Privacy Policy
Last updated: June 2026
What data we collect
Corso collects only the minimum data needed to operate a school run club program. This includes: student first name, last name, year group, class name, barcode or access code, run participation, awards, assigned training tasks, and limited admin-entered safety notes where the school needs them for run club duty of care. No email addresses, phone numbers, or home addresses are collected for students.
How data is used
Student data is used solely to track run club participation, lap counts, distance milestones, award progress, interschool athletics planning, and teacher-directed training. It is not used for advertising and is not sold. Any third-party hosting or software provider must be reviewed and approved by the school before real student data is entered.
Access boundaries
The platform is designed so each school can see only its own students. Parents can see only their own linked child or children, and students can see only their own profile. The platform should remain free from ads, advertising trackers, and cross-school data sharing.
Student login codes
Students access their own profile using a school-issued barcode, QR code, or access code. Production access codes should be generated by the backend and must not be simple name-based usernames. No real passwords or email addresses are exposed to students or visible in the student UI.
Data storage
In demo mode, all data is stored locally in your browser’s localStorage and never leaves your device. In production mode, data is stored in a Supabase-hosted database with row-level security ensuring each school can only access its own data.
School and Department approval
Corso should be treated as a school online service before real student information is added. The school should confirm parent/guardian communication, acceptable-use expectations, approved hosting, staff roles, and any Department or sector review requirements. Demo data should be used until that approval is recorded.
Medical and safety notes
Medical notes are limited to practical run-club safety information such as asthma, anaphylaxis/allergies, medication carried, emergency action notes, and whether a school health plan has been supplied. These notes are for authorised staff/guardian safety reference only and do not replace official school health care plans.
Security and breach response
Production use requires authenticated staff accounts, school-scoped role permissions, row-level security, audit logs, and a documented breach response process. Any suspected unauthorised access, disclosure, loss, or misuse of student information should be escalated through the school’s approved information breach process.
Before real student data is added
The current public demo is for testing only. Before importing a real roster, the app must move from browser-only localStorage to authenticated school accounts, row-level security, audit logs, role-based access, and a clear data retention process. Public demo access must be disabled before any identifiable student data is entered.
Data retention
Schools can export and delete their data from the Admin Dashboard. Before launch, each school should decide how long run club, athletics, training, guardian access, audit, and medical safety records are retained, and when records should be deleted or de-identified.
Contact
For privacy questions or data deletion requests, contact your school’s run club administrator.