FERPA, COPPA, and state privacy law.
Roost is bought by parents, not schools, and it doesn't hold student records. That puts it in a different lane than the apps a district procures. Here's where the lines actually are.
Jump to: What FERPA is · How Roost fits with FERPA · COPPA and kids under 13 · State privacy laws · Legal contact
What FERPA is, in two paragraphs.
The Family Educational Rights and Privacy Act of 1974 (FERPA) is the federal law that protects student education records. It governs what a school can and can't share, and it applies to any school that receives federal funding — which is almost every public school and most private schools.
FERPA has one big carve-out that matters here: it covers education records that the school maintains. It does not cover information a parent chooses to share with another parent. The phone number you give to your kid's soccer carpool isn't a FERPA record. The address on the printed PTA directory that's gone home in a backpack for fifty years isn't a FERPA record. Roost is in that same territory: parent-to-parent contact information, chosen by the parent, never sourced from the school's record system.
How Roost fits with FERPA.
Roost is bought by the school's PTA or PTO. The PTA is a separate parent organization, not the school. The school isn't the customer. Education records — grades, IEPs, disciplinary files, attendance — never enter Roost. We don't have an API into the SIS. We don't want one.
What Roost holds is what each family chose to share: their names, contact info they explicitly enabled, and the kid-name + grade + teacher pairings that make a school directory useful for arranging playdates. Each family controls their own visibility setting. If a family chooses Opt out, they don't appear at all.
Three structural choices that make this work cleanly:
- No bulk export. Not by board members, not by school admins, not by us. The biggest FERPA-adjacent risk in a parent directory is the spreadsheet that gets emailed around once and then lives forever on a personal laptop. Roost makes that motion impossible.
- Family-controlled, not school-controlled. The school doesn't pre-fill data on a family's behalf. A roster import can bring a family in, but until they sign in and confirm what they share, they're a placeholder, not a listing.
- Database-enforced visibility. A family that chose Private isn't hidden by a CSS rule. The database itself refuses to return their information to other parents. A misconfigured permission or a UI bug can't leak what the database doesn't hand over.
If your district's general counsel or privacy officer wants to ask specific questions — about the boundary between Roost and the school's record system, or about how an opt-out family is treated — that conversation is welcome. We'd rather have it early.
COPPA and kids under 13.
The Children's Online Privacy Protection Act (COPPA) limits what online services can collect from kids under 13 without verifiable parent consent. Roost is built so this question rarely comes up: only adults sign in. A child appears in the directory only as a name + grade pairing managed by their parent. Kids don't have accounts. They don't type into forms. They don't receive emails.
The one place under-13 information shows is the Trusted Help listings — when a parent recommends a babysitter, that recommendation can include a minor (with the minor's parent's explicit confirmation). The information shown is first name, grade, and what the parent typed into the listing — never an email or login.
State privacy laws.
State privacy law is a patchwork that's changing every year. California (CCPA / CPRA), Colorado, Connecticut, Virginia, Texas, Utah, and a growing list of others have passed comprehensive consumer-privacy statutes. Several states also have student-data privacy laws on top of FERPA — most notably California's SOPIPA, New York's 2-d, and Illinois' SOPPA.
Our approach is structural rather than per-state. The same things that make Roost FERPA-clean make it state-law-clean: no education records, no bulk export, no advertising profile, no resale of data, no third-party sharing for marketing. We designed toward the GDPR + CCPA bar from the start because retrofitting privacy into a product that wasn't built for it is much more expensive than the other way around.
If a specific state law you care about isn't addressed here, email legal@roost.directory and we'll write the answer into this page. The page evolves as the legal landscape does.
Legal contact.
Legal questions: legal@roost.directory
Privacy-specific questions or rights requests under GDPR, CCPA, or state-equivalent laws: privacy@roost.directory
Security disclosure: security@roost.directory
Roost Directory is a product of Holdfast Community LLC, an Oregon LLC. Business address: 5441 S. Macadam Ave., Suite 5022, Portland OR 97239. The Privacy Policy and Terms of Service cover the rest of what an attorney would ask about.