Privacy Policy
This Privacy Policy explains how RoundUp Early Childhood ("RoundUp," "we," "us," "our") collects, uses, shares, and protects information when child-care centers, their families, and their staff use our software, our website at roundupece.com, or our mobile applications (collectively, the "Service").
RoundUp is operated by Swift Start LLC, an Oregon limited liability company. We are committed to protecting child, family, and staff information with the care that early childhood education demands.
Contents
- Scope & roles
- Information we collect
- How we use information
- Legal bases for processing
- Child data & COPPA
- Sharing & service providers
- Cookies, tracking & analytics
- Information security
- Retention & deletion
- Your privacy rights
- Oregon, California & other state-specific notices
- International users
- Changes to this policy
- Contact us
1. Scope & roles
This Policy applies to information processed in connection with the Service. Two distinct relationships are covered:
- When a child-care center subscribes to RoundUp, the center is the controller of the child, family, and staff records it enters into the Service. RoundUp acts as a processor on the center's behalf, and our handling of that data is governed by this Policy and any Data Processing Addendum the center has signed.
- When you visit our website or contact us directly (for example, by booking a demo or subscribing to our newsletter), RoundUp is the controller of the information you provide. This Policy describes that processing in full.
2. Information we collect
2.1 Center accounts (directors, owners, staff)
- Name, email address, phone number
- Role (director, lead teacher, assistant, owner) and employment dates
- Authentication credentials, stored only as a one-way salted hash
- Background-check status as a yes/no flag — we do not store the underlying record
- Hours worked (when payroll integration is enabled by the center)
2.2 Family accounts (parents, guardians, authorized contacts)
- Name, email address, phone number, mailing address
- Authorized pickup contacts and emergency contacts the family chooses to share
- Payment method, tokenized through our payment processor (Stripe). We never see or store the actual card number, bank account number, or CVC
- Communications you send to the center through the parent thread feature
2.3 Child records
- Name, date of birth, room assignment
- Photos uploaded by the family or by authorized staff with the family's permission
- Allergies, dietary needs, and medical or behavioral notes the family chooses to share
- Daily activity recorded by staff: check-in and check-out times, naps, meals, photos, and short notes for the family
2.4 Operational data
- Attendance and ratio readings
- Billing transactions and subsidy reporting (Oregon ERDC and similar programs)
- Audit logs of every check-in, edit, and approval
- Application diagnostics (crash reports, performance metrics) — we strip personal identifiers from these before they reach our error-monitoring vendor
2.5 Website & marketing
- If you subscribe to our newsletter, we collect the email address you provide
- If you book a demo through our scheduling tool, we collect the name, email, and phone number you enter into that form
- If you contact us by email, we collect the contents of your message and any attachments
- We use a privacy-first analytics tool (Plausible) that records aggregate visit data without cookies and without personal identifiers. See Section 7
3. How we use information
We use the information described above only for the following purposes:
- Operate the Service for the center that subscribes to us — including check-in, ratio tracking, billing, parent communication, and compliance reporting
- Process payments for tuition, fees, and subsidies, working with Stripe as our payment processor
- Send required notifications — check-in and pickup confirmations, emergency alerts, ratio breach warnings, billing receipts, password resets, and security alerts
- Generate compliance reports the center is required to submit (Oregon Office of Child Care, Spark QRIS, ERDC subsidy reporting)
- Improve our software through bug fixes, performance work, and new features. We do not rely on personal data for product analytics; we use aggregate, de-identified telemetry
- Communicate with subscribers who opted in to our newsletter or contacted us directly
- Protect the Service and its users from fraud, abuse, and security threats
- Comply with law, including subpoenas, court orders, mandated child-safety reporting, and tax or regulatory requirements
What we do not do. We do not sell, rent, or trade personal information. We do not use child data, family data, or staff data for advertising, profiling, or any third-party marketing. We do not use any data we hold to train artificial-intelligence models. We do not share information with data brokers.
4. Legal bases for processing
Where applicable law requires us to identify a legal basis for processing personal information, we rely on the following:
- Performance of a contract — to operate the Service for centers that subscribe to us, and to fulfill the Terms of Service
- Legitimate interests — to keep the Service secure, prevent fraud, debug software issues, and operate our business. These interests do not override the rights and freedoms of children, families, or staff
- Compliance with a legal obligation — to retain records that licensing, tax, or child-safety law requires us to keep
- Consent — for marketing emails, newsletter subscriptions, and any optional photo or content sharing where we ask for explicit permission
5. Child data & COPPA
We treat child records with extra care.
- Photos and daily reports about a child are visible only to that child's family and to authorized staff at the child's center. They are never visible to other families or other centers
- We do not use any child information to train AI or machine-learning models, generate analytics for any third party, or send marketing communications to children or about children
- Children under 13 do not interact with the Service directly. Parents, legal guardians, and authorized caregivers act on a child's behalf in all interactions with RoundUp. We do not knowingly collect personal information directly from children. If we learn that we have inadvertently received information from a child without proper authorization, we will delete it
- The Children's Online Privacy Protection Act (COPPA) applies to us in our capacity as a service operating on behalf of a child-care center. The center, as a provider of services to families, is responsible for obtaining parental consent for the collection and use of child data through the Service. We support centers in meeting that obligation
- The Family Educational Rights and Privacy Act (FERPA) generally does not apply to private child-care centers. We follow FERPA-aligned practices on parental access, correction, and consent regardless
6. Sharing & service providers
We share personal information only with vendors who help us operate the Service. Each vendor is bound by a written data-processing agreement that limits their use of the data to what we instruct.
| Vendor | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (us-west-2) | Cloud hosting and storage | All Service data, encrypted |
| Stripe | Payment processing | Tokenized payment methods and transaction metadata |
| Microsoft 365 | Business email and document storage | Customer-support correspondence we send and receive |
| Sentry | Error monitoring | Application crash reports — personal identifiers are removed before transmission |
| Plausible | Privacy-first website analytics | Aggregate visit data only, no cookies, no personal identifiers |
| Calendly | Demo scheduling | Information you enter directly into the demo-booking form |
| Mailchimp (or equivalent) | Newsletter delivery | Email addresses of newsletter subscribers |
We may share information when legally required (subpoena, court order, or mandated reporting). Where law allows, we will notify the affected center before disclosing data so the center can take action.
