The VGSpartans platform ("Platform," "we," "our") is committed to protecting the privacy of everyone who uses it — from students building their first website to visitors browsing a club page. This Privacy Policy explains what information we collect, how we use it, and the choices available to you.
This Privacy Policy is organized into clearly labeled parts so you can quickly find what applies to you:
- Part I — All Users covers data practices that apply to everyone, including visitors and registered users.
- Part II — Visitors covers what we collect when you browse public pages without an account.
- Part III — Registered Users covers the additional data we collect when you have an account.
- Part IV — How We Use Your Information explains the purposes behind our data collection.
- Part V — How We Share Your Information explains who has access to your data and why.
- Part VI — Data Retention explains how long we keep your data.
- Part VII — Your Rights and Choices explains what control you have.
- Part VIII — Special Provisions covers children's privacy, FERPA, and other legal frameworks.
- Part IX — General covers changes, contact information, and legal notes.
Part I — All Users
This part applies to everyone who accesses the Platform in any capacity, whether as a public visitor or a registered user.
1. Who We Are
The VGSpartans platform is a campus-wide digital infrastructure operated for Vista Grande High School ("School"), part of the Casa Grande Union High School District ("District"). The Platform is built, maintained, and developed by a student developer ("Platform Developer"). The Platform's source code is publicly available under the GNU Affero General Public License version 3 (AGPL-3.0). It is not a commercial service, does not display advertising, and does not sell user data to any third party.
2. Information Collected From All Users
2.1 Infrastructure-Level Data (Cloudflare)
Every request to the Platform is processed by Cloudflare, Inc., our infrastructure provider, before it reaches our application. This processing is automatic and cannot be disabled. On every request, Cloudflare provides us with:
- Your Internet Protocol (IP) address.
- Approximate geographic location derived from your IP: city, region, country, continent, postal code, latitude, and longitude.
- Your Autonomous System Number (ASN) and organization — this identifies your Internet service provider or network operator (for example, "Comcast" or a school network name).
- The Cloudflare edge datacenter that handled your request (for example, "LAX" for Los Angeles).
- Connection metadata: HTTP protocol version, TLS version and cipher suite.
- Cloudflare Ray ID — a unique identifier assigned to each individual request.
- Client hint headers provided by your browser, which may include browser name and version, operating system, platform, architecture, and device model.
This data is collected on every request, including requests for static pages, images, stylesheets, and scripts.
2.2 Standard HTTP Request Data
On every request, we also receive standard HTTP data, including:
- The URL you requested.
- The HTTP method (GET, POST, etc.).
- Your User-Agent string (browser and operating system identification).
- The referring URL (the page you came from, if applicable).
- Request headers, including language preferences and encoding support.
2.3 Essential Cookies
The Platform uses essential session cookies to maintain authenticated sessions for registered users. For visitors, no cookies are set unless you submit a form protected by Cloudflare Turnstile (bot detection), which may set a short-lived technical cookie.
2.4 No Tracking Cookies or Advertising
The Platform does not use advertising cookies, tracking pixels, cross-site tracking, or third-party analytics cookies. We do not participate in any advertising network. Public-page analytics are provided by Cloudflare Web Analytics, which operates without cookies and does not track individual users across sessions or across websites.
3. Third-Party Services
We use third-party services to operate the Platform. Each service receives only the data necessary for its function:
| Provider | Purpose | Data Processed |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, DNS, security, edge computing, storage, analytics, AI content moderation | All request data (IP, headers, payload), stored content, public-page analytics |
| Resend, Inc. | Transactional email delivery | Recipient email addresses, email content (login codes, notifications) |
| Axiom, Inc. | Log aggregation, querying, and alerting | Structured log entries (see Sections 2 and 8) |
| Functional Software, Inc. (Sentry) | Browser error tracking | Browser error data, stack traces, session context |
| GitHub (Microsoft) | Code hosting, content archival, version control, audit log archival | Site content archives, audit logs |
| GitLab, Inc. | Redundant audit log archival | Audit log entries (mirrored from GitHub) |
| UptimeRobot | External uptime monitoring | Public endpoint availability (no user data) |
| Instatus | Public status page hosting | Incident status (no user data) |
| Google (YouTube) | Video hosting and embedding | See Section 3.1 below |
3.1 Embedded YouTube Content
Certain pages may contain embedded YouTube videos. When you play an embedded video, Google may collect data about you — including cookies, IP address, and viewing activity — in accordance with Google's Privacy Policy. The Platform has no control over Google's data collection on embedded content. If you prefer not to share data with Google, do not play embedded videos.
