Terms of Service
Effective Date: 2026-05-26
Version: 1.1.0
Provider: synthEd ("we," "us," "Provider")
Customer: The school, district, or other educational institution that accepts these Terms ("School," "you")
1. Acceptance and Scope
These Terms of Service (the "Terms") govern use of the synthEd platform, including any associated websites, applications, and APIs (collectively, the "Service").
Institutional acceptance. These Terms create a binding agreement between the Provider and the School as an institution. The Terms are accepted on the School's behalf only by a School administrator who represents and warrants that they have actual authority to bind the School — for example, a head of school, district administrator, or other officer with contracting authority under the School's procurement rules. Institutional acceptance is recorded during school finalization, with the accepting individual's name, role, version of these Terms, timestamp, and the IP/user-agent of the acceptance session. A teacher or staff member who merely creates an individual account does not thereby bind the School to these Terms; an institutional acceptance from an authorized administrator must be on file.
Individual user acknowledgement. Each Authorized User who accesses the Service must separately acknowledge an Acceptable Use commitment (the "Acceptable Use Acknowledgement") covering credential security, prohibited content, and the user's obligation to follow the School's policies. Individual users do not enter into the institutional agreement; they access the Service under the School's account and the School's policies, subject to the Acceptable Use Acknowledgement.
Versioned re-acceptance. Material changes to these Terms require renewed acceptance. When a new version is published, the School's designated administrator will be prompted to re-accept on behalf of the institution, and Authorized Users will be prompted to re-acknowledge the Acceptable Use commitment, before continuing to use the Service.
2. Definitions
- "Authorized User" — an employee, contractor, or designated representative of the School who is granted login credentials to the Service by a School administrator.
- "Student Data" — any personally identifiable information ("PII") relating to a student, as that term is defined under FERPA, COPPA, and applicable state laws, that is provided to or generated within the Service.
- "Education Records" — records directly related to a student that are maintained by or on behalf of the School, as defined under 20 U.S.C. § 1232g (FERPA).
- "Linked Content" — any external document, file, web page, or other resource referenced by hyperlink from within the Service but hosted, stored, or controlled by a third party (including but not limited to Google Drive, Microsoft OneDrive, Dropbox, district file servers, and public websites).
- "Customer Content" — all content uploaded, entered, or generated by the School or its Authorized Users in the Service, including task titles, notes, attachments, messages, and uploaded files. Customer Content does not include Linked Content.
- "School Official" — has the meaning given in 34 C.F.R. § 99.31(a)(1)(i)(B) under FERPA.
- "DPA" — a separately executed Data Processing Agreement between the School and the Provider that governs the handling of Student Data. Where a DPA exists, its terms control over these Terms with respect to data-handling matters.
3. The Service
We provide a planning and task-management platform for school administration. The Service allows Authorized Users to create events, assign tasks, attach files and links, send notifications, and communicate with one another. The Service is not designed for the storage of, and the School agrees not to store, the following categories of data:
- Student grades, transcripts, disciplinary records, IEPs, 504 plans, or other formal Education Records as primary or original records;
- Social security numbers;
- Health information governed by HIPAA;
- Payment card data subject to PCI-DSS;
- Personal information of students under 13 beyond what is strictly necessary to schedule events and tasks involving them.
The Service may reference, by name or by Linked Content, items that touch on the above categories — but it is not the system of record for any of them.
4. License and Restrictions
We grant the School a non-exclusive, non-transferable, revocable license to access and use the Service during the term, solely for the School's internal educational and administrative purposes. The School agrees not to:
(a) resell, sublicense, or make the Service available to any party other than its Authorized Users;
(b) reverse-engineer, decompile, or attempt to extract source code, except to the extent permitted by law;
(c) use the Service to develop a competing product;
(d) upload malware, attempt to circumvent access controls, or interfere with other customers' use of the Service;
(e) use the Service for any purpose that violates applicable law, including the privacy rights of students and their families.
5. FERPA — School Official Designation
The School designates the Provider as a "School Official" with a "legitimate educational interest" in the Student Data processed within the Service, as those terms are used in FERPA at 34 C.F.R. § 99.31(a)(1)(i)(B). The Provider:
(a) performs an institutional service for the School that the School would otherwise perform itself;
(b) is under the direct control of the School with respect to the use and maintenance of Education Records;
(c) is subject to the requirements of 34 C.F.R. § 99.33(a) governing the use and re-disclosure of personally identifiable information from Education Records.
