Privacy Policy

Scholastic Gateway

Effective: July 15, 2026 | Last updated: July 15, 2026

The short version: We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not serve targeted ads to students, build commercial profiles about them, or use Student Data to train general-purpose artificial intelligence models. We use and disclose only what is reasonably necessary to provide, secure, support, and improve the Services, follow a School's lawful directions, run authorized competitions, and comply with law.

1. Scope

This Privacy Policy explains how Scholastic Gateway ("Gateway," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information through our websites, applications, curriculum tools, school portals, competition and event services, support channels, and related services (collectively, the "Services").

This Policy applies to students, parents and legal guardians, educators, coaches, school and district personnel, event participants, and visitors. It does not govern a third-party game publisher, console network, equipment retailer, or other service that has its own privacy policy.

2. Our role when a School uses the Services

A school, district, college, university, educational program, or other organization that provides access to the Services is an "Institution." For Student Data provided by or collected on behalf of an Institution, the Institution generally controls the educational purpose and Gateway acts as its contracted service provider. "Student Data" means personal information directly related to an identifiable student that is maintained for an Institution or is treated as an education record under applicable law.

If an Institution's instructions conflict with a request made directly to us, we may refer the request to the Institution or ask the Institution to verify the request. Nothing in this Policy changes an Institution's responsibilities under the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupil Rights Amendment (PPRA), the Children's Online Privacy Protection Act (COPPA), or applicable state student privacy laws.

3. Information we collect

Information provided by Institutions and adults

Information collected through use of the Services

Information we do not intentionally collect from children

We do not ask children to provide government identification numbers, biometric identifiers, precise geolocation, home addresses, payment card data, or photos, videos, or voice recordings. We do not enable children under 13 to create public posts, open profiles, or unrestricted direct messages. If a feature would materially change these practices, we will provide additional notice and obtain any consent required before collection.

4. How we use information

5. What we do not do

In ordinary conversation, providing data to a hosting, security, support, or integration vendor may be called "sharing." In this Policy, we call that a disclosure to a service provider. Such providers may process information only to perform contracted services for us or the Institution, must protect it, and may not use it for their own advertising or unrelated purposes.

6. When we disclose information

We disclose personal information only in the following limited circumstances:

Before launch, Gateway will publish and maintain a child-data provider list identifying each operator or service provider that collects or maintains personal information from children through the Services, the categories of information involved, and the purpose of the disclosure.

7. FERPA and education records

FERPA applies to educational agencies and institutions that receive applicable U.S. Department of Education funds. When an Institution uses Gateway under FERPA's school official exception and the legal conditions are satisfied, Gateway will:

FERPA rights generally transfer from a parent to the student when the student turns 18 or attends a postsecondary institution at any age. An Institution remains responsible for its FERPA notices, legal basis, directory-information decisions, direct control, and responses to parents and eligible students.

8. Children and teenagers

Users ages 13 through 17

Children under 13: school-managed or parent-approved alias accounts

Children under 13 may not independently create a general account. Access is limited to an Institution-managed educational account or a parent-approved account after the required COPPA notice and authorization process. Every under-13 account uses an anonymous, alias-based identity, with no exception. Alias-based accounts are not exclusive to this age group, though: an Institution may also choose one for an older student. Anonymity is a separate account setting that happens to be mandatory for the youngest users, not a mechanism unique to them.

If we learn that we collected personal information from a child under 13 without valid school authorization, parental consent, or another COPPA exception, we will stop processing it and delete it using reasonable measures.

9. PPRA and sensitive surveys

Gateway does not administer student surveys about political beliefs, mental or psychological problems, sexual behavior or attitudes, illegal or self-incriminating behavior, critical family relationships, privileged relationships, religious beliefs, or income unless an Institution has specifically enabled a lawful activity and completed any notice, consent, or opt-out process required by PPRA and other law. We do not collect student information for marketing surveys.

