VenueOS
Sign inStart free trial

Privacy policy

How VenueOS collects, uses, and protects your data.

Last updated: April 16, 2026

This document is boilerplate drafted for VenueOS and is not legal advice. Review it with your own district or company's legal counsel before relying on it.

VenueOS ("we", "us") provides digital signage and emergency alerting software to K-12 school districts. This policy explains what information we collect from staff users and connected devices, how we use it, and your choices. By using VenueOS, you agree to the practices described here.

1. Information we collect

Account information

  • Your name, email address, and the school or district you are affiliated with.
  • Authentication data (hashed password, or identifier tokens issued by your SSO provider).
  • Role and permissions assigned to you within your organization's VenueOS tenant.

Content you upload

  • Signage assets (images, videos, documents) and templates you create.
  • Playlists, schedules, and screen-group configurations.

Device and usage information

  • IP address, browser, operating system, and device model of administrative users and paired display devices.
  • Display device metadata (resolution, last-seen timestamp, pairing code).
  • Audit logs: who triggered emergencies, who changed schedules, and similar privileged actions.

2. Student data

VenueOS is designed so that we rarely need to process personally identifiable information (PII) about students. Our standard product does not ingest student records. If your district enables optional features (for example, an attendance ticker or a classroom portal) that display or reference student PII, that data is processed under a separate data processing agreement and in accordance with FERPA and COPPA. See our FERPA statement and COPPA statement.

3. How we use information

  • To operate VenueOS and deliver the signage and alerting services you and your district request.
  • To authenticate users and enforce role-based access controls.
  • To produce audit logs that your district can review for compliance and safety investigations.
  • To diagnose and fix service issues.
  • To comply with legal obligations, valid legal process, or to protect users' safety.

We do not use customer content to train AI models, and we do not sell personal information to third parties.

4. Sharing and sub-processors

We use a small number of vetted sub-processors to run VenueOS:

  • Supabase — managed PostgreSQL database and object storage.
  • Railway / Vercel — hosting for our backend API and web dashboard.
  • Sentry — error monitoring (stack traces, scrubbed of PII).
  • Redis Labs / Upstash — real-time pub/sub for screen updates.
  • Clever, Google, Microsoft — optional SSO and rostering integrations, activated only when your district connects them.

Each sub-processor is contractually bound to protect customer data and to use it only to provide the services we request. A current list is available on request.

5. Data retention

  • Active accounts: we retain your data for as long as your district's subscription is active.
  • Audit logs: retained for a minimum of three years for safety and compliance review. Logs are immutable — we cannot delete or alter individual entries.
  • Cancelled accounts: after cancellation, a 90-day grace period applies during which you can export data. After that, we purge customer content within 30 days, except for audit logs retained as noted above.
  • Backups: encrypted database backups are retained for 30 days on a rolling basis.

6. Security

  • All traffic to VenueOS is encrypted in transit via TLS 1.2+.
  • Passwords are hashed with Argon2id; we never store plaintext.
  • Emergency broadcast messages are cryptographically signed and verified on the receiving device.
  • Role-based access control is enforced on every API endpoint.
  • We conduct code reviews, run automated security scans, and maintain a responsible disclosure program.

7. Your choices and rights

Depending on where you reside, you may have rights to access, correct, delete, or export your personal information. To exercise these rights, contact us at privacy@edusignage.app. We will respond within 30 days.

For school accounts, your district administrator is the primary contact for your data. We will typically direct rights requests through them.

8. Children under 13

VenueOS is a business-to-business product contracted by schools and districts. We do not knowingly collect personal information directly from children under 13. See our COPPA statement for details on how we handle any child-directed data.

9. International users

VenueOS is hosted in the United States. If you access the service from outside the US, you consent to the transfer of your information to the US. Districts with additional regulatory requirements (for example, under state data privacy laws such as CSDPA, SOPIPA, or SHIELD) should contact us to put an appropriate data processing addendum in place.

10. Changes to this policy

We may update this policy from time to time. Material changes will be posted here and communicated by email to district administrators at least 30 days before taking effect.

11. Contact

For privacy questions, contact privacy@edusignage.app. For data access requests, email dsr@edusignage.app.