Legal & Privacy
Privacy Policy
Section 01
Overview
VarsitySync (“we,” “our,” or “us”) provides a digital signage platform that allows users to upload media and display it on screens using Apple TV, Fire TV, web browsers, and other compatible devices through a simple access code system.
This Privacy Policy explains how we collect, use, store, and protect information across all VarsitySync platforms and services. By creating an account or using VarsitySync, you agree to the practices described in this policy.
The safest data is the data we never collect. VarsitySync is intentionally designed to minimize data collection. We do not require student accounts, do not track viewers, and do not collect personal information directly from students. Schools may upload content that includes student information, and VarsitySync acts solely as a storage and display platform for that content. Our platform is a content display tool — not a data platform.
Section 02
Information We Collect
What we collect depends on how you interact with VarsitySync. We describe each category below.
A. Account Information (Web Platform Only)
When you create an account at varsitysync.com, we collect:
| Data Type | Purpose | Collected |
|---|---|---|
| Name | Account identification | Yes |
| Email address | Login, notifications, support | Yes |
| Password | Authentication (securely hashed — never stored in plain text) | Yes |
| Account role | Access control (e.g. teacher, admin, coach) | Yes |
B. Media Content
Users may upload images (PNG, JPEG) and videos (MP4) to the platform. We store the file data and metadata (file name, size, upload date) for the purpose of delivering that content to authorized display devices.
We do not analyze, mine, sell, or use uploaded media content for any purpose other than delivering it to your authorized displays.
C. Device & Usage Data
To operate and secure the platform, we may collect:
| Data Type | Purpose |
|---|---|
| Device type (Apple TV, Fire TV, browser) | Display compatibility and troubleshooting |
| Anonymous screen identifiers | Active screen tracking and plan enforcement |
| IP address | Security, abuse prevention, and fraud detection |
| Basic usage logs (display access, heartbeats) | Performance monitoring and system reliability |
D. Payment Information
All payments are processed by Stripe, a PCI-DSS compliant payment processor. VarsitySync does not store or have access to your credit card number or banking information.
We retain only: customer email, subscription plan, and transaction reference IDs — the minimum required for billing management and support.
E. Apple TV App — No Personal Data Collected
The VarsitySync tvOS application does not collect personal information from users. It operates using only a display code that tells the app which media files to load. No account credentials, user details, or identifiers are transmitted through the Apple TV app.
F. What We Never Collect
| Data Type | Collected |
|---|---|
| Student personally identifiable information collected directly from students | Never directly |
| Student academic records, grades, health records, or education files | Never |
| Behavioral tracking or profiling data | Never |
| Location data | Never |
| Biometric data | Never |
| Social security numbers | Never |
| Government-issued ID numbers | Never |
| Medical or health records | Never |
| Credit card or banking information | Never |
Section 03
How We Use Information
We use the information we collect only for the following purposes:
- Providing, operating, and maintaining the VarsitySync platform
- Authenticating users and managing accounts
- Delivering uploaded media to authorized display devices
- Enforcing plan limits (screens, storage, projects)
- Processing subscriptions and managing billing through Stripe
- Monitoring and improving system performance and reliability
- Preventing abuse, fraud, and unauthorized access
- Responding to support requests
We do not sell user data to third parties. We do not use user data for advertising. We do not build behavioral profiles of our users.
Section 04
Data Storage & Security
We implement industry-standard technical and organizational measures to protect your data:
| Measure | Details |
|---|---|
| Encryption in transit | HTTPS across all endpoints — all data transmitted to and from VarsitySync is encrypted |
| Authentication | Secure login with hashed passwords — plain-text passwords are never stored |
| Access controls | Role-based access control — account-protected editing, no public write access |
| Media storage | Backblaze B2 cloud storage (SOC 2 Type II, ISO 27001, HECVAT documentation available) |
| Payment processing | Stripe (PCI-DSS compliant) — VarsitySync does not store card data |
| Platform hosting | GoDaddy managed infrastructure with continuous monitoring |
No system is 100% secure. While we work hard to protect your data, we cannot guarantee absolute security. We actively monitor and continuously improve our security practices.
