PickupFlow™ Privacy Policy

Effective Date: January 2026

PickupFlow ("we," "our," or "us") is a school dismissal management application operated by CM Santos Group LLC, doing business as Nexpath Infrastructure. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").

By using PickupFlow, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use our Service.

1. Information We Collect

1.1 Information You Provide

• Account Information: When you create an account, we collect your name, email address, and password. For guardians, we also collect phone number and relationship to enrolled students.
• Student Information: Schools provide student names and grade levels. Guardians are linked to students through school-issued enrollment codes.
• Vehicle Information: Guardians may register vehicle details (make, model, color, license plate) to facilitate identification during pickup.
• Authorized Pickup Persons: Primary guardians may designate additional authorized individuals who can pick up their students, including their names, email addresses, phone numbers, and relationship to the student.
• Calendar Images (School Administrators only): School administrators may upload images of school calendars for AI-powered conversion to digital calendar events. These images are processed and immediately deleted; they are not stored permanently.

1.2 Information Collected Automatically

• Location Data: With your permission, we collect precise GPS location data when you use the "On My Way" or "I'm Here" features. This data is used solely to notify school staff of your arrival status and is not stored after your pickup session ends.
• Bluetooth Beacon Data: When enabled, our app detects Bluetooth beacons installed at school pickup zones to automatically confirm your arrival. This data is processed locally and only arrival confirmations are transmitted to our servers.
• Camera Access: With your permission, we access your device's camera solely to scan QR codes during the student enrollment process. This allows you to quickly enroll by scanning school-provided enrollment codes. We do not capture, store, or transmit any images or video. The camera processes QR codes locally on your device, and only the decoded enrollment code text is transmitted to our servers.
• Device Information: We collect device identifiers, operating system version, and app version for troubleshooting and service improvement.
• Push Notification Tokens: We collect Firebase Cloud Messaging tokens to send you notifications about pickup status, student dismissal, and important school announcements.
• Crash Logs and Diagnostics: We automatically collect crash logs, performance data, and diagnostic information to identify and fix technical issues, improve app stability, and enhance user experience. This data does not include personal information and is used solely for troubleshooting and service improvement.

2. Photo Library Access

School administrators may grant PickupFlow access to their device's photo library to upload images of school calendars. This access is:

• Only requested from school administrator accounts
• Used solely for uploading calendar images for AI processing
• Not used to access personal photos
• Not used for any marketing or tracking purposes

Parents and guardians are never asked for photo library access.

3. AI-Powered Calendar Processing

PickupFlow uses artificial intelligence to convert images of school calendars into digital calendar events.

How it works:

• School administrators upload an image of a printed or digital school calendar
• The image is securely transmitted to our AI processing service
• AI extracts dates, event names, times, and descriptions from the image
• Extracted events are added to the school's digital calendar

Data handling:

• Calendar images are processed in real-time
• Images are automatically deleted immediately after processing
• We do not retain copies of uploaded calendar images
• Extracted calendar data is stored within your school's secure account
• Images are never used for AI training or any other purpose

Third-party AI processing:

Calendar images may be processed using third-party AI services (such as Google Cloud Vision or similar providers). These services:

• Only receive the calendar image for processing
• Are bound by strict data processing agreements
• Do not receive any user account information or student data
• Process data in accordance with their respective privacy policies

Recommendations for Schools:

When uploading calendar images, we recommend:

• Using calendars that do not contain student names or personal information
• Reviewing extracted events for accuracy before publishing
• Only granting calendar upload access to authorized staff members

4. How We Use Your Information

We use the information we collect to:

• Provide and maintain the Service
• Facilitate communication between guardians and school staff during dismissal
• Verify guardian identity and authorization for student pickup
• Send push notifications about pickup status and school announcements
• Process calendar images and create calendar events (school administrators only)
• Improve and optimize our Service
• Comply with legal obligations
• Protect the safety of students, guardians, and school personnel

5. Information Sharing and Disclosure

• With Schools: We share guardian and student information with the schools where students are enrolled. Schools can view guardian arrival status, vehicle information, and pickup history.
• With Other Guardians: Primary guardians can see authorized pickup persons they have designated. Authorized pickup persons can see the students they are authorized to pick up.
• Service Providers: We use third-party services including Google Firebase (authentication, database, cloud functions, push notifications) and Google Cloud Platform (hosting and infrastructure). These providers are bound by contractual obligations to protect your data.
• AI Processing Services: Calendar images uploaded by school administrators are processed using third-party AI services to extract event information. These services only receive the calendar image and do not have access to any user account information or student data.
• Legal Requirements: We may disclose your information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

• Encryption of data in transit using TLS/SSL
• Secure authentication through Firebase Authentication with email verification
• Role-based access controls limiting data access to authorized personnel
• Regular security assessments and monitoring
• Secure cloud infrastructure hosted on Google Cloud Platform
• Immediate deletion of calendar images after AI processing

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service.

• Location data from pickup sessions is retained only for the duration of the pickup event and deleted thereafter.
• Calendar images are deleted immediately after AI processing is complete; they are not stored.
• Extracted calendar events are retained as part of the school's calendar data.

Schools may retain pickup history records in accordance with their record-keeping policies. Upon account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law or legitimate business purposes.

8. Children's Privacy

PickupFlow is designed for use by adults (guardians and school staff). We do not knowingly collect personal information directly from children under 13. Student information is provided by schools and parents/guardians, not collected directly from children. If you believe we have inadvertently collected information from a child under 13, please contact us immediately.

9. Your Rights and Choices

• Access and Correction: You may access and update your account information through the app settings.
• Location Permissions: You can enable or disable location services through your device settings. Note that disabling location services will prevent the use of arrival notification features.
• Camera Permissions: You can enable or disable camera access through your device settings. If disabled, you can still complete enrollment by manually entering the enrollment code.
• Photo Library Permissions: School administrators can enable or disable photo library access through device settings. Disabling this will prevent the use of the AI calendar conversion feature.
• Push Notifications: You can manage notification preferences through your device settings or within the app.
• Account Deletion: You can delete your account at any time directly within the PickupFlow app. Go to Settings → Account Settings → Delete Account and confirm the deletion. Your account and associated personal data will be permanently deleted within 30 days. You will receive an email confirmation when you initiate the deletion request. For detailed instructions, visit our account deletion help page. Note that schools may retain certain records as required by their policies and applicable laws.

California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including:

• The right to know what personal information we collect and how it is used
• The right to request deletion of your personal information
• The right to opt-out of the sale of personal information (we do not sell your information)

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the app and updating the "Effective Date" above. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: