Privacy Policy
Last Updated: June 10, 2026
Notable and Notable Learning are owned and operated by Business Box, LLC.
Notable holds the privacy and security of our site’s visitors, Licensees, and Students as one of our highest priorities. This Privacy Policy explains the services accessed, what information is gathered, and what happens with that information.
Notable is a curriculum provider whose curriculum is delivered through a learning management system (LMS). Licensees, such as schools or districts, can access Notable by purchasing the curriculum and being granted access through our onboarding process. Students, patrons, and Licensees can access Notable through our online portal.
This Privacy Policy describes Notable’s privacy practices in relation to information that we collect through the website notablelearning.com, operated by us and made available for use on computers and mobile devices that link to this Privacy Policy.
1. Information We Collect
- Visitors: We track IP Addresses, Operating System, Browser Type, and Referring URLs through our website logs. This information is collected for security purposes and is not used to identify users personally.
- Licensees: Licensees (typically a school, district, library, or teacher) are required to provide their email address, first and last name, city, state, and organization name. This information is necessary to send setup instructions, respond to inquiries, provide information about new products and updates, and offer support. We do not sell or share this information with outside companies.
- Students: Students access our application servers using a password-protected ID provided by their Licensee. We collect information about each student’s session, including content visited, time on task, and curriculum progress. This data is organized to help Licensees improve the learning process. Licensees may optionally provide student names. Student email addresses are used for login purposes; however, Licensees may opt to use fictitious email addresses for added privacy.
2. Compliance with the Family Educational Rights and Privacy Act (FERPA)
Notable Learning is deeply committed to protecting student data and fully complying with the Family Educational Rights and Privacy Act (FERPA). To establish a clear legal framework under 34 CFR § 99.31(a)(1) for core application identity and roster data processing (including streams integrated via FACTS, Clever, and Google Classroom), the following terms strictly govern our platform operations:
- School Official & Legitimate Interest Designation: Notable Learning recognizes that in the context of providing our digital educational services to partner schools and districts, we operate strictly as a “School Official” with a “Legitimate Educational Interest.” Notable Learning performs an institutional service and function for which the school system would otherwise utilize its own employees.
- Direct Control & Data Ownership: The school or district (the “Licensee”) that contracts with us remains the primary owner of all student data. Notable Learning acknowledges that its collection, maintenance, and processing of student education records are under the direct control and institutional direction of the Licensee.
- Strict Purpose Restrictions & Non-Commercialization: We receive and utilize student data solely for the express purpose of serving the educational needs of the Licensee and optimizing our contracted platform curriculum (Entrepreneurship, Personal Finance, and Investing). Notable Learning does not sell, rent, or lease student information to any third party. No student data collected on our platform is ever used to compile commercial profiles, conduct market tracking, or serve targeted advertisements to students or their families.
- Data Retention and Deletion Protocol: Notable Learning retains student records only for the duration necessary to deliver the specific educational objectives contracted by the school. Upon formal institutional request or the termination/expiration of a school’s service agreement, Notable Learning will securely purge, erase, or de-identify all student records from our active databases and primary cloud infrastructure within thirty (30) business days.
- Security Incident Notification Window: Notable Learning implements robust administrative, physical, and technological safeguards to maintain the strict confidentiality, security, and integrity of student data. In the unforeseen event of a confirmed security incident or data breach impacting student personally identifiable information (PII), Notable Learning will notify the designated primary administrative contact of the affected school system within forty-eight (48) hours of discovery, providing immediate operational context and collaborative remediation support.
