Pinnova Fleet Intelligence

Privacy Policy

Last updated: 2026-04-21

This policy describes the data Pinnova collects, how we store it, who can access it, and the legal rights of parents and students under FERPA. The policy matches the implementation — the engineering controls described here are enforced in code, not just promised on paper.

1. Who we are

Pinnova Fleet Intelligence is a product of Jenavus LLC (the "Company"), operated from Alexandria, Virginia. We provide K-12 school-district transportation-management software to district administrators, dispatchers, drivers, and parents.

2. What we collect

We collect the data a school district gives us to operate its transportation program. This includes:

• District data — district name, billing contact, Stripe customer ID.
• Staff data — dispatcher, driver, route-manager, and admin user records (username, email, name, role, last-login timestamp, bcrypt password hash).
• Fleet data — buses, routes, dispatches, GPS telemetry, incidents.
• Student education records (FERPA) — student legacy ID, name, grade, grade band, date of birth, home address, stop ID, pickup time, emergency contacts, authorized pickup list.
• Parent data — name, email, phone, relationship, derived from student emergency contacts.
• Operational telemetry — HTTP request logs, timing, status codes, rate-limit counters. See §5 on PII scrubbing.

3. How we store it

All tenant data lives in a DigitalOcean Managed Postgres cluster in the US East (NYC) region. The cluster uses:

• Transparent Data Encryption (TDE) at rest — disks encrypted with AES-256; keys managed by DO.
• TLS in transit — all client connections use TLS 1.2+.
• Daily automated backups with 7-day retention.
• Tenant isolation at the query layer — every Pinnova table that holds tenant data carries a district_id foreign key, and every tenant-scoped API endpoint filters by the caller's district. A caller in district A cannot read records from district B — this is verified by automated tests on every deploy.

4. FERPA compliance

Student education records are protected by the Family Educational Rights and Privacy Act (20 U.S.C. §1232g; 34 CFR Part 99). Pinnova treats every row in the students and parents tables as a FERPA record.

4.1 Lawful access

Under FERPA, the school district is the data controller. Pinnova acts as a "school official with legitimate educational interest" under 34 CFR §99.31(a)(1)(i)(B), as contracted by the district. We access records solely to operate the service.

4.2 Parent authentication

Parents authenticate to the parent portal with student ID + date of birth. No record is returned unless both match the specific student in the specific district. A student ID that exists in another district cannot be looked up from the wrong portal.

4.3 Access trail

Every read of a FERPA record is logged in the ferpa_audit_logs table with: who accessed (user ID), what (subject type + subject ID), when (timestamp), from where (IP), and via what route. District administrators can view their own district's access trail in the admin dashboard.

4.4 Brute-force protection

The parent-portal lookup is rate-limited to 5 requests per minute per IP and 20 per hour per (student ID, district). Both successful and failed attempts count — we care about anomalous patterns more than success or failure. Every rate-limit trip is logged to audit_logs so districts can investigate suspected brute-force.

4.5 Retention

If a district cancels Pinnova service:

• Operational data (buses, routes, live dispatches) is deleted 30 days after the end of the final paid period.
• FERPA access logs are retained for 7 years separately — this overrides the 30-day deletion to preserve audit trail per FERPA recommended practice.
• Stripe billing records are retained per Stripe's own policy (separate from Pinnova).

5. PII scrubbing in logs

Log output (application logs, HTTP access logs, error traces) is passed through a redaction filter before emission. The filter replaces:

• Email addresses → <email>
• Phone numbers → <phone>
• Student legacy IDs → <student_id>
• Dates of birth → <dob>
• Home addresses → <address>
• Names in key/value pairs → <name>

Non-PII fields — district ID, HTTP path, status code, timing, request ID — are kept intact for operational monitoring. The canonical access trail is the FERPA audit table (§4.3); log scrubbing is defense in depth.

6. Who can see what

Access to the admin console is role-gated:

• Admin (district): full district — users, billing, audit, FERPA trail.
• Dispatcher: fleet, routes, dispatches, incidents within the district. No billing, no FERPA audit viewer.
• Driver: only their own route manifest. No district-wide view.
• Route Manager: routes + coverage, no roster access.
• Viewer: read-only dashboard.
• Pinnova superadmin: Jenavus engineering may access any district for support and incident response. Access is gated by a shared secret and every call is logged.

7. Data subject rights

Parents retain the rights granted under FERPA: to inspect their student's records, request correction, and consent (or deny consent) to disclosures outside the "school official" scope. Those requests go through the district — Pinnova assists the district in responding but does not itself arbitrate parental FERPA requests.

For data-portability or deletion of non-FERPA data (e.g. your own dispatcher user account), email privacy@pinnovatms.com.

8. Third parties we use

• DigitalOcean — hosting + managed Postgres (US East).
• Stripe — billing. Stripe processes payment card data; we never store card numbers.
• Resend — transactional email (welcome + onboarding).
• Mapbox / OSRM — map tiles + routing for the dispatch and parent portal views. Only coordinates are sent — no PII.

Each third party has its own privacy practices linked from their domains. Pinnova does not sell data to any third party.

9. Changes to this policy

Material changes are announced via the admin dashboard and email to the billing contact 30 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.

10. Contact

Jenavus LLC — Alexandria, VA
Privacy Officer: privacy@pinnovatms.com
Incident / breach reporting: security@pinnovatms.com