The Provider will not use Student Data for any purpose other than providing the Service to the School, and will not re-disclose Student Data to any party except as expressly authorized by the School or required by law. Where the Provider engages a subcontractor or sub-processor that may access Student Data, the Provider will bind that subcontractor in writing to use and re-disclosure restrictions no less protective than those that apply to the Provider under this Section 5 and under 34 C.F.R. § 99.33(a), and the Provider remains responsible for the acts and omissions of its subcontractors with respect to Student Data.
6. COPPA — Children Under 13
The Service is intended exclusively for School staff and other authorized adults. The Service is not directed at children, does not knowingly accept student accounts, and is not a child-directed online service within the meaning of the Children's Online Privacy Protection Act ("COPPA"). All Authorized Users must be adults acting in a staff or administrative capacity.
To the extent any Student Data concerning a child under 13 is incidentally processed in the Service in connection with planning a school activity:
(a) The School relies on the Federal Trade Commission's longstanding guidance permitting a school to provide consent on behalf of parents for educational online services used solely for school purposes (see FTC COPPA FAQ Section N, "COPPA and Schools"). The Provider's collection and use of any such data is limited to the educational purpose specified by the School and is permitted only where that purpose qualifies under that guidance.
(b) The Provider remains responsible for its own obligations as an operator within the meaning of COPPA, including the prohibitions on using the data for any commercial purpose unrelated to the educational service, advertising, profile-building, or transfer to third parties except as expressly permitted by these Terms. School-provided consent under FTC guidance does not relieve the Provider of operator-level obligations.
(c) On parental request communicated through the School, the Provider will assist the School in reviewing or deleting any personal information of a child under 13 that the Provider has collected through the Service.
7. State Student-Data-Privacy Laws
The Provider acknowledges that state laws — including California SOPIPA, New York Education Law § 2-d, Illinois SOPPA, Colorado SB 16-187, Connecticut Public Act 16-189, and others — may impose additional obligations on the handling of Student Data. The Provider will:
(a) comply with applicable state laws governing Student Data;
(b) on request, sign a state-specific data privacy agreement or addendum, including the Student Data Privacy Consortium's National Data Privacy Agreement, where the School operates in a state that requires one.
Where a state-specific addendum is signed, its terms control over these Terms with respect to that state's requirements.
8. Linked Content — School Responsibility
This section is critical. Read it carefully.
The Service allows Authorized Users to attach hyperlinks to external resources. The Provider does not host, store, scan, index, or control the content of any linked resource. The School acknowledges and agrees that:
(a) The Provider is not a custodian of Linked Content. Linked Content is the sole responsibility of the third party that hosts it and of the School that chooses to reference it.
(b) URLs themselves can carry PII. A URL such as https://drive.example.com/files/student-johndoe-IEP.pdf reveals the existence and nature of an Education Record through the URL string alone, even if the linked file is not accessible without authentication. The School agrees not to embed Student Data, student names, or other PII in URLs, file names, or query parameters of Linked Content where reasonably avoidable.
(c) Third-party platforms must be covered. Where Linked Content is hosted by a third party (e.g., a cloud storage provider), the School represents that it has its own appropriate agreements with that provider — including, where applicable, a FERPA-compliant data processing agreement — covering the handling of any Student Data in that linked resource. The Provider has no obligation to verify the existence of such agreements.
(d) Access control is the School's job. The School is responsible for ensuring that Linked Content is configured with appropriate access controls at the third-party platform. The Provider's role is limited to controlling who within the Service can see the link itself.
(e) No warranty as to Linked Content. The Provider makes no representations and provides no warranties about the availability, accuracy, legality, or security of any Linked Content.
The Provider will treat the URL strings and metadata of Linked Content stored within the Service (i.e., the url, name, and related fields of attachment records) as Customer Content subject to the same data-security obligations described in Section 10, but the underlying linked resource is outside the scope of the Service.
9. Authorized Users and Account Security
The School is responsible for:
(a) creating and managing Authorized User accounts;
(b) ensuring Authorized Users keep their credentials confidential and use strong authentication where available (including multi-factor authentication and passkeys);
(c) promptly deactivating accounts of users who leave the School or change roles;
(d) the acts and omissions of its Authorized Users with respect to the Service.
The Provider will make reasonable account-security features available, including role-based access controls, audit logs, and session management.
