MySched
For schools

Data and security

The timetable data MySched uses, the data it does not request, and the school upload boundary.

The institution flow is built for published timetable data. It is not a student-information system.

Data in scope

MySched may process the school name, term, courses, sections, meeting days and times, rooms, and instructor names needed to publish the timetable. It also stores the authorized partner contact and submission metadata needed to run the partnership.

Do not upload:

  • student names, numbers, emails, or phone numbers;
  • grades, attendance, disciplinary, financial, or health records;
  • passwords, portal exports containing credentials, or access tokens; or
  • any document broader than the class timetable.

If a file contains student data by mistake, contact support@getmysched.com immediately and identify the school and filename. Do not send the private token in a public message.

Upload protection

  • Upload links contain a high-entropy token sent to the school contact.
  • MySched stores a SHA-256 hash of the token, not the clear token.
  • The upload claim is single-use and checks expiry in the same database operation.
  • Files are checked for size and type on the server.
  • Timetable files are stored in a private Supabase Storage bucket.
  • The browser receives only the public Supabase key and the opaque upload token; the service-role key stays inside the upload function.

Preview protection

Preview and confirmation links use the same opaque-token model. The public website calls narrow database functions that return only the submission metadata needed for review. Partner tables are not directly readable by anonymous visitors.

Search engines are told not to index upload and preview pages. That is useful hygiene, but the secret token—not noindex—is the access control. Treat the link like a password and forward it only to authorized reviewers.

Student privacy boundary

Publishing a timetable makes class meeting data available to students who select that school, term, and section. It does not give the school access to a student's MySched account or personal records.

Personal tasks, attendance, grades, notes, exams, reminders, and local app preferences stay outside the institution partner flow. See the Privacy Policy for the wider app and website disclosure.

Control and removal

The school owns its timetable data and can request a correction, replacement, unpublish, or partnership end at any time. Requests are verified with the authorized contact before changes are made.

Next steps

On this page