aiStudyBuddy.academy ("we," "us," or "our") is committed to protecting the privacy of our users, especially children ages 5-18. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered educational tutoring Service.
We comply with the Children's Online Privacy Protection Act (COPPA) as amended in 2025 and take special precautions to protect the privacy of children under 13. This policy should be read together with our End User License Agreement (EULA).
Key Points: We never sell children's data, we use AI that may not be 100% accurate, we require parental consent for children under 13, and parents have full control over their child's information.
2. Information We Collect
2.1 Parent/Guardian Information
When you create an account, we collect:
Account Information: Email address, password (hashed with bcrypt)
Payment Information: Payment card details (processed and stored securely by Stripe; we do not store complete card numbers)
EULA Acceptance: IP address and user agent (for legal compliance when you accept our EULA)
2.2 Student Information (Children Ages 5-18)
IMPORTANT - Parental Consent Required: For students under 13, we only collect personal information with verifiable parental consent. By creating a student account, you (as parent/guardian) provide this consent.
With parental consent, we collect:
Required Information:
Student first name (no last name required)
Grade level and age
Learning preferences and educational goals
Automatically Collected During Use:
Tutoring Session Conversations: Complete conversation logs with the AI tutor (for progress tracking and parent review)
Assessment Data: Questions asked, student responses, scores, and performance metrics
All service providers are contractually required to:
Maintain confidentiality of student data
Implement appropriate security measures
Use data ONLY for providing services to us
Comply with COPPA and other privacy laws
Delete or return data upon termination of services
4.2 Legal Requirements
We may disclose information if required by law, court order, or governmental request, or to protect the rights, property, or safety of aiStudyBuddy.academy, our users, or the public. We will notify parents of any such disclosure unless prohibited by law.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction. We will notify you via email at least 30 days before any such transfer and provide options for account deletion.
5. Data Security (COPPA 2025 Requirements)
We maintain a Written Information Security Program (WISP) as required by COPPA 2025, which includes:
5.1 Technical Safeguards
Encryption in Transit: All data transmitted uses TLS/SSL encryption (HTTPS)
Encryption at Rest: Database encryption using AES-256
Secure Authentication: Passwords hashed with bcrypt, multi-factor authentication for admins
Access Controls: Role-based access limits who can view student data
Intrusion Detection: Automated monitoring for suspicious activity
5.2 Administrative Safeguards
Designated Security Coordinator: Responsible for security oversight
Employee Training: All personnel trained on data protection and COPPA compliance
Background Checks: For any personnel with data access
Incident Response Plan: Documented procedures for security breaches
5.3 Regular Testing and Audits
Annual Risk Assessments: Regular evaluation of security risks
Security Audits: Regular vulnerability assessments and penetration testing
Compliance Reviews: Periodic review of COPPA compliance measures
5.4 Data Breach Notification
If a data breach occurs affecting student information, we will:
Notify affected parents via email within 72 hours of discovering the breach
Describe the nature of the breach and what data was affected
Explain steps being taken to mitigate harm and prevent future breaches
Cooperate with law enforcement and regulatory authorities
Provide credit monitoring services if financial data was compromised
Important Security Note: While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your information.
6. Data Retention and Deletion
6.1 How Long We Keep Data
We retain student data only as long as necessary to provide the Service and comply with legal obligations:
Active Accounts: Data retained while account is active
Inactive Accounts: Accounts inactive for 12 consecutive months flagged for review
Deleted Accounts: Personal data removed within 30 days of deletion request
Session History: Retained for progress tracking; deleted with account
Legal Compliance: Some data may be retained as required by law (e.g., financial records for tax purposes)
6.2 What Gets Deleted
Upon account deletion, we delete:
Student profiles and learning preferences
Session conversation logs and uploaded materials
Assessment results and progress data
Parent account information
Payment information (except as required for tax compliance)
6.3 What Gets Retained
Aggregated, De-identified Data: Anonymous usage statistics for service improvement
Legal Records: Data required by law (financial transactions for 7 years per IRS requirements)
Dispute Resolution: Data necessary to resolve disputes or enforce agreements
7. Your Rights and Choices
7.1 Parental Rights Under COPPA (Children Under 13)
Parents and legal guardians have the following rights:
1. Right to Review:
Access and review all information collected about your child
View session transcripts, assessment results, and progress reports
How: Log in to your Parent Dashboard or
2. Right to Delete:
Request deletion of your child's personal information at any time
We will delete data within 30 days (or immediately upon request)
How: with "Delete Child Data" in subject
3. Right to Refuse Further Collection:
Withdraw consent for further data collection
Prevent future use of your child's information
How: Delete student profile or
4. Right to Access and Download:
Download all student data in portable format (JSON, CSV, PDF)
Includes session logs, assessments, progress reports
How: with "Data Export Request"
Response Time: We will respond to all parental rights requests within 5 business days.
