Legal

Privacy Policy

How SafePath Systems collects, uses, and protects data across your district's fleet.

Last updated: April 19, 2026

1. Overview

SafePath Systems, Inc. ("SafePath," "we," "us," or "our") provides AI-powered school bus fleet management software to school districts and transportation departments ("Districts"). This Privacy Policy explains how we collect, use, disclose, and protect information when Districts and their authorized personnel use our platform, mobile applications, and related services (collectively, the "Service").

Our core commitment: Student data is never sold, rented, or used for advertising. It is collected solely to operate the safety and fleet management features your district has authorized.

By using the Service, you agree to the practices described in this policy. If your District has executed a separate Data Processing Agreement (DPA) with SafePath, the terms of that DPA govern where they conflict with this policy.

2. Data We Collect

2.1 District & Administrator Data

When a District sets up a SafePath account, we collect:

  • District name, address, and contact information
  • Administrator names, email addresses, and job titles
  • Billing and payment information (processed via PCI-compliant third-party processors)
  • Account credentials and authentication logs

2.2 Driver & Vehicle Data

During active operation of the Service, we collect:

  • Real-time and historical GPS location of vehicles
  • Route data, planned vs. actual path comparisons, and geofence events
  • Driver device identifiers and app session data
  • Driving behavior signals (speed, braking patterns, idle time)
  • Timestamped trip logs and compliance events

2.3 AI & Safety Monitoring Data

Our AI safety features process:

  • On-device video and audio streams for threat and behavioral detection
  • Detected event metadata (event type, confidence score, timestamp, location)
  • Alert logs and emergency dispatch records
Important: Raw video and audio streams are processed locally on the device or on your district's servers (in on-premise deployments). Only event metadata — not raw footage — is transmitted to SafePath cloud infrastructure unless your District has explicitly enabled cloud video storage.

2.4 Usage & Technical Data

  • Dashboard usage logs, feature interactions, and session durations
  • Device type, operating system, and app version
  • Error and crash reports

3. How We Use Data

We use collected data exclusively to:

  • Provide, operate, and improve the SafePath platform and its safety features
  • Detect threats, route deviations, and compliance violations in real-time
  • Trigger automated alerts and emergency notifications as configured by your District
  • Generate fleet performance reports and compliance documentation for your District
  • Provide customer support and respond to District inquiries
  • Maintain the security and integrity of our infrastructure
  • Comply with applicable law, legal process, or government requests

We do not use your data for advertising, profiling unrelated to fleet safety, or any purpose beyond delivering the contracted Service.

4. Student Data & FERPA

SafePath Systems operates as a School Official under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. We access student-related data solely under the direction and control of the District, and only to the extent necessary to perform the Service on the District's behalf.

  • Student data is used exclusively for the educational purpose authorized by the District
  • We do not disclose student education records to third parties without District consent, except as required by law
  • Districts retain full ownership and control of all student data processed by SafePath
  • Upon contract termination, student data is deleted or returned per the District's written instructions

Districts are responsible for ensuring their use of the Service complies with FERPA, including obtaining any required parental consents. SafePath will support Districts in meeting these obligations upon request.

5. Children's Privacy (COPPA)

The Children's Online Privacy Protection Act (COPPA) restricts the collection of personal information from children under 13 without verifiable parental consent. SafePath does not directly interact with students and does not knowingly collect personal information from children for its own purposes.

Any student data processed by SafePath is done so at the direction of the District under the District's FERPA authority, which provides the applicable consent framework. If you believe SafePath has inadvertently collected personal data from a child outside of a District authorization, contact us immediately at privacy@safepathsystems.com.

6. Deployment & Data Location

SafePath offers two deployment models, and your data handling differs between them:

6.1 On-Premise Deployment

All AI processing, video analysis, and event data remain entirely within your district's own network and servers. SafePath does not receive, store, or access raw operational data. Only anonymized diagnostic and error data may be transmitted to SafePath for support purposes, subject to your District's configuration.

6.2 Cloud-Hosted Deployment

Data is processed and stored on SafePath-managed infrastructure hosted on SOC 2-oriented, encrypted cloud servers located in the United States. Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is restricted to authorized SafePath personnel under strict need-to-know controls.

7. Data Sharing

We do not sell or rent your data. We share data only in the following limited circumstances:

  • Emergency Services: Location and event data is shared with emergency dispatch services automatically when a safety threat is detected, as configured by your District
  • Service Providers: Trusted sub-processors (cloud hosting, payment processing) who are contractually bound to protect data and may only process it on our behalf
  • Legal Requirements: When required by law, court order, or to protect the safety of individuals
  • District Direction: When your District instructs us to share data with a specific third party

A current list of sub-processors is available upon request at privacy@safepathsystems.com.

8. Data Retention

  • Active account data is retained for the duration of the District's contract
  • Trip and event logs are retained for 24 months by default, configurable per District policy
  • Safety incident records may be retained longer at District request for compliance purposes
  • Account data is deleted within 90 days of contract termination, unless the District requests earlier deletion or longer retention for legal hold purposes

9. Security

SafePath implements industry-standard technical and organizational security measures including:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls and least-privilege principles
  • Multi-factor authentication for all administrative access
  • Regular penetration testing and vulnerability assessments
  • 24/7 security monitoring and incident response procedures

No security system is impenetrable. In the event of a data breach affecting your District, we will notify you within 72 hours of discovery in accordance with applicable law.

10. Your Rights

Depending on applicable law, Districts and individuals may have the right to:

  • Access the personal data SafePath holds about them
  • Request correction of inaccurate data
  • Request deletion of data (subject to legal retention requirements)
  • Receive a portable copy of their data
  • Restrict or object to certain processing activities

Districts may exercise these rights on behalf of their staff and students by contacting us. We respond to verified requests within 30 days.

11. Contact Us

For privacy questions, data requests, or to report a concern:

SafePath Systems — Privacy Team
Email: privacy@safepathsystems.com
Subject line: "Privacy Request — [Your District Name]"

We aim to respond to all privacy inquiries within 5 business days.

We may update this Privacy Policy from time to time. Material changes will be communicated to District administrators via email at least 30 days before taking effect.