Parents' Bill of Rights for Data Privacy and Security
Under New York Education Law §2-d and 8 NYCRR Part 121.
Template. New York school districts should have their Chief Privacy Officer review and adopt this before publishing to families.
- A student's personally identifiable information cannot be sold or released for any commercial purpose.
- Parents have the right to inspect and review the complete contents of their child's education record stored by LeagueForge or their child's school. Requests should be made to the school's designated privacy officer.
- State and federal laws (including FERPA and NY Ed Law §2-d) protect the confidentiality of personally identifiable information. Safeguards in place at LeagueForge include encryption in transit and at rest, row-level security on every table, role-based access controls, audit logging of all access to student records, and background-checked staff.
- A complete list of all student data elements collected by NYSED is available at nysed.gov/data-privacy-security/student-data-inventory; parents may request a copy from their school district.
- Parents have the right to file complaints about possible breaches of student data with the school district's designated privacy officer or with the NYSED Chief Privacy Officer at privacy@nysed.gov.
Supplemental information about LeagueForge
- Exclusive purposes for which student data will be used: operating the school's esports program — roster management, scheduling, scoring, in-platform communication.
- Oversight of subprocessors: all subprocessors (Supabase for hosting, Cloudflare for CDN, Resend for email) are bound by contracts requiring the same level of data protection.
- Contract duration & data return / destruction: at the end of the agreement or upon school request, LeagueForge will export and return student data, then destroy all copies within 30 days.
- Challenge data accuracy:parents and eligible students may request corrections via the school's privacy officer; corrections are made within 30 days.
- Where data is stored and security practices: student data is stored in Supabase regions in the United States; encryption uses TLS 1.2+ in transit and AES-256 at rest.
- Encryption: in transit and at rest, as required by §2-d.
Schools should append this to their signed Data Processing Agreement and publish it to families. See also our Privacy Policy.