10. Cookies and analytics

We use technologies reasonably necessary for authentication, preferences, load balancing, fraud prevention, security, diagnostics, and limited first-party service analytics. We do not place third-party behavioral advertising trackers in logged-in student areas. Browser settings may block some technologies, but essential cookies are required for secure account functions.

11. Data retention and deletion

We retain personal information only as long as reasonably necessary for the stated purpose, the Institution's lawful instructions, security, dispute resolution, and legal obligations. Children's personal information is not retained indefinitely. The table below describes our general approach to retention by category. We will publish specific retention periods as our deletion, backup, and log-retention systems are finalized.

CategoryPurposeDeletion timeframe
Student account, roster, learning, and competition recordsProvide the contracted service and Institution recordsWhile the account or Institution agreement is active, then deleted or returned within a reasonable period after it ends, unless the Institution lawfully directs a shorter period or law requires limited retention
Under-13 alias and associated activityProvide the authorized activitySame as the student account; delete sooner if consent or school authorization is withdrawn and the data is no longer needed
Security and audit logsDetect abuse, secure accounts, and investigate incidentsRetained only as long as reasonably necessary for security purposes, or longer only for an active security, legal, or fraud matter
Support records containing Student DataResolve requests and document serviceRetained only as long as reasonably necessary to resolve the request and document the service, then deleted or de-identified
Consent and authorization recordsDemonstrate complianceRetained only as long as reasonably necessary to demonstrate compliance, or the period required by applicable law
Deleted-data backupsDisaster recovery and system integrityRemoved from active systems promptly and allowed to expire from encrypted backups within a reasonable period, unless restoration is required for disaster recovery
Institution and adult financial recordsAccounting, tax, and contract administrationRetained only as long as reasonably necessary for accounting, tax, and contract purposes; these records should not contain child gameplay or learning content

We may retain properly de-identified information that cannot reasonably identify a student, provided we do not attempt to re-identify it and require the same from any recipient.

12. Security

We maintain administrative, technical, and physical safeguards designed for the nature and sensitivity of the information. These include role-based access, encryption in transit and at rest where appropriate, logging, secure development and change controls, incident response, employee confidentiality duties, vendor review, and regular risk assessment and testing. We require written assurances from child-data providers that they will maintain reasonable privacy and security measures. No system is perfectly secure, and we cannot guarantee absolute security.

If we discover a security incident affecting personal information, we will investigate, mitigate, preserve necessary evidence, notify affected Institutions, individuals, or authorities as required by law and contract, and take reasonable steps to prevent recurrence.

13. Your privacy rights

Depending on your relationship with an Institution and the law where you live, you may have the right to access, know, correct, delete, or obtain a portable copy of personal information; withdraw consent; restrict certain processing; appeal a denied request; and receive equal service without unlawful discrimination. Because we do not sell personal information or share it for cross-context behavioral advertising, there is no sale or advertising-related sharing to opt out of.

Authorized agents may submit requests where applicable. Some information may be retained or a request may be limited when permitted by law, including for security, fraud prevention, legal claims, required records, or an Institution's FERPA duties.

14. U.S. service and state protections

The Services are designed for users in the United States. We apply this Policy together with applicable federal and state privacy and student-data laws and any controlling Student Data Privacy Addendum. Some states provide additional rights or impose stricter contract, security, deletion, advertising, or profiling limits. Where a valid state or Institution requirement provides greater protection, the greater protection controls.

15. Changes to this Policy

We may update this Policy to reflect changes in the Services or law. We will post the revised Policy with a new last-updated date. Before materially changing how Student Data or children's personal information is collected, used, or disclosed, we will provide additional notice and obtain consent or Institution authorization when required. We will not use a policy update to weaken rights promised in an existing school agreement.

16. Contact us

Scholastic Gateway LLC
Attn: Privacy
4809 NW Northwood Rd, Riverside, MO 64150
(913) 279-0843
support@scholasticgateway.com