1. Introduction
Kyber Systems LLC ("KyberGate," "we," "us," or "our") operates the KyberGate platform, including KyberFilter and KyberPulse services. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our services.
We are committed to protecting student privacy and complying with the Family Educational Rights and Privacy Act (FERPA), the Children's Internet Protection Act (CIPA), the Children's Online Privacy Protection Act (COPPA), and applicable state privacy laws.
2. Information We Collect
2.1 School Administrator Information
Name, email address, school/district name, job title, and contact information provided during account creation and support interactions.
2.2 Student Browsing Data
When web traffic is routed through KyberGate, we collect: domain names, URLs, timestamps, content categories, filtering actions (allowed/blocked), and device identifiers. This data is used solely for content filtering, safety monitoring, and reporting.
2.3 Device Information
Device type, operating system, UDID (for MDM-managed devices), IP address, and network information necessary for filtering and device management.
2.4 Safety Monitoring Data
Search queries and browsing patterns that match safety keywords (self-harm, cyberbullying, violence, substance abuse) are flagged and stored as safety alerts. Only flagged content is retained; general browsing content is not stored.
3. How We Use Information
- Provide and maintain content filtering services
- Generate activity reports and analytics for school administrators
- Detect and alert on student safety concerns
- Enable classroom management features
- Improve our filtering accuracy and reduce false positives
- Provide technical support
- Comply with legal obligations including CIPA requirements
4. Data Sharing and Disclosure
We do not sell, rent, or trade student data to any third party. We may share information only in these limited circumstances:
- With your school/district: Administrators can access browsing logs, safety alerts, and device information for their organization.
- Service providers: We use industry-leading cloud infrastructure, email delivery, and billing service providers. These providers process data only as directed by us.
- Legal requirements: We may disclose information when required by law, subpoena, or court order, or to protect safety.
- Safety emergencies: We may disclose information to law enforcement or emergency services when we believe there is an imminent threat to student safety.
5. FERPA Compliance
KyberGate operates as a "school official" under FERPA with a legitimate educational interest in the data we process. We use student data only for the purposes specified by the school district. We do not use student data for advertising, marketing, or any purpose unrelated to providing our educational technology services.
6. COPPA Compliance
We do not knowingly collect personal information directly from children under 13. All student data is collected through the school's use of our services, with the school acting as the agent of consent under COPPA.
7. Student Data Privacy Pledge
KyberGate is committed to the Student Privacy Pledge. We pledge to:
- Not sell student personal information
- Not behaviorally target advertising to students
- Not build personal profiles of students other than for authorized educational purposes
- Not change privacy policies without notice and choice
- Not use student data for purposes other than those authorized by the school
- Enforce strict limits on data retention
- Support access to and deletion of data by authorized parties
- Maintain comprehensive data security standards
- Be transparent about data collection and use practices
We are aligned with the Student Privacy Pledge principles and are actively pursuing formal signatory status with the Future of Privacy Forum.
8. State Privacy Law Compliance
KyberGate is designed to comply with state student privacy laws, including but not limited to:
- New York Education Law §2-d: Student data privacy and security, parent bill of rights
- California (SOPIPA/CalOPPA): Student Online Personal Information Protection Act
- Illinois (ISSPA/BIPA): Illinois Student Online Personal Protection Act
- Connecticut PA 16-189: Student data privacy
- Colorado HB 16-1423: Student data transparency and security (see Section 9 below for detailed compliance)
We are willing to sign Data Processing Agreements (DPAs) with school districts as required by state law. Contact us at privacy@kybergate.com to request a DPA, or view our standard DPA.
9. Colorado Student Data Transparency Act (HB 16-1423)
KyberGate is committed to full compliance with the Colorado Student Data Transparency and Security Act (HB 16-1423). Our commitments include:
- Public Data Transparency Notice: This Privacy Policy serves as our public notice of the types of student personally identifiable information (PII) we collect, process, and store, and the purposes for which it is used.
- Data Processing Agreements: We will execute DPAs with Colorado school districts that include all terms required under HB 16-1423, including data governance and security provisions.