Part II — Visitors
This part applies to public visitors who browse the Platform without a registered account. If you are a registered user, this part also applies when you access public pages.
4. What We Collect From Visitors
When you visit publicly accessible pages (club websites, public student and teacher sites, the main portal, the bounty program page, or the status page), we collect only the data described in Part I, Section 2. Specifically:
- The infrastructure-level data provided automatically by Cloudflare on every request (Section 2.1).
- Standard HTTP request data (Section 2.2).
We do not require visitors to identify themselves, create accounts, or provide personal information to browse public pages.
4.1 Public-Page Analytics
Public-page traffic is measured using Cloudflare Web Analytics. This service is cookieless, does not use JavaScript tracking beacons on the client, does not assign persistent identifiers to visitors, and does not track individuals across sessions or websites. Analytics data is aggregated and is not linked to any individual visitor.
4.2 Form Submissions
Certain public pages include forms, such as club membership sign-up forms, event sign-up forms, contact forms, and bug bounty submission forms. If you choose to submit a form, we collect the information you voluntarily provide (such as your name, email address, and message content). All public-facing forms are protected by Cloudflare Turnstile, a bot detection service that may collect additional technical data (such as browser characteristics and interaction patterns) to distinguish humans from automated bots.
Form submissions are processed for the purpose stated on the form. Contact form submissions are delivered to authorized club officers or Platform Administrators. Bug bounty submissions are processed through the Platform's security reporting workflow.
4.3 Bot Detection and Security
The Platform employs automated bot detection and web application firewall (WAF) rules that analyze request characteristics to identify and block malicious traffic. These measures may evaluate your IP address, request patterns, headers, and other technical signals. If your request is identified as potentially malicious, it may be challenged, rate-limited, or blocked.
Part III — Registered Users
This part applies to individuals who create and maintain a registered account on the Platform. The data collection described in Parts I and II also applies to you.
5. Account Information
When you register, we collect:
- Your school email address (@cguhsd.org).
- Your display name.
- Your role on the Platform (student, teacher, advisor, webmaster, or administrator).
- For students: your graduation year, as derived from your school email identifier.
6. Authentication Credentials
6.1 Email Verification
All accounts require initial identity verification through a one-time code sent to your school email address.
6.2 Login Credentials
Depending on your role, you authenticate using either a one-time email code (for privileged roles such as administrators, advisors, and webmasters) or a server-generated password (for students and teachers). Passwords are hashed using industry-standard algorithms (bcrypt) before storage. We never store your password in readable form and have no ability to retrieve it.
6.3 Step-Up Authentication
Certain sensitive actions require additional verification through a separate one-time code, even within an active session. Records of step-up authentication events are logged.
7. Content You Create
We store all content you upload, publish, or transmit through the Platform, including:
- Files and web pages uploaded to your personal site.
- Images, text, code, and media.
- Content contributed to club websites in your capacity as a webmaster or authorized contributor.
- Messages sent through Platform messaging features.
- Settings changes, username selections, and language preferences.
- Form submissions and bug reports.
8. Activity and Security Data
To keep the Platform secure and to protect you in the event of account compromise or abuse disputes, we collect and log detailed activity and security data associated with your account.
8.1 Activity Logging
Every authenticated action you perform on the Platform is logged, including but not limited to: logins and logouts, page visits within dashboards and consoles, file uploads and deletions, content modifications, settings changes, username changes, site renewals, and messages sent. Each log entry includes a timestamp, your user ID, the action performed, your IP address, your device fingerprint hash (see Section 8.2), the session ID, and a unique request identifier.
8.2 Device Fingerprinting
To protect your account and detect unauthorized access, we collect device-identifying characteristics from your browser on login and on certain sensitive actions. These characteristics include:
- Screen resolution and color depth.
- Timezone and language settings.
- Hardware specifications: processor core count, device memory, and touch capability.
- Operating system and platform identifier.
- Graphics processing unit (GPU) model and vendor, obtained through your browser's WebGL interface.
- A canvas rendering signature — a hash derived from how your device renders a specific test image.
- An audio processing signature — a hash derived from how your device processes a specific test audio signal.
These characteristics are combined into a single composite fingerprint hash that represents your device. This fingerprint is stored and linked to your account. Over time, we build a record of the devices you normally use to access the Platform.
Why we collect this: Device fingerprinting exists to protect you. If your account is ever used to perform actions you did not authorize, we can compare the device fingerprint on those actions against your established device history. A mismatch between the fingerprint of the abusive session and your known devices is strong evidence that your account was compromised — evidence that could protect you from being falsely held responsible.