Section 05
Data Retention
We retain data only as long as necessary to provide our services or as required by law:
| Data Type | Retention Period |
|---|---|
| Account data (name, email, role) | Retained while account is active. Deleted within 30 days of account cancellation upon request. |
| Media files (images, videos) | Retained until deleted by the user or until account cancellation. |
| Usage logs | Retained for up to 90 days for diagnostics and security purposes, then purged. |
| Billing records | Retained for 7 years as required for financial, legal, and tax compliance. |
| Display codes and device sessions | Active session data retained while in use. Cleared on disconnect or account cancellation. |
Users may request account deletion at any time by contacting support@varsitysync.com. We will process deletion requests within 30 days.
Section 06
Data Sharing
We share data only with the third-party services that are strictly necessary to operate VarsitySync:
| Subprocessor | Purpose | Compliance |
|---|---|---|
| Stripe | Payment processing and subscription management | PCI-DSS compliant |
| Backblaze B2 | Cloud storage for uploaded media files | SOC 2 Type II, ISO 27001, HECVAT |
| GoDaddy | Platform hosting and infrastructure | Managed infrastructure |
We do not sell data. We do not share data for advertising purposes. We do not provide data to any third party unrelated to the operation of VarsitySync.
Section 07
Platform Behavior (Important for IT Review)
VarsitySync operates as a code-based display system. Understanding how the platform works technically is important for IT directors and procurement reviewers:
| Behavior | Detail |
|---|---|
| Display access | Screens are accessed via short, unique codes — not open URLs |
| Viewer interaction | Display devices are read-only — viewers cannot submit, upload, or input data |
| Content editing | Requires authenticated login — no anonymous editing is possible |
| Student accounts | Not required — students never create accounts or log in |
| Data collection from viewers | None — viewers are not tracked, identified, or profiled |
| Third-party tracking | No analytics, advertising, or tracking scripts embedded in display output |
Section 08
Data Breach Policy
In the unlikely event of a data security incident, VarsitySync will:
- Investigate immediately — all available resources will be directed to assessing the scope and impact of the incident
- Notify affected users within 72 hours of discovery, where feasible — notification will be sent via the email address on file
- Take corrective action — all necessary steps to contain, remediate, and prevent recurrence
- Comply with all applicable legal reporting requirements — including state breach notification laws and any applicable federal requirements
If notification within 72 hours is not feasible due to the nature or complexity of the incident, we will notify as soon as reasonably possible and provide the reasons for delay.
Section 09
FERPA & School Use
This section is written specifically for school procurement and IT review. It addresses the questions most commonly asked by district technology officers and privacy coordinators.
Does VarsitySync collect or store student data?
VarsitySync is not designed to collect personal information directly from students or to operate as a student information system. Schools may choose to upload content that includes student information — such as recognition displays or event announcements — and in those cases VarsitySync acts solely as a storage and display platform while the school remains responsible for permissions and legal compliance.
VarsitySync does not connect to or receive data from student record systems. Students do not create accounts, do not log in, and do not submit any information through the platform.
What data does VarsitySync actually handle in a school context?
| Data Type | Handled by VarsitySync |
|---|---|
| Staff account information (email, name) | Yes — account holders only |
| Uploaded media (slides, graphics, videos) | Yes — school-controlled content |
| Student academic records, grades, or education files | Never — VarsitySync has no connection to academic record systems |
| Student personally identifiable information | Not collected directly from students; may appear only in school-uploaded content controlled and managed by the school |
| Student behavioral data | Never |
| Viewer data from display screens | Never collected |
School responsibility for uploaded content
Schools control all content uploaded to VarsitySync. VarsitySync is intended for general informational displays such as announcements, event promotions, athletic content, menus, and schedules.
If schools upload content featuring student names, photos, or other identifying information (for example, “Player of the Game” recognition slides), the school is responsible for ensuring:
- Appropriate parental or guardian consent has been obtained in accordance with FERPA and applicable state law
- The content qualifies as permissible “directory information” disclosure or has explicit written consent
- The school’s own FERPA policies and annual notifications cover such use
VarsitySync stores uploaded content securely and does not access, analyze, or share it beyond what is necessary to display it on authorized screens.
