Privacy & Data Safety

Effective date: May 6, 2026 • Last updated: May 15, 2026

BlueBird Alerts will never sell, share, rent, or monetize your personal data — period. Your data exists solely to operate the BlueBird Alerts service for your school or organization.

✓ HTTPS / TLS 1.2+ everywhere ✓ GDPR-aligned practices ✓ FERPA-conscious design ✓ Zero data selling ✓ CIS-hardened infrastructure ✓ 24/7 security monitoring

Who We Are

BlueBird Alerts ("we," "us," or "our") provides an emergency alert platform for schools and organizations. Our service is operated by BlueBird Alerts LLC. For privacy inquiries, contact us at [email protected].

What Data We Collect

We collect only the minimum information necessary to operate the service:

Account information — name, email address, and role (e.g., teacher, administrator) provided during account setup by your school administrator.
Device tokens — push notification tokens issued by Apple (APNs) or Google (FCM) to your device, used solely to deliver emergency alerts.
Location data — only when you voluntarily activate the "Share Location" feature during an active emergency. Location is never collected passively or in the background.
Usage data — basic in-app activity (e.g., alert acknowledgements, hall pass activity) used to operate and improve service reliability for your school.

How We Use Your Data

To send emergency alerts and notifications to your device
To display real-time emergency status to authorized users within your organization
To support hall pass and student accountability features
To troubleshoot technical issues and ensure service availability

We do not use your data for advertising, analytics sold to third parties, or any purpose outside of operating BlueBird Alerts for your school.

Data We Never Collect

Contacts or address book
Photos, camera, or microphone content (except QR scanning within the app)
Passive or continuous location tracking
Financial or payment information
Browsing history or web activity from personal devices — monitoring applies only to school-managed devices where the Guardian add-on has been explicitly deployed by an IT administrator (see BlueBird Guardian section below)

BlueBird Guardian — Chrome Extension

✓ School-managed devices only ✓ IT administrator deployment required ✓ Never sold or shared with third parties ✓ Matched text content is never stored

BlueBird Guardian is an optional Chrome extension available exclusively to schools that have enabled the Guardian add-on. It is deployed by school IT administrators to school-managed Chromebooks and devices — it is never installed on personal devices without explicit administrator action.

What Guardian Collects

When installed on a school-managed device, the Guardian extension may collect the following on behalf of the school:

URLs and domains visited — web addresses accessed in the Chrome browser, recorded to support internet safety policy enforcement and review by school administrators.
Google Workspace account email — the signed-in Google account email address, used to associate browsing activity with a student or staff account within the school's organization.
Device identifiers — a randomly generated installation ID and device hostname, used to identify the device in the school's management console.
Policy match metadata — when a browsing event matches a school-configured safety keyword or content policy, the keyword tier (e.g., "critical" or "standard") and the matched domain are recorded. The actual text entered by the user is never captured, transmitted, or stored.
DLP event metadata — if the school enables Data Loss Prevention rules, metadata about a rule match (rule name, site URL, element type, action taken) is recorded. The content that triggered the match is never stored.
File upload metadata — if exfiltration detection is enabled, the destination domain and filename(s) of files uploaded to external sites are recorded. File contents are never captured.
Extension heartbeat data — version number, last active timestamp, and policy version, used to confirm the device is receiving updated policies.

How Guardian Data Is Used

All collected data is visible only to authorized administrators within the same school organization.
Data is used solely to enforce the school's internet safety policies, flag potential student safety concerns, and generate activity reports for school administrators.
Guardian data is never used for advertising, sold to third parties, or shared with anyone outside the school's authorized staff.
Data is retained according to the school's configured retention period (default 90 days) and permanently deleted upon school account termination.

Guardian Data Is Not Collected When

The Guardian add-on has not been enabled by the school
The extension is not deployed to the device by an IT administrator
The user is signed in to a personal (non-school) Google account
The visited domain belongs to the school's own Google Workspace domain

Data Sharing

We do not sell, rent, or trade your personal information to any third party. Device push tokens are transmitted to Apple (APNs) and Google (FCM) solely for the purpose of delivering notifications, under the terms of their respective developer agreements. Guardian browsing data is shared with no third party and remains within your school's isolated data partition. No other third-party data sharing occurs.

Data Retention

Your account data is retained for as long as your school's subscription is active. Upon account termination, personal data is deleted within 30 days. Emergency incident records may be retained for up to 1 year for auditing purposes, then permanently deleted.

Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting your school administrator or emailing us at [email protected]. We will respond within 30 days.

Security

All data is transmitted over encrypted HTTPS connections (TLS 1.2+), routed through Cloudflare's global network for DDoS and WAF protection before reaching our servers. We use industry-standard security practices including bcrypt password hashing, session token authentication, and optional biometric/passkey authentication on mobile devices.

