Privacy Policy
1. Scope and Purpose
This Privacy Policy (the "Policy") describes how Roots Charter High School ("Roots," "the School," "we," "us," or "our") collects, uses, discloses, and protects personal information through the public website located at rootshigh.org (the "Website"). Roots is a Utah public charter high school and Local Education Agency ("LEA") serving grades 9–12, operated by a Utah nonprofit corporation and authorized under Utah Code Title 53G, Chapter 5. For purposes of Utah law, Roots is a governmental entity and political subdivision of the State of Utah.
This Policy governs only information collected through the public Website. It does not govern:
- Student education records and student data, which are governed by the federal Family Educational Rights and Privacy Act ("FERPA"), the Utah Student Data Protection Act, and the School's separate student-data compliance instruments. See Section 9 (Children's and Student Data) for the controlling cross-references.
- Information you submit on third-party platforms that Roots links to but does not operate (for example, the donation platform, the learning management system, or state education portals). Those platforms maintain their own privacy policies, which govern your use of them.
Where this Policy and any School student-data instrument (the Data Governance Plan, Annual FERPA Notice, Directory Information Notice, Data Collection Notice, Metadata Dictionary, or IT Security Policy) address the same subject, the student-data instrument controls as to student education records, and this Policy controls as to general Website operations.
In this Policy, "personal information" means information that identifies, relates to, or could reasonably be linked with a particular individual, as collected through the Website.
Nothing in this Policy waives, limits, or expands any immunity, defense, or limitation available to the School as a governmental entity under the Utah Governmental Immunity Act, Utah Code Title 63G, Chapter 7, or under any other applicable law.
2. Information We Collect
Roots collects the following categories of information through the Website, and no others.
2.1 Information You Provide Through Forms
The Website hosts native web forms used to request information, express interest, or sign up for communications. Depending on the form, we collect the information fields presented on that form. Across the Website's forms, the categories of information collected are:
- Enrollment / admissions interest: prospective student name, parent or guardian name(s), email address, telephone number, and any details you choose to provide about your interest. The public Website does not host an online enrollment application at launch; if and when an online enrollment application is enabled, any student information it collects will be handled under the School's Data Governance Plan and FERPA framework rather than this Policy (see Section 9).
- Tour requests: name, email address, telephone number, and any scheduling details you provide.
- Contact / general inquiry forms: name, email address, telephone number, and the contents of your message.
- Volunteer inquiries: name, email address, telephone number, and information about your interest or availability.
- Governing board seat inquiries: name, email address, telephone number, and information you provide in support of your interest.
- Newsletter / email signup: name and email address.
You are not required to provide personal information to browse the Website's general informational content. Information is collected only when you choose to submit a form. Some fields on a form may be required to process your request; required fields are indicated on the form.
2.2 Information Collected Automatically (Server Logs)
When you visit the Website, our hosting provider automatically records standard technical information for security, diagnostics, and operation of the Website. This may include your Internet Protocol ("IP") address, browser type and version, device and operating system information, referring and exit pages, the pages you view, and the date and time of your visit. This information is generated by the operation of the Website and its hosting infrastructure and is not used to identify you personally except as necessary to investigate security incidents, prevent abuse, or comply with law.
2.3 Cookies and Similar Technologies
A cookie is a small text file stored on your device by your browser. The Website may use:
- Strictly necessary cookies and similar technologies required for the Website to function, maintain security, and remember basic preferences (such as a selected site language). These are essential and cannot be disabled through the Website without impairing functionality.
- Analytics cookies and identifiers, if and when the School enables web analytics (see Section 2.4), used to understand aggregate Website usage and improve content and navigation.
You can control or disable cookies through your browser settings. Most browsers allow you to refuse or delete cookies; doing so may affect some Website features. Where required by applicable law, the School will obtain consent or provide an opt-out mechanism before deploying non-essential cookies.
2.4 Web Analytics (If Enabled)
The School may use a web analytics service to measure aggregate, de-identified or pseudonymized usage of the Website (for example, page views, traffic sources, approximate geographic region, and device categories). The analytics provider, if enabled, is expected to be Google Analytics 4 (GA4). Analytics data is used in aggregate to evaluate and improve the Website and is not used to build advertising profiles of visitors or to sell personal information. Where an analytics provider is used, it may set cookies or process IP-derived data as a processor on the School's behalf, subject to that provider's terms. The School configures analytics to limit data collection to what is reasonably necessary for these purposes.
2.5 What We Do Not Collect on the Website
For clarity:
- We do not process payments or donations on the Website. Donations are handled entirely off-site by a third-party provider (Give Butter) at the point of donation. Donor payment information and donor personal information are collected and processed by that provider on its own platform under its own privacy policy. Roots does not collect, transmit, or store payment-card data through the Website. See Section 3.4.
