CozmicLearning — Privacy Policy
Last Updated: December 18, 2024
🔒 Your privacy matters to us. This Privacy Policy explains how we collect, use, protect,
and share your information when you use CozmicLearning.
1. Information We Collect
Account Information:
When you create an account, we collect:
- Name (first and last name)
- Email address
- Password (stored securely as a bcrypt hash, never in plain text)
- Date of birth (for age verification and COPPA compliance)
- Account type (student, parent/guardian, teacher)
Student Learning Data:
For students using the platform, we collect:
- Questions asked to the AI tutor
- AI-generated responses and explanations
- Assessment results, quiz scores, and practice problem performance
- Time spent learning on each subject and topic
- Subject and topic selections
- Character preferences (Everly, Nova, Lio, Jasmine, Theo)
- Progress tracking data (XP, levels, achievements, streaks)
- Study guides and notes created
Parent/Teacher Data:
For parents and teachers, we collect:
- Name and email address
- Access codes and student linking information
- Class and student management data (teachers only)
- Parent dashboard settings and preferences
Subscription & Payment Information:
- Plan type (Basic, Premium, or Trial)
- Billing frequency (monthly or yearly)
- Trial start and end dates
- Subscription status (active, cancelled, expired)
- Note: Credit card information is handled directly by Stripe and never stored on our servers
Usage & Session Data:
- Login and logout times
- Session duration and activity patterns
- Pages visited and features used
- Device type and browser information
- IP address (for security and fraud prevention)
2. How We Use Your Information
We use the collected information to:
- Personalize Learning: Adapt AI responses, difficulty levels, and content recommendations to each student's needs
- Track Progress: Monitor learning progress, generate reports, and provide insights to students, parents, and teachers
- Manage Subscriptions: Process payments, handle billing, manage trials, and send account-related communications
- Improve Our Service: Analyze usage patterns to enhance AI tutoring quality, fix bugs, and develop new features
- Ensure Safety: Moderate content for inappropriate material, detect misuse, and maintain a safe learning environment
- Comply with Laws: Meet legal obligations including COPPA requirements and data protection regulations
- Communicate: Send important updates, notifications, and educational content (with opt-out options)
3. Cookies & Session Management
We use secure session cookies to maintain your login state and
provide a seamless experience across the platform.
What We Store in Cookies:
- Login session identifier (encrypted)
- Character selection preferences
- Current XP, tokens, and level (for students)
- Learning progress tracking
Cookie Security: All cookies are marked as HttpOnly and Secure
to prevent unauthorized access and cross-site scripting (XSS) attacks. Session cookies expire when you
log out or after a period of inactivity.
We do not use tracking cookies for advertising or sell your data
to third-party advertisers.
4. Payment Processing & Security
All payment transactions are processed through Stripe, a
PCI DSS Level 1 certified payment processor that meets the highest security standards.
What This Means:
- Credit card numbers, CVV codes, and payment details are handled directly by Stripe
- We never see or store your full credit card information
- Payment data is encrypted in transit and at rest
- Stripe's security measures exceed industry requirements
We only store non-sensitive payment metadata like subscription type, billing frequency, and payment status.
5. Children's Privacy (COPPA Compliance)
CozmicLearning takes children's privacy very seriously and fully complies with the Children's
Online Privacy Protection Act (COPPA).
Age Verification:
All users must provide their date of birth during signup. This allows us to verify age and apply
appropriate privacy protections.
Parental Consent for Children Under 13:
Children under 13 years of age are required to sign up using a parent access code.
This ensures we obtain verifiable parental consent before collecting any personal information from
children under 13.
The parent must first create a parent account, receive a unique access code, and provide that code
to their child during signup. This mechanism ensures we have documented parental consent.
Information Collected from Children Under 13:
With parental consent, we collect:
- Name and email address (for account creation and communication)
- Date of birth (for age verification)
- Learning questions and AI-generated educational responses
- Progress data, assessment scores, and time spent learning
- Character and subject preferences
- Study guides and educational content created
Content Moderation & Safety:
All questions asked by students (regardless of age) are automatically moderated for inappropriate
content using:
- AI-powered content filtering
- Keyword detection for prohibited topics
- Pattern recognition for potential safety concerns
Parents are immediately notified via email if any flagged
content is detected from their child's account.
