Privacy Policy
Scholastic Gateway
Effective: July 15, 2026 | Last updated: July 15, 2026
1. Scope
This Privacy Policy explains how Scholastic Gateway ("Gateway," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information through our websites, applications, curriculum tools, school portals, competition and event services, support channels, and related services (collectively, the "Services").
This Policy applies to students, parents and legal guardians, educators, coaches, school and district personnel, event participants, and visitors. It does not govern a third-party game publisher, console network, equipment retailer, or other service that has its own privacy policy.
2. Our role when a School uses the Services
A school, district, college, university, educational program, or other organization that provides access to the Services is an "Institution." For Student Data provided by or collected on behalf of an Institution, the Institution generally controls the educational purpose and Gateway acts as its contracted service provider. "Student Data" means personal information directly related to an identifiable student that is maintained for an Institution or is treated as an education record under applicable law.
If an Institution's instructions conflict with a request made directly to us, we may refer the request to the Institution or ask the Institution to verify the request. Nothing in this Policy changes an Institution's responsibilities under the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children's Online Privacy Protection Act (COPPA), or applicable state student privacy laws.
3. Information we collect
Information provided by Institutions and adults
- Account and contact information. Name, work or parent email, telephone number, role, Institution, team, billing contact, and login or single sign-on information.
- Student roster and eligibility information. A school-issued opaque identifier, grade or age band, team, program, eligibility status, assigned alias, and other data the Institution lawfully directs us to process. We ask Institutions not to provide a student's home address, personal email, full birth date, Social Security number, or other unnecessary data.
- Competition and learning information. Registrations, schedules, attendance, course or activity progress, match data, scores, standings, awards, disciplinary or sportsmanship actions, educator feedback, and authorized submissions.
- Support and communications. Messages sent to our support team, administrative communications, survey responses from adults, and records needed to resolve a request.
- Billing information. Purchase, invoice, tax, and transaction information from Institutions or adults. Payment card details are handled by our payment processor and are not requested from children.
Information collected through use of the Services
- Device and network information. IP address, browser type, operating system, device identifiers, language, approximate region derived from IP address, and security signals.
- Usage and log information. Sign-in time, pages or features used, errors, actions taken, referral source, session information, and audit or security logs.
- Cookies and similar technologies. Essential, functional, security, and limited analytics technologies used to operate and understand the Services. Logged-in student areas do not use third-party targeted advertising cookies.
- Connected services. If authorized by an Institution or adult, identifiers, access tokens, team or match data, and account status from a single sign-on provider, learning system, game publisher, tournament platform, or similar integration.
Information we do not intentionally collect from children
We do not ask children to provide government identification numbers, biometric identifiers, precise geolocation, home addresses, payment card data, or photos, videos, or voice recordings. We do not enable children under 13 to create public posts, open profiles, or unrestricted direct messages. If a feature would materially change these practices, we will provide additional notice and obtain any consent required before collection.
4. How we use information
- Provide and administer accounts, curriculum, team programs, competitions, schedules, standings, awards, and authorized services.
- Authenticate users, prevent fraud and abuse, enforce eligibility and competition rules, moderate conduct, and protect students and the Services.
- Communicate with Institutions, educators, coaches, parents, and eligible students about service, safety, support, and administrative matters.
- Provide reports and records to the Institution that authorized the account and help the Institution respond to access, correction, deletion, or records requests.
- Maintain, troubleshoot, test, and improve the Services using the minimum information reasonably necessary. Student Data is not used to create products or profiles unrelated to the contracted educational service.
- Comply with law, lawful process, contracts, recordkeeping duties, and safety obligations.
- Create de-identified or aggregated information only after taking reasonable measures so an individual student is not identifiable, and contractually prohibit re-identification when such data is disclosed.
5. What we do not do
- No sale. We do not sell or rent personal information, including Student Data or children's personal information.
- No advertising-related sharing. We do not "share" personal information for cross-context behavioral advertising as that term is defined by applicable state privacy law, and we do not use Student Data for targeted advertising.
- No unrelated commercial profiles. We do not build or allow others to build profiles about students for purposes unrelated to the Services or the Institution's authorized educational purpose.
- No student marketing. We do not use Student Data to market products or services to students.
- No general-purpose AI training. We do not use Student Data to train general-purpose artificial intelligence models and do not authorize our service providers to do so.
In ordinary conversation, providing data to a hosting, security, support, or integration vendor may be called "sharing." In this Policy, we call that a disclosure to a service provider. Such providers may process information only to perform contracted services for us or the Institution, must protect it, and may not use it for their own advertising or unrelated purposes.
6. When we disclose information
We disclose personal information only in the following limited circumstances:
- Institutions and authorized users. To the Institution, educators, coaches, team administrators, parents, eligible students, and other authorized users based on role and legitimate need.