- Except for the newsletter signup, which submits your name and email address to our email service provider (see Section 3.3), and any analytics provider the School enables (see Section 2.4), we do not embed third-party tracking widgets, social-media pixels, or advertising networks on the Website.
- We do not embed the external learning, assessment, mapping, or calendar tools listed in Section 6; we link to them, and (for calendar) sync data into our own content system without embedding the third party's frame.
- We do not knowingly collect more information than the operative form fields and automatic technical data described above.
3. How We Use Information, and Third-Party Processors
3.1 Purposes of Use
We use information collected through the Website to:
- respond to your inquiry, request, or message (enrollment interest, tours, contact, volunteering, board-seat interest);
- send the email newsletter and related communications you request, and allow you to unsubscribe;
- operate, secure, maintain, and improve the Website;
- detect, prevent, and respond to security incidents, fraud, abuse, or technical problems; and
- comply with applicable law and the School's legal obligations as a Utah governmental entity, including records-retention and public-records obligations.
We use the information for the purpose for which you provided it and for the compatible operational purposes above. We do not use Website-collected personal information for automated decision-making that produces legal or similarly significant effects.
3.2 Legal Bases / Authority
As a Utah public LEA, Roots collects and uses this information to carry out its educational mission and public functions and to operate its official Website. Information you submit through a form is used on the basis of your request and submission.
3.3 Service Providers / Processors We Actually Use
Roots uses the following third-party service providers ("processors") in operating the Website. Each processes information only as needed to provide its service:
ProviderRoleInformation involvedWebflowWebsite host and platform; processes form submissions and server-log/technical data on the School's behalfForm submissions; automatically collected technical data (Section 2.2)ConvertKitEmail/newsletter service provider; manages newsletter list and deliveryName and email address of newsletter subscribersGoogle (Google Analytics 4)(if enabled — see Section 2.4)Aggregate web analyticsUsage data; cookies/identifiers; IP-derived data as configured
Give Butter (off-site donations) is addressed separately in Section 3.4 and is not a Website processor; the donation transaction occurs off the Website, and Roots does not process donor payment data.
These providers are authorized to use the information only to provide their services to Roots and are not authorized to use it for their own independent marketing. Each provider maintains its own privacy policy governing its services.
3.4 Off-Site Donations (Give Butter)
When you choose to donate, you are directed to Give Butter, a third-party donation platform, where the donation transaction occurs off the Roots Website. Give Butter collects and processes your donation information, including payment information, under its own terms and privacy policy. Roots does not receive or store your payment-card information. Roots may receive donor name and contact details from the platform for acknowledgment and recordkeeping purposes. Review Give Butter's privacy policy before submitting information on that platform.
3.5 Disclosures Required by Law; Public Records (GRAMA)
As a Utah governmental entity, Roots is subject to the Government Records Access and Management Act ("GRAMA"), Utah Code Title 63G, Chapter 2. Information the School holds — including certain information submitted through the Website — may constitute a government record subject to GRAMA's access, classification, and retention provisions, and may be subject to disclosure, protection, or retention as GRAMA requires. Personal information submitted through the Website may be classified as private or protected under GRAMA (for example, under Utah Code §§ 63G-2-302 and 63G-2-305) and handled accordingly, and the School responds to records requests within the timeframes set by Utah Code § 63G-2-204. The School may also disclose information when required by law, subpoena, court order, or other legal process, or to protect the rights, safety, or security of the School, its community, or the public. For how to make a public-records request, and for the School's designated Records Officer, see the School's [link: GRAMA Notice / Public Records Request] page. Nothing in this Policy enlarges or restricts any right or obligation under GRAMA.
3.6 No Sale of Personal Information
Roots does not sell personal information, and does not share it for cross-context behavioral advertising. We do not exchange personal information collected through the Website for monetary or other valuable consideration. We do not rent or trade Website visitor information to third parties for their own marketing.
4. Online Tracking, "Do Not Track," and Global Privacy Signals
Some browsers offer a "Do Not Track" ("DNT") setting and some support a "Global Privacy Control" ("GPC") or similar signal. There is no industry- or legal-consensus standard for how operators must respond to these signals. Because Roots does not use the Website to track visitors across third-party websites over time and does not sell or share personal information for advertising, the Website does not currently respond differently to DNT or GPC signals. Roots does not authorize third parties to collect personally identifiable information about your online activities across different websites through the Website. This disclosure is provided as a matter of best practice, consistent with the California Online Privacy Protection Act ("CalOPPA"), Cal. Bus. & Prof. Code § 22575(b).
