Privacy Policy

Last updated: April 8, 2026

This Privacy Policy describes how the DayLynx platform ("we," "us," or "our") collects, uses, stores, and protects personal information, including information about children under the age of 13. We are committed to complying with the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and all applicable state and federal privacy laws.

1. Information We Collect

About Children

• First name, last name, preferred name, and date of birth
• Classroom assignments and attendance records
• Photographs (only with verifiable parental consent)
• Medical notes or allergies (as entered by authorized staff)
• Media consent status

About Parents and Guardians

• Name, email address, and phone number
• Relationship to the child
• Kiosk PIN (stored as a one-way hash — we cannot see your PIN)
• Pickup authorization status
• Account login credentials (password stored as a one-way hash)

About Staff

• Name, email address, and role
• Classroom assignments
• Login activity and audit trail

2. Children's Privacy (COPPA Compliance)

We take the privacy of children very seriously. In compliance with COPPA:

• Parental consent is required before any photographs of a child are collected, stored, or shared through the platform. Teachers cannot tag or upload photos of children whose guardians have not granted media consent.
• No data is used for advertising.We do not display advertisements, and we never share children's personal information with advertisers or third-party marketing companies.
• No data is sold. We never sell personal information of children, parents, or staff to any third party.
• Parents may review their child's dataat any time by logging into the parent portal or by contacting the childcare center's administrator.
• Parents may request deletionof their child's personal information at any time. Requests can be submitted through the parent portal or by contacting the center administrator. We will delete the data within 30 days of a verified request, except where retention is required by law.
• Data retention is limited.Children's personal information is retained only as long as necessary to provide the service. Photographs are subject to the center's data retention policy. When a child is unenrolled, their data may be archived and deleted according to the retention schedule.

3. How We Use Information

We use personal information solely to:

• Track daily attendance (check-in, check-out, teacher confirmation)
• Share approved photos and daily reports with authorized parents
• Enable communication between staff and families
• Generate attendance reports for the childcare center
• Maintain an audit trail of sensitive actions for safety and compliance
• Verify guardian identity at kiosk check-in/check-out via PIN

4. How We Protect Information

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Encryption at rest: All data stored in our database and file storage is encrypted at rest using AES-256 encryption.
• Multi-factor authentication: Staff accounts support TOTP-based two-factor authentication for additional security.
• Role-based access control:Each user can only access data relevant to their role. Parents see only their own children's data. Teachers see only their assigned classrooms. Administrators see organization-wide data.
• Row-level security: Database-level security policies ensure that data from one organization is never accessible to another organization.
• Audit logging: All sensitive actions (logins, data changes, exports, photo uploads/deletions) are recorded in an immutable audit trail.
• Passwords and PINs: Stored using Argon2 one-way hashing. We cannot retrieve your password or PIN.
• Rate limiting: Login attempts are rate-limited to prevent brute-force attacks.

5. Who Can Access Information

• Center staff (administrators, directors, teachers) can access student and family records within their organization as needed to operate the center.
• Parents and guardianscan access their own linked children's attendance, photos, and messages.
• Platform operators (SHIFT MSP) have access to infrastructure for maintenance and support purposes only. We do not access individual child records unless requested by the center for technical support.
• No third parties receive access to personal information unless required by law (e.g., court order, regulatory investigation).

6. Data Retention

We retain personal information only as long as necessary to fulfill the purposes described in this policy. Specific retention periods:

• Attendance records: Retained for the duration of enrollment plus the center's configured retention period (typically 3-7 years for regulatory compliance).
• Photographs: Subject to the center's data retention policy. May be auto-deleted after a configured period.
• Audit logs: Retained for a minimum of 3 years for compliance purposes.
• Account data: Retained while the account is active. Deleted upon verified request after a 30-day processing period.

7. Your Rights

Parents and guardians have the right to:

• Access their child's personal information through the parent portal
• Request correction of inaccurate information
• Request deletion of their child's personal information
• Withdraw media consent at any time (preventing future photo collection)
• Opt out of non-essential communications

To exercise these rights, contact your center's administrator or email the platform operator at the contact information below.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify affected users of material changes via email or in-app notification. Continued use of the platform after changes constitutes acceptance of the updated policy.

9. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, contact:

SHIFT MSP
Email: privacy@shiftmsp.com
Albuquerque, New Mexico