintained in ChapterOps (competition results, attendance, eligibility determinations, health and contact data) qualify as “education records” under FERPA when maintained by a school-official vendor. Parents of students under 18 (and eligible students 18 or older) have the right to:

  • Inspect and review: request access to your child's education records held in ChapterOps within 45 days of the request.
  • Request amendment: if you believe records are inaccurate or misleading, you may request amendment by emailing ben@chapterops.com. We will refer amendment requests to the chapter advisor, who is the record-keeper of record. If the amendment is denied, you may request a hearing through your school district per FERPA procedures.
  • Consent to disclosure: ChapterOps does not disclose student education records to non-school-official third parties without parental consent, except as permitted by FERPA (e.g., court order, health/safety emergency).

To understand whether your district has issued a FERPA directory-information notice that covers the data fields collected by ChapterOps (name, grade, email), contact your district data privacy officer before your advisor imports student records.

10. SMS consent

We send SMS messages only to individuals who have explicitly opted in. Opt-in occurs at permission-slip signing (parents) or first login modal (members). SMS messages sent by ChapterOps are transactional in nature: trip reminders, bus times, permission-slip alerts, and emergency notifications. ChapterOps does not send marketing SMS. You can opt out at any time by replying STOP to any ChapterOps text message. Message and data rates may apply. Consent is recorded along with the consent source and, where possible, the IP address at the time of opt-in.

11. Cookies and analytics

ChapterOps uses cookies necessary for authentication (session cookies set by Supabase Auth). We do not use third-party advertising cookies or cross-site tracking. Sentry may set a session identifier used only for error correlation — this does not personally identify you and is not used for advertising. See our Cookie Policy for the full list of cookies we set.

11a. California residents — Do Not Sell or Share

ChapterOps does not sell or share your personal information with third parties for cross-context behavioral advertising. California residents may submit a CCPA request (access, deletion, or opt-out of sale/sharing) using our Data Request page or by emailing ben@chapterops.com with subject “CCPA Request.” We will respond within 45 days (extendable by 45 days with notice). No account is required to submit a request. We will not discriminate against you for exercising your CCPA rights.

12. International users

ChapterOps is designed for US schools and primarily serves advisors, students, and parents located in the United States. We do not affirmatively direct our services at users in the European Economic Area (EEA), United Kingdom, or Switzerland. If you are accessing ChapterOps from outside the US (for example, a student on an exchange program), please be aware that your data will be stored in the United States. By using ChapterOps, you consent to this transfer. If you believe GDPR applies to your use, contact ben@chapterops.com.

13. Changes to this policy

We will update this page when our practices change and update the effective date at the top. For material changes that affect student data, we will notify advisors by email at least 30 days before the change takes effect.

14. Contact

For privacy questions, data access requests, or deletion requests:
Email: ben@chapterops.com
Subject line: “Privacy Request”