HomeroomBook a demo

Privacy & consent

Facial recognition off by default. A photo is only available to buy when permission allows.

The yearbook industry quietly turned picture day into a face-recognition data business: a child’s portrait is sent to a vendor’s AI cloud, matched by face or fingerprint data, and sold far from the school. Homeroom is built differently. Facial recognition is off by default; finding a child is a student-list lookup, not a face match. If a parent turns face-assisted matching on, the face template stays in our own private system, is never sent to an outside company, and is destroyed when consent is withdrawn or at the end of the school’s retention schedule — a year at most. A portrait is sellable only when permission allows. This page explains exactly how — in plain language.

Four things this architecture guarantees

Facial recognition is off by default

Finding a child is a student-list lookup, not a face match — so normally no face data is created at all. If a parent opts in to face-assisted matching, the face data stays inside our own private system, is never sent to an outside company, and is destroyed when consent is withdrawn or at the end of the school’s retention schedule (a year by default). Shipped

“Find my child” is a student-list lookup

A parent finds their child by the school’s own student list — name, grade, homeroom — not by a face match. It is a look-up a school already trusts, not a surveillance feature. Shipped

Student photos and data are never sold

Neither student photos nor student records are ever sold to advertisers, data brokers, or any other third party — by anyone in this platform. A portrait is only available to purchase when permission on file says it may be; no other monetization of a student image is possible. Shipped

Permission gates the sale

A photo becomes purchasable only when the permission on file says it may be — enforced in the code itself, not by a checkbox someone might forget. No permission, no sale. The consent gate is enforced in code today; the parent portrait store it guards is in early access. Consent gate shipped Parent portrait store in early access

How the pipeline keeps student photos out of the data business

  1. Student photos are never sold or shared with advertisers. No student photo is ever sold to a data broker, used in an ad network, or shared with a party whose purpose is to profit from the image. A portrait becomes purchasable only when permission allows.
  2. Identity is by the student list, not by face. A photo is matched to a student through the student list the school provided — the same trusted source the gradebook uses — so there is never a need to run face recognition.
  3. Permission is checked before anything is sellable. The permission check reads the permission record before a portrait can appear in a store. A photo without sale permission is simply not offered.
  4. The school stays in charge. The school — not a photo vendor — remains the authority over its students’ images. The platform is the party legally responsible for the permission flow, and the in-app policy spells out the exact terms.

Where any face data is handled at all — for example, the opt-in face-match helper, or to help an operator crop to the eyes — face detection returns only boxes and key points, never sent to an outside company, and it runs inside our own private system. Face-data handling follows state law: it is off in New York, opt-in in several states, and defaults to the careful opt-in everywhere else, with collected data deleted on a schedule and right away when permission is withdrawn.

A single-school wall the database enforces

Privacy isn’t only about picture day. Homeroom keeps schools apart as a hard rule inside the database: an adviser, a student staffer, or a studio sales rep tied to one school cannot read another school’s student rows. It is enforced one layer below the screens, not in the app, and it is proven against a real database across the full student record — a cross-school view returns zero student rows even with both schools in scope. This is how Homeroom is built to fit the federal student-records law (FERPA).

A studio or sales rep sees totals, adult contacts, and money reconciliation — and never a student row — under the same kind of rule. That is what makes a genuinely resold product possible without anyone outside the school ever touching a child’s record.

The frameworks this design answers to

Homeroom is built to fit how schools are already required to handle student data — FERPA for education records and COPPA for children’s data — rather than bolting compliance on afterward. We describe here what the architecture does; the binding terms, the data-controller relationship, and the exact retention and deletion commitments live in the in-app policy your administrator agrees to. We’d rather show you the mechanism than wave a badge.

We’re honest about what’s shipped

The picture-day pipeline with consent-gated sales and facial recognition off by default, the permission check that gates every sale, student-list “find my child,” the single-school privacy wall, and the sales-rep privacy wall are live today. The parent portrait store the permission check guards is building now on top of that shipped gate, and a few photo-arm helpers — face-assisted matching with templates kept in our own private system, and the encrypted face-data vault — are in early access. The privacy guarantees above describe what the platform does today; they are not a regulator’s certification, and the binding policy lives in the app.