FERPA alignment
Because VarsitySync does not collect or solicit student records directly, does not integrate with SIS systems, and does not track or profile students, it typically falls outside the scope of FERPA-regulated systems. Schools using VarsitySync solely for staff-managed display content operate with minimal FERPA risk exposure from the platform itself.
Data Processing Agreements
VarsitySync supports school procurement by providing Data Processing Agreements upon request. Schools and districts may contact us at support@varsitysync.com to initiate a DPA or to request HECVAT documentation for vendor review.
Bottom line for IT directors
- VarsitySync is not intended for sensitive student data and does not operate as a repository for education records, grades, health records, or student files
- VarsitySync does not collect personal information directly from students
- VarsitySync does not process educational records as a student information system
- VarsitySync functions as a storage and display platform — schools control and are responsible for all uploaded content
- Display access requires no student accounts or logins
- DPAs and HECVAT documentation available upon request
Section 10
Children’s Privacy (COPPA) Updated 2026
VarsitySync is not directed to children and is not intended for direct use by children under 13. The platform is designed for use by adult staff, administrators, teachers, and coaches who manage display content.
What about students who view screens?
Students may view content displayed on screens in school hallways, gyms, cafeterias, and other locations. In those cases:
| Scenario | Personal Data Collected from Student Viewer |
|---|---|
| Student walks past a display screen | None |
| Student views a display URL in a browser | None |
| Student sees their name on a slide uploaded by school staff | None — display is read-only; VarsitySync does not collect viewer data |
| Student creates a VarsitySync account | Not applicable — accounts are for staff only |
VarsitySync does not collect personal information directly from students who view displays. Viewing requires no account, no login, and no data submission. Schools may upload content containing student names or images; in those cases the school controls that content and is responsible for applicable consent and compliance obligations.
We do not knowingly collect personal information directly from children under 13. If we become aware that personal information from a child under 13 has been inadvertently collected through our account registration process, we will take prompt steps to delete it.
Section 11
Your Rights
Account holders have the following rights with respect to their personal data:
| Right | How to Exercise |
|---|---|
| Access — view the personal data we hold about you | Email support@varsitysync.com |
| Correction — update inaccurate or incomplete information | Update in account settings or email support |
| Deletion — request deletion of your account and associated data | Email support@varsitysync.com |
| Data portability — request a copy of your data in a portable format | Email support@varsitysync.com |
| Objection — object to specific uses of your data | Email support@varsitysync.com |
We will respond to all data rights requests within 30 days. Deletion requests apply to personal data not required to be retained for legal, financial, or tax compliance purposes. Billing records retained under legal obligation are excluded from deletion requests but remain protected under this policy.
VarsitySync does not sell or share personal information as defined under the California Consumer Privacy Act (CCPA/CPRA) or any applicable state privacy law. No opt-out mechanism is required because we do not engage in the sale or sharing of personal data.
Users in certain states (including California, Virginia, Colorado, and other jurisdictions with applicable privacy laws) may have additional rights beyond those listed above. Where applicable local law provides greater protections, those protections apply.
Section 12
Changes to This Policy
We may update this Privacy Policy from time to time as our platform evolves or legal requirements change. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page
- Send an email notification to all active account holders for significant changes
- Maintain the current version accessible at varsitysync.com/privacy-policy
VarsitySync will never collect personal data in new ways without providing clear, advance notice.
This Privacy Policy should be read in conjunction with VarsitySync’s Terms of Use, which govern your use of the platform and contain binding acceptable use obligations including restrictions on uploading student-identifiable content without appropriate consent.
Section 13
Jurisdiction
This Privacy Policy is governed by and interpreted in accordance with the laws of the United States. Users in certain states may have additional rights under state privacy laws including the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act, Colorado Privacy Act, and other applicable state frameworks. Where applicable local law provides greater privacy protections than those described in this policy, those protections apply.
Section 14
Contact Us
For any questions about this Privacy Policy, to exercise your data rights, or to request compliance documentation: