DRAFT — This privacy policy is pending legal review and is subject to change.

Privacy Policy

Last updated: March 2026

Version 0.1.0-draft

LessonCraft ("we," "our," or "us") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

1. Information We Collect

Personal Information

We collect information you provide directly, including your name, email address, and role (student, teacher, or administrator).

Educational Records

We collect educational data such as course progress, grades, assessment results, and learning objectives to support your educational experience.

Usage Data

We automatically collect session data, IP addresses, user agent information, and interaction patterns to maintain and improve our services.

AI Interaction Data

When you use our AI tutoring features, we collect tutoring conversations and prompts to provide personalized educational support.

2. How We Use Your Information
  • Provide and maintain our educational services
  • Personalize your learning experience and adapt content to your needs
  • Improve our platform, features, and educational effectiveness
  • Communicate with you about your account, updates, and educational progress
  • Comply with legal obligations, including educational privacy regulations
3. Children's Privacy (COPPA)

LessonCraft complies with the Children's Online Privacy Protection Act (COPPA). We take additional steps to protect the privacy of users under the age of 13.

Consent Methods

  • Parent/Guardian Consent: When a child under 13 registers directly, we require verifiable parental consent via email verification before activating the account
  • School Consent Exception: Teachers may create student accounts for K-12 classroom use under COPPA's school consent exception, where data is used strictly for educational purposes

Data Collected from Children

  • First name and email (email only for self-registered accounts; teacher-created accounts use access codes)
  • Grade level for age-appropriate content
  • Learning progress including lesson completion, quiz scores, and time spent
  • AI tutoring interactions (personally identifiable information is stripped before sending to our AI provider for minors)
  • Session data (login times, IP address) for security — retained for 24 hours only

Data We Never Collect from Children

We do not collect geolocation data, photos, videos, audio recordings, contact lists, social media identifiers, or biometric data from children under 13.

Retention Periods for Children's Data

  • Session data: 1 day
  • AI tutoring conversations: 90 days
  • Learning progress and personal info: 1 year with active consent

Parent/Guardian Rights

  • Review all personal information collected about your child via the Parent Dashboard
  • Request deletion of your child's data at any time
  • Revoke consent, which will restrict the child's account and initiate data deletion
  • Download a machine-readable copy of your child's data (data portability)
  • Refuse further collection of your child's information

Third-Party Disclosures for Children's Data

We do not sell or share children's personal information for advertising or marketing purposes. AI tutoring data is processed by Google Gemini with personally identifiable information stripped for users under 13. Authentication data is processed by Supabase under a Data Processing Agreement.

COPPA Inquiries

For questions about our COPPA practices or to exercise your rights as a parent/guardian, contact us at privacy@lessoncraft.cc.

4. Student Privacy (FERPA)

Educational records on our platform are protected under the Family Educational Rights and Privacy Act (FERPA). Our commitments include:

  • Schools and educational institutions act as authorized agents for student data
  • Parents and eligible students have the right to review and request amendments to educational records
  • Student data is shared only with parties who have a legitimate educational interest
  • We maintain appropriate administrative, technical, and physical safeguards for educational records
5. Third-Party Services

We use the following third-party services to operate our platform. Each processes data in accordance with their own privacy policies:

  • Supabase — Database hosting and authentication services
  • Google Cloud Platform — Cloud hosting and AI infrastructure
  • Gemini AI — AI-powered tutoring and educational content generation
6. Data Retention

We retain your data only as long as necessary for the purposes outlined in this policy:

  • Session data: Up to 1 day
  • Learning progress: Up to 1 year
  • Personal information: Up to 1 year with active consent
  • Communications: 6 months

Data is deleted promptly upon revocation of consent, subject to any legal retention requirements.

7. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in transit using TLS
  • Row-level security policies on database tables
  • Role-based access control
  • Security headers including Content Security Policy (CSP) and CSRF protection
  • Regular security scanning and vulnerability assessments
  • Comprehensive audit logging
8. Your Rights

You have the following rights regarding your personal information:

  • Access the personal data we hold about you
  • Request correction of inaccurate information
  • Request deletion of your data
  • Withdraw consent for data processing at any time
  • Request data portability in a machine-readable format

To exercise any of these rights, please contact us using the information below.

9. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:

privacy@lessoncraft.cc

    LessonCraft™ - AI-Powered Educational Platform