Minga Privacy Policy


Effective Date: July 5, 2026

Minga Solutions, Inc. (“Minga,” “we,” “us,” or “our”) is committed to the highest standards of data privacy and security. This Privacy Policy explains how we collect, use, and protect information in connection with our educational platform and our corporate operations. Throughout this policy, “Platform Data” refers to personal information we collect or process on behalf of a District, including account details, structured activity records such as hall pass history and check-in logs, and roster data.

This policy is organized into two parts:

  • Section 1 – Platform Privacy Notice: How we protect data for students, staff, and parents using the Minga platform.
  • Section 2 – Corporate Privacy Policy: How we handle data for visitors to our public websites and prospective customers.

Questions about this policy or requests regarding your data may be directed to: privacy@minga.io

Section 1: Platform Privacy Notice (Educational Services)


1.1 Roles and Regulatory Compliance

Minga provides software services to school districts and educational organizations (“Districts”). In this context, the District is the Data Controller and retains ownership of all Platform Data submitted to the platform. Minga acts solely as a Data Processor, handling information only as instructed by the District and only as necessary to deliver the contracted services.

We align our platform with the following privacy frameworks:

  • FERPA: Minga is designated as a “school official” with a legitimate educational interest, as permitted under the Family Educational Rights and Privacy Act. For the purposes of this policy, ‘legitimate educational interest’ means the need to review or access an education record in order to fulfill a professional responsibility or service described in Minga’s agreement with the District.
  • COPPA: We do not knowingly collect personal information from students under the age of 13 outside of the school consent model under COPPA, which permits schools to consent on behalf of parents where data collection is solely for educational purposes with no commercial application. Minga relies on the District’s representation that it has the authority to provide such consent and has taken appropriate steps to notify parents.
  • CSPC & SDPC: Minga is a member of the California Student Privacy Coalition (CSPC) and the Student Data Privacy Consortium (SDPC). We utilize their frameworks, including the California Student Data Privacy Agreement (CSDPA), to support compliance with state-specific student privacy laws.
  • NDPA: We enter into National Data Privacy Agreements as requested by Districts.
  • Canadian Law: We adhere to PIPEDA (federal) and PIPA (British Columbia) frameworks for any applicable Canadian operations.
  • State Student Privacy Laws: Minga complies with applicable state student data privacy laws, including, without limitation, NY Ed Law 2-d, Illinois SOPPA, and the Texas SCOPE Act, and executes state-specific addenda upon request.. 

1.2 Information We Collect

We collect and process only the information necessary to provide our platform services. This includes:

  • Data Imported by the District: Information that the District chooses to integrate from other systems to establish user accounts and records, such as roster data, demographics, or existing academic and behavioral information.
  • Activity Data (Platform Generated): Structured records, engagement metrics, and historical logs generated by users through the Platform’s various modules.
  • User-Generated Content (UGC): Posts, messages, and other content created within the platform by students, staff, and other users. See §1.2.1 for details on how UGC is moderated and deleted.

Minga explicitly does not collect the following categories of information:

  • Biometric data (e.g., fingerprints or facial recognition data).
  • Precise geolocation data (e.g., real-time GPS tracking).
  • Health or medical records.

1.2.1 User-Generated Content

The following provisions apply specifically to User-Generated Content (UGC):

  • Content Moderation: Districts are responsible for moderating User-Generated Content within their instance of the platform. Districts may enable Minga’s automated content filtering, which scans submitted content for inappropriate material prior to or at the time of posting. Administrative controls allow District-designated personnel to review reported content and remove posts that violate District policies.
  • Deletion by Users: Users may delete content they have created within the platform. District-designated administrators may also delete content posted by others. Minga does not restore user-deleted or administrator-deleted content except at the explicit direction of the District.

1.3 What We Will Never Do With Student Data

Minga makes the following explicit commitments regarding Platform Data. We will never:

  • Sell students’ personal information to any third party.
  • Use student data to target students with advertising, whether behaviorally targeted or otherwise.
  • Use student data for any purpose unrelated to the educational services provided to the District.
  • Disclose student personal information to data brokers or analytics companies for commercial purposes.
  • Use student-generated content or personally identifiable platform activity to train AI or machine learning models (see §1.4 for our use of aggregated, de-identified data).
  • Retain student data beyond the deletion window following contract termination (see §1.7).

1.4 AI and Machine Learning

Minga does not use Student Personal Information to train artificial intelligence or machine learning models. Aggregated and de-identified data — derived from platform usage such as hall pass volumes, check-in trends, and feature engagement, and produced using methods consistent with FERPA de-identification standards — may be used to improve and develop our services, generate aggregate insights for customers, and train and enhance machine learning models. Such data does not identify, and cannot reasonably be linked back to, any individual student, school, or district.

1.5 Subprocessors

Minga engages third-party service providers (“Subprocessors”) that may have access to Platform Data to deliver our services. All Subprocessors are bound by contractual obligations no less protective than those in our agreements with Districts.

An up-to-date list of Minga’s Subprocessors is maintained at minga.io/privacy/subprocessors.

Before adding a new Subprocessor with access to Platform Data, Minga will provide affected Districts with at least 30 days’ advance written notice by email to the District’s designated privacy contact. In addition, a platform notice may be provided, but not in place of an email notice for these changes. 

Administrative updates that do not change the subprocessor’s identity, the categories of data processed, or the location of processing — such as a corporate name change of an existing Subprocessor — will be reflected on the Subprocessors page without separate notice, except where a District’s agreement requires otherwise.