- Operational service providers. To contracted providers for hosting, storage, authentication, cybersecurity, communications, support, analytics limited to our own Services, payments for adults and Institutions, and similar internal operations. Providers receive only the information reasonably necessary for their task and are bound by written privacy and security obligations.
- School-directed integrations and competitions. To a game publisher, tournament administrator, learning platform, or other integration when an Institution or authorized adult directs the connection and the disclosure is necessary to provide the requested service. Public results for minors use an Institution-approved display name; children under 13 use a system-generated alias and are not identified by real name.
- Safety and legal compliance. When reasonably necessary to protect the health or safety of a person, investigate fraud or abuse, protect rights and systems, comply with law or valid legal process, or respond to an emergency. For FERPA-protected records, we act only as directed by the Institution or as otherwise permitted by law.
- Business transition. If Gateway is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred subject to this Policy, applicable school contracts, and law. Student Data will not be transferred for advertising or unrelated commercial use, and we will provide notice when required.
- With consent or direction. When the Institution, parent, eligible student, or other authorized person gives valid consent or direction.
Before launch, Gateway will publish and maintain a child-data provider list identifying each operator or service provider that collects or maintains personal information from children through the Services, the categories of information involved, and the purpose of the disclosure.
7. FERPA and education records
FERPA applies to educational agencies and institutions that receive applicable U.S. Department of Education funds. When an Institution uses Gateway under FERPA's school official exception and the legal conditions are satisfied, Gateway will:
- Perform only the institutional service or function described in the agreement for which the Institution would otherwise use employees.
- Remain under the Institution's direct control regarding the use and maintenance of education records.
- Use education records only for authorized purposes and not redisclose personally identifiable information except as directed by the Institution and permitted by FERPA.
- Limit access to personnel and providers with a legitimate need to perform the Services.
- Assist the Institution in providing parents and eligible students access to records, correction procedures, and required records of disclosures.
- Return or delete Student Data when the agreement ends or when lawfully directed, subject to documented legal retention duties and secure backup deletion cycles.
FERPA rights generally transfer from a parent to the student when the student turns 18 or attends a postsecondary institution at any age. An Institution remains responsible for its FERPA notices, legal basis, directory-information decisions, direct control, and responses to parents and eligible students.
8. Children and teenagers
Users ages 13 through 17
- A school-managed account must be authorized by the Institution. A direct account must be authorized by a parent or legal guardian when required by law or our enrollment process.
- An Institution may choose to issue a student in this age group either a named account or an anonymous, alias-based account. That choice belongs to the Institution and is a separate account setting, not something reserved for children under 13.
- Profiles are private by default. Public standings use an Institution-approved display name, team, and limited competition information, not contact information.
- We do not sell their information, use it for targeted advertising, market to them using Student Data, or enable unrestricted public posting.
- A parent may exercise applicable privacy rights for a minor unless the law gives the right directly to the student, including when FERPA rights have transferred to an eligible student.
Children under 13: school-managed or parent-approved alias accounts
- Anonymous display. Gateway assigns a random or school-approved alias. The child's real name, personal email, telephone number, full birth date, photo, voice, home address, and precise location are not displayed and should not be entered.
- Minimum account record. Gateway may maintain a school-issued opaque identifier, age or grade band, Institution and team assignment, alias, competition or learning activity, login and device security data, and an approved game or platform token when necessary.
- No open social features. Under-13 accounts have no public profile, open chat, unrestricted direct messaging, or user-uploaded photo, video, or voice content. Communications are limited to structured service functions and authorized adult-led channels.
- Third-party game accounts. A parent or Institution is responsible for approving and creating any separate publisher, console, or game account. Gateway receives only the identifier or token reasonably necessary for the authorized activity and does not expose the child's real-world identity.
- School authorization. Where permitted by COPPA, an Institution may authorize collection on a parent's behalf only for a school-authorized educational purpose and not for advertising or another commercial purpose. Gateway provides the Institution the required notice of our collection, use, disclosure, and retention practices. The Institution is responsible for any notice to families required by its policies or law.
- Direct parental consent. If an account is not school-authorized for an educational purpose, or if information will be used beyond that purpose, Gateway must provide direct notice and obtain verifiable parental consent before collecting personal information from the child.
- Parent choices. After reasonable verification, a parent may review the categories and specific personal information collected from the child, request correction or deletion, refuse further collection or use, and withdraw consent. Withdrawal may require the account or feature to be closed if the information is necessary to provide it.
- No extra-data condition. A child is not required to provide more personal information than is reasonably necessary to participate in an authorized activity.
If we learn that we collected personal information from a child under 13 without valid school authorization, parental consent, or another COPPA exception, we will stop processing it and delete it using reasonable measures.
