Privacy Policy

Last updated: March 2026

Who this service is for

Random Roster is designed for educators and other authorized adults. You must be at least 18 years old to create an account. Students do not have accounts and do not interact with this service directly. Student names and data entered into Random Roster are labels supplied by the teacher, not collected directly from students.

Data we collect

Random Roster collects the minimum data needed to operate the service:

  • Account email address: used for login and account recovery only.
  • Class and student data: names, capability levels (high/medium/low), attendance, and grouping preferences you enter.
  • Grouping history: saved group configurations for your classes.
  • Payment information: if you purchase Pro, payment is processed by Square. We receive only an order confirmation and do not store card details.

We do not collect student ages, photos, government IDs, or any other personally sensitive information. Student names are user-supplied labels under your control.

How we use your data

We use data only to provide and improve the service:

  • Authenticate your account and maintain your session.
  • Store and retrieve your classes, students, and grouping history.
  • Process payments for Pro upgrades.
  • Respond to support requests.

We do not use student data for advertising, profiling, or any purpose outside of operating the service. We do not sell your data or student data to any third party.

FERPA

Random Roster operates as a school official with a legitimate educational interest under FERPA (20 U.S.C. § 1232g) when used by teachers at institutions subject to FERPA. In this capacity we:

  • Access student education records only as necessary to provide the grouping service.
  • Do not re-disclose student data to any unauthorized party.
  • Do not use student data for any purpose other than the educational service.
  • Support data deletion at any time via the account deletion feature.

The teacher (or their institution) remains the FERPA data controller. You are responsible for ensuring your use of Random Roster is consistent with your school's data governance policies. We recommend using only first names or anonymized identifiers where your institution requires it.

COPPA

Random Roster is directed at educators and adults, not children. We do not knowingly collect personal information directly from children under 13. Students do not create accounts, log in, or interact with this service. Any student names entered into the service are provided by the teacher as user-supplied labels.

If you believe a child under 13 has created an account, contact us at privacy@randomroster.com and we will promptly delete it.

GDPR (EU and UK users)

If you are located in the European Union, European Economic Area, or United Kingdom, the following applies in addition to the rest of this policy.

Data controller

Random Roster acts as the data controller for your account data (email address, account settings). For student data you enter, you are the data controller and Random Roster acts as a data processor on your behalf.

Lawful basis for processing

  • Account data: performance of a contract (providing the service you signed up for).
  • Student data: processed on your instruction as data controller, under your legitimate educational interest.
  • Payment data: performance of a contract (completing your purchase).

Your rights

You have the right to:

  • Access your data via the Export Data option in the dashboard menu.
  • Rectify your data by editing it directly in the dashboard.
  • Erase your data using Menu → Delete Account, which permanently deletes all your classes, students, and grouping history.
  • Portability: export your data as JSON or CSV via the dashboard menu.
  • Restrict or object to processing by contacting us at privacy@randomroster.com.

To exercise any right, or to request a Data Processing Agreement (DPA) for your institution, email privacy@randomroster.com.

International data transfers

Your data is stored on servers operated by Supabase, Inc. (US). Supabase complies with GDPR data transfer requirements via Standard Contractual Clauses (SCCs). By using Random Roster, you consent to the transfer of your data to the US for processing.

Right to lodge a complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data in accordance with applicable law.

How data is stored and secured

Data is stored in a PostgreSQL database hosted by Supabase, Inc. Row-level security policies ensure each teacher can only access their own data. Data at rest is encrypted by the hosting provider. Data in transit is encrypted via TLS.

Sub-processors

We use the following third-party sub-processors:

  • Supabase, Inc. (US): database hosting and authentication.
  • Square, Inc. (US): payment processing for Pro upgrades only. Square receives payment card data; we do not.
  • Render Services, Inc. (US): web application hosting.

No student data is shared with Square or Render. Supabase stores and processes your class and student data on our behalf.

Cookies and sessions

We use session cookies to keep you logged in. These cookies are HttpOnly, Secure, and SameSite=Strict in production. No advertising, tracking, or analytics cookies are used. Session cookies are strictly necessary to operate the service and do not require consent under ePrivacy.

Analytics

Random Roster does not use third-party analytics services. No account or student data is sent to external analytics providers.

Data retention

Your data is retained for as long as your account is active. You can permanently delete your account at any time via Menu → Delete Account. Deletion is immediate and irreversible. Deleted data is not retained in backups beyond 30 days.

Changes to this policy

We may update this policy from time to time. Material changes will be noted by updating the date at the top of this page. Continued use of the service after changes are posted constitutes acceptance of the updated policy.

Contact

Questions about this policy, data subject requests, or DPA inquiries? Email us at privacy@randomroster.com.