Platform Infrastructure Sub-Processor Directory
To maintain absolute operational transparency under FERPA regulations, student data streams may be securely routed through the following core platform infrastructure sub-processors strictly required to host, serve, and secure the contracted service:
| Sub-Processor | Core Infrastructure Function | Scope of Data Processed |
|---|---|---|
| Google Cloud Platform (GCP) | Secure Cloud Infrastructure & Databases | Main database storage for student rosters, identities, and course progress records. |
| Vercel | Application Interface Frontend Hosting | Serves the web-app user interface and handles temporary user session queries. |
| Mux | Specialized Video Hosting & Playback | Manages curriculum streaming, video delivery, and secure viewing analytics. |
| Sentry | Real-Time Technical Error Tracking | Logs system crashes and application diagnostic data to prevent system downtime. |
| Datadog | System Health & Infrastructure Monitoring | Tracks overall application performance metrics and server environment optimization logs. |
| SendGrid | Transactional Email Infrastructure | Dispatches account verification, password reset, and platform notification emails. |
| Upstash | High-Speed Data Caching Layer | Manages temporary memory cache to ensure fast, responsive page loads for students. |
- Technical Safeguards and Security Baseline: To protect student personally identifiable information (PII) from unauthorized access, exploitation, or disclosure, Notable Learning implements rigorous, industry-standard cryptographic controls. All student education records processed within our platform environment are encrypted with AES-256 while at rest within our infrastructure and cloud databases, and must be carried over TLS 1.3 while in transit across all system endpoints.
3. Compliance with Children’s Online Privacy Protection Act (COPPA)
Notable is committed to complying with the Children’s Online Privacy Protection Act (COPPA).
- Parental Consent: For students under the age of 13, Notable requires schools, districts, or Licensees (on behalf of parents or legal guardians) to provide consent for the collection of personal information. This is consistent with the FTC’s guidance allowing schools to consent on behalf of parents for the use of educational technology in the school context.
- Direct Notice to Parents: Licensees accessing Notable on behalf of a School or District must ensure parents or legal guardians have access to this privacy policy.
- Information Collected from Children: We collect limited personal information from students under 13 only for the purpose of providing our educational services. This may include a name (if provided by the school), an email address (which can be a fictitious one), and usage data such as progress and time on task. Students may also create audio and video recordings as part of the curriculum.
- Use of Information: Student information is used solely for educational purposes to facilitate the learning process and is not used for commercial purposes. This information is not shared with third parties except those necessary for providing the service as outlined in this policy.
- Parental Rights: Parents have the right to refuse the use of the site for their child. Parents can access their child’s information and request to have it deleted by contacting their Licensee.
- Conditioning Participation: We do not condition a child’s participation in any activity on the disclosure of more personal information than is reasonably necessary to participate in that activity.
- Data Security: We implement and maintain reasonable security procedures and practices to protect the confidentiality, security, and integrity of personal information collected from children.
4. Compliance with the Protection of Pupil Rights Amendment (PPRA)
Notable complies with the Protection of Pupil Rights Amendment (PPRA).
- Surveys: We do not administer surveys to students that ask for personal information concerning political affiliations, mental and psychological problems, sexual behavior and attitudes, illegal or anti-social behavior, critical appraisals of family members, legally recognized privileged relationships, religious practices, or income.
- Inspection of Instructional Material: Parents have the right to inspect any instructional materials used in connection with our curriculum. Licensees must make these materials available for parental review.
- Marketing and Sales: We do not collect, disclose, or use personal information from students for the purpose of marketing or selling that information.
5. Compliance with the Student Online Personal Information Protection Act (SOPIPA)
Notable complies with the Student Online Personal Information Protection Act (SOPIPA).
- Targeted Advertising: We do not use, disclose, or compile student information for the purpose of targeted advertising to students.
- Data Protection and Deletion: We implement and maintain reasonable security procedures and practices to protect student data from unauthorized access, destruction, use, modification, or disclosure. We will delete student information upon the request of the school or district.
- Use and Disclosure Restrictions: We do not create student profiles for non-educational purposes and will not disclose student information except in limited circumstances as permitted by law, such as to our service providers who are contractually obligated to maintain the confidentiality and security of the data.
6. Compliance with California Assembly Bill 1584 (AB 1584)
For our Licensees in California, Notable complies with the requirements of AB 1584.
- Control of Student Records: All student records remain the property of and under the control of the local educational agency (LEA).
- Restrictions on Use: We will not use any personally identifiable information in student records for any purpose other than providing the contracted services to the LEA.
- Parental and Student Rights: Parents, legal guardians, or eligible students may review their personal information and correct any erroneous information by contacting their LEA.
- Breach Notification: In the event of an unauthorized disclosure of student records, we will promptly notify the affected LEA. We have procedures in place to handle security incidents, including a process for making notifications as required by law.
