Privacy Policy (MVP)

Effective date: 2026-04-21
Last updated: 2026-06-11

This is a real but lightweight Privacy Policy designed for beta user testing. Have a lawyer review before broader rollout.


1. What We Collect

We collect information necessary to operate and improve the learning system.

A. User-provided data

  • Answers to questions
  • Search queries (e.g., noun/concept searches)
  • Feedback on questions and videos

B. System-generated data

  • Performance scores (correctness, alignment, estimated ability levels)
  • Progress tracking per concept/noun
  • Interaction logs (question attempts, video engagement)

Note: This system builds an adaptive educational profile per user — correctness tracking + concept mastery graphs constitute behavioral and cognitive inference data. Treat it as sensitive by design.

C. Technical data

  • Basic device/browser information
  • Session logs for debugging and reliability

2. How We Use Data

We use data to:

  • Deliver adaptive questions and feedback
  • Calculate learning progress and ability estimates
  • Improve question selection and calibration models
  • Debug and improve system performance

We do not use data for advertising.


3. Data Storage

  • Data is stored in a secure database system (including graph-based storage)
  • Data is linked to a user account or anonymous identifier
  • Data is retained while the account exists or until deletion is requested

4. Data Sharing

We do not sell personal data.

We do not share personal data with third parties except:

  • Infrastructure providers (hosting, database, deployment services)
  • AI service providers. To grade your answers and generate feedback, we send question text and your responses to a third-party AI provider (currently OpenAI). This provider does not use the data to train its models, and processes it under its standard API terms (which include a limited retention window for abuse monitoring).
  • When legally required (e.g., court order)

5. Educational Data Sensitivity

This system processes learning and performance data, which may be considered sensitive in educational contexts. We treat this data with care and restrict access to what system functionality requires.

What this means in practice:

  • Ability estimates (θ), scoring, and calibration parameters are internal — not surfaced to third parties
  • Concept mastery graphs are used only for personalizing the user's own experience

Deferred compliance (not yet applicable):

  • FERPA (US education regulation) — applies when formally adopted by schools
  • GDPR full program — applies when EU users scale
  • Parental consent systems — applies when minors are broadly involved at institutional scale

6. Data Deletion and De-identification

Users may request deletion of their data. Upon request:

  • Account data (name, email, username, date of birth, phone number, OAuth identifiers, and similar direct identifiers) will be permanently removed.
  • Learning history will, within a reasonable timeframe, either be deleted or irreversibly de-identified and retained only for measurement and content-quality research. Where we de-identify rather than delete, we remove direct identifiers from the records and permanently destroy the association with the original account. We do not retain any mapping that would allow the records to be re-linked.

De-identification is irreversible. Once your account is de-identified, we are unable to restore it or to provide you with a copy of the resulting records, because there is no longer any way to associate those records with you.

Backups. Erased data may survive in operational backup snapshots for up to 30 days following your erasure request. Backup snapshots are destroyed on our normal retention cycle, after which the erased data no longer exists in any system we control. We will not restore pre-erasure data from a backup unless required to do so by law.

Residual risk. Although we remove direct identifiers and permanently destroy the link to your account, no de-identification method can guarantee zero re-identification risk in every circumstance.

To delete your account: open Settings → Danger zone → Delete account permanently in the app. You can also contact the administrator if you cannot reach the in-product option.


7. Requesting a Copy of Your Data

You may request a copy of the personal data we hold about you — your profile, answer history, feedback and ratings, saved topics, and per-topic progress.

To make a request, contact the administrator from the email address associated with your account. We will verify the request and provide your data in a structured, machine-readable format (JSON) within 30 days.

This is how we honor data access and portability rights (e.g., GDPR Articles 15 and 20, CCPA). Requests are currently fulfilled by an administrator; there is no self-serve download in the app. Note that after deletion or de-identification (§6), we can no longer provide a copy, because the records are no longer linked to you.


8. Security

We use reasonable technical safeguards to protect data. However, no system is completely secure.


9. Children / Minors

If the system is used by minors:

  • It should be under supervision where legally required
  • Additional consent requirements may apply depending on jurisdiction

10. Changes

We may update this Privacy Policy. Continued use implies acceptance of changes.


Implementation references (repository)

These pointers are for legal review, school procurement review, and contributors auditing how this policy is operationalized. They are not part of the user-facing terms above.

  • profiling_ethics.md — the green / grey / red framework that governs what we will and will not infer or store about a user, and the two operational tests applied to new profiling features. §2 ("How We Use Data") and §5 ("Educational Data Sensitivity") above are the user-facing surface of those principles.
  • school_privacy_posture.md — current state of consent capture, deletion, export, sub-processor disclosure, and the open gaps. Source of truth for "do we actually do what this policy describes."
  • compliance_laws.md — the regulatory landscape (FERPA, COPPA, SOPIPA, GDPR, CCPA, PIPEDA, Law 25) this policy must stay inside.