Privacy Policy

Effective date: May 11, 2026
Last updated: May 11, 2026

MyLearningMaps is a curriculum-design service for K-12 schools. This policy explains what we collect when you use the service, why we collect it, who else sees it, and how long we keep it. It applies to mylearningmaps.com and the same product when offered as standardsunpack.com. We refer to both as "the Service."

The Service is operated by McClintock Technology LLC ("we," "us," "our"), a Nebraska limited liability company. If you are a school district administrator or teacher using the Service, "you" means you. If your district has a separate written agreement with us (a Data Processing Agreement, master subscription agreement, or addendum), that agreement controls where it conflicts with this policy.

We wrote this in plain language because most of the people reading it are educators, not attorneys. If anything is unclear, write us at support@mylearningmaps.com and we will explain.

1. Who We Serve and What the Service Does

The Service helps teachers unpack state academic standards. A teacher logs in, picks a standard, and the platform helps them break it down into verbs, depth-of-knowledge levels, vocabulary, learning targets, formative assessments, and instructional materials. District administrators manage course catalogs, invite teachers to their district, and view aggregate progress.

Important: the Service is teacher-facing, not student-facing. Students do not have accounts. Students do not log in. The Service does not collect student names, student IDs, grades, IEP information, behavioral data, attendance, or any other student record.

We are currently operating with beta districts in Nebraska, with plans to expand to other US states.

2. What Data We Collect

We collect only the data we need to run the Service.

Account data (required):

• Your full name
• Your work email address (typically a school-domain address, like name@yourdistrict.org)
• Your district and school assignment
• Your role (teacher, administrator, etc.)
• A bcrypt-hashed password if you sign in with a local password (we never store the password itself in plain text)

Optional sign-in data (only if you choose Google sign-in):

• Your Google account ID
• Your Google profile email
• Your Google profile picture

Content you create in the Service:

• Standards breakdowns, learning targets, vocabulary lists, assessment notes, and instructional-material selections that you author
• Adoption choices your district makes about high-quality instructional materials (HQIM)

Operational data:

• Login timestamps and IP address at sign-in (for security monitoring)
• Browser type and rough device class (for compatibility)
• Session cookies that keep you signed in
• A "remember me" token if you choose that option

Data we do not collect:

• We do not collect student PII of any kind. The Service is not designed to receive it, and our terms forbid uploading it.
• We do not collect biometric data, geolocation beyond IP-derived city, or browsing activity outside the Service.
• We do not use third-party advertising trackers, analytics that build cross-site profiles, or social-media pixels.

3. How We Use Your Data

We use your data only for these purposes:

1. To run the Service — show you your district's content, save the breakdowns you write, sync standards from state sources, and keep you signed in.
2. To send transactional email — password resets, invitations from your district admin, security notices, and service-status messages. We do not send marketing email without separate consent.
3. To secure the Service — detect suspicious sign-ins, block abuse, and investigate incidents.
4. To support you — when you write us at support@mylearningmaps.com, we use your email to reply and keep a record of the conversation.
5. To comply with law — when a valid legal request requires it, scoped narrowly.
6. For billing, in the future — once paid plans launch, we will use your billing contact information to process subscription payments through Stripe. Until then, the Service is in free beta and no payment data is collected.

We do not sell your data. We do not rent it. We do not use it to train AI models. We do not use it for advertising.

4. Who We Share It With

We share data with a small set of service providers ("subprocessors") who help us run the Service. Each is bound by their own terms and a written contract that limits their use of the data to providing services to us.

We will update this list when subprocessors change. If we add a subprocessor that materially changes how your data is processed, we will notify district administrators by email at least 30 days in advance, where reasonable.

We do not share your data with any other third party except:

• When you direct us to (for example, exporting your data)
• When required by law (subpoena, court order, valid government request)
• In connection with a corporate transaction such as a merger or acquisition, in which case we will give district administrators advance notice and the right to delete data before transfer

5. How Long We Keep Your Data

• Active accounts: while your account is active and for as long as your district subscribes to the Service.
• Closed accounts: we delete or anonymize personal account data within 90 days of account closure or non-renewal, except where a longer period is required by law.
• District-authored curriculum content: if your district closes its account, we offer an export window of 30 days. After 90 days, content tied to closed accounts is deleted.
• Subprocessor copies: some providers retain backups on their own schedule. We require subprocessors to delete personal data within their published retention windows after we instruct them to.
• Audit logs and security records: retained up to 12 months for security investigation, then deleted.
• Email correspondence with support: retained up to 24 months, then deleted.

6. How We Protect Your Data

Security is not a marketing claim for us. It is a set of practices we follow:

• Passwords are hashed with bcrypt. We never store or transmit passwords in plain text.
• All traffic is encrypted in transit with TLS (HTTPS).
• Access controls mean only the small number of staff who need access to the production database have it, and access is logged.
• Audit logging: authentication events, sensitive actions, and administrative access are logged.
• Data minimization: we collect only what we need and pass only the minimum needed to subprocessors.
• Hosting: the Service is hosted on a US-based shared web host. Backups are stored in the same US region.