5. How Long We Keep Information (Retention)
Roots retains personal information collected through the Website only as long as reasonably necessary for the purpose for which it was collected, and thereafter as required by the School's records-retention obligations as a Utah governmental entity under GRAMA (Utah Code Title 63G, Chapter 2) and applicable State Archives retention schedules. In general:
- Form submissions (inquiries, tour, contact, volunteer, board-seat) are retained while we act on your request and for the period required by applicable records-retention rules, then disposed of in accordance with those rules.
- Newsletter subscription data is retained until you unsubscribe or the School discontinues the newsletter, after which it is removed from active mailing use in accordance with the provider's processes and applicable retention rules.
- Server logs and analytics data are retained for a limited period appropriate to security and diagnostic purposes and to the analytics provider's configured retention period.
6. External Links and Synced Content
The Website provides links to third-party resources for the convenience of students, families, and the public, including the learning management system (Canvas / instructure.com), the student information / assessment systems (Aspire / aspire.k12.us and Renaissance / renaissance.com), Utah state education portals, a Google Maps location link, and similar resources. These are outbound links; the linked services are operated by third parties under their own privacy policies, and this Policy does not govern them. We encourage you to review the privacy policy of any third-party site you visit.
The Website displays School calendar events that are synced from the School's Google Calendar into the Website's content system. The School does not embed Google's calendar frame on the Website; only event data is brought into the Website's own content. Outbound links and synced calendar content do not cause Roots to collect personal information about you beyond what is described in Section 2.
7. Security
Roots maintains administrative, technical, and physical safeguards designed to protect personal information collected through the Website against unauthorized access, use, alteration, disclosure, or destruction. The Website is served over encrypted connections (HTTPS/TLS). Form data and technical data are processed by our hosting and service providers under their respective security programs. The School's internal information-security controls are governed by the School's [link: IT Security Policy].
No method of transmission over the Internet or method of electronic storage is completely secure. While we use reasonable measures to protect personal information, we cannot guarantee absolute security. Do not transmit sensitive information through general Website forms; use the appropriate official channel for sensitive matters. Nothing in this Section waives or limits any immunity or limitation available to the School under the Utah Governmental Immunity Act (Utah Code Title 63G, Chapter 7).
8. Your Choices and Rights
You have the following choices regarding information you provide through the Website:
- Email / newsletter: You may unsubscribe at any time using the unsubscribe link in any newsletter email, or by contacting us using the information in Section 11.
- Form submissions: You may contact us to ask what Website-form information we hold about you, to request correction, or to request deletion, subject to the School's legal and records-retention obligations under GRAMA and applicable law.
- Cookies: You may control cookies through your browser settings (Section 2.3).
Utah Consumer Privacy Act (UCPA). The Utah Consumer Privacy Act (Utah Code Title 13, Chapter 61) imposes obligations on certain for-profit "controllers" and "processors" doing business in Utah. The UCPA expressly excludes governmental entities from its obligations (Utah Code § 13-61-102(2); "governmental entity" as defined by reference to Utah Code § 63G-2-103). As a Utah governmental entity, Roots is not a "controller" subject to the UCPA's business obligations. Accordingly, the consumer-request rights created by the UCPA do not apply to Roots. The choices described in this Section, together with your rights under GRAMA and, for student records, under FERPA and the Utah Student Data Protection Act (Section 9), are the avenues available to you.
General Data Protection Regulation (GDPR). Roots is a Utah public school serving a local Utah community and does not target its Website to individuals in the European Union or the European Economic Area. The EU General Data Protection Regulation is not applicable to the Website. If you access the Website from outside the United States, you do so on your own initiative and are responsible for compliance with local law; your information will be processed in the United States.
9. Children's and Student Data
Roots is a high school serving grades 9–12 (students typically ages 14–19). Most students are 13 or older. The public Website is general-audience and is not directed to children under 13, and Roots does not knowingly collect personal information from a child under 13 through the Website's public forms.
COPPA. The Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) and its implementing Rule (16 C.F.R. Part 312) govern the online collection of personal information from children under 13. Because the public Website is directed to a general audience (prospective and current families, donors, and the community) and not to children under 13, the School does not knowingly collect personal information from children under 13 on the public Website. If you believe a child under 13 has provided personal information through the public Website, contact us using Section 11 and we will take reasonable steps to delete it. In the educational context, where an operator collects student personal information for a school-authorized educational purpose, the FTC's guidance permits a school to authorize that collection on a parent's behalf; this concept is FTC COPPA FAQ guidance and was not codified as a lettered subsection in the 2025 amended COPPA Rule. Any such school-authorized educational data collection is addressed through the School's student-data instruments and FERPA framework, not this Website Policy.