10. Data Security
The Provider will maintain administrative, physical, and technical safeguards appropriate to the sensitivity of Student Data, including:
(a) encryption of Customer Content in transit (TLS 1.2 or higher) and at rest;
(b) role-based access controls and least-privilege access for Provider personnel;
(c) audit logging of administrative actions;
(d) regular security updates and dependency management;
(e) periodic internal review of the security program by reference to a recognized framework (e.g., SOC 2 or ISO 27001).
Certification status. The Provider does not currently hold SOC 2, ISO 27001, or equivalent third-party security certification. The commitment in clause (e) is to operate the security program by reference to those frameworks; nothing in this Section 10 represents that the Provider holds, has applied for, or is in active audit against any such certification. The Provider will update this section when its certification status changes.
11. Sub-processors
The Provider uses third-party services to deliver the Service (e.g., hosting, email delivery, error monitoring, analytics). A current list of sub-processors is available at /sub-processors. The Provider will:
(a) ensure each sub-processor is bound by contractual obligations no less protective than those in these Terms with respect to Student Data;
(b) notify the School at least thirty (30) days before adding a new sub-processor that materially changes the categories of data processed;
(c) remain liable for the acts and omissions of its sub-processors.
12. Breach Notification
If the Provider becomes aware of any unauthorized access, acquisition, or disclosure of Student Data ("Security Incident"), the Provider will:
(a) notify the School without undue delay, and in no event later than seventy-two (72) hours after confirming the Security Incident;
(b) provide a written description of the Incident, the categories and approximate number of records affected, and the remediation steps taken;
(c) cooperate reasonably with the School's investigation and any required parent or regulator notifications under applicable law.
Notification will not be delayed for purposes of internal investigation beyond what is required to confirm the Incident occurred.
13. Data Portability, Return, and Deletion
The School may export Customer Content at any time during the term using the then-available export tools provided in the Service. Exported Customer Content is delivered in a structured, machine-readable format covering the data categories supported by those tools at the time of export.
Scope of self-service export during beta. The Provider's self-service export tools currently cover schools, departments, tasks, subtasks, and the URL/name metadata of task attachments. Categories not yet covered by self-service tools — including, where applicable, internal messages, after-action report content, uploaded file binaries, import records, user/role records, and audit logs — are available on written request by the School's designated administrator and will be assembled by the Provider on a commercially reasonable basis. The Provider will continue to expand self-service export coverage during the beta period and will update this section as that coverage changes.
On termination or written request, the Provider will:
(a) make Customer Content available for export, in the categories described above, for thirty (30) days following termination;
(b) delete Customer Content from active systems within thirty (30) days after the export window closes;
(c) delete Customer Content from backups within ninety (90) days, or within the next regularly scheduled backup-retention cycle, whichever is later (subject to the beta-period limitation in §23(b));
(d) provide written confirmation of deletion on request. Deletion of database records is committed; deletion of stored file binaries (e.g., S3 objects) is attempted at the time of deletion, and where an object cannot be removed on the first attempt the Provider will retry and will record the final disposition.
The Provider may retain Customer Content beyond these periods only to the extent required by law, and any such retained data remains subject to the confidentiality and security obligations of these Terms.
14. No Advertising; No Sale of Data; No Model Training
The Provider will not:
(a) display advertising to any user of the Service;
(b) sell, rent, or share Student Data for advertising, marketing, or any commercial purpose unrelated to providing the Service;
(c) build profiles of students or School staff for any purpose other than providing the Service;
(d) use Student Data or Customer Content to train any general-purpose machine-learning model, and will not permit any sub-processor or third-party AI vendor to do so.
Third-party AI providers. The Service may include AI-assisted features (for example, suggested tasks or summaries) that send prompts and/or Customer Content to a third-party model provider. Any such third-party AI provider (i) is disclosed on the Sub-Processors page before the corresponding feature is enabled in any School's tenant, (ii) is bound by contract to use inputs and outputs solely to deliver the requested inference and not to retain them for the provider's own model training, and (iii) is treated as a sub-processor for all purposes of these Terms, including Sections 5, 10, and 11.
15. Aggregated and De-identified Data
The Provider may generate and use aggregated, de-identified data derived from use of the Service (for example, total number of tasks across the platform, or aggregate adoption metrics) provided that such data cannot reasonably be used to identify any individual or School. De-identification will follow the standard described in 34 C.F.R. § 99.31(b).
16. Confidentiality
Each party will keep confidential any non-public information disclosed by the other party in connection with the Service. Student Data is treated as the School's Confidential Information regardless of how marked.
