Data Security & Privacy Policy

At Champions Christian Academy, we hold the privacy and security of our students and their families as our highest operational priority. We operate under a strict, liability-averse framework. All data submitted via our enrollment portals and administrative interfaces is handled with strict access controls and row-level security at the database level.

1. FERPA Compliance

We adhere strictly to the Family Educational Rights and Privacy Act (FERPA). No student record, behavioral file, or academic transcript will be shared with unauthorized third parties under any circumstance. Our enrollment system is built on a strictly permissioned database architecture where access to data is enforced at the database engine level — ensuring that only authorized personnel can view or modify any record.

2. Infrastructure & Encryption

All enrollment and student data is hosted exclusively on Supabase (postgresql), a HIPAA-compliant managed database service, with the frontend deployed on Vercel Edge Network. Our stack implements the following safeguards:

• Data in Transit: All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher.
• Data at Rest: Supabase enforces encryption at rest on all database volumes using AES-256.
• Database Security: Row-Level Security (RLS) policies are enforced at the database engine level. Public-facing API endpoints have no direct table access — every query is routed through enforced RLS policies.
• Authentication: Administrative access is protected by Google OAuth 2.0 with PKCE, enforced by Supabase Auth. Session tokens are HMAC-signed and stored in httpOnly cookies.

3. Medical & Sensitive Information (HIPAA-Aligned)

Where medical or behavioral health records are collected for student support, we apply HIPAA-aligned technical safeguards. This data is stored in isolated, access-controlled database tables. Access is restricted exclusively to designated administrative personnel, enforced through Supabase Row-Level Security policies tied to authenticated service role credentials.

4. Data Retention & Destruction

Enrollment data for applications that are not finalized or rejected is retained for 90 days from submission date, after which it is permanently deleted from our active systems. Records for enrolled students are retained strictly according to state guidelines. Secure deletion is performed by removing records from the live database; encrypted backups are retained by Supabase for the duration of their standard retention policy and automatically purged on expiration.

5. COPPA Compliance (Children's Online Privacy)

In strict accordance with the Children's Online Privacy Protection Act (COPPA), our online interfaces are explicitly directed toward parents, legal guardians, and adults aged 18 and older. We do not knowingly solicit, collect, or maintain personally identifiable information directly from children under the age of 13 through our public websites or enrollment portals. If we discover that such information was inadvertently collected without verifiable parental consent, it is immediately expunged from all active systems.

6. Transactional Communications

Enrollment confirmation emails and administrative notifications are sent via Resend, a privacy-focused transactional email service. Parent email addresses are used solely for enrollment-related communications and are never sold, rented, or used for marketing purposes.

7. Third-Party Access

We do not share student or guardian data with any third party, except as required for enrollment processing (e.g., scholarship applications routed to Step Up for Students) or as required by applicable law. No data is shared with marketing platforms, analytics services, or advertising networks.