Effective Date: March 2026 · Governing Law: State of Florida
1. Introduction
Fox-Mar Studios, Inc. ("Fox-Mar Studios," "we," "our," or "us") is committed to protecting the privacy and security of all data processed through the Photo Student Locator mobile application ("App") and the Fox-Mar Studios School Photography Portal ("Portal"). This Privacy Policy describes how we collect, use, store, and protect information in connection with these platforms.
By using the App or Portal, you acknowledge that you have read and understood this Privacy Policy.
2. Who May Use These Platforms
The App and Portal are provided exclusively for use by authorized school staff members, including administrators, yearbook advisors, activities directors, teachers, and designated school personnel. Users must be adults (18 years of age or older) and currently employed or authorized by a school that has an active photography services contract with Fox-Mar Studios.
Access by students, parents, and guardians is strictly prohibited. The platforms are not directed at, designed for, or intended to be used by children or the general public.
3. Our Role Under FERPA
Fox-Mar Studios acts as a "school official" with a "legitimate educational interest" under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, in its capacity as the school's contracted photographer. As a school official, Fox-Mar Studios operates under the direct control of the school with respect to the use and maintenance of education records.
Each school and its authorized staff members are solely responsible for ensuring their use of the App and Portal complies with FERPA, the Children's Online Privacy Protection Act (COPPA), and all other applicable federal, state, and local privacy laws and regulations.
4. Information We Collect and Process
User Account Information: When school staff members register for an account, we collect their name, professional email address, phone number, and job title. This information is used solely for authentication, authorization, and communication related to the platforms.
Student Data: Student data accessible through or uploaded to the platforms may include:
- Student names, grade levels, homeroom assignments, and teacher assignments
- Student ID numbers (primary and secondary)
- Student photographs
- Contact information (addresses, phone numbers, email addresses) when enabled by the school
- Parent and guardian names and contact information when enabled by the school
- Class schedules (period, term, course, teacher, building, room)
- Date of birth and gender when enabled by the school
Contact Field Visibility: Each school controls which student contact and demographic fields are accessible through the App and Portal. Fields that are not enabled by the school's administrator are not transmitted to or displayed on any device.
5. How We Use Information
All student data is used solely for the following legitimate school administrative purposes:
- School identification and student ID card production
- Yearbook photo captioning and identification assistance
- School safety identification
- Photography reporting and session management
- Award certificate generation
- Student roster management and lookup by authorized school staff
Student data is never used for any commercial, marketing, advertising, or other purpose unrelated to the school's contracted photography services.
We do not sell, rent, license, or trade student data to any third party for any purpose.
6. Activity Logging and Audit Trail
For the protection of student privacy and to maintain accountability, all user activities within the App and Portal are logged, including but not limited to:
- User login events (date, time, IP address)
- Student record views — each time a user views a student's detail page
- Search queries — what search terms were used and how many results were returned
- Barcode scans — when a user scans a student ID and which student was matched
- Contact actions — when a user initiates a phone call, text message, or email to a student, parent, or guardian through the App
- Record modifications — when a user creates or edits a student record, including which fields were changed
- Photo uploads — when a user adds or replaces a student photograph
Audit logs are maintained for compliance purposes and are available to school administrators and Fox-Mar Studios personnel. These logs help ensure that student data is accessed only for legitimate purposes and enable investigation of any unauthorized access.
7. Data Storage and Security
Data is hosted on secure cloud infrastructure (Railway) with managed PostgreSQL databases. All data in transit is encrypted via HTTPS/TLS. User passwords are stored using bcrypt one-way hashing and are never stored in plain text.
Authentication tokens used by the mobile App expire after 30 days, requiring re-authentication. On supported devices, the App offers biometric authentication (Face ID / Touch ID) as a convenience for returning users, with credentials stored in the device's encrypted secure storage.
Student photographs are stored on encrypted persistent volumes and are accessible only to authenticated, authorized users with appropriate school and service permissions.
8. Data Retention and Deletion
Student photographs and associated data are refreshed at the beginning of each new school year when updated portraits are uploaded. Fox-Mar Studios will delete student photographs and any facial recognition embeddings within ninety (90) days of contract termination with a school.
User accounts that are terminated (whether by the user's separation from employment, school contract expiration, or administrative action) are deactivated. Associated access permissions and audit logs are retained for compliance purposes.
9. Third-Party Services
The platforms integrate with the following third-party services necessary for operation:
- Railway — cloud hosting and database infrastructure
- Mailchimp Transactional (Mandrill) — email delivery for account verification and notifications
- Google reCAPTCHA — login security and bot prevention (Portal only)
- Twilio — SMS delivery for appointment reminders and two-factor authentication
- Apple Wallet / Google Wallet — digital student ID card delivery (when enabled)
We do not share student data with any third party for marketing, advertising, or commercial purposes. Third-party services receive only the minimum data necessary for their specific function.
10. Children's Privacy (COPPA)
The App and Portal are not directed at children under the age of 13 (or any minor). Only adult school staff members may create accounts or access the platforms. While student data (including data of children under 13) may be processed through the platforms, this processing occurs under the authority of the school as a FERPA-covered educational institution, and Fox-Mar Studios acts solely as a school official in this capacity.
We do not knowingly collect personal information directly from children. All student data is uploaded and managed by authorized adult school staff members.
11. Your Rights and Choices
As a registered user, you may:
- Update your account information through the Portal's profile page
- Request deactivation of your account by contacting your Fox-Mar Studios representative
- Contact your school's administration regarding the handling of student data under FERPA
Parents and guardians with questions about their child's data should contact their school directly. Fox-Mar Studios processes student data at the direction of the school and defers to the school's policies regarding parental access to education records.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the effective date at the top of this page. Continued use of the App or Portal after any changes constitutes acceptance of the updated Privacy Policy.
13. Contact Information
For questions regarding this Privacy Policy, data practices, or to exercise your rights, please contact:
Fox-Mar Studios, Inc.
Email: support@foxmar.com
Web: portal.foxmar.com
You may also contact your school's designated Fox-Mar Studios representative through the contact information provided in the Portal.