17. Warranties and Disclaimers
The Provider warrants that it will provide the Service in a workmanlike manner consistent with industry standards. EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, THE SERVICE IS PROVIDED "AS IS" AND THE PROVIDER DISCLAIMS ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. The Provider does not warrant that the Service will be uninterrupted, error-free, or free of harmful components.
18. Limitation of Liability
Liability is structured in three tiers: a general cap, a supercap for data-handling claims, and a set of uncapped exceptions.
(a) General cap. Except as set out in (b) and (c) below, each party's total liability under these Terms will not exceed the greater of (i) the fees paid or payable by the School to the Provider in the twelve (12) months preceding the event giving rise to the claim, or (ii) one thousand U.S. dollars ($1,000).
(b) Data and security supercap. For claims arising from a breach of Sections 5–8 or 10–13 (the data-handling, security, sub-processor, and breach-notification obligations), each party's total liability is capped at the greater of (i) three (3) times the fees paid or payable by the School to the Provider in the twelve (12) months preceding the event, or (ii) fifty thousand U.S. dollars ($50,000). During the beta period, where no fees have been paid, this supercap is fifty thousand U.S. dollars ($50,000). This supercap is intended to give Schools meaningful recovery on data-handling claims while keeping exposure proportional to the beta nature of the engagement; it does not limit any liability described in (c).
(c) Uncapped exposure. No cap applies to liability arising from (i) intentional misconduct or gross negligence, (ii) the Provider's sale or unauthorized sharing of Student Data in breach of Section 14, (iii) the Provider's display of advertising or use of Student Data or Customer Content to train a third party's general-purpose model in breach of Section 14, (iv) misuse of the other party's Confidential Information under Section 16, or (v) a party's indemnification obligations under Section 19.
(d) Consequential damages. Neither party will be liable for indirect, incidental, consequential, or punitive damages, except where such damages fall within (c)(i) through (c)(iv) above.
THE PARTIES ACKNOWLEDGE THAT THESE LIMITS ARE A MATERIAL PART OF THE BARGAIN AND THAT THE FEES (OR THE ABSENCE OF FEES DURING BETA) WOULD BE MATERIALLY DIFFERENT WITHOUT THEM.
19. Indemnification
(a) By the Provider. The Provider will defend, indemnify, and hold harmless the School against any third-party claim that the Service, as provided by the Provider, infringes a third party's intellectual property rights or that the Provider has materially breached its obligations under Sections 5–8 or 10–14.
(b) By the School. The School will defend, indemnify, and hold harmless the Provider against any third-party claim arising from (i) Customer Content the School uploads, (ii) Linked Content the School references in violation of Section 8, (iii) the School's failure to obtain consents required under FERPA, COPPA, or state law, or (iv) the School's misuse of the Service.
(c) Procedure. Indemnification is conditioned on prompt written notice, sole control of defense by the indemnifying party (subject to the indemnified party's right to participate at its expense), and reasonable cooperation.
20. Term, Termination, and Suspension
These Terms remain in effect until terminated. Either party may terminate (a) for material breach not cured within thirty (30) days of written notice, or (b) immediately on written notice if the other party becomes insolvent. The Provider may suspend access (with notice where practicable) to prevent harm to the Service or its users, but will not use suspension as a workaround to terminate without cause.
Sections that by their nature should survive termination — including Sections 12, 13, 16, 17, 18, 19, and 22 — survive.
21. Changes to These Terms
The Provider may update these Terms from time to time. Material changes will be communicated to the School at least thirty (30) days before they take effect, by email to the School's designated administrator and by notice within the Service. The School's continued use of the Service after the effective date constitutes acceptance. If the School does not accept, its sole remedy is to terminate as set out in Section 20, with a pro-rated refund of any pre-paid fees.
22. Order of Precedence
If the School and the Provider have signed a separate Data Processing Agreement, Master Service Agreement, or state-specific privacy addendum, those agreements control over these Terms with respect to the subject matter they cover. Otherwise, these Terms govern.
23. Beta Period Limitations
The Service is currently offered in a beta program. During the beta period — which extends until the Provider gives the School written notice that the Service has exited beta — the Provider's ability to operationally honor certain commitments in these Terms is best-effort, as follows:
(a) Advance notice of material changes (§21). Material changes to these Terms may take effect with less than thirty (30) days' notice where required by security, legal, or critical product needs. The Provider will use reasonable efforts to provide as much advance notice as is practicable, and will document the reason for any abbreviated notice in the change announcement.
