← Back to home

Privacy Policy

Last updated: June 2025

1. Who We Are

Potato is a safe AR/VR gaming platform for K-12 schools, operated by Lunchbox EdTech Inc. ("Potato," "we," "us," or "our"). Safety and privacy are core to our design — not afterthoughts. Contact us at privacy@potato.xyz.

2. COPPA Compliance

Potato serves students under 13 and strictly complies with COPPA (Children's Online Privacy Protection Act). We do not collect personal information from children under 13 without verifiable parental consent or school authorization.

Schools using Potato act as authorized agents for parental consent under the COPPA school consent exception. Parents may contact us at privacy@potato.xyz to review, correct, or request deletion of their child's data at any time.

3. FERPA

When Potato is used through a school, we operate as a "school official" under FERPA. We access student education records only as directed by and for the benefit of the school. Schools remain the data controller for student education records.

4. What Data We Collect

  • Students (via school): Name, grade level, gameplay activity (scores, game time, creations), and in-platform messages (school-monitored).
  • Teachers and administrators:Name, work email, school affiliation, and class roster data.
  • Website visitors: Aggregate analytics only. No ad tracking. No personal identifiers collected from unauthenticated visitors.

5. Safety by Design

All student interactions within Potato are school-controlled. Students cannot communicate with anyone outside their school's network. There are no public chat rooms, no stranger interactions, and no user-generated content shared outside the school's walled garden. Teacher and administrator accounts have full visibility into all in-platform activity.

We never sell student data. We never use student data for advertising. Game usage data is used only to improve the educational experience.

6. Data Retention

Student data is retained for the duration of the school's active subscription plus 90 days. Schools may export all data before cancellation. Upon request, individual student records can be deleted within 30 days.

7. Security

All data is encrypted in transit and at rest. The student network is fully isolated from the public internet. We conduct regular security audits and will notify affected schools within 72 hours of any confirmed breach.

8. Parental Rights

Parents may request access to, correction of, or deletion of their child's data by contacting privacy@potato.xyz. We will respond within 10 business days.

9. Changes to This Policy

Material changes will be communicated to schools by email at least 30 days before they take effect.

10. Contact

Privacy questions: privacy@potato.xyz. General inquiries: hello@potato.xyz.