CorkBoard Studio legal
Privacy Policy
Effective: July 16, 2026 | Last updated: July 16, 2026
1. Scope and Controller
This Policy applies to CorkBoard Studio, CorkBoard University, Framewalker, and related websites, apps, and services operated by Jack Allen (collectively, "CorkBoard"). It does not govern third-party sites, devices, or services that have their own privacy practices.
If a school, district, employer, or production organization provides your account, that organization may control your account and content. Its privacy notice and written agreement with CorkBoard may supplement this Policy.
2. Information We Collect
| Category | Examples | How collected |
|---|---|---|
| Account and identity | Name, email address, Firebase user ID, profile name, authentication provider, account and approval status | From you, Google/Apple authentication, or an organization |
| Production and creative content | Scripts, breakdowns, schedules, budgets, contacts, auditions, locations, call sheets, emergency contacts, safety notes, graphics, wardrobe, props, storyboards, messages, files, exports, and project metadata | From users and collaborators |
| Education information | School/class association, enrollment, pathway, assignments, assessments, progress, grades, credentials, teacher feedback, and portfolio submissions | From students, instructors, schools, and service activity |
| Collaboration data | Invitee email, inviter, role, membership, permissions, acceptance status, team activity, comments, and communications | From project owners and collaborators |
| Files and media | Documents, PDFs, scripts, images, PNG graphics, URLs, and associated metadata selected for import or upload | From your device or linked service |
| Settings and local data | Display preferences, drafts, project caches, local-only projects, API keys you elect to store locally, and game or lesson progress | Stored in browser storage or on your device |
| Technical and usage data | IP address, browser/device type, timestamps, request and error logs, security events, feature use, sync status, and approximate location inferred from IP | Automatically through hosting, security, and service operation |
| Integration data | Addresses or coordinates sent for maps/routes/weather, selected content sent to an AI provider, email links, and local broadcast device addresses/commands | When you invoke the integration |
| Transaction data | Plan, purchase status, billing contact, transaction identifiers, and limited payment metadata | From you and a payment provider; full card details are handled by the provider |
| Support and feedback | Messages, attachments, diagnostic information, requests, and survey or feedback responses | From you |
Some project fields can contain sensitive information, including private contact details, precise production locations, emergency information, student records, unreleased scripts, or confidential budgets. Enter only information that is necessary and that you are authorized to process.
3. How We Use Information
- Provide authentication, storage, synchronization, collaboration, exports, education, support, and broadcast features.
- Apply project and school permissions and deliver invitations.
- Operate optional features you request, such as weather, routing, AI, email, and hardware integrations.
- Maintain, secure, debug, measure, and improve the services.
- Prevent fraud, abuse, unauthorized access, and violations of our Terms.
- Administer accounts, subscriptions, institutional relationships, and support.
- Comply with law, enforce agreements, protect rights and safety, and resolve disputes.
- Send service, security, account, and legal notices. Marketing messages, where used, will include choices required by law.
Where applicable law requires a legal basis, we process information to perform our contract, pursue legitimate interests such as service security and improvement, comply with legal obligations, protect vital interests, or act with consent.
5. AI, Maps, Weather, and Hardware Integrations
Optional integrations can transmit data outside CorkBoard:
- An AI request may send selected script or project content to Google Gemini or a customer-configured proxy. Provider retention and model-training choices depend on the provider account and terms.
- Address-based weather and routing can send an address or coordinates, along with ordinary network information, to Nominatim/OpenStreetMap, OSRM, Open-Meteo, or related services.
- Google and Apple receive information when you use their sign-in services.
- Local hardware integrations may process device addresses and commands on your network. Network or server configuration can affect whether those details leave the device.
- External fonts, libraries, and content-delivery networks receive ordinary web-request data such as IP address, browser information, and requested resource.
Do not use an integration with confidential, regulated, student, or third-party material unless the relevant organization has approved the provider and terms.
6. Schools, Education Records, and Children
CorkBoard is not directed to children under 13 for independent registration. We do not knowingly collect personal information directly from a child under 13 without an authorized school arrangement or legally valid parental consent. Contact us to request deletion if you believe this occurred.
When a school uses CorkBoard to perform an institutional service, the applicable written agreement should define the school as controller of education records, permitted educational purposes, direct-control requirements, access, redisclosure, security, retention, deletion, and parent/student rights. CorkBoard uses school-managed records to provide the contracted service and not for targeted advertising.
Schools are responsible for determining whether and how FERPA, COPPA, state student-privacy laws, accessibility rules, and local policies apply before provisioning accounts or uploading education records. This Policy alone is not a school data-processing agreement or parental-consent mechanism.
7. Retention and Deletion
We retain account and content information while needed to provide the service, for the period directed by an organization, and as reasonably necessary for security, backups, fraud prevention, disputes, legal compliance, and enforcement. Retention varies by data type and account context.
Local-only information may remain on your device until you clear browser storage, remove the app, or delete it. Deleting active cloud content may not immediately remove encrypted backups or records that must be retained by law, but such data will remain protected and removed or isolated according to the applicable cycle.
Export important projects before requesting deletion. Contact support for access or deletion where an in-product control is unavailable. Organization-managed users may need to direct requests to their administrator.
8. Security
We use administrative, technical, and organizational measures designed to protect information, including authentication, role-based Firestore rules, transport protections, access controls, and backups where configured. No online service is completely secure. Protect your credentials, limit sensitive project fields, review team membership, and maintain independent backups of critical productions.
If we determine that a security incident requires notice, we will notify affected users, organizations, or authorities as required by applicable law.
9. Your Choices and Privacy Rights
Depending on your location and relationship with CorkBoard, you may have rights to request access, correction, deletion, portability, restriction, objection, or withdrawal of consent. You may also have a right to appeal a denied request or complain to a regulator.
Submit requests to support@corkboardstudio.com. We may verify your identity and authority. Authorized agents must provide legally sufficient authorization. Some information may be exempt or retained as permitted by law. Organization-managed account requests may be referred to the controlling organization.
You can manage certain information directly by editing projects, changing permissions, exporting data, signing out, clearing local browser storage, or declining optional integrations.
10. U.S. State Privacy Disclosures
The table in Section 2 describes categories of personal information collected, sources, purposes, and recipients. Depending on applicable state law, relevant statutory categories can include identifiers, customer records, commercial information, internet or electronic activity, approximate or precise location entered into project tools, education information, professional information, audio/visual content, and inferences generated from activity.
We do not currently sell personal information or share it for cross-context behavioral advertising. We do not knowingly sell or share the personal information of users under 16 for those purposes. We will not discriminate against you for exercising an applicable privacy right.
11. International Processing
CorkBoard and its providers may process information in the United States and other countries whose laws may differ from those where you live. Where required, an institutional agreement may include an approved transfer mechanism and additional regional terms. Do not deploy CorkBoard for regulated international use until the organization has completed its own legal and provider review.
12. Changes to This Policy
We may update this Policy as the service, providers, or law changes. We will update the date above and provide additional notice of material changes where required. Prior versions may be requested from support.