(b) Backup deletion timing (§13(c)). Full deletion of Customer Content from backups may take longer than the ninety (90) days stated in §13(c) while backup-retention policies and tooling are being finalized. The Provider commits to documenting actual backup-retention timing on the Sub-Processors page and to complete deletion as promptly as the underlying infrastructure allows.
(c) Sub-processor change notice (§11(b)). Sub-processors may be added or changed with less than thirty (30) days' advance notice during beta. The Sub-Processors page will be updated promptly when such changes occur, and the Provider will notify the School's designated administrator by email of any addition that materially expands the categories of data processed.
(d) Service availability and SLAs. No uptime or performance service-level agreement applies during the beta period. The Provider will use commercially reasonable efforts to maintain availability and will communicate planned and unplanned outages through the Provider's status page or by direct notice.
(e) Incident-response maturity. The Provider's incident-response program is operationally maturing during beta. The seventy-two (72) hour breach-notification commitment in §12 remains in effect and is not softened by this Section 23. The initial seventy-two (72) hour notice during beta may, however, be a preliminary notice — that is, it may identify the existence and general nature of a confirmed Security Incident without yet containing full forensic detail, exact record counts, or final remediation steps. The Provider will follow up with updates as the investigation progresses and will not delay the initial notice for purposes of completing forensic detail.
(f) Export tooling maturity. The categories of Customer Content covered by self-service export under §13 will expand during the beta period. Where a School requests export of a category not yet covered by self-service tools, the Provider will assemble that data on a commercially reasonable basis; the thirty (30) day export window in §13(a) is measured from when the Provider acknowledges the request to the extent the School requests categories beyond self-service coverage at termination.
For clarity: the beta-period limitations in this Section 23 apply only to the specific subsections identified. All other obligations in these Terms — including the prohibitions on advertising, selling Student Data, and using Student Data or Customer Content for purposes other than providing the Service — remain in full effect during beta with no best-effort qualifier.
When the Provider exits beta, the Provider will send the School's designated administrator written notice. From the effective date of that notice, the limitations in this Section 23 no longer apply and the full obligations of these Terms govern.
24. Governing Law and Disputes
These Terms are governed by the laws of the State of Oregon, without regard to conflict-of-laws principles. The parties agree to resolve disputes first by good-faith negotiation, then by mediation, and finally by binding arbitration in Ashland, Oregon under the rules of the American Arbitration Association ("AAA"). Either party may seek injunctive relief in court for misuse of intellectual property or Confidential Information.
Public schools, districts, and governmental entities. Where the School is a public school district, public charter school, state or local educational agency, or other governmental entity that is prohibited by applicable law or procurement policy from agreeing to one or more of the following — (i) governing law of a state other than the School's home state, (ii) venue outside the School's home jurisdiction, (iii) binding arbitration or any waiver of access to the courts, (iv) indemnification of a private vendor, or (v) waiver of sovereign immunity — the conflicting provision of these Terms does not apply to that School to the extent of the prohibition. In such case, the parties will resolve disputes in a court of competent jurisdiction in the School's home state under that state's law, the indemnification obligation under §19(b) is limited to the maximum extent permitted by applicable law, and the remainder of these Terms continues in full effect. The School should identify any such required carveouts in writing at the time of acceptance; absent such notice, the Provider may treat any later assertion of a public-procurement carveout as a request to amend the agreement under §21.
25. General
(a) Assignment. Neither party may assign these Terms without the other's consent, except to a successor in a merger, acquisition, or sale of substantially all assets.
(b) Notices. Notices must be in writing and sent to the addresses on file for the School's administrator and the Provider's designated contact.
(c) Entire Agreement. These Terms, together with any signed DPA or addendum, constitute the entire agreement and supersede prior agreements on the same subject.
(d) Severability. If any provision is held unenforceable, the rest remain in force.
(e) No Waiver. A party's failure to enforce a provision is not a waiver of future enforcement.
Designated contacts:
For the Provider:
- Alexander Black, CTO — privacy@synthed.co for security, privacy, technical, FERPA, COPPA, and data-handling notices.
- Jeremy Hamasu, CEO — legal@synthed.co for legal and contractual notices.
- Mailing address: synthEd, Ashland, Oregon
For the School: notices will be sent to the School administrator or other notice contact designated in the Service, in an order form, in a DPA, or by written notice to the Provider. The School is responsible for keeping its notice contact current.
End of Terms of Service.