Start your 30-day free trial today — no credit card required. See Plans
Start Free Trial

Privacy Policy

Last updated: May 2026

1. Introduction

James Stanfield Company ("Stanfield," "we," "us," or "our") is committed to protecting the privacy of educators, students, parents, and all users of our website and services. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

We recognize the particular sensitivity of student data in educational settings and comply with applicable federal and state privacy laws, including FERPA (Family Educational Rights and Privacy Act) and COPPA (Children's Online Privacy Protection Act).

2. Information We Collect

Information You Provide

  • Account information: Name, email address, school or organization name, and role when you create a teacher, school, or parent account.
  • Billing information: Name, billing address, purchase order numbers, and payment details when you make a purchase. Credit card information is processed by Stripe and is never stored on our servers.
  • Student information: When teachers create student profiles for tracking progress, we may store student first names or identifiers, activity completion data, and assessment scores. We do not require or collect student last names, dates of birth, or Social Security numbers.
  • Communications: When you contact us for support, we retain the contents of your messages.
  • Survey responses: If you participate in surveys or feedback requests.

Information Collected Automatically

  • Usage data: Pages visited, features used, videos watched, activities completed, and time spent on the platform.
  • Device information: Browser type, operating system, screen resolution, and device type.
  • Log data: IP address, access times, and referring URLs.
  • Cookies: We use session cookies to keep you logged in and functional cookies for site preferences. We do not use third-party advertising or tracking cookies.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our educational platform and streaming services
  • Process orders, subscriptions, and activation codes
  • Track student progress and generate reports for educators
  • Send transactional emails (order confirmations, activation codes, password resets)
  • Send marketing communications about our products and curriculum (with your consent; you may unsubscribe at any time)
  • Improve our programs, platform features, and user experience
  • Provide customer support
  • Detect and prevent fraud or unauthorized access

4. Student Data and FERPA Compliance

We take student privacy seriously. Stanfield acts as a "school official" under FERPA when processing student data on behalf of educational institutions.

  • Student data is used solely to provide educational services and is never sold, shared for advertising, or used to build marketing profiles.
  • Teachers and school administrators control student data within their accounts and may delete student records at any time.
  • We do not collect more student information than is necessary to provide our educational services.
  • Student progress data (activity completion, assessment scores, video watch history) is accessible only to the student's teacher and school administrators.

5. Children's Privacy (COPPA)

Our platform is designed for use in educational settings under teacher supervision. We do not knowingly collect personal information directly from children under 13 without parental or school consent. Student accounts are created and managed by teachers, and student access is facilitated through educator-controlled environments.

If you believe a child under 13 has provided personal information to us without proper consent, please contact us immediately and we will delete that information.

6. Information Sharing

We do not sell your personal information. We share data only in the following limited circumstances:

  • Service providers (subprocessors): We use vetted third-party services to operate our platform. Each receives only the data needed for its specific function, processes it on our behalf, and is contractually required to protect it. Our current subprocessors are:
    • Stripe — payment processing. Receives billing name, email, and card details (entered directly into Stripe; never stored on our servers).
    • Mailgun — transactional and marketing email delivery. Receives recipient email address, message contents, and engagement events (delivered, opened, clicked, bounced).
    • Vimeo — video hosting and playback. Receives anonymous playback events; no user identifiers are passed.
    • Google Analytics 4 — aggregated traffic and feature-usage analytics. IP addresses are anonymized; we do not enable Google Signals, advertising features, or cross-site tracking.
    • Cloudflare — DNS, content delivery, and bot protection (Turnstile) on signup forms. Receives request metadata (IP, user agent) for security and performance.
    • Microsoft 365 / Microsoft Graph — internal email infrastructure for our support inbox.
    • NeverBounce — one-time email-list validation to keep our deliverability healthy. Receives email addresses only.
    • Cloud hosting provider — application servers, database, and backups, located in the United States.
    A current list is maintained in our public Security & Trust page.
  • Legal requirements: We may disclose information if required by law, court order, or governmental authority.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify affected users of any change in ownership or data practices.