Student education records and student data are not governed by this Policy. Student information is governed by the following federal and Utah authorities and the School's separate, controlling compliance instruments, which this Policy incorporates by reference and does not restate or modify:
- FERPA — Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 C.F.R. Part 99. See the School's [link: Annual FERPA Notice] and [link: Directory Information Notice].
- PPRA — Protection of Pupil Rights Amendment, 20 U.S.C. § 1232h (parental rights regarding certain surveys, instructional materials, and examinations). See the School's [link: PPRA Notice].
- Utah Student Data Protection Act — Utah Code § 53E-9-301 et seq. (LEA data governance, student data manager, and data-sharing limitations). See the School's [link: Data Governance Plan], [link: Data Collection Notice], and [link: Metadata Dictionary].
- Information security for student data — see the School's [link: IT Security Policy].
If anything in this Policy appears to conflict with the School's student-data instruments as to a student education record, the student-data instrument controls. Questions about student records, FERPA rights, directory-information opt-outs, or student-data privacy should be directed to the School's designated student-data and FERPA contacts identified in those instruments, not through general Website forms.
10. Changes to This Policy
Roots may update this Policy from time to time to reflect changes in our practices, technology, the Website's features, or the law. When we make a material change, we will revise the Effective Date (and the Last Updated date) above and, where appropriate, post a notice on the Website. The dated version published on the Website is the operative version as of its effective date. We encourage you to review this Policy periodically. Consistent with the School's website compliance practice, this Policy is updated before any new data-processing feature or integration goes live on the Website.
11. Contact Us
For questions about this Policy or about information collected through the Website:
Roots Charter High School
2250 S 1300 W, Suite D
West Valley City, UT 84119
Phone: 385-715-2591
Email: info@rootshigh.org
For accessibility of this page or assistance with this notice (Section 504 Coordinator and accessibility point of contact):
Alisa Muhlestein · alisa@rootshigh.org · 385-715-2591 ext. 121
For matters of nondiscrimination and civil rights, including Title IX, see the School's standalone [link: Notice of Nondiscrimination], which identifies the School's designated civil-rights officials. For public-records requests (GRAMA), see the School's [link: GRAMA Notice / Public Records Request] page and its designated Records Officer. For student-records and FERPA matters, see the contacts named in the School's [link: Annual FERPA Notice] and [link: Data Governance Plan].
References
- Children's Online Privacy Protection Act — 15 U.S.C. §§ 6501–6506; COPPA Rule, 16 C.F.R. Part 312 (as amended eff. June 23, 2025; general compliance date Apr. 22, 2026). Note: the 2025 amended Rule did not codify an ed-tech / school-authorization provision; school authorization for educational-purpose collection rests on FTC FAQ guidance, not a codified Rule subsection.
- Family Educational Rights and Privacy Act (FERPA) — 20 U.S.C. § 1232g; 34 C.F.R. Part 99.
- Protection of Pupil Rights Amendment (PPRA) — 20 U.S.C. § 1232h; 34 C.F.R. Part 98.
- Utah Student Data Protection Act — Utah Code § 53E-9-301 et seq. (incl. §§ 53E-9-303, 53E-9-308).
- Utah Consumer Privacy Act — Utah Code Title 13, Chapter 61 (governmental-entity exclusion at § 13-61-102(2); "governmental entity" per § 63G-2-103). Not applicable to Roots. (Chapter under amendment in the 2026 General Session — verify section numbering at publication.)
- Government Records Access and Management Act (GRAMA) — Utah Code Title 63G, Chapter 2 (incl. §§ 63G-2-204, 63G-2-302, 63G-2-305).
- Utah Governmental Immunity Act — Utah Code Title 63G, Chapter 7.
- Utah charter school / LEA authorization — Utah Code Title 53G, Chapter 5.
- California Online Privacy Protection Act (CalOPPA), "Do Not Track" disclosure — Cal. Bus. & Prof. Code § 22575(b).
- Section 504 of the Rehabilitation Act — 34 C.F.R. § 104.7 (coordinator/grievance, 15+ employees); ADA Title II — 28 C.F.R. § 35.107 (coordinator/grievance, 50+ employees).
- Title IX — 34 C.F.R. Part 106 (2020 Rule currently in force); Tennessee v. Cardona, No. 2:24-cv-00072 (E.D. Ky. Jan. 9, 2025) (nationwide vacatur of 2024 Title IX Rule).
- EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 — referenced as non-applicable.
This Policy governs the public rootshigh.org Website only and is subordinate to the School's student-data instruments as to student education records.