Privacy Policy
Last Updated: April 1st, 2026
1) Scope
These policies explain how Pebble (“Pebble,” “we,” “us,” “our”) collects, uses, shares, and protects information when you use our websites, applications, and related services (collectively, the “Services”).
Pebble primarily provides Services to schools and school districts (“Education Agencies” or “EAs”) and their authorized users (including district staff, counselors, administrators, and students).
When we process Student Data for an EA, we do so as a service provider on the EA’s behalf and under the EA’s direction, consistent with the EA agreement and applicable law.
2) Key Commitments (Student Data)
No sale of Student Data.
No targeted advertising using Student Data.
No student-facing pop‑up ads or advertisements directed to children in student experiences.
US-only storage for Student Data (unless an EA expressly approves otherwise in writing).
Incident notification to the EA within 24 hours of discovery/confirmation of a covered incident.
Data return/export and deletion within 90 days after termination/expiration (or as specified in the EA agreement), with secure destruction aligned to NIST SP 800‑88 Rev. 1 where applicable.
No generalized AI/ML training: we do not use Student Data (or de‑identified/aggregated data derived from it) to train generalized AI/ML models.
Security program aligned to the NIST Cybersecurity Framework (NIST CSF).
3) Information We Collect
A) Education Agency-provided / EA-authorized information (Student Data)
Depending on EA configuration, Pebble may process:
SIS data integrated at EA direction (e.g., roster and related education records)
Data generated within Pebble as part of providing the Services (including student‑to‑counselor communications via “Stress Spin”)
Account identifiers (name, email/username, role, school/district association)
B) Information you provide directly
Support requests and communications
Information provided through forms (e.g., demo requests)
C) Information collected automatically
Website log/device data (IP address, browser type, pages viewed, timestamps)
Cookies and similar technologies
Google Analytics
We use Google Analytics on our public marketing website to understand website usage and improve our website and Services. We do not use Google Analytics to target advertising to students.
4) How We Use Information
We use information to:
Provide, operate, maintain, and secure the Services
Perform EA-authorized workflows and communications
Provide customer support and service communications
Improve reliability, performance, usability, and security
Comply with legal obligations and enforce policies
De‑Identified and Aggregated Data (Internal Use; No AI Training)
We may create and use de‑identified and/or aggregated information derived from the Services for internal purposes such as product improvement, analytics, service performance, security, and research. We maintain such information in de‑identified form, do not attempt to re‑identify any individual, and do not disclose it in a manner that could reasonably identify an individual.
We do not use Student Data or de‑identified/aggregated data to train generalized AI/ML models.
5) How We Share Information
We share information only:
With the EA and authorized users, as configured by the EA
With subprocessors that help us provide the Services (see Section 6)
To comply with law (e.g., court order), consistent with applicable requirements
In connection with a corporate transaction (e.g., merger), with appropriate safeguards
6) Subprocessors and Flow‑Down Protections
Pebble may use subprocessors to deliver the Services (for example, infrastructure hosting, deployment, database services, monitoring, and analytics). Current examples may include Google Cloud Platform (GCP), Vercel, Neon, and Google Analytics.
When a subprocessor processes Student Data on our behalf, we require written obligations that:
Limit processing to providing services to Pebble
Prohibit selling Student Data or using Student Data for the subprocessor’s own commercial purposes
Require confidentiality and appropriate security safeguards
Support incident response obligations consistent with Pebble’s commitments
Subprocessor Updates
We may update subprocessors over time. Upon EA request, we can provide an EA‑specific list of subprocessors that may process that EA’s Student Data.
7) Cookies, Choices, and Global Privacy Control (GPC)
You can control cookies through browser settings. If you enable Global Privacy Control (GPC), we treat it as an opt‑out preference signal where applicable law requires or recognizes it.
8) Data Location
Student Data is stored in secure facilities located within the United States, consistent with our commitments and EA requirements.
9) Incident Response and Notification (24 Hours)
If Pebble confirms unauthorized access or acquisition that compromises the security, confidentiality, or integrity of Student Data/PII, we will notify the EA within 24 hours of discovery/confirmation and cooperate in response.
Our initial notice will include, to the extent available at the time:
When the incident occurred (or estimated timeframe)
When the incident was discovered
The type of data involved
Steps taken (or planned) to contain and mitigate
A Pebble point of contact for follow‑up
We will provide follow‑up updates as we learn more.
10) Retention, Return, and Deletion
We retain information only as long as necessary to provide the Services, meet legal obligations, resolve disputes, and enforce agreements.
Upon termination/expiration of an EA’s Services (or as otherwise specified in the EA agreement), we will support export/return of EA data in an acceptable format and delete Student Data within 90 days. Secure destruction and media sanitization will be performed in a manner aligned to NIST SP 800‑88 Rev. 1 where applicable.
Deletion Certification
Upon EA request, Pebble can provide written confirmation that Student Data has been deleted in accordance with the EA agreement.
11) Contact
Privacy questions: Info@pebblenpond.org
Mailing address: available upon request
For requests to access, correct, or delete education records: please contact your EA first. Under FERPA, EAs control education records and the process for responding to these requests.
