Montessori Makers Group

MMAP Compliance

Privacy Policy

Effective Date: April 15, 2026 · Version 2.0

Montessori Makers Alignment Map ("MMAP," "we," "our," or "the Platform") is operated by Montessori Makers Group LLC. We provide a school management platform that Montessori schools use to run their operations: student records, classroom documentation, attendance, family communication, billing, and related educational functions.

MMAP is designed from the ground up to comply with the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and state student data privacy laws. If you have questions, contact privacy@montessorimakersalignmentmap.com.

1. Who this policy applies to

This policy applies to everyone who interacts with MMAP:

  • Schools that license MMAP (our direct customers)
  • Students whose records are maintained in MMAP by their school
  • Parents and guardians accessing records via the family portal
  • Teachers, guides, administrators, and staff of licensed schools
  • Visitors to this marketing site

When a school licenses MMAP, the school is the data controller. MMAP is a data processor acting on the school's behalf. The school decides what data to enter, who can see it, and how long it is kept.

2. FERPA: We act as a "school official"

Under FERPA (20 U.S.C. § 1232g; 34 C.F.R. § 99.31(a)(1)(i)(B)), schools may share student education records with a "school official" who has a "legitimate educational interest." When a school signs a Data Processing Agreement with us, the school designates MMAP as a school official performing a function the school would otherwise perform in-house.

As a school official, we:

  • Use student records only for school-authorized educational purposes
  • Are under the direct control of the school
  • Do not re-disclose records except as permitted by FERPA
  • Do not use student records for advertising, marketing, or profiling

3. Information we collect

We collect only what is necessary to run the services the school has licensed. Data is entered by the school, authorized staff, or parents. We do not knowingly collect information directly from children.

  • Student data: Name, DOB, grade, classroom, attendance, observations, lesson progress, assessments, health records, photos, and signed consents.
  • Family data: Guardian names, contact info, household relationships, preferences, signed permission slips, billing contact.
  • Staff data: Names, roles, employment records (where the HR module is used), appraisals, PTO.
  • Technical data: IP address, user agent, session timestamps, school-level feature usage analytics.

We do not collect biometric data, precise geolocation, social media profiles, or full credit card numbers (handled by Stripe under their own controls).

4. How we use information

We use data only for school-authorized purposes:

  • Operating the platform — store, retrieve, display, and export records
  • Communication between staff and families on the school's behalf
  • Reporting and insights for school staff
  • AI-assisted features (opt-in per school), run only on the school's own data
  • Security, fraud prevention, and customer support
  • Compliance with law and the school's written instructions

We do not sell or rent personal data, use student data for advertising, share with advertising networks, build advertising profiles, train external ML models on school data, or provide data to data brokers.

5. AI processing

MMAP uses Anthropic's Claude API for optional features like summaries, translation, insights, and draft generation. When a school enables AI features: only the minimum data necessary is sent per request; AI providers do not retain or train on school data (contractually guaranteed via Anthropic's API terms); schools may disable AI features entirely at any time.

6. How we share information

  • With school-authorized users. Role-based access enforced at the database level.
  • With sub-processors. Listed in our public Sub-processor List. Each is contractually bound to terms no less protective than this policy. Schools get 30 days' notice before we add or replace a sub-processor.
  • When legally required. We verify requests and, where legally permitted, notify the school before disclosure.
  • With school consent. When the school explicitly directs us.

7. Data security

  • TLS 1.2+ encryption in transit; AES-256 at rest
  • Row-level security enforced at the database level for tenant isolation
  • Multi-factor authentication required for admin accounts
  • Nine distinct roles with scoped permissions
  • Role-aware idle session timeout (30–120 minutes)
  • Audit logging of write actions on student records
  • Background checks on all personnel with production access
  • SOC 2 Type II hosting (Supabase, Vercel); US data residency
  • Daily backups with 7+ day retention

8. Data retention and deletion

Schools control retention. On termination, we will (at the school's election) return data in a structured format and/or delete it within 30 days (production) / 90 days (backup rotation). A certificate of destruction is provided on completion.

9. Parent rights (FERPA)

Parents and eligible students have the right to:

  1. Inspect and review their child's education records
  2. Request corrections to inaccurate records
  3. Consent (or decline) to disclosures beyond FERPA exceptions
  4. File a complaint with the U.S. Department of Education Student Privacy Policy Office

How to exercise these rights: contact your school. Schools are the custodians of education records under FERPA. If your school is unresponsive, contact us at privacy@montessorimakersalignmentmap.com.

10. Children under 13 — COPPA

Children under 13 cannot create their own MMAP accounts. Under COPPA § M.1, schools may act as the parent's agent for consent when data collection is for school-authorized educational use. Parents retain the right to revoke consent by contacting the school.

11. State student privacy laws

  • New York Education Law § 2-d and 8 NYCRR Part 121
  • California SOPIPA (Ed Code § 22584) and AB 1584
  • Colorado HB 16-1423
  • Connecticut student data privacy law

12. Cookies and analytics

We use authentication cookies to maintain your session. We do not use advertising cookies, tracking pixels, Google Analytics, or Meta Pixel.

13. Changes to this policy

For material changes, we will notify each licensed school at least 30 days in advance and update the Effective Date.

14. Contact

Privacy and FERPA requests: privacy@montessorimakersalignmentmap.com
Designated Privacy Officer: Hannah Richardson, Founder
FERPA complaints may also be filed with: U.S. Department of Education, Student Privacy Policy Office, 400 Maryland Avenue SW, Washington DC 20202-8520 · privacy@ed.gov

See also: Terms of Service · Sub-processors · Security & Compliance

MMAP · Built for schools

Privacy PolicyTerms of ServiceSecurity & FERPASub-processors