We may share information in connection with a corporate transaction, such as a merger, acquisition, or sale of substantially all our assets. The acquiring party must commit to protections at least as strong as those in this Policy. We will notify you in advance of any such change of control.
7. Cookies, tracking & analytics
We use the smallest possible set of website mechanisms to operate the site.
- Session cookies — set when an authenticated user signs in to the Service. Used only to keep that user signed in. Cleared when the session ends
- Analytics — we use Plausible Analytics, which does not set cookies, does not collect personal data, and does not track visitors across sites. Plausible records aggregate page-view counts, referrer category, country (not city), and device class
- Newsletter — our newsletter platform may use a tracking pixel to record whether a recipient opened a message. You can disable image loading in your email client to block this
- Demo scheduling — Calendly may set its own cookies on the demo-booking page. See Calendly's privacy policy for details
We do not use Google Analytics, Meta Pixel, advertising trackers, or any cross-site tracking technology.
8. Information security
- Infrastructure: RoundUp runs on Amazon Web Services (AWS) across multiple regions — primary in us-west-2 (Oregon), failover in us-east-1 (Virginia) — with multi-AZ deployment within each region. RDS Multi-AZ for the database, S3 cross-region replication for files, Route 53 DNS failover for sub-minute cutover, CloudFront edge endpoints globally
- Uptime: 99.9% best-effort target across all plans; 99.95% contractual SLA with credit terms on Enterprise plans
- All data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256
- Authentication enforces strong-password requirements. Single sign-on (SAML/Okta/Google Workspace/Microsoft Entra) is available on Enterprise plans
- Access to production systems is logged and limited to a small set of authorized engineers, each authenticated by hardware-based MFA
- Continuous monitoring via CloudWatch and PagerDuty with on-call rotation. Daily automated backups with 30-day retention. SOC 2 Type II review available to Enterprise customers under NDA
- We perform regular vulnerability scanning, dependency-risk monitoring, and prompt patching
- We do not store payment card numbers, bank account numbers, or CVC values; payment information is tokenized through Stripe
- If a security incident affects your information, we will notify the affected center director by email without undue delay, and within any timeframe required by law
No system can be made perfectly secure. We work continuously to keep ours as secure as we can.
9. Retention & deletion
While a center is an active subscriber, we retain the data the center needs to run the Service.
When a center cancels:
- The center can export its data at any time, and may continue to do so for 90 days after cancellation
- Active production records are deleted within 90 days of cancellation
- Backups are retained for an additional 90 days, then permanently deleted
- Some operational records (billing transactions, audit logs, tax records) may be retained longer where law requires — typically up to 7 years
Marketing data — including newsletter email addresses — is retained until the subscriber unsubscribes or asks us to delete it.
10. Your privacy rights
Depending on your jurisdiction, you may have rights to:
- Know what personal information we hold about you
- Receive a copy of your personal information in a portable format
- Correct inaccurate personal information
- Delete your personal information, subject to legal retention requirements
- Object to certain processing
- Withdraw consent for any processing that relies on consent
- Lodge a complaint with a data protection authority
To exercise any right, contact us using the details in Section 14. We will respond within 30 days, or sooner where the law requires. We will not retaliate against any person who exercises a privacy right.
If you are a parent or legal guardian and you want to review, correct, or delete information we hold about your child, please contact your child's center first. The center is the controller of those records and is best positioned to coordinate the request. We will assist the center in fulfilling it.
11. Oregon, California & other state-specific notices
Oregon residents
The Oregon Consumer Privacy Act (effective July 1, 2024) gives Oregon residents specific rights to access, correct, delete, and obtain a copy of personal data, and to opt out of profiling and the sale of personal data. RoundUp does not sell personal data and does not engage in profiling that produces legal or similarly significant effects. To exercise any other right, contact privacy@roundupece.com.
California residents
The California Consumer Privacy Act (CCPA), as amended by the CPRA, gives California residents rights to know, delete, correct, and opt out of the sale or sharing of personal information. RoundUp does not sell personal information and does not share it for cross-context behavioral advertising. We do not knowingly sell or share personal information of consumers under the age of 16.
California residents may exercise their rights by contacting privacy@roundupece.com. We do not discriminate against consumers for exercising any CCPA right.
Other states
Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws may exercise rights granted to them under their state's law by contacting us at the email above.
12. International users
RoundUp is provided from the United States. Information you provide is processed and stored in the United States, primarily in the AWS us-west-2 region (Oregon). If you are accessing the Service from outside the United States, please be aware that your information will be transferred to and processed in the United States, where data-protection law may differ from that of your country.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective" and "Last updated" dates at the top of this page
- Notify center directors by email at least 30 days before the change takes effect
- For material changes that affect parents or staff, ask the center to share notice with the affected individuals where appropriate
Continued use of the Service after the effective date of an updated Policy constitutes acceptance of that update.
14. Contact us
For privacy questions, complaints, or rights requests:
- Email: privacy@roundupece.com
- Mail: RoundUp Early Childhood, c/o Swift Start LLC, Oregon, United States (full mailing address available on request)
If you do not receive a satisfactory response, you may contact your local data-protection authority.