WellRoster handles student health data during a narrow, active window. This page explains exactly what data we collect, who can see it, how long we keep it, and what we never do with it.
Effective: June 12, 2026

WellRoster is an active illness cross-referencing tool. It exists to answer one question while a student is ill: who else shared a classroom, bus, or activity with them? It is not a medical record system, not a long-term health history, and not a clinical charting platform. When an illness resolves, the student's data is removed. What remains is only anonymized, aggregate statistics for public health trend analysis: nothing that can identify a student.
Clinical records, immunization history, medication management, and ongoing health documentation belong in your district's dedicated electronic health records (EHR) system. WellRoster does not replace those systems and does not integrate with them.
Every data element we collect serves a specific operational purpose. We do not collect data speculatively or for future use.
| Data Type | Retention | What It Includes | Why We Collect It |
|---|---|---|---|
| Student identity | Purged when illness resolves | Student name and school enrollment record | Required to locate the student's schedule, bus assignment, and activity enrollments for cross-referencing. Without this link, no exposure mapping is possible. |
| Illness report | Purged when illness resolves | Reportable condition type, symptom onset date, report date, confirmation status (confirmed / suspected / ruled out), and estimated return-to-school date | Tracks which students are actively ill and with what condition. Drives outbreak threshold alerts and determines how long cross-reference data is retained. |
| Schedule & exposure data | Purged with illness record | Class periods, teacher assignments, bus route and AM/PM trip, and activity or club enrollments at the time of illness | The core cross-reference data, used to identify which classrooms, buses, and activities an ill student shared with others. Retained only for the duration of the active illness window. |
| Anonymized statistics | Retained (no PII) | Weekly and monthly case counts by condition, school, and district; no student names, IDs, or other identifying information | Supports district-wide and multi-year illness trend analysis for public health planning. These counts are produced when an illness is reported and are never linked back to individual students. |
| User account data | Retained while account is active | Name, email address, username, job title, hashed password, TOTP authenticator configuration, and passkey (WebAuthn) credentials | Authentication and role-based access control. Passwords are stored as salted one-way bcrypt hashes; the original password cannot be recovered from the stored value. |
| Session data | Expires on logout or inactivity | Session token, IP address, authentication method, and last-activity timestamp | Maintains authenticated sessions. Sessions are revoked automatically after 60 minutes of inactivity or on explicit logout. Session state is held server-side, so a revoked token cannot be replayed. |
| Audit log | Retained for compliance | Username, IP address, action type (view / create / update / delete / purge), record type, record ID, school or district context, and timestamp. Student names and health details are never stored in the audit log; entries reference records by internal record ID only. | HIPAA 45 CFR § 164.312(b) (audit controls) and FERPA 34 CFR § 99.32 (recordkeeping of disclosures) require a verifiable record of access to and disclosure from student health data. The audit log satisfies this requirement without containing patient-identifying information. |
Access is controlled by role and organizational scope. Every request is evaluated server-side against the user's assigned role and scope (district or school) before any data is returned. No role has broader access than its operational function requires.
Manages reportable conditions and configures outbreak threshold rules for the districts under their authority. Cannot access case data, illness reports, student records, or any health or student-identifying data of any kind. Their access is limited strictly to condition and rule configuration.
Manages user accounts, bus fleet, and district-level configuration. Views anonymized illness overviews and trends across all schools. Cannot access individual student records or illness reports. District administrator contact information (name and email address) is visible to administrators of other districts for the purpose of facilitating inter-district communication.
Views anonymized, aggregate illness trend data and outbreak status across all schools in the district. Cannot access individual student records, names, or illness reports.
Manages staff, schedules, and user accounts for their school. Can view active illness reports and cross-reference results for students at their assigned school only, during the active illness window. No access to data from other schools.
Submits student illness reports and views the resulting cross-reference results — which classrooms, buses, and activities carry active exposure risk — for their assigned school only. No access to data from other schools.
Manages bus fleet and route numbers for the district. Can view the Bus Illness Report, which shows active case counts per bus and condition and identifies which schools are contributing cases to each route. Student names are never included. Transportation staff cannot access individual illness reports, student records, or any student-identifying information.
Data collected by WellRoster stays within the organizational hierarchy of the district that collected it. The commitments below are not qualified by fine print.
Student health data, staff account data, and organizational records are never sold, licensed, or monetized in any form to any entity, inside or outside the district.
Data is not shared with, transmitted to, or accessible by any person or organization outside the organizational hierarchy — health authority, district, and schools — without explicit permission from an authorized administrator within that hierarchy.
WellRoster contains no third-party tracking scripts, analytics platforms, advertising networks, or social media integrations. No usage data leaves the server.
Student personally identifiable information is not retained beyond the active illness window. Once illness resolves, the record is purged. We do not archive student health histories.
Student health data, illness reports, and school-level records from one district are never visible to users of another district. The only cross-district visibility is district administrator contact information (name and email), which is made available to administrators of other districts solely to facilitate inter-district communication.
Student health data, staff information, and organizational records collected by WellRoster are not used to train, fine-tune, or evaluate any machine learning or artificial intelligence model.
Protection is applied in layers — from the database on disk to the browser session. No single control is relied upon exclusively.
The entire database is encrypted using MySQL InnoDB tablespace encryption, so data on disk is unreadable without the encryption key, even with direct access to the underlying storage (InnoDB holds the master key in a keyring, separate from the tablespace files). This is an at-rest control: it protects against theft of disks, snapshots, or backup files, not against an attacker who can authenticate to the database or the application, which is why it is layered with the access controls below.
All communication between browsers and the server is encrypted via TLS. Plain HTTP connections are redirected to HTTPS. Session cookies are flagged Secure and never sent over unencrypted connections.
Supports password with TOTP two-factor authentication and FIDO2 passkeys / hardware security keys. Passwords are stored as one-way bcrypt hashes. Accounts lock after five failed attempts.
Sessions expire automatically after 60 minutes of inactivity. Cookies are HttpOnly (inaccessible to browser scripts) and SameSite=Strict (not sent on cross-site requests). Sessions are revoked server-side on logout, so a token that has already been issued stops working the moment its server-side record is removed.
Every data access and modification is logged with the acting user's identity, IP address, and timestamp. The audit log is append-only — the application user cannot update or delete audit records.
Two separate database users are used: one for the application (cannot write to the audit log) and one exclusively for writing audit records (cannot access any other table). Neither can alter the database schema.
Every database query throughout the application uses parameterized prepared statements. No user-supplied input is ever concatenated directly into a SQL query.
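To make the distinction concrete, here is an added example (not WellRoster's code) showing a string-built query beside its parameterized form. It uses Python's built-in sqlite3 so it runs offline; MySQL client libraries take the same shape with `%s` placeholders instead of `?`. The `users` table, its sample rows, and the function names are constructed for the illustration. The payload also shows why this control matters for scope: the concatenated query hands back accounts from every district, not just the caller's.

```python
"""String-built SQL beside a parameterized query (added example, sqlite3 stand-in).

Not WellRoster's code. The table, rows and function names are constructed here.
"""
import sqlite3


def make_db():
    """In-memory database with a constructed users table spanning two districts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, job_title TEXT, district TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("nurse.amy", "School Nurse", "north"),
        ("admin.lee", "District Administrator", "north"),
        ("nurse.raj", "School Nurse", "south"),   # a different district
    ])
    return conn


def lookup_unsafe(conn, username, district):
    """Vulnerable: user input is interpolated into the SQL text, so the input
    can rewrite the WHERE clause that was supposed to scope it to one district."""
    sql = (
        "SELECT username FROM users "
        f"WHERE district = '{district}' AND username = '{username}'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username, district):
    """Parameterized: the SQL text is fixed; the driver sends the values
    separately, so quotes or keywords in the input are just characters."""
    sql = "SELECT username FROM users WHERE district = ? AND username = ?"
    return [row[0] for row in conn.execute(sql, (district, username))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload, "north"))  # every user, every district
    print("safe:  ", lookup_safe(db, payload, "north"))    # no such username: []
```

With the payload, the unsafe query becomes `... WHERE district = 'north' AND username = 'x' OR '1'='1'`; because AND binds tighter than OR, the trailing `OR '1'='1'` matches every row, including the other district's. The parameterized version looks for a user literally named `x' OR '1'='1` and finds nothing.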
All forms that modify data include a server-generated, session-bound CSRF token. Requests without a valid token are rejected before any data operation is performed.
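The session and CSRF controls described above, as an added example rather than WellRoster's own code. The names `SessionStore`, `session_cookie_header` and `handle_modifying_request`, the cookie name `wr_session`, and the form field `csrf_token` are assumptions, and the usernames and addresses are constructed. It shows the two properties the policy relies on: the browser holds only an opaque random token while all state lives on the server, so both idle expiry and logout work by deleting the server-side entry; and the CSRF token is compared in constant time against the one issued to that specific session, before any data operation runs.

```python
"""Server-side sessions with a 60-minute idle timeout, logout revocation, and a
session-bound CSRF token.

Added example for this page; not WellRoster's code. Class, function, cookie and
field names are assumptions; sample users and addresses are constructed.
"""
import hmac
import secrets
import time

IDLE_TIMEOUT_SECONDS = 60 * 60   # policy: sessions end after 60 minutes of inactivity
CSRF_FIELD = "csrf_token"        # assumed form field name


class SessionStore:
    """All session state lives here, on the server. The browser holds only an
    opaque random token, so deleting the entry is enough to make that token
    useless, no matter who still has a copy of it."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the timeout can be tested deterministically
        self._sessions = {}      # token -> session dict

    def create(self, username, ip, auth_method):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, no user data inside
        now = self._clock()
        self._sessions[token] = {
            "user": username,
            "ip": ip,
            "auth_method": auth_method,
            "last_activity": now,
            "csrf": secrets.token_urlsafe(32),  # per-session CSRF token, generated server-side
        }
        return token

    def resolve(self, token):
        """Return the session for `token`, or None if it is unknown, revoked, or
        has been idle longer than IDLE_TIMEOUT_SECONDS. An idle session is
        deleted on the spot, so a stale token dies on its first rejected use."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        sess["last_activity"] = now   # sliding window: each request restarts the 60 minutes
        return sess

    def revoke(self, token):
        """Logout. Returns True if a live session was removed."""
        return self._sessions.pop(token, None) is not None


def session_cookie_header(token, name="wr_session"):
    """Set-Cookie value carrying the flags the policy lists: Secure (HTTPS only),
    HttpOnly (no script access), SameSite=Strict (not sent on cross-site requests)."""
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def csrf_token_valid(session, submitted):
    """Constant-time comparison against the token issued to *this* session, so a
    token harvested from another session, or a missing field, is rejected."""
    expected = session.get("csrf")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_modifying_request(store, token, form, action):
    """Gate for any state-changing request: authenticate the session, then check
    the CSRF token, and only then run `action`. Returns (status, result)."""
    sess = store.resolve(token)
    if sess is None:
        return 401, None
    if not csrf_token_valid(sess, form.get(CSRF_FIELD)):
        return 403, None        # rejected before any data operation
    return 200, action()


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("nurse.amy", "10.0.0.5", "totp")
    print(session_cookie_header(tok))
    csrf = store.resolve(tok)["csrf"]
    print(handle_modifying_request(store, tok, {CSRF_FIELD: csrf}, lambda: "report saved"))
    store.revoke(tok)
    print(handle_modifying_request(store, tok, {CSRF_FIELD: csrf}, lambda: "report saved"))
```

The clock is injected so the 60-minute boundary can be exercised without waiting; in production the default `time.time` is used. Note that the idle timeout is a sliding window: a user who keeps working never hits it, while a forgotten tab dies an hour after its last request.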
The Family Educational Rights and Privacy Act (FERPA) grants parents and eligible students specific rights over education records. WellRoster is designed to support those rights.
Parents and eligible students may request access to any education records held about them. Requests should be directed to the school or district's designated FERPA records officer. WellRoster's audit log records which user accessed each record and when, and this record can be provided upon request.
If you believe a record in WellRoster is inaccurate or misleading, you may request that the school correct it. Contact your school's health staff or administrator. Because WellRoster removes student records once illness resolves, most records will no longer exist by the time a formal correction request is received.
WellRoster does not disclose student records to parties outside the organizational hierarchy — health authority, district, and schools — without consent. Data is not shared with any external entity, vendor, or researcher without explicit authorization.
If you have questions about how WellRoster handles data at your district, contact your district's designated FERPA or privacy officer. For questions about the platform itself, contact your district's WellRoster system administrator.
This policy reflects the technical design and operational commitments of the WellRoster platform. Individual districts may have additional privacy policies that govern how they operate within their jurisdiction. In the event of a conflict, the district's policy governs.