No system is perfectly secure. If we discover a breach that affects your personal data, we will notify affected district administrators without unreasonable delay and in any event consistent with applicable state breach-notification law.

7. Your Rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data (subject to legal retention obligations)
• Export your data in a portable format
• Object to certain processing
• Withdraw consent where we rely on consent

To exercise any of these, write us at support@mylearningmaps.com. We will verify your identity, then respond within 30 days. There is no charge for a reasonable request.

If your district has its own administrator, they may be able to handle some of these requests directly inside the Service. Talk to them first if that's faster.

California residents (CCPA/CPRA): You have additional rights including the right to know what categories of personal information we collect, the right to delete, the right to correct, and the right to non-discrimination for exercising these rights. We do not "sell" or "share" personal information as those terms are defined under California law. To exercise California-specific rights, write support@mylearningmaps.com with "California Privacy Request" in the subject line.

EU and UK residents: The Service is designed for US K-12 customers. If you are accessing the Service from the EU, EEA, UK, or Switzerland and have a specific request regarding your personal data, write us at support@mylearningmaps.com and we will respond.

8. Children's Data

The Service is not directed to children. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, write support@mylearningmaps.com and we will delete it.

We do not knowingly collect personal information from anyone under 18 either. The Service is provided to school staff, not to students.

This means COPPA (the federal Children's Online Privacy Protection Act) does not apply to the Service in its current form. If our product ever changes such that students would interact with it, we will obtain proper verifiable parental consent or operate within a recognized school-authorization framework before that change goes live.

9. FERPA, Nebraska SOPIPA, and the K-12 Context

The Service is designed and marketed for K-12 school purposes, so we want to be precise about how the major K-12 privacy frameworks apply.

FERPA (Family Educational Rights and Privacy Act). FERPA governs "education records" of identifiable students. The Service does not process education records of identifiable students. Teachers and administrators use it to plan curriculum at the standards level — there is no roster, no gradebook, no IEP, no behavioral note, no individual student data of any kind in the system. Because we do not process education records, we are not acting as a "school official" under FERPA's school-official exception, and your district does not need to designate us as one for the Service to operate.

If your district later wants to integrate the Service with a roster system or gradebook in a way that would put student data into our system, we would not enable that integration without (a) a signed Data Processing Agreement, (b) a clear FERPA basis with your district named as the data controller, and (c) updates to this policy and our terms.

Nebraska Student Online Personal Information Protection Act (SOPIPA), Neb. Rev. Stat. §§ 79-2,154 to 79-2,155. SOPIPA applies to operators of online services "designed and marketed for K-12 school purposes." We treat ourselves as an operator under SOPIPA and follow its substantive prohibitions even though we do not collect Covered Information about students:

• We do not engage in targeted advertising to students. (We do not advertise at all.)
• We do not amass a profile about a K-12 student. (We have no student data.)
• We do not sell or rent student personal information.
• We do not disclose student personal information except as permitted by SOPIPA.
• We maintain reasonable security procedures.
• We delete student personal information at the request of a school or district. (We have none to delete; if we ever did, we would.)

If your district determines that SOPIPA-equivalent state laws (e.g., California's SOPIPA, Connecticut's Public Act 16-189, etc.) apply to your engagement with us, we will sign a state-appropriate addendum on request.

Other state K-12 privacy laws: as we expand beyond Nebraska, we will sign state-specific addenda where required (for example, New York Education Law 2-d, Illinois SOPPA, Colorado SB-027, and others).

10. Cookies

We use cookies for one purpose: keeping you signed in.

• A PHP session cookie holds your session for the duration of your browser session. It expires when you close the browser.
• A "remember me" cookie, if you choose that option, stays on your device for 30 days. You can clear it by signing out.

We do not use third-party analytics cookies, advertising cookies, social-media pixels, or cross-site trackers. Your browser's "Do Not Track" signal is honored by default — there is nothing to opt out of, because we do not track.

11. International Users and Data Residency

The Service is hosted in the United States. If you access the Service from outside the United States, your data is transferred to the United States and processed under US law. Privacy laws in the United States may be different from those in your country.

If your district is located outside the United States, write us at support@mylearningmaps.com before signing up so we can confirm whether we can lawfully serve you and what additional terms (such as Standard Contractual Clauses for EU/EEA transfers) would apply.

12. Changes to This Policy

We will update this policy as the Service evolves. When we do:

• For minor wording changes, we will update the "Last updated" date at the top.
• For material changes — new categories of data collected, new subprocessors that change the data flow, or changes affecting your rights — we will notify district administrators by email at least 30 days before the change takes effect, and post a notice on the Service.

Your continued use of the Service after the effective date of an update means you accept the updated policy. If you do not accept it, write us and we will help you export your data and close your account.

13. Contact Us

Questions, requests, or concerns about this policy:

For data-protection requests, put "Privacy Request" in the subject line.

This policy is provided in good faith and reflects our current practice. It is not legal advice. We recommend district administrators review this policy with their own counsel if they have questions about how it applies to their specific arrangement with us.