1.6 Security & Breach Notification

Minga employs industry-standard technical, physical, and organizational security measures, including:

  • Encryption at Rest: All Platform Data is encrypted at rest using AES-256 encryption.
  • Encryption in Transit: All data transmitted to and from the platform is protected using TLS 1.2 or higher.
  • Password Security: User passwords are protected using salted password hashing.
  • Standards-based Single Sign-On (SSO): Minga supports SSO as the recommended authentication method for Districts, reducing reliance on password-based access and improving security for staff and student accounts.
  • Data Residency: Platform Data for Districts located in the United States is stored and processed in data centers located in the continental United States. Platform Data for Districts located in Canada is primarily stored in data centers located in Canada. Minga does not transfer Platform Data to servers outside of these regions without prior written consent from the District.
  • Physical and Infrastructure Security: Minga’s platform is hosted on Google Cloud Platform and Amazon Web Services, both of which maintain SOC 2 Type II certification. Physical data center security controls — including facility access controls, environmental protections, and redundant power and network systems — are governed by those providers’ certifications.
  • Access Controls: Access to Platform Data is restricted to Minga personnel with a documented business need. Role-based access controls and the principle of least privilege are applied across internal systems. Access rights are reviewed and revoked upon changes in role or employment status.
  • Employee Training: All Minga staff with access to Platform Data complete privacy and security awareness training as part of onboarding and on an ongoing basis.
  • Third-Party Security Assessments: Minga engages independent third parties to conduct periodic security assessments of its platform and infrastructure. Findings are reviewed and remediated in accordance with Minga’s internal security program.

In the event of a confirmed security breach affecting Platform Data, Minga will notify the affected District(s) without undue delay and within 72 hours of discovery. Minga will also comply with state breach notification laws, which may impose additional or shorter notification timeframes. More specific breach notification procedures, including notification to affected individuals and relevant regulatory authorities where required by law, are addressed in individual customer agreements.

1.7 Data Retention, Export, and Deletion

Platform Data, including District-imported data, platform-generated activity data, and User-Generated Content, is subject to the following retention, export, and deletion terms:

  • Right to Export: Districts may request a return or export of their Platform Data at any time during the term of their agreement.
  • Deletion on Termination: Upon contract termination, Minga will permanently delete or de-identify all Platform Data within 90 days. De-identification, performed in accordance with FERPA standards, including the removal of all direct and indirect identifiers, will be used only as an alternative where permanent deletion is not technically feasible.

1.8 Exercising Data Rights

Districts may submit requests to access, correct, export, or delete Platform Data by contacting us at support@minga.io. Requests will be acknowledged within 5 business days and fulfilled in accordance with applicable law and the terms of the District’s agreement with Minga.

Parents and eligible students seeking to exercise rights under FERPA should contact their District directly. The District, as Data Controller, is responsible for managing individual rights requests relating to student education records.

Section 2: Corporate Privacy Policy (Public Websites & Marketing)


2.1 Information We Collect

When you visit our public websites or submit an inquiry, we may collect:

  • Contact information: name, school or work email address, and phone number, voluntarily provided via demo requests, contact forms, or event registrations.
  • Device and usage data: automatically collected via cookies and similar technologies when you browse our public site, including IP address, browser type, pages visited, and session duration.

2.2 How We Use This Data

We use the data collected through our public websites and marketing channels to:

  • Respond to inquiries and provide requested information.
  • Manage our sales and marketing communications with prospective customers.
  • Measure the performance of our marketing and promote Minga on other websites and platforms.
  • Improve the performance and content of our public websites.

We rely on legitimate interests as the legal basis for processing contact data submitted through our website, and on consent where required (for example, for marketing emails sent under CASL).

2.3 Your Choices

  • Marketing Opt-Out: You may unsubscribe from marketing emails at any time by using the unsubscribe link in any communication or by emailing support@minga.io.
  • Do Not Track (DNT): Our website does not currently respond to browser Do Not Track signals.
  • Cookie Management: You may manage or disable non-essential cookies through your browser settings, including cookies used for analytics and advertising. Note that disabling cookies may affect the functionality of certain parts of our site.
  • Cookies in use: We use functional cookies (required for site operation), preference cookies, analytics cookies (to understand how our site is used), and advertising and cross-site tracking cookies (to measure our marketing and promote Minga on other websites).

To submit a data access, correction, or deletion request relating to your corporate contact data, please email support@minga.io.

Section 3: General Disclosures


3.1 Corporate Ownership

Minga Solutions, Inc. is an affiliate of Riverwood Capital. Riverwood Capital does not have access to Platform Data, including student data, in the ordinary course of its affiliation with Minga. This affiliation does not change the data practices described in this policy. In the event of a merger, acquisition, or change of control, we will ensure that any successor entity is bound by the terms of this Privacy Policy with respect to previously collected data, and Districts will be notified of any material changes at least 30 days in advance.

With respect to Student Data specifically: in the event of a change of control, Minga will not transfer personally identifiable Student Data to any successor entity unless that entity has agreed to data privacy standards no less protective than those set out in this policy. Districts will be given advance notice and the opportunity to request deletion of their Student Data prior to any such transfer taking effect.

3.2 Policy Changes & Version History

We will notify Districts and users of any material changes to this Privacy Policy via email or a prominent notice on our website, at least 30 days before changes take effect. 

3.3 Contact Us

For questions, concerns, or requests related to this Privacy Policy:

Email: privacy@minga.io
Attention: Pam Boyko, Chief Operating Officer