Privacy Policy
allk12 ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit https://allk12.com (the "Website"). By using the Website, you consent to the practices described in this policy.
1. Information We Collect
Information You Provide
- Name, email address, and username (account registration)
- Passwords (stored in hashed form only)
- Profile information you choose to share
- Posts, comments, school ratings, and any images you submit
- Newsletter subscriptions and unsubscribe selections
- School request submissions and communications you send us
Information Collected Automatically
- IP address and approximate location (country or region)
- Browser type and version, device type, operating system
- Pages viewed, time on site, and interaction data
- Referring website or traffic source
- Cookies and similar tracking technologies
Information from Third-Party Authentication
If you register or log in using Google or Facebook, we receive limited profile data (name, email address, profile picture URL) in accordance with the provider's policies. We do not access private content, contacts, or unrelated account data.
Automatic Newsletter Enrollment on Signup
When you create an allk12 account, your email address is automatically added to our newsletter list so you can receive periodic updates about new features, site news, and highlights from school communities. You can unsubscribe at any time using the one-click link in any newsletter email or from your account Settings page. Unsubscribing from the newsletter does not affect transactional emails (account verification, password resets, replies, and moderation notices), which are required for the service to function.
2. How We Use Your Information
- Create and manage user accounts
- Operate, maintain, and improve the platform
- Surface relevant school communities and personalize your experience
- Deliver transactional emails, notifications, and newsletter updates
- Display advertisements (where enabled) via approved ad networks
- Analyze usage patterns and platform performance
- Detect and prevent fraud, abuse, and spam
- Comply with legal obligations
We do not sell your personal information to third parties.
3. Children's Privacy (COPPA)
allk12 covers US K-12 schools, which means some of our audience may be under 13. We comply with the Children's Online Privacy Protection Act (COPPA). Users under 13 must have verifiable parental consent before creating an account. We do not knowingly collect personal information from children under 13 without such consent. If you believe a child under 13 has created an account without parental consent, contact us at [email protected] and we will delete the account and associated data.
4. Legal Basis for Processing (GDPR / UK GDPR)
For users in the European Economic Area (EEA) and the United Kingdom, we process data based on: performance of a contract (providing the service); legitimate interests (security, analytics, platform improvement); legal compliance; and consent where required.
5. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights:
- Right to Know. Request disclosure of what personal information we collect, use, and share about you.
- Right to Access. Request a copy of the personal information we hold about you.
- Right to Delete. Request deletion of your personal information, subject to certain legal exceptions.
- Right to Correct. Request correction of inaccurate personal information.
- Right to Opt-Out of Sale. We do not sell personal data. You do not need to opt out.
- Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.
Requests may be submitted at [email protected] or via our Data Deletion page. We will respond to verifiable requests within 45 days.
6. Cookies, Analytics, and Tracking
We use the following categories of cookies and similar tracking technologies:
- Essential (strictly necessary): session cookie (ak12_session) for authentication, theme preference (ak12_theme), and CSRF / security tokens. These cannot be disabled without breaking the service.
- Analytics: aggregated traffic, page-view, and performance metrics via Google Analytics (where enabled by site configuration). These are used to understand usage patterns in aggregate, not to identify individuals.
- Advertising: where ads are enabled, our approved ad networks may set cookies to serve and measure ads. We do not permit cross-site behavioral profiling of minors.
You can disable non-essential cookies through your browser settings or, in jurisdictions that require it, via a cookie consent banner. Disabling essential cookies will impair core functionality (you will be logged out).
Do Not Track and Global Privacy Control
We honor the Global Privacy Control (GPC) signal as an opt-out of sharing personal information for cross-context behavioral advertising where applicable. We do not separately respond to Do-Not-Track (DNT) browser signals at this time because there is no industry consensus on implementation.
7. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Policy or as required by law. Typical retention windows:
- Account data (email, username, profile): while your account is active, plus up to 30 days after deletion to allow recovery from accidental deletion and to complete abuse investigations.
- Posts, comments, ratings: indefinitely as part of the public discussion archive. On account deletion, authorship is replaced with a "[deleted]" placeholder and post/comment bodies may be redacted per our Data Deletion flow.
- Newsletter subscriber records: until you unsubscribe, plus a suppression record (hashed email) retained indefinitely to honor your unsubscribe.
- Server logs, audit logs, rate-limit records: typically 30 to 90 days, longer if retained as part of a security investigation.
- Email delivery logs: retained by our email provider per their policy (typically 30 days).
- Aggregated, anonymized analytics: may be retained indefinitely.
8. Security
We use reasonable administrative, technical, and organizational safeguards designed to protect personal data, including TLS in transit, password hashing with bcrypt, role-based access controls on administrative systems, private-network-only database connectivity, at-rest storage on provider-managed volumes, Cloudflare-fronted origin, and audit logging for administrative actions. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.
9. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users without undue delay, and in any case within the timeframes required by applicable law (for example, within 72 hours for GDPR-covered breaches, or as required by state breach-notification laws in the United States). Notifications will describe the nature of the breach, the categories of data involved, the likely consequences, and the measures we are taking in response.
10. Third-Party Services
We rely on the following categories of processors to operate the service. Each processor handles data under its own published policies, and we share only the minimum data necessary:
- Hosting / infrastructure (Hetzner, Cloudflare): server hosting, DDoS protection, CDN, and DNS.
- Email delivery (Resend): transactional and newsletter email sending.
- Authentication providers (Google, Facebook): identity verification when you choose to sign in with their account.
- Object storage / CDN (Cloudflare R2): user-uploaded images (avatars, blog heroes, rich-text images).
- Analytics (Google Analytics, where enabled): aggregate traffic measurement.
- Anti-abuse (Cloudflare Turnstile, where enabled): challenge-response to block automated abuse.
We do not sell your personal information to third parties, and we do not share personal information with third parties for their own marketing purposes.
11. International Data Transfers
Our primary infrastructure is located in the European Union (Hetzner, Germany). If you access the Website from another country, your personal information may be transferred to, stored in, and processed in the European Union and, where our processors operate globally, in the United States and other jurisdictions. Where required by law, we rely on Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms. By using the Website, you consent to such transfers to the extent permitted by applicable law.
12. Your Choices
- Unsubscribe from newsletters: one-click via any newsletter email, or via Settings.
- Update your profile: via Settings.
- Delete your account: via the Data Deletion page.
- Disconnect a social account: contact [email protected], or delete your account and register with email/password.
13. Limitation of Our Responsibility for Third-Party Content and Links
The Website aggregates publicly available data (from NCES, US Census ACS, and similar sources) and hosts user-submitted content. We are not responsible for the accuracy, completeness, or timeliness of third-party data or user-submitted content, and aggregated statistics or community posts should not be treated as official records of any school or agency. External links are provided for convenience only; we do not endorse, control, or assume responsibility for the content, privacy practices, or security of external sites. Please review the privacy policy of any third-party site before providing personal information.
14. No Guarantee of Service
We make no guarantee that the Website will be continuously available, error-free, or that any specific feature will be retained. To the fullest extent permitted by law, we disclaim liability for any inconvenience, loss, or damages arising from service interruptions, data loss, or changes to the platform. See our Terms of Service for warranty disclaimers and limitation-of-liability provisions that apply to this Policy.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and may provide additional notice (such as an email or in-site banner). Continued use of the Website after changes are posted constitutes acceptance of the updated Policy.
16. Contact
Privacy questions or rights requests: [email protected]. General contact: [email protected]. We aim to acknowledge privacy requests within ten (10) business days and respond substantively within forty-five (45) days, with a possible extension of another forty-five (45) days where permitted by law.