Parental Rights:
Parents have the right to:
- Review: Access all personal information collected from their child
- Delete: Request permanent deletion of their child's data at any time
- Revoke Consent: Withdraw consent and prevent further collection
- View Activity: See all questions their child has asked and responses received
- Control Access: Manage their child's account, set time limits, and restrict features
To exercise these rights, parents can use the parent dashboard or contact us at
jakegholland18@gmail.com.
6. Data Sharing & Third Parties
We do NOT sell, rent, or share student personal information with third parties for marketing purposes.
Limited Data Sharing:
We share data only with trusted service providers necessary to operate the platform:
OpenAI (AI Provider):
- Student questions are sent to OpenAI's API to generate educational responses
- Questions are moderated before being sent, to filter inappropriate content
- OpenAI processes data according to their API data usage policy
- Student names and personally identifiable information are NOT sent to OpenAI
Stripe (Payment Processing):
- Payment information for subscriptions (parents/teachers only)
- Student payment data is NEVER collected or shared
Email Service Provider:
- Email addresses for sending account notifications, progress reports, and platform updates
- Parents can opt out of non-essential communications
Legal Requirements:
We may disclose information if required by law, court order, or to protect the rights,
property, or safety of CozmicLearning, our users, or the public.
7. Data Retention & Deletion
We retain student learning data for as long as the account remains active to provide continuous
progress tracking and personalized learning experiences.
Account Deletion:
- Users can request account deletion at any time through account settings or by contacting us
- Upon deletion, all personal information is permanently removed within 30 days
- Some data may be retained longer if required by law (e.g., billing records for tax purposes)
- Anonymized usage data (with no personal identifiers) may be retained for analytics
Inactive Accounts:
Accounts inactive for more than 2 years may be automatically deleted after email notification
to the registered email address.
8. Data Security Measures
We implement multiple layers of security to protect your data:
- Password Protection: All passwords are hashed using bcrypt (an industry-standard one-way password hashing function)
- HTTPS Encryption: All data transmitted between your device and our servers is encrypted using TLS
- Secure Cookies: HttpOnly and Secure flags prevent unauthorized cookie access
- Input Validation: All user input is validated and sanitized to prevent SQL injection and XSS attacks
- Content Moderation: AI filtering and keyword detection prevent inappropriate content
- Access Controls: Role-based permissions ensure users only access their own data
- Regular Audits: Security reviews and updates to address emerging threats
- Database Security: Encrypted databases with restricted access
Important: While we implement strong security measures, no system is completely secure.
We cannot guarantee absolute security of data transmitted over the internet.
9. Your Privacy Rights
All users (or parents on behalf of children under 13) have the right to:
- Access: Request a copy of all personal information we have collected
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request permanent deletion of your account and all associated data
- Export: Download your learning data in a portable format
- Opt-Out: Unsubscribe from non-essential email communications
- Restrict Processing: Limit how we use your data in certain circumstances
To exercise these rights, contact us at jakegholland18@gmail.com
with subject line "Privacy Request - CozmicLearning".
We will respond within 30 days.
10. International Data Transfers
CozmicLearning is based in the United States. If you access the platform from outside the U.S.,
your information will be transferred to, stored, and processed in the United States.
By using CozmicLearning, you consent to the transfer of your information to the United States
and our handling of it in accordance with this Privacy Policy.
11. Updates to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology,
legal requirements, or other factors.
How We Notify You:
- Update the "Last Updated" date at the top of this page
- Email notification for significant changes
- In-platform notification upon next login
Continued use of CozmicLearning after updates constitutes acceptance of the revised Privacy Policy.
12. Contact Us
If you have questions about this Privacy Policy, COPPA compliance, data rights, or privacy practices,
please contact us:
Email: jakegholland18@gmail.com
Subject Line: Privacy Request - CozmicLearning
Response Time: We will respond to all privacy inquiries within 30 days.
For COPPA-related parental requests (review, delete, or revoke consent for child data),
please include your child's name and account email in your request for verification.