Privacy Commitments
1) Purpose and Relationship to EA Agreements
This Student Data Privacy Policy provides additional detail about how Pebble handles Student Data when providing Services to an EA. It is intended to be a public‑facing explanation and does not replace an EA’s written agreement with Pebble. Where an EA agreement provides more specific or different requirements, the EA agreement controls for that EA’s use.
2) FERPA (School Official / Legitimate Educational Interest)
Pebble is designed to support an EA’s educational and administrative functions. When Pebble processes Student Data provided by (or at the direction of) an EA, Pebble acts as a “school official” or service provider, as applicable under FERPA, performing institutional services or functions for which the EA would otherwise use its own employees.
Access Limitation
EA users may access Student Data only as authorized by the EA.
Pebble limits internal access to Student Data to personnel with a legitimate need to know for operating, maintaining, securing, and supporting the Services.
Redisclosure
Pebble does not redisclose Student Data except as directed by the EA, as required by law, or as otherwise permitted under applicable education privacy requirements.
3) COPPA (Students Under 13)
Pebble is intended for use through EAs. Where students under 13 use the Services, student access is enabled by the EA for educational purposes, and EA authorization/consent mechanisms govern access where required.
Data Minimization
We do not require students to provide more personal information than is reasonably necessary to participate in an educational activity supported by the Services.
4) NY Education Law 2‑d / Part 121 (New York EAs)
For New York EAs, Pebble’s commitments are designed to align with Education Law 2‑d and Part 121 requirements, including:
Purpose limitation (use Student Data only to provide the Services)
Prohibition on sale or commercial marketing use of Student Data
Security safeguards consistent with industry standards
Subprocessor flow‑down protections
Breach notification and cooperation
Secure deletion and sanitization
5) Parents’ Bill of Rights Alignment (NY)
Consistent with NY Ed Law 2‑d “Parents’ Bill of Rights” principles:
Student PII is not sold or released for commercial purposes.
Parents/eligible students may inspect and review education records through the EA’s established processes.
EAs may request an EA‑specific list of Student Data elements processed/configured for that EA deployment.
Complaint pathways are generally handled through the EA; Pebble will cooperate with EA investigations related to unauthorized disclosure.
6) Legal Requests and Law Enforcement Access
If Pebble receives a request for Student Data (e.g., subpoena, court order, or law enforcement request), we will:
Promptly notify the EA unless legally prohibited, and
Respond only to the extent required by law or as directed/authorized by the EA.
This section does not limit Pebble’s ability to disclose information to comply with legally binding requests where notice is prohibited.
7) No AI Training on Student Data
Pebble does not use Student Data, or de‑identified/aggregated data derived from Student Data, to train generalized AI/ML models.
Terms of Service
Last Updated: April 1st, 2026
1) Acceptance; Who May Use the Services
These Terms govern your access to and use of the Services. The Services are intended for use by EAs and their authorized users (district staff, counselors, administrators, and students where enabled by the EA).
If you use the Services through an EA, you represent that you are authorized to do so and you agree to follow your EA’s policies and instructions.
2) Education Agency Terms Control
If you access the Services through an EA, the EA’s written agreement with Pebble (including any data privacy addendum) may apply and will control where it differs from these Terms for that EA’s use.
3) Privacy and Student Data
Your use is subject to the Pebble Privacy Policy and Student Data Privacy Policy. Pebble processes Student Data on behalf of EAs and under EA direction.
Compliance
Pebble’s handling of Student Data is intended to support compliance with FERPA, COPPA (where applicable), and, for New York EAs, Education Law 2‑d / Part 121.
4) Accounts and Security
You are responsible for safeguarding your credentials and for activity under your account. Notify us promptly of suspected unauthorized access.
5) Acceptable Use
You agree not to:
Access data you are not authorized to access
Bypass or attempt to defeat security controls
Probe, scan, or test vulnerabilities without written permission
Disrupt the Services or introduce malware
Use the Services in violation of law or EA policy
6) No Sale of Student Data; No Student‑Directed Advertising
Pebble does not sell Student Data and does not use Student Data for targeted advertising. Student-facing experiences are not designed to serve pop‑up ads or advertisements directed to children.
7) User Content
You retain ownership of content you submit (“User Content”). You grant Pebble a limited license to host, process, transmit, and display User Content solely to provide, secure, and support the Services.
8) Subprocessors
Pebble may use subprocessors to provide the Services. Subprocessors are required by contract to process data only to provide services to Pebble and to maintain appropriate confidentiality and security safeguards consistent with Pebble’s commitments.
9) Suspension/Termination
We may suspend or terminate access to the Services if required by law or EA direction, to protect security, or for material violations of these Terms.
10) Disclaimers
The Services are provided “AS IS” and “AS AVAILABLE,” to the maximum extent permitted by law.
11) Limitation of Liability
To the fullest extent permitted by law, Pebble will not be liable for indirect, incidental, special, consequential, or punitive damages.
12) Governing Law and Venue
Except as provided below, these Terms are governed by the laws of the State of Delaware, without regard to conflict of laws principles.
If the Customer is a public school, school district, BOCES, or other governmental education agency, and applicable law requires different governing law or venue, those terms will be addressed in the applicable EA agreement and will control for that EA’s use.
13) Changes
We may update these Terms by posting an updated version with a new Effective Date.