Privacy Policy
We take the privacy of children, families, and educators seriously. This policy explains what data we collect, how we use it, your rights under global privacy regulations, and your consent to receive SMS and email communications.
Notice Regarding SMS & Email Communications
By registering for and using SafePickup, you consent to receive transactional SMS text messages and emails related to your account and pickup activity. Message & data rates may apply. Reply STOP to any SMS to opt out, or click Unsubscribe in any email. For full details, see the SMS & Email Communications section below.
Information We Collect
Account & Registration Information
When you create an account, we collect your full name, email address, phone number, and role (parent, teacher, or administrator). For parents and guardians, we also collect the names and grade levels of your children solely to facilitate safe pickup. This data is collected pursuant to Article 6(1)(b) of the GDPR (contractual necessity), Section 1798.100 of the California Consumer Privacy Act (CCPA), and equivalent provisions under Australia's Privacy Act 1988 (Cth) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
Location Data
When you initiate a pickup session, we collect GPS coordinates from your device to validate your arrival within the school's designated geofence. Location data is processed only for the duration of an active pickup session and is not retained after session completion except where required by school safety audit obligations. Collection of precise geolocation constitutes Sensitive Personal Information under the CCPA and a Special Category under GDPR — it is processed only on the basis of your explicit consent and the legitimate interest of child safety.
Device & Usage Data
We automatically collect technical information including your IP address, browser type, operating system, device identifiers, session timestamps, and interaction logs. This information is used for security monitoring, fraud prevention, and platform performance. Under the EU ePrivacy Directive and equivalent national laws (e.g., UK PECR, Australia's Spam Act 2003), we rely on legitimate interest for analytics and strictly necessary operation.
Communications Consent Data
We record your consent to receive SMS and email communications, including the timestamp, consent method, and the specific disclosures presented at the time of opt-in. This record is maintained as required by the U.S. Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, Australia's Spam Act 2003, and the GDPR's accountability principle under Article 5(2).
SMS & Email Communications — Consent & Opt-Out
Your Consent to Receive Communications
By creating an account and using SafePickup, you expressly consent to receive transactional and operational communications from SafePickup via SMS (text message) and email. These include: pickup session confirmations, child-ready and pickup-completed notifications, security alerts, account verification messages, and service announcements. Message frequency varies based on your pickup activity. Standard carrier message and data rates may apply. Consent to receive SMS is not a condition of purchasing any goods or services.
How We Send SMS Messages
SMS notifications are delivered using automated telephone dialing technology to the mobile number you provide at registration. By providing your mobile number, you confirm you are the account holder or have the authority of the account holder for that number. SafePickup complies with the Telephone Consumer Protection Act (TCPA, 47 U.S.C. § 227), the CTIA Messaging Principles and Best Practices, Australia's Spam Act 2003 (Cth), the UK's Privacy and Electronic Communications Regulations (PECR), and the EU ePrivacy Directive as implemented in applicable EU member state law.
How We Send Email Communications
Transactional emails (pickup notifications, account security, policy updates) are sent to the address you provide at registration. Where required, we obtain separate explicit consent before sending any promotional or non-transactional email. All emails include a clear identification of SafePickup as the sender, a valid physical postal address, and an unsubscribe mechanism, in compliance with the CAN-SPAM Act (15 U.S.C. § 7701), Canada's Anti-Spam Legislation (CASL), Australia's Spam Act 2003, and GDPR Article 6(1)(a).
How to Opt Out
You may withdraw your consent to SMS communications at any time by replying STOP to any SafePickup text message. You will receive a single confirmation message and no further SMS will be sent. To opt out of email communications, click the 'Unsubscribe' link in any email or update your preferences in your profile settings. Note: opting out of transactional safety notifications (e.g., pickup confirmations) may affect your ability to use core SafePickup features. To re-subscribe to SMS, reply START; to re-subscribe to email, update your notification preferences in-app.
