Privacy Policy

Privacy practices built for districts and families.

Effective Date: April 1, 2026 | Last Reviewed: April 29, 2026

FERPA Compliant
COPPA Compliant
Student Data Privacy Consortium
No Data Selling. Ever.
01 — Overview

Privacy for school communities and website visitors

Effective Date: April 1, 2026 | Last Reviewed: April 29, 2026

This Privacy Policy describes how K12 ARLO LLC (“Arlo,” “we,” ”us,” or “our”) collects, uses, and shares information. It covers both our public-facing website and the Arlo platform used by school districts and other educational agencies.

The policy is divided into two parts:

  • Part 1 – Website Privacy Policy: how we handle information collected from visitors to k12arlo.com and individuals who interact with us as prospective or current customers.
  • Part 2 – Services Privacy Notice: how we handle information about students, teachers, and other school users through our Services. We process that information solely on behalf of our District customers under the terms of our agreements with them.

Districts retain ownership of their data. If there is a conflict between this Notice and a signed Data Privacy Agreement (DPA), the DPA controls.

02 — Information We Collect

What we collect

We collect different categories of information depending on whether we are serving website visitors or District customers using the Arlo platform.

Website and business contact information

  • Contact details: name, organization, role, email address, phone number, and related information provided when requesting a demo, contacting us, or subscribing to communications.
  • Communications: message content, support requests, feedback, and other correspondence.
  • Marketing preferences: opt-in status and preferences for receiving our emails.
  • Device and usage data: IP address, browser type, operating system, pages viewed, referring URL, and roughly estimated location derived from IP.

Services data for District users

When we provide the Arlo platform, we may process the following categories of information on behalf of our District customers:

  • Identifiers: name, email, school and district name, District-assigned student or staff IDs, state IDs, Arlo-assigned user IDs, app username, and password.
  • Roster and enrollment: grade level, school enrollment, homeroom, schedule, teacher names, curriculum programs, and graduation year.
  • Demographics: date of birth, place of birth, gender, ethnicity/race, language status, ELL status, low-income status, IEP/504 status, and similar indicators provided by the District.
  • Attendance and assessment: attendance records, standardized test scores, observation data, and other District-provided assessment information.
  • Behavior and support records: conduct incident records, intervention plans, progress notes, referrals, counseling notes, and related workflow data.
  • Student-generated content: student work, uploads, posts, survey responses, and in-platform communications.
  • Parent and guardian contacts: names, addresses, emails, phones, and relationships to students.
  • Health-related flags: medical alerts, health notifications, and similar education support information.
  • Technical metadata: IP address, device type, browser type, log data, pages or features accessed, and other system-generated usage data.

A complete list of data elements collected by the Arlo platform is maintained in the Schedule of Data (Exhibit B) attached to each District’s DPA and is available upon request.

03 — How We Use It

Why we collect information

We use information collected through our website and Services to operate, improve, and support our business and products.

Website uses

  • Operate, maintain, and improve our website.
  • Respond to inquiries, demo requests, and support questions.
  • Send service-related communications and, with permission, marketing emails.
  • Analyze website usage to improve content and offerings.
  • Comply with legal obligations and enforce our terms.

Services uses

  • Provide, maintain, and support the Services contracted for by the District.
  • Communicate with authorized users, respond to support requests, and notify users of service issues.
  • Analyze, improve, and develop the Services, including through de-identified or aggregated data.
  • Comply with applicable law, contractual obligations, and District instructions.

We do not use student data for targeted advertising, profiling, or any commercial purpose beyond providing the Services to the District.

04 — How We Share It

Who we share information with

We share information only as necessary to support our website and Services.

  • Service providers: vendors that help us operate our business, such as hosting, analytics, email delivery, and CRM providers. These providers are bound by confidentiality and data protection obligations.
  • Districts: authorized District users have access to data pertaining to their students, staff, and schools.
  • Authorities and legal process: when required by law, subpoena, warrant, or to protect our rights and the safety of others.
  • Business successors: in connection with a merger, acquisition, or sale of assets, with a requirement that the successor honor our commitments under this policy and any applicable DPA.
  • Health or safety disclosures: only when an authorized District employee invokes FERPA health-or-safety emergency provisions, or as otherwise permitted by law.

We do not sell information collected through our website or the Services.

05 — Student Data

How we handle student information

When we provide the Arlo platform, our District customers are the controllers of student and educational data, and we act as a service provider or processor on their behalf.

With respect to FERPA-regulated data, we operate as a “school official” performing functions the District would otherwise perform under District control. We use educational data only for purposes authorized by the District and this policy.

Districts retain ownership of their data. In the event of a conflict between this Notice and a signed DPA, the DPA controls.

COPPA

We may process information for students under 13 only where the District has authorized collection on behalf of parents or guardians consistent with COPPA and applicable state law. Districts are responsible for required notices and parental consent.

What we will not do

  • Sell student data or any information processed through the Services.
  • Use student data for targeted advertising or to build a profile for non-educational purposes.
  • Disclose student data except as described in this Notice or as directed by the District.
  • Use student data for any commercial purpose other than providing the Services to the District.
06 — Retention

How long we keep data

We retain information processed through the Services as long as the District has an active agreement with us, or as otherwise instructed by the District.

Upon written request or at contract termination, we will dispose of or return all student data within sixty (60) days, in accordance with our DPA. The District may provide special disposition instructions at any time, such as deleting data for graduating students.

Our standard retention and destruction schedule is available to Districts upon request.

07 — Security

How we protect your data

Our security program is aligned with the NIST Cybersecurity Framework (NIST CSF) 2.0, organized around Govern, Identify, Protect, Detect, Respond, and Recover.

  • Governance: written security policies, defined roles, and management oversight.
  • Risk identification: asset inventories, periodic risk assessments, and subprocessor review.
  • Protective controls: encryption in transit and at rest, role-based access, multi-factor authentication for administrative access, least privilege, confidentiality agreements, and security awareness training.
  • Detection: logging, monitoring, and vulnerability scanning to identify suspicious activity.
  • Response: a written incident response plan with defined roles, communications, and breach workflows.
  • Recovery: regular backups and procedures for restoring service and data after an incident.

We conduct security audits or assessments at least annually and after any breach. Audit reports are available to Districts on request, subject to confidentiality.

All Services data is hosted in the United States. We do not store or transfer Services data internationally.

08 — Your Rights

What rights you have

Website visitors may unsubscribe from marketing emails at any time using the link in our emails. You may also contact us to request access to, correction of, or deletion of your personal information, subject to applicable law.

Districts are responsible for responding to requests from parents, guardians, and eligible students regarding educational records. If we receive a direct request, we will refer it to the District and support the District in responding in accordance with FERPA and applicable state law.

We will generally respond to verified requests within thirty (30) days or within the timeframe required by applicable law.

09 — Contact

How to contact us

If you have questions about this Privacy Policy or our handling of personal information, please contact:

K12 ARLO LLC
Attention: Privacy Officer

Questions?

We're here to help

Privacy questions, data requests, or DPA inquiries — reach out directly to our team.

Email Privacy