Privacy Policy

Who we are

GradeEarn is operated by [OPERATOR LEGAL NAME], with offices at [OPERATOR MAILING ADDRESS], San Antonio, Texas, United States. Contact: privacy@gradeearn.com. Phone: [OPERATOR PHONE]. This Privacy Policy explains how we collect, use, share, and protect personal information from children and their parents who use our learning service.

Children under 13 — COPPA notice

GradeEarn is designed for children. We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and the 2025 amendments effective April 22, 2026. We do not knowingly collect personal information from a child under 13 without verifiable parental consent (VPC). If you are a parent and believe your child gave us information without your consent, contact us immediately at privacy@gradeearn.com and we will delete it.

What we collect

We collect only what we need to provide the service:

• From the parent: email address (for VPC, account recovery, and required notices), encrypted password, IP address (security only), and a one-way hash of the IP at the moment of consent (audit trail).
• From the child: first name (no last name), birth year (no full date of birth — data minimization), grade, journal entries the child writes, homework notes the child types, timetable entries, task list, chat messages with the AI study buddy, practice answers and scores, and device identifiers strictly for internal operations (anti-fraud, account recovery).
• We do NOT collect: last name, full date of birth, home address, phone number, school name, biometric data (voice prints, face templates), photos of the child, contacts, or precise geolocation.

How we use each data type

Per FTC guidance, one-to-one mapping of what we collect to how it's used:

• Parent email → account login, password recovery, VPC, required compliance notices, optional weekly progress summary if consented.
• Child first name → personalize the in-app greeting and the AI study buddy's tone.
• Birth year → determine the age regime (under-13 → COPPA; 13-17 → light COPPA).
• Grade → serve grade-appropriate practice questions and worksheets.
• Journal / homework / timetable / tasks → provide the MySpace feature; show the child their own data; pass it to the AI buddy as context when the child asks the AI a question.
• AI chat messages → generate the AI buddy's reply; scan for safety signals; preserve for parent review per the retention schedule below.
• Practice answers and scores → personalize practice difficulty; show progress in the parent dashboard.
• Device identifiers → security only. Never used for advertising. Never sold.

Subprocessors and third-party sharing

We share data with the third-party processors listed in our Subprocessors page. We do not share child data with advertising networks, social media platforms, behavioral analytics services, or data brokers under any circumstance.

We use AI models from [AI MODEL PROVIDER NAME — e.g., OpenAI via Azure]. We have a Data Processing Agreement (DPA) with this provider that confirms: child conversations are not used to train AI models. Verify the current vendor list at /legal/subprocessors.html.

Parental rights

COPPA gives parents four rights, and we honor each of them:

1. Review — see all personal information we have on your child. Email privacy@gradeearn.com or use the "Export my data" button in the parent dashboard. We respond within 10 business days.
2. Delete — permanently delete your child's account and content. Use the "Delete account" button or email us. Deletion completes within 30 days end-to-end (including backups).
3. Refuse further collection — pause or stop the service at any time without explanation.
4. Revoke consent — withdraw a specific consent (e.g., extended chat retention, weekly emails) in the parent dashboard. Required consents (core service) cannot be revoked without deleting the account.

Verifiable Parental Consent (VPC) methods

Before an under-13 child can use the app, the parent must complete one of the FTC-approved VPC methods:

• Credit card $0.50 micro-charge (refunded immediately) via Stripe
• Knowledge-based authentication via [VENDOR — to be selected]
• Government ID scan via [VENDOR — to be selected]
• Manual phone/video call with our team (slow but always available as escape hatch)

Data retention

Per the 2025 COPPA Final Rule (effective April 22, 2026), indefinite retention is prohibited. We retain each data type only as long as needed:

• AI chat messages: 30 days (unless parent opts into extended retention)
• Journal entries: 1 year, or until parent or child deletes
• Homework notes: 1 year
• Tasks: 6 months
• Safety events: 3 years (legal compliance audit)
• Audit log: 7 years (SOX-style; protects child and operator)
• Consent records: 7 years
• Parent account: until parent deletes; we delete within 30 days of request including from all backups

Security

All data is encrypted at rest (AWS DynamoDB encryption-at-rest with AWS-managed keys) and in transit (TLS 1.2+). Passwords are stored as PBKDF2 hashes. Access to production data is limited to a single operator (Hamid Ali) for now; this will expand to a documented role-based access control system before the team grows beyond one. Continuous backups are enabled (DynamoDB PITR, 35-day window).

No behavioral advertising. Ever.

We do not show advertisements of any kind to children. We do not track children across other apps or websites. We do not enable behavioral profiling. The 2025 COPPA Final Rule effectively bans this practice for under-13s; we go further and refuse it entirely, regardless of age.

Contact us

Privacy questions, data requests, or concerns: privacy@gradeearn.com. Mailing address: [OPERATOR MAILING ADDRESS], San Antonio, TX. Phone: [OPERATOR PHONE]. We respond to parental requests within 10 business days (often much faster).

Changes to this policy

Material changes will be emailed to parents and shown in-app on next login. We require re-acceptance before the child can resume using the service. The version history is available at /legal/privacy.html and includes the effective date of every version.

Document version: 1 · Effective date: May 12, 2026 · Status: Pre-launch placeholder pending privacy lawyer review.

Related policies

• Terms of Service
• AI Disclosure (separate document — required for AI products)
• Acceptable Use Policy (kid-facing rules)
• Parent Agreement
• Subprocessors