Data Retention for Consent Records
Records of your SMS and email consent — including the date, time, and method of consent — are retained for a minimum of five (5) years or as otherwise required by applicable law, including TCPA regulations and GDPR Article 7(1) (demonstrating lawful basis for processing).
How We Use Your Information
Core Service Delivery
We process your personal data to operate the SafePickup platform, including managing pickup sessions, verifying guardian identity, sending operational notifications, and maintaining audit logs for school safety compliance. This processing is necessary for the performance of our contract with you under GDPR Article 6(1)(b), and constitutes a business purpose under CCPA Section 1798.140(d).
Safety, Security & Fraud Prevention
We use personal data to detect, investigate, and prevent unauthorized pickups, fraudulent activity, account compromise, and other security threats. This processing is based on our legitimate interest under GDPR Article 6(1)(f), and constitutes a security business purpose under the CCPA. We conduct data protection impact assessments (DPIAs) for high-risk processing activities as required by GDPR Article 35.
Legal Compliance & Regulatory Obligations
We may process and disclose your data as required to comply with applicable law, court orders, regulatory investigations, or governmental requests, including obligations under FERPA (20 U.S.C. § 1232g), COPPA (15 U.S.C. § 6501), the GDPR, the UK Data Protection Act 2018, Australia's Privacy Act 1988, and other applicable national and state-level privacy laws.
International Data Transfers
Cross-Border Transfer Mechanisms
SafePickup is headquartered in the United States. If you access our platform from outside the U.S. — including from the European Economic Area (EEA), the United Kingdom, Australia, or Canada — your personal data may be transferred to and processed in the U.S. For transfers from the EEA and UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c) and the UK's International Data Transfer Agreements (IDTAs). For Australian users, transfers comply with Australian Privacy Principle 8 (APP 8) and the cross-border disclosure requirements of the Privacy Act 1988 (Cth).
Adequacy & Supplementary Safeguards
Where a transfer destination country lacks an adequacy decision, we implement supplementary technical and organizational measures (encryption in transit and at rest, access controls, contractual protections) to ensure a level of protection equivalent to that required in your home jurisdiction, in accordance with the EDPB's Recommendations 01/2020.
Data Sharing & Disclosure
Within Your School
Your personal information is shared with authorized school staff (teachers and administrators) only to the extent necessary to facilitate a safe and verified pickup. School administrators can access pickup logs for their own institution only. This disclosure is consistent with FERPA's school official exception (34 C.F.R. § 99.31(a)(1)) and COPPA's operator-school relationship provisions.
Service Providers & Sub-Processors
We engage trusted third-party service providers as data processors, including Amazon Web Services (infrastructure and SMS via AWS SNS), Supabase (database hosting), and transactional email providers. All sub-processors are bound by Data Processing Agreements (DPAs) that impose GDPR-equivalent obligations, including confidentiality, data minimization, and security requirements. A current list of sub-processors is available upon request at privacy@safepickup.com.
No Sale or Sharing of Personal Data
SafePickup does not sell, rent, trade, or share your personal information — or your child's information — to third parties for commercial, advertising, or marketing purposes. This applies to all users, including California residents under CCPA/CPRA Section 1798.121 (right to opt out of sale/sharing), and Virginia residents under the Consumer Data Protection Act (CDPA), Colorado residents under the Colorado Privacy Act (CPA), and Connecticut residents under the Connecticut Data Privacy Act (CTDPA).
Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to the same privacy protections described in this Policy. We will notify you via email and in-app notice at least 30 days before your data becomes subject to a materially different privacy policy.
Children's Privacy — COPPA, FERPA & Global Standards
Student Data — Strict Minimization
SafePickup collects the minimum student data necessary to operate: student name, grade level, and school enrollment status. We do not build behavioral profiles on children, do not use student data for advertising or commercial profiling, and do not disclose student information beyond the school's authorized staff. These practices comply with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501), FERPA (20 U.S.C. § 1232g), the Student Online Personal Information Protection Act (SOPIPA) where applicable, and equivalent protections under the GDPR and Australia's Privacy Act 1988.