9. PPRA and sensitive surveys
Gateway does not administer student surveys about political beliefs, mental or psychological problems, sexual behavior or attitudes, illegal or self-incriminating behavior, critical family relationships, privileged relationships, religious beliefs, or income unless an Institution has specifically enabled a lawful activity and completed any notice, consent, or opt-out process required by PPRA and other law. We do not collect student information for marketing surveys.
10. Cookies and analytics
We use technologies reasonably necessary for authentication, preferences, load balancing, fraud prevention, security, diagnostics, and limited first-party service analytics. We do not place third-party behavioral advertising trackers in logged-in student areas. Browser settings may block some technologies, but essential cookies are required for secure account functions.
11. Data retention and deletion
We retain personal information only as long as reasonably necessary for the stated purpose, the Institution's lawful instructions, security, dispute resolution, and legal obligations. Children's personal information is not retained indefinitely. The table below describes our general approach to retention by category. We will publish specific retention periods as our deletion, backup, and log-retention systems are finalized.
| Category | Purpose | Deletion timeframe |
|---|---|---|
| Student account, roster, learning, and competition records | Provide the contracted service and Institution records | While the account or Institution agreement is active, then deleted or returned within a reasonable period after it ends, unless the Institution lawfully directs a shorter period or law requires limited retention |
| Under-13 alias and associated activity | Provide the authorized activity | Same as the student account; delete sooner if consent or school authorization is withdrawn and the data is no longer needed |
| Security and audit logs | Detect abuse, secure accounts, and investigate incidents | Retained only as long as reasonably necessary for security purposes, or longer only for an active security, legal, or fraud matter |
| Support records containing Student Data | Resolve requests and document service | Retained only as long as reasonably necessary to resolve the request and document the service, then deleted or de-identified |
| Consent and authorization records | Demonstrate compliance | Retained only as long as reasonably necessary to demonstrate compliance, or the period required by applicable law |
| Deleted-data backups | Disaster recovery and system integrity | Removed from active systems promptly and allowed to expire from encrypted backups within a reasonable period, unless restoration is required for disaster recovery |
| Institution and adult financial records | Accounting, tax, and contract administration | Retained only as long as reasonably necessary for accounting, tax, and contract purposes; these records should not contain child gameplay or learning content |
We may retain properly de-identified information that cannot reasonably identify a student, provided we do not attempt to re-identify it and require the same from any recipient.
12. Security
We maintain administrative, technical, and physical safeguards designed for the nature and sensitivity of the information. These include role-based access, encryption in transit and at rest where appropriate, logging, secure development and change controls, incident response, employee confidentiality duties, vendor review, and regular risk assessment and testing. We require written assurances from child-data providers that they will maintain reasonable privacy and security measures. No system is perfectly secure, and we cannot guarantee absolute security.
If we discover a security incident affecting personal information, we will investigate, mitigate, preserve necessary evidence, notify affected Institutions, individuals, or authorities as required by law and contract, and take reasonable steps to prevent recurrence.
13. Your privacy rights
Depending on your relationship with an Institution and the law where you live, you may have the right to access, know, correct, delete, or obtain a portable copy of personal information; withdraw consent; restrict certain processing; appeal a denied request; and receive equal service without unlawful discrimination. Because we do not sell personal information or share it for cross-context behavioral advertising, there is no sale or advertising-related sharing to opt out of.
- Institution-controlled Student Data. Contact the Institution first. We will assist the Institution and will not change an education record contrary to its lawful instructions.
- Parent or under-13 request. A parent may contact the Institution or Gateway. We will take reasonable steps to verify identity and authority before disclosing or deleting a child's information.
- Direct adult or eligible-student account. Contact Gateway using the privacy contact below. We may request information needed to verify the account and request.
Authorized agents may submit requests where applicable. Some information may be retained or a request may be limited when permitted by law, including for security, fraud prevention, legal claims, required records, or an Institution's FERPA duties.
14. U.S. service and state protections
The Services are designed for users in the United States. We apply this Policy together with applicable federal and state privacy and student-data laws and any controlling Student Data Privacy Addendum. Some states provide additional rights or impose stricter contract, security, deletion, advertising, or profiling limits. Where a valid state or Institution requirement provides greater protection, the greater protection controls.
15. Changes to this Policy
We may update this Policy to reflect changes in the Services or law. We will post the revised Policy with a new last-updated date. Before materially changing how Student Data or children's personal information is collected, used, or disclosed, we will provide additional notice and obtain consent or Institution authorization when required. We will not use a policy update to weaken rights promised in an existing school agreement.
16. Contact us
Attn: Privacy
4809 NW Northwood Rd, Riverside, MO 64150
(913) 279-0843
support@scholasticgateway.com