Technical Safeguards — In Detail

We go beyond basic compliance checkboxes. The following technical controls are active on our production infrastructure:

Network & Edge

Cloudflare WAF & DDoS protection — all inbound traffic is filtered at the network edge before reaching servers. Malicious requests, known attack signatures, and volumetric floods are blocked automatically.
TLS 1.2+ enforced — all connections use modern encryption. HTTP is redirected to HTTPS; no plaintext traffic is accepted.
Allowlist firewall (UFW) — only ports 80, 443, and a restricted SSH port are open. All other inbound connections are rejected by default. Port 443 accepts connections exclusively from Cloudflare IP ranges.

Server Hardening

CIS Ubuntu 24.04 Benchmark — our server is actively hardened against the CIS benchmark, with continuous scanning and remediation of configuration gaps.
AppArmor mandatory access controls — system processes run under AppArmor profiles that restrict what files and resources each service can access.
Kernel module restrictions — unused and potentially exploitable kernel modules (unused filesystems, network protocols) are blacklisted at boot.
Hardened SSH — root password login is disabled; only cryptographic key authentication is accepted. Brute-force attempts trigger automatic account lockout via PAM faillock.
Core dumps disabled — memory dumps that could expose sensitive data are disabled system-wide.

Monitoring & Audit

Wazuh SIEM — a real-time Security Information and Event Management system monitors all server activity 24/7. Critical events (unauthorized access attempts, privilege escalations, file integrity violations) trigger immediate alerts.
Kernel-level auditd logging — the Linux audit daemon records every privileged system call, file modification to sensitive paths, login/logout event, and permission change at the kernel level — creating a tamper-evident, non-bypassable record.
GDPR article monitoring — Wazuh's GDPR-tagged rule engine tracks compliance-relevant events against GDPR articles including data integrity (IV_35.7.d), with automated grading of our security posture.
Application audit log — every action inside BlueBird Alerts (alert activations, user changes, role assignments, setting edits) is logged with actor identity, timestamp, and before/after values in an immutable audit trail.

Application Security

bcrypt password hashing — passwords are never stored in plaintext. A one-way bcrypt hash with per-user salt is used; we cannot recover your password, only reset it.
Session token authentication — web sessions use signed, server-side-validated tokens with configurable inactivity timeouts. Sessions are invalidated on logout.
Biometric / passkey authentication — the mobile app supports Face ID, Touch ID, and FIDO2 passkeys as a second factor for sensitive actions.
Role-based access control — six distinct roles (teacher, staff, building admin, district admin, law enforcement, super admin) enforce the principle of least privilege. Access is enforced at the API level, not just the user interface.
Multi-tenant data isolation — each school's data is stored in fully isolated database partitions. API-level checks ensure no cross-tenant data leakage is possible, even in the event of a misconfiguration.
Input validation — all API endpoints validate and sanitize inputs. SQL injection, XSS, and command injection protections are applied throughout.

Backups & Availability

Automated daily backups — full database and configuration backups run automatically. Backups are encrypted and stored off the primary server.
Tested restore procedures — backup restoration is tested to ensure data can be recovered within a defined recovery time objective.

GDPR & Student Data Protection

While BlueBird Alerts is a US-based service, we align our data practices with GDPR principles as a baseline standard for all users:

Data minimization — we collect only what is strictly necessary to operate the service. No behavioral profiling, no advertising data, no third-party analytics.
Purpose limitation — data collected for emergency alert delivery is not repurposed for any other use.
Right of access — you may request a copy of all personal data we hold about you at any time.
Right to rectification — incorrect personal data will be corrected promptly upon request.
Right to erasure — personal data is deleted within 30 days of account termination or upon verified request. Emergency incident records are deleted after 1 year.
Data breach notification — in the event of a breach affecting personal data, affected schools will be notified within 72 hours of discovery.
No automated decision-making — we do not make automated decisions with legal or significant effects using student or staff data.
Processor agreements — our use of Apple APNs and Google FCM for push notification delivery is governed by their respective data processing agreements.

Student Data & FERPA Alignment

Student information within BlueBird Alerts (name, grade level, classroom) is entered exclusively by authorized school administrators — not collected from students directly. We follow FERPA-aligned practices:

Student records are accessible only to authorized staff within the same school
No student data is sold, shared with advertisers, or provided to any third party
Students under 13 do not interact directly with the platform
Schools retain ownership of their student data and may request full deletion at any time

Children's Privacy

BlueBird Alerts is designed for use by school staff and administrators (adults). Student names and grade levels may appear in the roster feature, entered by school administrators. We do not knowingly collect personal data directly from children under 13.

Changes to This Policy

We may update this policy from time to time. We will post the updated policy at this URL and update the effective date. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

Questions about this privacy policy? Email us at [email protected].