Parental Consent & School Authority
Student records are managed by schools acting as FERPA-covered institutions. Schools provide consent on behalf of parents for the school official exception. Parents may request access to their child's pickup history and records through their school administrator. For direct parental data subject requests, contact privacy@safepickup.com.
No Targeted Advertising to Minors
Consistent with COPPA, the UK Age Appropriate Design Code (Children's Code), and the GDPR's heightened protections for children's data under Recital 38, SafePickup does not serve targeted advertising to minors or knowingly use children's data for any commercial purpose beyond safe pickup facilitation.
Your Privacy Rights
Rights Under GDPR (EEA & UK Users)
If you are located in the EEA or UK, you have the right to: access your personal data (Article 15); correct inaccurate data (Article 16); request erasure ('right to be forgotten', Article 17); restrict processing (Article 18); data portability (Article 20); object to processing (Article 21); and withdraw consent at any time without affecting prior lawful processing. To exercise any right, contact privacy@safepickup.com. We will respond within 30 days (extendable to 60 days for complex requests with notice).
Rights Under CCPA/CPRA (California Residents)
California residents have the right to: know what personal information we collect and how it is used; access and receive a portable copy of their data; correct inaccurate personal information; delete personal information (subject to legal exceptions); opt out of the sale or sharing of personal information (we do not sell data); limit the use of Sensitive Personal Information; and not be discriminated against for exercising these rights. To submit a verifiable consumer request, email privacy@safepickup.com or call our toll-free number. We will respond within 45 days.
Rights Under Other U.S. State Laws
Residents of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), and other states with comprehensive privacy laws have equivalent rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising and profiling. To exercise these rights, submit a request to privacy@safepickup.com. We apply these rights to all U.S. residents, regardless of state, as a matter of policy.
Rights Under Australia's Privacy Act & APPs
Australian users have the right to access the personal information we hold about them and to request correction of inaccurate, incomplete, or outdated information, under Australian Privacy Principles 12 and 13 of the Privacy Act 1988 (Cth). Requests may be submitted to privacy@safepickup.com. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
Notification Preferences
You may manage your SMS, email, and push notification preferences at any time via your profile settings or by following the opt-out instructions in any communication. Withdrawing consent to non-essential communications will not affect your access to the platform.
Data Security & Retention
Security Measures
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration, including TLS 1.3 encryption in transit, AES-256 encryption at rest, multi-factor authentication for administrator accounts, role-based access controls, and regular penetration testing. These measures are consistent with GDPR Article 32, NIST Cybersecurity Framework guidelines, and Australia's notifiable data breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, including compliance with legal obligations, resolution of disputes, and enforcement of agreements. Account data is retained for the duration of your account plus 3 years following account closure. Pickup session logs are retained for 7 years for school safety audit compliance. Location data is not retained beyond the active session unless required for audit purposes.
Data Breach Notification
In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify affected users without undue delay and within 72 hours of becoming aware of the breach where required by GDPR Article 33, the UK DPA 2018, Australia's notifiable data breaches scheme, and applicable U.S. state breach notification laws.
Contact, Complaints & Policy Updates
Privacy Team
For all privacy inquiries, data subject requests, or complaints, contact our Privacy Team at privacy@safepickup.com or write to: SafePickup Inc., 123 Education Lane, Austin, TX 78701, United States. For EEA/UK users, our EU Representative (per GDPR Article 27) can be reached at eurepresentative@safepickup.com.
Supervisory Authority Complaints
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your applicable supervisory authority: in the EU, your local Data Protection Authority (DPA); in the UK, the Information Commissioner's Office (ICO) at ico.org.uk; in Australia, the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au; in Canada, the Office of the Privacy Commissioner (OPC) at priv.gc.ca.
Updates to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or regulatory guidance. We will provide at least 30 days' prior notice of material changes via email and in-app notification. Continued use of SafePickup after the effective date of an updated policy constitutes acceptance of the revised terms. The date of the most recent revision is always displayed at the top of this page.