Privacy & Security

RideBeacon Privacy & Security

Principal-ready overview. Parents control student identification. Schools only see student names when parents opt in. Parent contact information is never exposed. All school actions are audited.

Security Summary
What is in place today.
  • Student data protected
  • Parent contact information protected
  • Schools only access data authorized by parents
  • Row Level Security enabled on every table
  • Audit logging enabled
  • No public access to rider records
  • All school actions recorded
What schools can see
  • Anonymous rider IDs and bike codes (e.g. RB-1047)
  • Parking compliance, violations, and intervention status
  • Safety scores and Safe Rider certifications for opted-in riders
  • Rider name and grade — only when the parent explicitly opts in to school identification
  • Their own school's records — never another school's
What schools cannot see
  • Parent names, phone numbers, or email addresses
  • Home addresses or any billing information
  • Live GPS coordinates of a rider's location off campus
  • Rider names or personal details for parents who have not opted in
  • Any data belonging to a different school
What parents control
  • Whether their child's real name is visible to the school (opt-in)
  • Which alerts they receive (parking, speed, intervention, weekly recap)
  • The phone number RideBeacon uses to contact them
  • Full visibility into their own rider's history and score
How data is protected
Row Level Security (RLS)

Every table enforces row-level security in the database. Even with a valid login, the database refuses to return rows that don't belong to that user's role and school.

Role-based access

Parents, school staff, and school admins each have distinct roles stored in a separate, tamper-resistant table. Roles are checked by the database — not by the browser.

Encrypted in transit and at rest

All traffic is HTTPS. Credentials are never stored in plain text. API keys for SMS and maps are held server-side only.

Parent-controlled identification

School staff cannot see a rider's real name unless the parent has explicitly turned on school identification for that rider.

How audit logs work

Every school-staff action — viewing a rider's record, issuing a violation, authorizing a bike lock, lifting a campus restriction — writes an immutable entry to the audit log with the actor, role, timestamp, and the affected rider or bike.

Parents can see every action taken against their own rider's record. School admins can review every action taken at their school. Audit entries cannot be edited or deleted by any signed-in user.

Documented design decisions
Items we are intentionally accepting for the pilot, with the reason behind each.
Public complaint submissions
By design

Anyone with a bike's QR code can submit a parking or safety complaint without logging in. This is intentional — it's how community members report issues. Submissions only attach to that specific bike and are reviewed by school staff before any action.

Public complaint photo links
By design

Photos attached to complaints live in a read-only public bucket so school staff and the bike's parent can view them directly from an SMS link. Links are random and not listable from the browser; uploaders and staff are the only roles allowed to delete or modify them.

Pilot scoring rules visible to staff
Pilot limitation

Schools in the pilot share the same RideBeacon scoring weights so outcomes are comparable across campuses. Per-school configuration is intentionally not exposed in the dashboard during the pilot.