For schools
Get a real cut, and keep every child’s photo on your own private system.
Pholio is school photography where the school is a paid party, not a passive host: a named cut of every sale, portraits that run on your own private system instead of a vendor cloud, identity resolved by your own roster, and consent enforced at the database.
What you get
The school gets paid
The four-way split gives the school a real, named share of every portrait sale — a line item, not a kickback. Final split percentages pending
On your own private system
Self-hosted in the school’s (or operator’s) own VPC: a child’s photos and face data are never sent to an outside AI or photo company, and identity resolves against your own roster, not a face match.
Consent gates the sale, in the data model
A portrait is sellable only when a valid consent record permits it. The unsellable case is impossible by construction — the constraint lives in the schema, not a policy someone has to police.
One photo of record
Every portrait ties to the single student record, so a child’s consent, photo, and roster entry are one thing — the same record the rest of the school’s systems already trust.
What picture day looks like when the school is a paid party
Whether your studio runs the day or you host it yourself, the roster stays yours and the money finally names the school.
- Your roster stays the source of truth. Portraits bind to the one student record, and the do-not-publish and under-13 flags travel with it — so a suppressed student is suppressed everywhere.
- The shoot runs on your own private system. A child’s photos and face data are never sent to an outside AI or photo company; the pipeline runs in your (or your operator’s) own VPC.
- Consent is checked before anything is sellable. A portrait without a valid consent record is simply not offered — there is no checkbox to forget, because the gate reads the consent record in code.
- Families find their child by a roster lookup. Name, grade, homeroom — a query the school already trusts, not a face match, and with no biometric template computed at all.
- The school takes a named cut of every sale. A real line item on the four-way split, on an exact-penny ledger — and the school stays the controller of its students’ images, not a photo vendor.
What’s live today, and what’s early access
The core capture pipeline and consent gate are live today. We mark the money model and the AI-assisted culling step as early access.
- The private-system capture pipeline, roster-lookup “find my child” with no biometric template, consent-gated parent galleries, and the single-school FERPA plus rep-PII walls. Shipped
- The consent gate — a portrait is sellable only when consent on file permits it, with do-not-publish and under-13 students suppressed end to end. Shipped
- The parent-facing portrait storefront and the four-way split that gives the school its named cut. Early access
- AI-assisted culling and cropping — in-VPC, off by default until the school (or its operator) configures its own encoder service. Early access
- The school-leg payout wiring — the ledger routes your leg today; the physical payout is the launch-critical follow behind it. Fast-follow
Honest on the money: the ledger routes the school’s leg and flips the order paid, but the school-leg payout wiring is the launch-critical fast-follow — we don’t claim dollars reach a school’s account today. These describe what the platform does now; the binding policy lives in-app.
Built for minors, honestly
What “privacy” has to mean when the subjects are children
School photography is the one place a child’s face becomes a product. Pholio is built so the protections are structural — enforced in the data model and the pipeline, not promised in a policy PDF.
- Consent is a database constraint, not a checkbox. A sale reads a valid consent record for that subject; if consent is missing, the photo is blocked by default, not by someone remembering to uncheck a box.
- Do-not-publish and under-13 are suppressed end to end. A flagged student never surfaces in a sellable gallery, a directory export, or a composite — the suppression follows the one record.
- No biometric template, ever. There is no faceprint to leak, subpoena, or sell, because none is computed. “Find my child” is a roster query the school already trusts, not surveillance.
- Guardians see only their own child. A parent claims their student by a claim code or a roster match and lands in a tenant-isolated, consent-gated gallery — never a vendor-wide pool of other people’s children.
- The school stays the controller. Your students’ images run on your own private system, never sent to an outside AI or photo company, and the same portraits flow into the directory, ID cards, and the yearbook.
- Honest about money on a minor’s image. Consent gates the sale before a dollar is ever possible; the school-leg payout wiring is the launch-critical fast-follow — we don’t claim dollars reach a school’s account today.
The same promise, every lane
Whichever lane you sit in, the promise holds: Pholio is self-hosted, so a child’s photos and face data are never sent to an outside AI or photo company — the pipeline runs on your own private system, in your own VPC. Families find their child by a roster lookup, not a face match, and there is no biometric template to leak or subpoena. A portrait is sellable only when a valid consent record permits it, and every sale splits four ways — with a real, named cut for the school. That is true for studios, schools, and photographers alike.