This data is collected without requiring browser permission prompts and is accessible only to Platform Administrators (Developer and IT Admin). It is never displayed to other users.
8.3 Network and Connection Data
On every authenticated request, the following data from Cloudflare (described in Part I, Section 2.1) is associated with your session and logged alongside your activity:
- Your IP address (stored as-is, not hashed).
- Your ASN and organization (Internet service provider / network operator).
- Approximate geographic location (city, region, country, coordinates).
- The Cloudflare edge datacenter that handled the request.
- The Cloudflare Ray ID for the request.
8.4 Behavioral and Anomaly Data
The Platform monitors for patterns that may indicate unauthorized access or abuse, including:
- Concurrent active sessions from different devices, IP addresses, or geographic locations.
- Unusual speed between consecutive actions within a session (action velocity).
- Logins from network providers (ASNs) that differ from your established baseline.
- Traffic routing through unexpected Cloudflare edge datacenters.
- Navigation to sensitive endpoints via direct URL rather than normal dashboard navigation.
These patterns are logged as security events. They are used for post-incident investigation, not for real-time automated blocking of your access.
9. Communications and Messaging
Messages sent through Platform messaging features are logged permanently with full content to tamper-evident audit destinations, even if messages are presented as ephemeral within the Platform interface. The Platform does not offer end-to-end encryption on any communication or messaging feature. Platform Administrators have access to all message content for governance, moderation, and security purposes.
Part IV — How We Use Your Information
This part explains how we use the information described in Parts I, II, and III.
10. Purposes of Data Use
10.1 Platform Operation
We use your information to operate the Platform: authenticating your identity, managing sessions, hosting and delivering content, enforcing resource quotas, processing your requests and settings changes, and sending transactional communications (login codes, account notifications, expiry reminders, moderation notices).
10.2 Security and Abuse Prevention
We use your information to detect, investigate, and prevent unauthorized access, fraud, abuse, and policy violations. This includes building device fingerprint profiles, monitoring for behavioral anomalies, enforcing rate limits, maintaining threat blocklists, and conducting post-incident investigations. Security data serves as an evidence trail that protects both the Platform and individual users.
10.3 Content Moderation and Safety
We use automated artificial intelligence tools and human review to analyze content for compliance with Platform policies and applicable law. Content may be flagged, quarantined, or removed as a result of this analysis.
10.4 Analytics and Improvement
We use aggregated, non-personally-identifying usage data to understand how the Platform is used and to inform improvements. We use error tracking data to diagnose and resolve technical issues.
10.5 Compliance and Legal Obligations
We use your information to comply with applicable laws, regulations, and legal processes, to respond to lawful government requests, and to fulfill records retention obligations required by the School, the District, and applicable law.
Part V — How We Share Your Information
11. Data Sharing Principles
We do not sell, rent, or trade your personal information to any third party. We do not display advertising on the Platform and do not share your data with advertisers or data brokers.
11.1 Service Providers
We share data with the third-party service providers listed in Section 3, solely for the purposes described. These providers process data on our behalf and in accordance with their respective terms and privacy policies.
11.2 School and District
Platform Administrators — including the School's IT department and the Platform Developer — have access to all Platform data, including account information, content, activity logs, device fingerprint records, and communications. This access is necessary for the Platform to operate within the School's institutional framework and for governance, security, compliance, and operational purposes.
11.3 Tamper-Evident Audit Logs
All platform events are permanently logged to private repositories maintained by the Platform Developer on personal version control accounts (GitHub and GitLab). These repositories are outside institutional control by design. This architecture ensures that the audit record cannot be altered by any party after the fact — protecting all users by making administrative actions permanently and immutably accountable.
11.4 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of the Platform, its users, the School, the District, or the public.
Part VI — Data Retention
12. Retention Periods
12.1 Active Accounts
While your account is active, we retain all information described in this Privacy Policy, including activity logs, content, device fingerprint records, and communications.
12.2 Account Expiry
Upon account expiry (graduation for students, two-year term expiry for teachers, or administrative deactivation):
- Your site content is archived to cloud storage and version control repositories before deletion from active storage.
- Your user profile is soft-deleted and permanently removed after 90 days.
- Your sessions and active site records are permanently deleted.
- Archived content (cloud storage and version control copies) is retained in accordance with the School's and District's records retention policies.
- Audit log entries associated with your account — including activity logs, security events, and device fingerprint records — are retained permanently and are never deleted.