7. Email Communications

We send the following types of email:

  • Transactional emails: Order confirmations, activation codes, password resets, and account notifications. These cannot be opted out of as they are necessary for service delivery.
  • Marketing emails: Product announcements, curriculum updates, and promotional offers. You may unsubscribe from marketing emails at any time using the unsubscribe link in any email.

We maintain a global suppression list. Once you unsubscribe, we will not send you further marketing emails unless you explicitly re-subscribe.

8. Cookies and Tracking

We use the following cookies and analytics:

  • Session cookies: Required for authentication and maintaining your logged-in state. These expire when you close your browser or after a period of inactivity.
  • Preference cookies: Store your settings and preferences (e.g., selected guard/role type).
  • Analytics — Google Analytics 4 (GA4): We use GA4 to understand aggregate traffic patterns, feature usage, and site performance (Core Web Vitals). IP addresses are anonymized by GA4 before storage. We do not enable Google Signals, advertising personalization, remarketing, or cross-device tracking, and we do not share GA4 data with advertising networks.

We do not engage in cross-site tracking, do not sell or rent personal information, and do not serve targeted advertising on or off our site.

9. Data Security

Stanfield's security program is aligned to CIS Controls v8, Implementation Group 1 (IG1) — the baseline of essential cyber-hygiene safeguards published by the Center for Internet Security. Our current posture includes:

  • Encryption in transit: TLS 1.2+ on all connections, with HSTS (max-age 1 year, includeSubDomains, preload-eligible) enforced site-wide.
  • Encryption at rest: Database, file storage, and backup volumes are encrypted at rest by our cloud provider; sensitive credentials and API tokens are stored using application-layer encryption.
  • Authentication: Multi-factor authentication is required for all administrative access (cloud console, source control, payment processor, email infrastructure). Bot protection (Cloudflare Turnstile) is enforced on signup endpoints; rate limiting is applied to login and password-reset endpoints.
  • Access control: Role-based access (teacher, school, admin, parent guards) limits data access to authorized personnel. Student progress data is accessible only to the student's teacher and school administrators.
  • Network & transport hardening: HTTP security headers in production include HSTS, Referrer-Policy, Permissions-Policy, and X-Content-Type-Options.
  • Backups & recovery: Production database is backed up daily, with backup volumes encrypted at rest and access-controlled. An isolated cross-account copy is tracked in our IG1 roadmap.
  • Monitoring: Application errors, queue health, and email-delivery anomalies are continuously monitored; alerts are routed to the on-call engineer. Significant staff-initiated state changes (account creation, license issuance, refunds, role changes) are persisted in the application database and attributable to the actor; a dedicated audit log of authentication events and administrative actions is on our roadmap.
  • Vulnerability management: Dependencies are tracked and security patches are applied on a defined cadence.
  • Vendor management: Subprocessors are vetted before onboarding (see Section 6).

For a more detailed technical description, see our Security & Trust page.

No system is completely secure. If you believe you have discovered a security vulnerability, please report it confidentially to hello@stanfield.com; we acknowledge reports within 3 business days.

10. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate information in your account
  • Delete your account and associated data (subject to legal retention requirements)
  • Export your data in a portable format
  • Opt out of marketing communications at any time
  • Object to processing of your data for purposes beyond service delivery

To exercise any of these rights, contact us at hello@stanfield.com. We will respond within 30 days.

11. California Residents

Under the California Consumer Privacy Act (CCPA), California residents have additional rights, including the right to know what personal information is collected and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

12. International Users

Our services are hosted in the United States. If you access our platform from outside the United States, your data will be transferred to and processed in the United States. By using our services, you consent to this transfer.

13. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of any third-party services you use.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Material changes will be communicated via email or a prominent notice on our website.

15. Data Retention

For details on how long we retain different types of data, please see our Data Retention Policy.

16. Contact

For questions about this Privacy Policy or our data practices, contact us at:

James Stanfield Company
hello@stanfield.com
805-897-1185

Ready to get started?

Join thousands of educators using Stanfield curriculum in their classrooms.

View Pricing Explore Courses