7.2 All User Rights
Access Your Data: Log in to view your account information and student profiles
Update Information: Edit account details, student profiles, and preferences in your dashboard
Export Data: Request a copy of your data in machine-readable format
Delete Account: Request account deletion via settings or by contacting support
Opt-Out of Marketing: Unsubscribe from promotional emails (we don't send marketing to children)
7.3 How to Exercise Your Rights
with your request:
Subject Line Examples:
"COPPA Request - Review Child Data"
"COPPA Request - Delete Child Data"
"Data Export Request"
"Account Deletion Request"
8. AI-Specific Privacy Considerations
Our Service uses Artificial Intelligence (Google Gemini) to provide tutoring. Here's what you need to know:
8.1 How AI Processes Student Data
Real-Time Processing: Student conversations are sent to Google Gemini for generating responses
No Model Training: Student data is NOT used to train Google's AI models
Temporary Processing: Google processes data only for the duration of the tutoring session
No Retention by Google: Google does not retain student conversation data after processing
8.2 AI Limitations and Privacy
AI May Be Inaccurate: The AI may provide incorrect information or misunderstand questions
Content Moderation: We monitor sessions for inappropriate content but cannot guarantee 100% detection
No Human Review: Session transcripts are NOT routinely reviewed by humans (only in case of reported issues)
Parental Supervision Recommended: Parents should review session transcripts, especially for younger children
8.3 Safety Measures
AI is programmed with age-appropriate content filters
Automated detection of inappropriate requests or responses
Parents can report concerning AI interactions
Session transcripts available for parent review at any time
9. Cookies and Tracking Technologies
We use minimal cookies, and NO third-party advertising cookies:
9.1 Essential Cookies (Required)
Authentication: Keep you logged in during your session
Session Management: Maintain your preferences during use
9.2 Analytics (Optional)
We use anonymized analytics to understand how the Service is used and make improvements. This data is aggregated and cannot be linked to individual users.
9.3 What We Do NOT Use
❌ Third-party advertising cookies
❌ Social media tracking pixels
❌ Behavioral advertising networks
❌ Cross-site tracking
10. California Privacy Rights (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know: What personal information is collected, used, and shared
Right to Delete: Request deletion of personal information
Right to Opt-Out: Opt out of the sale of personal information (we do not sell personal information)
Right to Correct: Request correction of inaccurate personal information
Right to Limit: Limit use of sensitive personal information
Right to Non-Discrimination: Equal service regardless of privacy choices
To exercise these rights: with "CCPA Request" in the subject line.
11. International Data Transfers
Your information may be transferred to and processed in the United States where our service providers operate. By using the Service, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.
For European Users: If you are located in the European Economic Area (EEA), UK, or Switzerland, we comply with applicable data transfer requirements and use Standard Contractual Clauses where necessary.
12. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by:
Posting the updated policy on this page with a new "Last Updated" date
Sending an email notification to registered users
Displaying an urgent announcement on the Service
Providing a grace period (typically 30 days) to review changes
For changes affecting children under 13: We will obtain new verifiable parental consent before collecting any additional types of information not previously disclosed.
Your continued use of the Service after the grace period constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you may delete your account and request data deletion.
13. Children's Privacy - COPPA Summary
Our Commitment to Children's Privacy:
✅ Verifiable Parental Consent: Required for children under 13 before data collection
✅ Minimum Data Collection: We collect only what's necessary for tutoring services
✅ No Selling of Data: Student data is NEVER sold or rented to third parties
✅ No Targeted Advertising: We do not use student data for advertising purposes
✅ Parental Control: Parents can review, modify, or delete child data anytime
✅ Secure Storage: Written Information Security Program with designated coordinator
✅ Limited Retention: Data deleted when no longer necessary for educational purposes
✅ Service Provider Oversight: All vendors contractually bound to protect child data
✅ Breach Notification: Parents notified within 72 hours of any data breach