LAST UPDATED · APRIL 2026

Data & Compliance

An overview of how 101 approaches key privacy and regulatory frameworks.

Regulatory Overview

COPPA: Children's Online Privacy Protection ActADDRESSED

Section 230: Platform liability for user contentADDRESSED

FERPA: Family Educational Rights and Privacy ActN/A

101 is not an official school or district system and does not store or process education records as defined by FERPA.

CCPA: California Consumer Privacy ActN/A

101 does not serve California residents in its intended scope.

GDPR: General Data Protection RegulationN/A

101 does not serve EU data subjects in its intended scope.

COPPA

The Children's Online Privacy Protection Act applies to platforms that knowingly collect personal information from children under 13. 101 does not target users under 13. The platform collects only an email address for authentication purposes. No name, location, behavioral data, or any other personal information is collected from any user.

If a user under 13 creates an account, we collect no more information from them than from any other user. Parents or guardians may contact the platform administrator to request account deletion.

Section 230

Section 230 of the Communications Decency Act protects platforms from liability for user-generated content. 101's design further limits exposure:

Teacher ratings use structured multiple-choice fields only. No free-text fields exist where defamatory content could be entered.
Suggestions are moderated before publication
A disclaimer on the ratings page clarifies that scores reflect anonymous opinion, not formal evaluations

Data Minimization

101 is built on a strict data minimization principle:

Email:collected for authentication only, never displayed or linked to platform activity
Anonymous username:randomly generated at registration, not traceable to real identity
Rating answers:multiple choice only, stored with no connection to email or real name
Suggestion text:moderated before publication, stored with anonymous account ID only
Vote records:stored as anonymous account ID + suggestion ID pairs only

No behavioral analytics, advertising cookies, or third-party tracking scripts are used.

Data Infrastructure

101 uses the following providers, each with their own compliance certifications:

Supabase:database and authentication. SOC 2 Type 2 compliant. U.S.-based infrastructure.
Vercel:application hosting. SOC 2 Type 2 compliant. U.S.-based edge network.

No user data is processed outside the United States. No data is sold or shared with third parties for any purpose.

Data Deletion

Any user may request full deletion of their account and all associated data. This includes removal of their email, anonymous username, rating history, submitted suggestions, and vote records. Requests are completed within a reasonable timeframe.

Incident Response

In the event of a data breach or unauthorized access, the platform administrator will assess the scope, notify affected users promptly, and take immediate remediation steps including credential rotation and access revocation as appropriate.