12.3 Visitor Data
Infrastructure-level request data from visitor traffic is retained in log storage for 90 days (Axiom free tier retention) and permanently in tamper-evident audit archives for security events only. Routine visitor request data is not permanently archived.
12.4 Form Submission Data
Data submitted through public-facing forms is retained for the operational purpose of the form (membership tracking, event management, bug reporting) and is subject to the School's records retention policies.
12.5 Permanent Records
The following data is retained permanently and is never deleted: all audit log entries (all categories), tamper-evident log archives (GitHub and GitLab repositories), and records of content moderation actions.
Part VII — Your Rights and Choices
13. Registered User Rights
13.1 Access and Correction
You may view and update certain account information — such as your display name, username, and language preference — through your Platform dashboard. To request access to other personal information we hold about you, contact a Platform Administrator.
13.2 Login History
Students and teachers may view a summary of their recent login activity (timestamp, approximate city, and device type) through the Platform dashboard. This feature helps you detect unauthorized access to your account.
13.3 Account Compromise Reporting
If you believe your account has been accessed without your authorization, you may report it through the Platform's compromised account process or by contacting a Platform Administrator in person. We will secure your account and review the audit trail to determine whether disputed actions were performed by you or by an unauthorized party.
13.4 Content Removal
You may delete your own content through the Platform dashboard, subject to applicable archival and retention policies. Deleted content may persist in backups, archives, and audit logs.
13.5 Limitations
Because the Platform operates as part of the School's institutional infrastructure, certain data management requests may be subject to the School's and District's policies and applicable legal requirements (including FERPA). We will accommodate your requests to the extent permitted by applicable law and institutional policy.
14. Visitor Rights
Visitors who wish to inquire about data collected during their visits may contact the Platform Developer or the School's IT department using the contact information in Section 19. Because visitor data is not linked to identified individuals (no accounts, no persistent identifiers), specific data access or deletion requests for visitor data may not be feasible.
Part VIII — Special Provisions
15. Children's Privacy
The Platform is designed for use by students and staff of Vista Grande High School. The Platform is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without appropriate consent, we will take steps to delete that information.
For users aged 13 to 17, the Platform operates under the School's and District's educational authority. The School's and District's acceptable use policies, signed by parents or legal guardians, constitute the applicable consent framework for the data collection and use described in this Privacy Policy.
16. FERPA Compliance
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. To the extent that any information collected or maintained by the Platform constitutes an "education record" under FERPA, such information is subject to FERPA's requirements. The Platform operates as a service under the School's and District's direct control, and the School and District serve as the custodians of any education records maintained on the Platform.
Parents and eligible students may exercise their FERPA rights — including the right to inspect, review, and request amendment of education records — by contacting the School directly in accordance with the School's and District's FERPA notification procedures.
17. Data Security
We implement administrative, technical, and physical security measures designed to protect your information, including:
- All data transmitted between your browser and the Platform is encrypted using TLS 1.3.
- Authentication credentials are hashed using industry-standard algorithms before storage.
- Access to administrative functions requires elevated authentication (step-up re-authentication).
- The Platform operates behind a defense-in-depth security architecture including DDoS protection, web application firewall rules, bot detection, rate limiting, and adaptive threat intelligence.
- Access to user data is restricted by role, with the principle of least privilege applied across all access tiers.
- All administrative actions are logged to tamper-evident audit trails.
While we take reasonable measures to protect your information, no method of transmission over the Internet or method of electronic storage is perfectly secure. We cannot guarantee absolute security.
18. Data Transfers
The Platform's infrastructure is operated by Cloudflare, Inc., a United States-based company with a global network of data centers. Your data may be processed at any Cloudflare edge location worldwide and is stored on servers located in the United States. Third-party service providers may also process or store data outside of your geographic location. By using the Platform, you consent to the transfer and processing of your information as described in this Privacy Policy.
Part IX — General
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, the "Last Updated" date at the top will be revised. For registered users, material changes will also be communicated through the Platform (such as a banner on the dashboard or a notification upon login). Your continued use of the Platform after such changes constitutes your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically.
20. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
Platform Developer: [EMAIL]
School IT Department: [EMAIL]
School Administration (FERPA requests): [SCHOOL ADDRESS / EMAIL]
Note: This document is provided as a draft framework. It should be reviewed and approved by the School, the District, and qualified legal counsel before publication. It does not constitute legal advice. Given the involvement of minors and education records, professional legal review is strongly recommended before deployment.