Data Security and Privacy Plan

Last updated: May 13, 2026

Lemonade Lab is committed to protecting student data, educator data, parent data, and school community information.

This Data Security and Privacy Plan describes the administrative, operational, and technical safeguards Lemonade Lab uses to support school privacy requirements and protect personally identifiable information.

This plan applies to Lemonade Lab for Schools and is intended to support school agreements, including Data Privacy Agreements and applicable student privacy obligations.

1. Implementation of contract privacy requirements

Lemonade Lab will implement applicable data security and privacy requirements for the duration of each school contract.

Student data is used only to provide the services requested by the school or district, including student onboarding, classroom setup, project-based learning, storefront creation, parent approval workflows, safety moderation, educator dashboards, student progress tracking, and related platform support.

Lemonade Lab does not sell student data. Lemonade Lab does not use student data for targeted advertising.

2. Administrative, operational, and technical safeguards

Lemonade Lab uses administrative, operational, and technical safeguards designed to protect personally identifiable information from unauthorized access, disclosure, acquisition, destruction, use, or modification.

These safeguards include:

Role-based access controls
Least privilege access practices
Encrypted data transmission
Encryption of sensitive data at rest where applicable
Authentication controls
Logging and monitoring of platform activity
Restricted internal access to student information
Separation of support access from sensitive child data
Secure development practices
Periodic review of access permissions
Subprocessor review and contractual controls
Safety and moderation systems designed for student use cases

Lemonade Lab limits access to student data to personnel and approved service providers who need access to provide, maintain, secure, or support the platform.

3. Training

Lemonade Lab requires employees, contractors, and relevant service providers with access to student data to follow confidentiality and privacy obligations.

Training and internal guidance may include student privacy, data handling, access controls, incident reporting, secure support practices, confidentiality requirements, and applicable privacy obligations such as FERPA, COPPA, state student privacy requirements, and Canadian privacy principles where applicable.

4. Employee, contractor, and subprocessor obligations

Lemonade Lab requires personnel with access to student data to follow written confidentiality and data protection obligations.

Lemonade Lab also uses written agreements with subprocessors that support the operation of the platform. These agreements require subprocessors to protect data, limit use of data to authorized services, and maintain appropriate confidentiality and security obligations.

Lemonade Lab does not grant subprocessors ownership rights in student data.

5. Incident response

Lemonade Lab maintains procedures to identify, assess, respond to, and mitigate data security and privacy incidents.

If Lemonade Lab confirms an incident involving student personally identifiable information, Lemonade Lab will notify the affected school or district in accordance with the applicable agreement and legal requirements.

Incident response activities may include:

Initial investigation
Containment and mitigation
Assessment of affected data
Internal escalation
Subprocessor coordination if applicable
School or district notification
Corrective action
Post-incident review

6. Data transition and return

When student data is no longer needed to provide the contracted services, Lemonade Lab will support reasonable school or district requests to return, export, transfer, or delete student data, subject to applicable law and the relevant agreement.

Where technically feasible, Lemonade Lab will provide student data in a reasonably usable format.

7. Secure deletion and destruction

Lemonade Lab will delete or destroy student data when required by the applicable agreement, school request, or legal obligation.

Deletion may include removal from active systems and scheduled removal from backups according to Lemonade Lab’s data retention and backup practices.

Upon request, Lemonade Lab can provide written confirmation of deletion or destruction where applicable.

8. Alignment with school policies

Lemonade Lab will review applicable school or district data security and privacy policies provided under a signed agreement and will make reasonable efforts to align platform practices with those requirements.

Where a school or district requirement conflicts with Lemonade Lab’s technical operation, legal obligations, or security practices, Lemonade Lab will work with the school or district to identify a reasonable path forward.

9. NIST Cybersecurity Framework alignment

Lemonade Lab’s security and privacy program is designed to materially align with the NIST Cybersecurity Framework Version 1.1 across the following core functions:

Identify

Lemonade Lab identifies the systems, data types, personnel, subprocessors, and workflows involved in providing the platform. Lemonade Lab reviews privacy and security risks related to student data, parent data, educator data, payments, storefront activity, communications, moderation, and platform support.

Protect

Lemonade Lab uses access controls, encryption, confidentiality obligations, secure development practices, data minimization, and internal restrictions to protect personally identifiable information.

Detect

Lemonade Lab uses logging, monitoring, moderation workflows, and operational review practices to help identify suspicious activity, unauthorized access, policy violations, and potential platform misuse.

Respond

Lemonade Lab maintains incident response procedures to investigate, contain, mitigate, communicate, and document data security and privacy incidents.

Recover

Lemonade Lab maintains operational recovery practices designed to restore affected systems or services and to improve internal processes based on incident review and lessons learned.

Contact

For privacy or security questions, contact:

Privacy Contact: Dean Horsfield
Company: Lemonade Lab, Inc.
Email: [email protected]
Address: 1830 Bloor St. West, Toronto, ON, Canada, M6P 0A2

Important note

This plan is intended to summarize Lemonade Lab’s data security and privacy practices. It does not disclose confidential technical architecture, security configurations, vulnerability details, or other sensitive information that could compromise Lemonade Lab systems or student data.