Privacy Policy — SchoolBusTrackr

1. Overview

SchoolBusTrackr ("we", "our", or "us") operates a real-time school transport management platform connecting school administrators, drivers, and parents. This Privacy Policy explains how we collect, use, and protect information when you use the SchoolBusTrackr mobile application and related services.

We are committed to the privacy and safety of children. We collect only the minimum information necessary to operate the service, and we never sell personal data to third parties.

By using SchoolBusTrackr, you agree to the collection and use of information as described in this policy. This policy applies to all users: school administrators, drivers, and parents.

2. Information We Collect

We collect the following categories of information depending on your role:

Account Information (all users)

Email address
Password (stored as a secure hash — we never store your plain text password)
Role (administrator, driver, or parent)

Administrator Profile

Full name
School name and address
Contact phone number
School invite code (used to onboard drivers and parents)

Driver Profile

Full name
Home address
Contact phone number
Bus plate number
Approval status (pending, approved, or rejected by school admin)

Parent Profile

Full name
Phone number
Home address (used to calculate ETA as the bus approaches)
Geographic coordinates of the home address (derived from the address for distance calculations)

Children's Information

Child's full name
School name and grade
Route assignment
A unique QR code identifier (used for scan verification; contains no personal data beyond an internal ID)

Location Data

Driver GPS coordinates during active journeys (latitude, longitude, heading, speed)
This data is shared with parents and administrators in real time during the journey and is deleted from our live store when the journey ends

Journey and Scan Records

Journey start and end times
Scan events: which child was scanned (pickup or dropoff), by which driver, on which journey, and at what time

Device Information

Expo push notification token (used to send alerts to your device)

Messages

In-app chat messages sent within a school group (visible to all members of the school: admins, drivers, and parents)

3. How We Use Your Information

We use the information we collect exclusively to operate and improve SchoolBusTrackr:

Real-time tracking: Driver GPS coordinates are shared with parents and admins to show bus location on the map during active journeys.
ETA calculation: Parent home addresses are used to calculate personalized arrival estimates as the bus approaches.
Student verification: QR codes and scan records confirm student pickup and dropoff and create a verifiable attendance record.
Push notifications: We send alerts when a child is picked up or dropped off, and ETA warnings (10 minutes and 5 minutes) as the bus approaches your address.
Route management: Administrator and driver profiles are used to assign routes, manage journeys, and enforce school-level access boundaries.
Communication: Chat messages are delivered within the school group.
Account security: Email addresses are used for password reset and invoice delivery.
Billing: We use student counts to calculate and send monthly invoices to school administrators.

We do not use your data for advertising, profiling, or any purpose unrelated to providing the service.

4. Sharing of Information

We do not sell, rent, or trade personal information. We share data only as follows:

Within your school: Administrators can see driver and route information. Parents can see the driver's name, bus plate, and live location during journeys. Drivers see only the children assigned to their routes.
Push notification delivery: Device tokens are sent to the Expo Push Notification Service (operated by Expo) solely to deliver alerts to your device. Expo does not receive any personal data beyond the token and the notification content.
Email delivery: We use Resend to send password reset emails and billing invoices. Resend processes the recipient email address and message content for delivery purposes only.
Geocoding: When an address is entered, we send it to the Nominatim geocoding service (operated by OpenStreetMap) to convert it to coordinates. No personally identifying information is included beyond the address text.
Legal compliance: We may disclose information if required by law, court order, or to protect the safety of individuals.

No data is shared with advertisers, data brokers, or analytics platforms.

5. Data Retention

Active accounts: Profile data is retained as long as your account is active.
Live driver location: GPS coordinates are stored in memory only during an active journey and deleted immediately when the journey ends.
Journey and scan records: Retained to support audit and history features. These records can be deleted upon request.
Password reset tokens: Automatically expire after 1 hour and are cleared after use.
Account deletion: You may request deletion of your account and all associated data by contacting us at the address below. We will process deletion requests within 30 days.

6. Security

We take the security of your data seriously. Our measures include:

Passwords are hashed using bcrypt (a strong, adaptive hashing algorithm) — plain text passwords are never stored.
All API requests are authenticated using signed JSON Web Tokens (JWT) with a 7-day expiry.
All data in transit is encrypted using HTTPS/TLS.
Every API endpoint enforces role-based access control — users can only access data belonging to their school and their own profile.
JWT tokens are stored in hardware-backed secure storage on device (iOS Keychain / Android EncryptedSharedPreferences).
Input validation and sanitization are applied to all user-submitted data to prevent injection attacks.
Rate limiting is applied to all authentication and sensitive endpoints.

While we implement industry-standard security practices, no system is completely immune to security risks. We encourage you to use a strong, unique password and to contact us immediately if you suspect unauthorized access to your account.

7. Children's Privacy

SchoolBusTrackr is designed for use by adults — school administrators, drivers, and parents. Children do not create accounts or directly interact with the platform. Children's information (name, grade, route assignment) is entered by their parent or guardian and is used solely to facilitate safe school transport.

Our policy is not to knowingly collect personal information directly from children under the age of 13. Should you believe that a child has provided us with such information without parental consent, kindly contact us, and we will promptly delete it.

Children's QR codes contain only an internal database ID and no personally identifiable information.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the data we hold about you.
Correction: Update inaccurate or incomplete information through the app's profile settings, or by contacting us.
Deletion: Request deletion of your account and associated data.
Objection: Object to certain types of processing.
Portability: Request your data in a machine-readable format.

To exercise any of these rights, contact us at privacy@schoolbustrackr.com. We will respond within 30 days.

9. Third-Party Services

SchoolBusTrackr relies on the following third-party services to operate:

Expo Push Notification Service — Used to deliver push notifications to iOS and Android devices. Expo Privacy Policy
Resend — Used to send transactional emails (password resets and invoices). Resend Privacy Policy
Nominatim (OpenStreetMap) — Used to convert addresses to geographic coordinates for ETA calculation. OSM Privacy Policy
Google Maps — Used to display maps in the app. Google Privacy Policy

We do not use analytics services such as Google Analytics, Facebook Pixel, or similar tracking tools.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify users via email or an in-app notice.

We encourage you to review this policy periodically. Continued use of SchoolBusTrackr after changes are posted constitutes acceptance of the updated policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: privacy@schoolbustrackr.com
General enquiries: hello@schoolbustrackr.com
Website: schoolbustrackr.com

We take all privacy concerns seriously and will respond within 30 days of receiving your request.