Privacy Policy
Last Updated
1. Introduction
Welcome to Doorman (the "Service"), a student focus, attendance, and school policy-enforcement application provided by Doorman Labs Inc. ("Doorman," "we," "us," or "our"). We are based in New York City and operate in the United States.
This Privacy Policy explains how we collect, use, disclose, and safeguard information when students, teachers, school administrators, and school districts use the Doorman mobile application, administrative dashboard, and related services.
Our top priority is protecting the privacy of students, educators, and parents who use our Service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App") and administrative dashboard (the "Dashboard"). While some Doorman features use Virtual Private Network (VPN) technology to apply school-configured access restrictions, Doorman is not a general-purpose consumer VPN. It is designed for educational institutions ("Schools" or "Districts") to support and enforce school-defined device and internet access policies during specified school times or classes.
We are committed to collecting only the information needed to provide the Service, support school-configured policies, maintain security, troubleshoot technical issues, and comply with applicable law. We are also committed to complying with applicable federal and state student privacy laws, including the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), the Student Online Personal Information Protection Act (SOPIPA), and similar state student privacy laws.
If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Information We Collect
We collect information in limited categories needed to provide and operate Doorman.
A. Information Provided by Schools/Districts:
School/District Information: We collect information about the School or District using Doorman, including institution name, contact information, school settings, and administrator account information such as name, email address, role, and permissions.
Student Roster Information: To create and manage student accounts, Doorman may receive information from Schools, Districts, Student Information Systems (SIS), or Single Sign-On (SSO) providers such as Google or Microsoft. This may include student names, student IDs, grade levels, class enrollments, and school-issued email addresses. We collect only the roster information needed for the Service to function.
Policy Configuration Data: Whitelists of applications and websites, restriction schedules (time-based), classroom-specific settings, and other policy parameters defined by administrators.
B. Information Collected Automatically from Student Devices:
Device and App Information: We may collect limited technical information needed to operate, secure, and troubleshoot the Service, such as app version, device model, and operating system version.
Tap-In, Classroom-Code, and Connection Events: When a student taps in using an NFC tag, uses a classroom code, connects to Doorman, or disconnects from Doorman, we collect information needed to validate and record that event. This may include the student identifier, school identifier, classroom or section information, NFC tag identifier where applicable, validation result, connection or disconnection timestamp, source of the event, and method, such as tap-in or classroom-code entry.
Bypass and Violation Events: Doorman may collect bypass or violation events when needed to report policy compliance. These may include unauthorized disconnects, emergency unlocks, device reboots during restricted periods, app reinstall detections, and time manipulation alerts.
Anonymous Blocked or Restricted Activity Events: When the VPN is active, Doorman may record anonymous policy enforcement events related to blocked or restricted activity. These events are not stored in a way that identifies, or can reasonably be reidentified to, an individual student.
C. VPN Traffic and Browsing Activity
Doorman does not inspect, log, or store the contents of student internet traffic passing through the VPN. We do not maintain identifiable browsing histories showing which student visited or attempted to visit specific websites or apps.
Doorman does not collect or store:
The contents of student web traffic
The content of communications sent or received through the VPN
Identifiable browsing histories
DNS request histories tied to an identifiable student
Doorman may process network traffic transiently as needed to operate the VPN and apply school-configured restrictions, but we do not use that traffic to create identifiable browsing profiles.
D. Information Related to Teachers and Administrators:
Account Information: We collect teacher and administrator account information, including name, email address, role, school affiliation, and account permissions.
Action Logs: We may collect records of actions taken within the Dashboard, such as policy creation or updates, attendance actions, manual violation reports, account permission changes, and report generation.
3. How We Use Your Information
We use the information we collect for the following purposes:
To Provide and Manage the Service:
Authenticate students, teachers, and administrators
Create and manage student, teacher, and administrator accounts
Apply school-configured restrictions
Validate tap-in and classroom-code events
Record attendance and connection status
Provide customer support and respond to inquiries
For School Policy Enforcement and Reporting:
Provide authorized school personnel with attendance, connection, tap-in, classroom-code, and bypass or violation records
Help Schools and Districts monitor compliance with their own policies
Generate reports related to attendance and policy enforcement
Notify authorized school personnel of configured compliance events, such as unauthorized disconnects or other bypass events
For Communication:
Communicate with Schools, Districts, teachers, and administrators about service updates, security notices, and support issues
To Improve Our Service:
Troubleshoot errors
Maintain reliability and performance
Detect, prevent, and investigate misuse, security incidents, or technical failures
Understand aggregated product usage and improve Service functionality
For Compliance and Legal Obligations:
Comply with applicable laws and regulations, including FERPA, COPPA, SOPIPA, and similar state student privacy laws
Respond to lawful requests from government authorities
Enforce our terms of service and other agreements
4. How We Share Your Information
We do not sell student personal information. We share information only in the limited circumstances described below:
With the School or District: All information collected through the Service for the purpose of policy enforcement and reporting is accessible to the respective School/District that has contracted our Service. They are the primary data controllers for all data associated with their institution’s use of Doorman.
