Privacy Policy

ShommyX Education is a daycare management service operated by ShommyX Technologies. We’re based in Canada and our production database, application servers, and media storage are hosted in North America.

If you’re a daycare administrator, this policy applies to your account. If you’re a parent invited to the platform by a daycare, this policy applies to the information stored about you and your child, alongside the daycare’s own internal policies which you should request directly from them.

From staff and administrators

• Name, email, hashed password.
• Role and staff assignment within a daycare.
• Time-clock records (clock-in, clock-out, total hours).
• Audit metadata (actions performed, timestamps).

From parents

• Name, email, optional phone number.
• Approved links to your child’s record at a daycare.
• Messages exchanged with daycare staff.
• Acknowledgements (e.g. incident reports).

About children (entered by the daycare)

• First and last name, date of birth, gender (optional).
• Allergies and medical notes (provided by parents).
• Daily attendance, daily reports, photos and videos taken at the daycare.
• Incident reports, medication administration records, immunization records (entered by staff).
• Developmental milestone observations.
• Enrollment subsidy status (e.g. CWELCC).

Automatically collected

• IP address and request timestamp (rate limiting + audit logs).
• Application error reports (when an error occurs in the app, captured for debugging).
• Basic device info you provide when registering for push notifications.

• We do not sell or rent any personal information to anyone.
• We do not share child information with third parties for advertising, profiling, or analytics purposes.
• We do not use children’s information to train AI models.
• We do not serve third-party advertising on this product.

We use the information you provide solely to operate the daycare-management product you signed up for: keep attendance, share daily reports with parents, deliver push and email notifications, surface compliance and tax reports, and provide customer support. We do not repurpose it for anything else.

• Daycare staff at your daycare — only see records scoped to their daycare. They cannot see another daycare’s data.
• Parents — only see records for children they have an explicitly approved link to.
• Multi-location operators — only see records for the daycares within their own organisation.
• ShommyX Technologies staff — can access your data only when necessary for support or debugging, and only via audited tooling. Impersonation actions are logged with the impersonator’s identity attached.

• Database: Neon PostgreSQL on AWS (US-East). Backed up automatically.
• Photos and videos: Cloudflare R2, tenant-scoped object paths so one daycare cannot enumerate another’s files.
• Application + API: Fly.io, US region by default.
• Transactional email: Resend.

Some of these vendors process data outside Canada. By using ShommyX Education you consent to your data being processed in those locations under the privacy regimes that apply there.

• Active accounts: we retain your data for as long as your daycare is using the service.
• After a daycare cancels: data is retained for up to 90 days so the daycare can export records (parent rosters, attendance, incidents). On request, we delete sooner.
• Audit logs: retained for at least 2 years for compliance and security purposes.
• Backups: Neon retains point-in-time backups for 7 days. Cloudflare R2 retains object versions per its standard policy.

You have the right to:

• Access information we hold about you or your child.
• Correct information that’s inaccurate (or ask your daycare to correct it for the child’s record).
• Withdraw consent — for a parent, this means asking your daycare to revoke your link (or contacting us directly if the daycare is unresponsive).
• Request deletion of your personal information when there is no longer a legitimate need to retain it.
• File a complaint with the Office of the Privacy Commissioner of Canada (or your provincial equivalent) if you believe we’ve mishandled your data.

To exercise any of these rights, email support@shommyxedu.com. We respond within 30 days.

We use Argon2id for password hashing, JWT-based session tokens delivered as httpOnly cookies, and HTTPS everywhere. Webhooks from payment processors are HMAC-verified before we trust them. Internal API endpoints are tenant-scoped at every read so cross-tenant access is hidden as a 404 (not a 403) — we don’t leak which records exist.

More detail is on the security page.

Daycares enrol children on the platform on behalf of the child’s legal guardians. The daycare is responsible for obtaining the necessary parental consent before entering a child’s information into ShommyX Education. By using the service to enrol a child, the daycare confirms it has that consent.

Parents who are uncomfortable with a particular type of information (e.g. photos) being recorded can ask the daycare to withhold it — staff can leave those fields blank, and parents see only what’s recorded.

We use a single authentication cookie to keep you signed in and a small number of functional cookies for session management. We do not run third-party advertising trackers, Google Analytics, or social-media pixels on the app.

We’ll update the “Last updated” date at the top of this page when we change it. If a change is material (e.g. new categories of data, new sub-processors, change in retention), we’ll email signed-in admins before the change takes effect.

Questions or concerns? Email support@shommyxedu.com. We answer in plain language.