CALIFORNIA STUDENT DATA PRIVACY AGREEMENT

2.1 What student data elements are collected?

• Identifiers: Name, email address (via Google Sign-In or email/password)
• Educational Records: Writing submissions, outlines, essay drafts, AI-generated feedback reports
• Progress Data: Mission completion status, scores, Brain Points (gamification currency)
• Usage Data: Activity logs, navigation patterns, session timestamps
• Preferences: Accessibility settings, TTS voice preferences, color themes

2.2 How is data collected?

• User input during registration and writing activities
• Google OAuth authentication (if selected)
• Automatic logging of application usage
• Teacher/admin input when inviting students

2.3 Is any data collected from third parties?

No. All student data is collected directly through the application or provided by the school/district during account setup.

3.1 How is student data used?

• Provide personalized writing instruction and AI feedback
• Track student progress and generate reports for teachers
• Enable accessibility features (TTS, color themes)
• Support classroom management for teachers/admins
• Improve service functionality and fix bugs

3.4 Is student data used for AI model training?

No. Student writing submissions are not used to train AI models. AI feedback is generated using Google Gemini API with data processed in real-time and not retained for training purposes.

4.1 With whom is student data shared?

4.2 Are subprocessors bound by data protection agreements?

Yes. All subprocessors (Google Cloud, Microsoft 365) maintain their own data processing agreements and comply with applicable data protection regulations.

5.1 What security measures are in place?

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption for data at rest (Firebase)
• Firebase Authentication with secure session management
• Role-based access controls (Learner, Teacher, Admin, Developer)
• Activity logging and audit trails
• No direct database access - all operations via Cloud Functions

5.2 What certifications does the infrastructure have?

Google Cloud Platform (Firebase) maintains: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA (with BAA), FedRAMP.

5.3 What is the breach notification policy?

In the event of a data breach, we will notify affected schools/districts within 72 hours of discovery, including details of the breach, affected data, and remediation steps.

6.1 How long is student data retained?

Student data is retained for the duration of the active account. Upon contract termination or deletion request, data is deleted within 60 days.

6.2 How can data be deleted?

• Individual Student: Administrators can use "Full User Wipe" to permanently delete all student data
• Bulk Deletion: Contact support for organization-wide data deletion
• Contract Termination: All data deleted within 60 days of termination

6.3 What data is deleted?

Full deletion includes: user profile, writing submissions, mission reports, activity logs, progress state, and optionally Firebase Authentication records.

7.1 How can parents access their child's data?

Parents should contact their school/district administrator, who can use the "Export User Data" feature to provide a complete data export in JSON format.

7.2 How can parents request data correction or deletion?

Parents should submit requests through their school/district. Administrators can modify student records or perform full data deletion using built-in tools.

7.3 COPPA Compliance for students under 13

For students under 13, the school/district provides consent on behalf of parents pursuant to the COPPA school consent exception (16 CFR § 312.5(c)(4)).

8.1 What accessibility standards are followed?

We are working toward WCAG 2.1 Level AA compliance and Section 508 conformance. Current features include keyboard navigation, focus management, screen reader support, and multiple color themes for color vision accessibility.

8.2 What accessibility features are available?

• Text-to-Speech with multiple voice options
• Color themes: Default, Deuteranopia-friendly, Protanopia-friendly, High Contrast
• Keyboard-accessible navigation and focus trapping in modals
• Semantic HTML structure with proper headings and landmarks