- Data Inventories: We provide data inventories upon request, detailing the specific student data elements collected, the purpose for collection, and any third parties with access.
- Data Deletion: Upon contract termination with a Colorado school district, we will delete all student personally identifiable information within 30 days, unless otherwise required by law.
- Breach Notification: In accordance with Colorado law, we will notify affected school districts within 30 days of discovering a data breach involving student PII (see also Section 12 for our 72-hour internal notification commitment).
10. Data Security
We implement robust, industry-leading security measures to protect student data:
- Encryption in Transit: All data transmitted between devices and our servers is encrypted using TLS 1.3.
- Encryption at Rest: All stored data is encrypted using AES-256 encryption (Google Cloud default).
- Access Controls: Access to student data is controlled via Firebase IAM under the principle of least privilege. Only authorized personnel with a documented need can access student data.
- API Authentication: All API endpoints require authentication. No unauthenticated access to student data is possible.
- Audit Logging: All data access is logged and auditable, including who accessed what data and when.
- Infrastructure Certification: Our infrastructure runs on Google Cloud (Firebase) with SOC 2 Type II certified data centers.
11. Data Retention
We retain data only as long as necessary to provide our services. Specific retention periods include:
- Browsing Logs: Default retention of 90 days, configurable by the school district from 30 to 365 days.
- Safety Alerts: Retained for the school year plus 60 days to support end-of-year reviews and reporting.
- Screenshots: Automatically deleted after 24 hours.
- Account Data: Retained for the duration of the subscription. Deleted within 30 days of contract termination.
- On-Demand Deletion: School districts may request immediate deletion of any or all data at any time by contacting privacy@kybergate.com.
12. Data Breach Notification
In the event of a confirmed data breach affecting student data, KyberGate will:
- Notify affected school districts within 72 hours of discovering a confirmed breach.
- Provide details of the nature of the breach and what data was affected.
- Describe the remediation steps being taken to contain and resolve the breach.
- Designate a point of contact for ongoing communication.
- Cooperate with the school district's incident response procedures.
For Colorado school districts, notification will also comply with the requirements of HB 16-1423, which requires notification within 30 days. Our 72-hour internal commitment exceeds this statutory requirement.
13. Sub-Processors and Third-Party Services
We use the following sub-processors to deliver our services. Each sub-processor is bound by contractual obligations to protect student data:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Google Cloud Platform (Firebase) | Hosting, database, authentication, cloud functions | US data centers |
| Stripe | Payment processing | US |
| Resend | Transactional email delivery | US |
| DigitalOcean | Proxy server infrastructure | US regions |
| Vultr | Proxy server infrastructure | US, EU, Middle East regions |
No sub-processor has access to student browsing data except as strictly needed for infrastructure operations (e.g., network routing). Student data content is encrypted and not accessible to sub-processors.
14. Data Location
All student data is stored and processed in the United States. Our core infrastructure (database, authentication, cloud functions, dashboard) is hosted on Google Cloud Platform in US data centers.
Proxy servers for web filtering operate in US regions: New York City, Atlanta, Chicago, Dallas, San Francisco, and Los Angeles. For international schools, optional proxy regions are available in London and Tel Aviv. International proxy servers process traffic in transit only; all persistent student data remains stored in the United States.
15. Parent and Guardian Rights
We respect the rights of parents and guardians to understand and control how their child's data is used:
- Access: Parents can request access to their child's browsing data and safety alerts through their school district. The school district controls access to student records under FERPA.
- Parent Portal: Where enabled by the school, we support parent portals that give parents direct visibility into their child's filtered browsing activity and safety alerts.
- Deletion: Parents may request deletion of their child's data by contacting their school district, which will coordinate with us to fulfill the request.
16. Your Rights
School administrators can access, export, and delete their organization's data at any time through the KyberGate dashboard. Parents may request access to their child's data through their school district. For data deletion requests, contact us at privacy@kybergate.com.
17. Contact Us
If you have questions about this Privacy Policy, please contact us at:
Kyber Systems LLC
Email: privacy@kybergate.com
Email: info@kybergate.com