With Parents/Guardians (As Directed by School/District): We may provide student information to parents or guardians when directed by the School or District and in accordance with applicable law, including FERPA.
Service Providers: We may share information with vendors and service providers that perform services on our behalf, such as cloud hosting, authentication, analytics for internal service improvement, customer support, error monitoring, and communications. These service providers are required to protect the information and use it only to provide services to us.
For Legal, Safety, and Security Reasons: We may disclose information only when legally required to do so, such as in response to a valid subpoena, court order, or other lawful process, or when necessary to protect the security or integrity of the Service or prevent imminent harm. Where legally permitted and appropriate, we will direct requests for student information to the applicable School or District or notify the School or District before disclosing student information.
Aggregated or De-Identified Information: We may use aggregated or de-identified information for internal research, analysis, product improvement, and operational purposes. We do not share aggregated or de-identified student information with external third parties for their own advertising or profiling purposes. Because Doorman does not collect traffic contents or identifiable browsing histories, we cannot provide that information to Schools, Districts, service providers, or third parties.
5. Data Security
We implement robust security measures designed to protect your information from unauthorized access, use, alteration, and disclosure. These measures include:
End-to-End Encryption: All data transmitted between student devices, our VPN servers, and the Admin Dashboard is encrypted using industry-standard protocols.
Secure Authentication: Secure authentication through supported identity providers and account controls
Access Controls: Role-based access controls that limit access based on user permissions
Data Minimization: Data minimization practices designed to limit collection to the categories described in this Privacy Policy
Regular Security Audits: Regular security assessments and audits to identify and address potential vulnerabilities.
Data Storage: Secure cloud infrastructure with appropriate physical and electronic safeguards
While we take reasonable precautions to protect information, no security system is impenetrable, and we cannot guarantee absolute security.
6. Data Retention
We retain personal information only for as long as needed to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, and meet our contractual obligations to Schools and Districts.
Student Data: Student data is retained as directed by the applicable School or District and in accordance with our agreement with that School or District. Upon termination of the agreement, or upon request from the School or District, we will delete or de-identify student personal information as required by our agreement and applicable law.
Anonymized or De-Identified Data: We may retain aggregated or de-identified data for internal analytical, security, and service improvement purposes, provided it does not identify and cannot reasonably be used to reidentify an individual student.
7. Your Rights and Choices
Schools and Districts are the primary controllers of student data. Students and parents should direct any requests regarding student information to their respective School or District.
Access and Correction: Schools and Districts can access and update certain account, roster, attendance, and policy information through the Dashboard or by contacting us. Parents or guardians may have rights to review their child's educational records under FERPA and should contact their School or District for such requests.
Communications: Administrators may opt out of non-essential communications by following the unsubscribe instructions in those communications. We may still send service, security, legal, or account-related messages.
Data Deletion: Schools and Districts may request deletion of information associated with their account, subject to applicable law and our agreement with the School or District.
8. Children's Privacy (COPPA, FERPA, SOPIPA)
Doorman is intended for use by educational institutions and their authorized students, teachers, and administrators. We are committed to complying with:
COPPA: We collect personal information from children under 13 only with the consent and direction of the applicable School or District, which may act as the agent of the parent or guardian for COPPA consent in the educational context. We do not knowingly collect personal information from children under 13 for any other purpose. If we learn that we have collected personal information from a child under 13 without appropriate consent, we will take steps to delete it.
FERPA: Where applicable, we act as a "school official" under FERPA and receive student information from Schools and Districts for legitimate educational interests and the purposes for which it was disclosed to us, as outlined in this Privacy Policy and our agreements with Schools and Districts.
SOPIPA and Similar Student Privacy Laws: We comply with SOPIPA and similar state student privacy laws. We do not sell student data, use student data for targeted advertising, or create student profiles for non-educational purposes.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify Schools or Districts by email, through the Dashboard, or by another appropriate method before the change becomes effective where required by law or contract.
We encourage you to review this Privacy Policy periodically. Continued use of the Service after an updated Privacy Policy becomes effective means that the Service will be subject to the updated Privacy Policy.
10. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at hello@doorman.school.
Parents or guardians with questions about their child's data or school policies should contact their School or District administration directly.