- End-of-Contract Data Handling: Upon the expiration of a license, student data is archived. The LEA may request the permanent deletion of all student data by emailing support@notablelearning.com.
- Targeted Advertising Prohibition: We do not use any information in student records to engage in targeted advertising.
7. Data Retention and Security
We retain personal data only for as long as is reasonably necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. Once a license expires, data is archived in case of renewal but can be permanently deleted upon request.
We use industry-standard TLS 1.3 to encrypt information transmitted over the internet. We have also implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way. However, no data transmission over the internet can be guaranteed to be 100% secure.
8. Tracking Technologies
We use cookies and Local Storage Objects (LSOs) to store authentication information, content information, and user preferences. We also use third-party service providers for features such as analytics, customer support, and error reporting; these providers may also use cookies and LSOs. This information is never transmitted to other third parties beyond these contracted providers.
9. Changes to this Privacy Policy
We reserve the right to change or update this Privacy Policy at any time. Any changes will be effective immediately upon posting to our site.
10. Contact Us
If you have any questions about this Privacy Policy, please contact us at:
Business Box, LLC DBA: Notable
PO Box 265
Mansfield, TX 76063
support@notablelearning.com
11. Third-Party Service Providers
As referenced in section 8, we engage the following service providers (sub-processors) to operate the platform on our behalf. Each is contractually obligated to maintain the confidentiality and security of student data and to process it only as necessary to provide their service.
Vercel
Purpose: Application hosting, serverless functions, and content delivery
Data processed: HTTP request metadata, IP addresses, deployment logs. No student records are stored at rest in Vercel infrastructure.
Region: United States
Google Cloud SQL (PostgreSQL)
Purpose: Primary application database storing user accounts, courses, and student progress
Data processed: Student names, email addresses, school affiliations, course enrollments, lesson progress, and audit logs
Region: United States (us-central1) — data residency requirement
Google Cloud Storage (GCS)
Purpose: Object storage for course media, uploads, and user-generated content
Data processed: Course images, instructional videos, PDFs, and lesson attachments. Files are stored under UUID filenames; no personally identifiable information appears in object keys.
Region: United States (us-central1)
SendGrid
Purpose: Transactional email delivery (account verification, password reset, notifications)
Data processed: Recipient email address, message subject, message body, and delivery status
Region: United States
Mux
Purpose: Video hosting, transcoding, and adaptive streaming
Data processed: Course video assets and aggregate playback telemetry
Region: United States
Upstash (Redis)
Purpose: Rate limiting, session caching, and ephemeral key-value storage
Data processed: IP addresses for rate-limit windows. No student names, email addresses, or progress data are stored in Redis.
Region: United States
Datadog
Purpose: Application performance monitoring (APM), real user monitoring (RUM), and operational logs
Data processed: Request traces, performance metrics, and browser-side telemetry. RUM is configured to mask form inputs at capture so student-entered values are not transmitted.
Region: United States
Sentry
Purpose: Error tracking and exception monitoring
Data processed: Stack traces, error context, and browser metadata. Error payloads are scrubbed to exclude student names, email addresses, and progress values.
Region: United States
Google OAuth and Google Classroom
Purpose: Single Sign-On and Google Classroom integration (course roster sync, grade passback)
Data processed: Google account email, profile name, and (only with explicit teacher consent) Google Classroom course roster and grade data
Region: United States
Microsoft Entra ID
Purpose: Single Sign-On for schools using Microsoft 365
Data processed: Microsoft account email, profile name, and tenant identifier. No student progress or grade data is shared with Microsoft.
Region: United States
Clever
Purpose: Student Information System integration for roster sync and Secure Sync OAuth login
Data processed: Student names, email addresses, grade levels, school affiliations, and class rosters provided by the district via the Clever API
Region: United States
FACTS Student Information System
Purpose: Student roster sync for partner schools using FACTS SIS
Data processed: Student names, grade levels, school affiliations, and class rosters provided by the school via the FACTS API
Region: United States
Canvas (LTI 1.3)
Purpose: Learning Tools Interoperability launch from Canvas LMS for partner schools
Data processed: JWT-signed launch claims (user ID, role, course context) provided by Canvas during LTI launch
Region: United States