Privacy Policy

1. Introduction

UnlockGenius Inc. ("we," "our," or "us"), a California corporation, is committed to protecting your privacy and safeguarding student data. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our AI-powered educational tutoring platform ("the Service").

We comply with all applicable federal and state privacy laws, including the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Student Online Personal Information Protection Act (SOPIPA), California Assembly Bill 1584, and the Protection of Pupil Rights Amendment (PPRA). By accessing or using our Service, you agree to the data practices described in this Policy.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, password, date of birth, phone number
• Profile Information: Educational background, institution, major/specialization, occupation
• Address Information: Street address, city, state, zip code, country
• Emergency Contact: Contact name, relationship, phone number (optional)
• Payment Information: Credit card details (processed securely through Stripe; we do not store full card numbers)

2.2 Information Collected Automatically

• Usage Data: Pages visited, time spent, features used, learning session data
• Device Information: IP address, browser type, device identifiers, operating system
• Log Data: Server logs, error reports, diagnostic information
• Cookies & Similar Technologies: Session cookies, preference cookies, analytics cookies Cookie Settings

2.3 AI-Specific Data Collection

• Learning Analytics: Topics studied, time per subject, progress tracking, performance metrics
• Assessment Results: Quiz scores, practice exercise completion, skill level assessments
• Personalization Data: Detected learning style (visual/auditory/reading/kinesthetic), preferred teaching pace, identified knowledge gaps
• Conversation Data: Questions asked, AI responses, chat history

3. How We Use Your Information

• Provide and maintain our Service for authorized educational purposes
• Personalize your learning experience through AI, solely to support educational objectives
• Process payments and prevent fraud
• Send administrative updates and security alerts (marketing communications only with opt-in consent)
• Respond to your inquiries and support requests
• Analyze usage patterns to improve our educational platform
• Detect and prevent security threats or abuse
• Comply with legal obligations, including FERPA, COPPA, CCPA/CPRA, and SOPIPA
• Conduct research and develop new features (with aggregated, de-identified data only)

4. Student Data Protections

We recognize the particular sensitivity of student data and educational records. We maintain the following strict protections:

• No Sale of Student Data: We will never sell, rent, lease, or trade student data, personal information, or educational records to any third party.
• No Targeted Advertising: We will not use student data for targeted advertising or marketing to students, parents, or educational institutions.
• No Commercial Profiling: We will not create personal profiles of students for purposes other than supporting authorized educational purposes.
• Data Use Limitation: Student data is used solely for legitimate educational purposes as authorized by the educational institution, parent, or student (as applicable).
• Data Retention Limitation: We will not retain student data longer than reasonably necessary to fulfill authorized educational purposes or to comply with legal obligations.

5. How We Share Your Information

We do not sell your personal information. We may share information only in the following limited circumstances:

• Service Providers: Third-party vendors ("subprocessors") who help us operate our Service, subject to written data protection agreements requiring substantially similar protections. We maintain a current list of subprocessors and make it available to educational institutions upon request.
• Legal Requirements: To comply with laws, regulations, court orders, or government requests.
• Safety & Security: To protect rights, property, or safety of our users or the public.
• With Your Consent: When you explicitly authorize us to share specific information.

6. Third-Party Services & Subprocessors

We integrate with third-party service providers to deliver our platform. All subprocessors are subject to appropriate due diligence and written data protection agreements:

• AWS (Amazon Web Services): Cloud hosting, authentication, and infrastructure (SOC 2 compliant)
• Stripe: Payment processing (PCI-DSS compliant)
• Google (reCAPTCHA, Gemini AI): Bot protection and AI model services
• Sentry: Error tracking and performance monitoring

We remain responsible for the acts and omissions of our subprocessors with respect to student data. Educational institutions may request our current subprocessor list at any time by contacting privacy@unlockgenius.io.

7. Data Security

We implement and maintain commercially reasonable and industry-standard administrative, technical, and physical security measures to protect your data, including: encryption of data in transit using TLS 1.2 or higher; encryption of data at rest using industry-standard algorithms; multi-factor authentication for all administrative access; role-based access controls on a need-to-know basis; regular security audits, vulnerability assessments, and penetration testing; comprehensive incident response and data breach notification procedures; secure disposal procedures for data no longer needed; logging and monitoring of access to student data; and network security controls including firewalls and intrusion detection. We review and update our security measures at least annually. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

8. Your Privacy Rights

8.1 General Rights (All Users)

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate information
• Deletion: Request deletion of your personal data, subject to legal retention obligations
• Portability: Receive your data in a structured, commonly used format
• Opt-Out: Unsubscribe from non-essential communications
• Manage Cookies: Control cookie preferences via our Cookie Settings

8.2 Student & Parent Rights (FERPA)

• Parents of students under 18 (and eligible students 18 or older) have the right to inspect and review education records
• Request amendment of education records believed to be inaccurate, misleading, or in violation of the student's privacy rights
• Consent to disclosures of personally identifiable information from education records, except to the extent authorized by law
• File a complaint with the U.S. Department of Education regarding alleged FERPA violations

8.3 GDPR Rights (EU/UK Users)

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent

8.4 CCPA/CPRA Rights (California Residents)

• Right to know what personal information is collected, used, and shared
• Right to request deletion of personal information
• Right to opt-out of the sale or sharing of personal information (we do not sell personal information)
• Right to correct inaccurate personal information
• Right to non-discrimination for exercising your rights

We will respond to verifiable requests within 45 days, subject to permitted extensions under applicable law.

9. Children's Privacy (COPPA Compliance)

We take children's privacy very seriously. For services provided through schools, the school may consent on behalf of parents for students under 13, and we will use such children's personal information only for the educational purposes authorized by the school, consistent with COPPA requirements.

For services provided directly to families (outside of a school context), we obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13. Parents have the right to: review the personal information collected from their child; revoke consent and request deletion of their child's personal information; and contact us with questions about our information practices regarding their child.

10. School Data Processing Agreements

Before providing services to educational institutions, we execute written agreements that clearly define the parties' respective rights and obligations with respect to student data. These agreements designate us as a "school official" with "legitimate educational interests" under FERPA, specify the educational purposes for which student data may be used, address data retention and deletion obligations, and grant the educational institution audit rights over our compliance.

Educational institutions may request our standard data processing agreement template by contacting privacy@unlockgenius.io.

11. AI Transparency & Accountability

We are committed to transparent and responsible use of artificial intelligence in our educational platform. We maintain documentation of AI training data sources and publish information about how AI is used in our platform. We implement technical and procedural safeguards to identify and mitigate AI bias, including regular fairness audits. We provide clear disclosures when students are interacting with AI-generated content. We maintain human oversight for AI-generated educational content, assessments, and recommendations. AI systems do not make final decisions regarding student grades, academic advancement, or disciplinary actions without meaningful human review. We implement processes to detect and remediate AI errors or inappropriate outputs. We are committed to complying with all applicable AI transparency and accountability laws.

12. Data Breach Notification

In the event of a data breach or unauthorized access to student data, we will: take immediate steps to contain and mitigate the breach; conduct a prompt investigation to determine the scope and impact; notify affected educational institutions without unreasonable delay; provide notice to affected individuals as required by applicable law; notify applicable regulatory authorities as required; document the breach and remedial actions taken; and conduct a post-incident review to prevent future incidents.

13. Data Retention

We retain personal information only as long as reasonably necessary to fulfill authorized educational purposes or as required by law. Account data is retained while your account is active. Upon termination of a school agreement, or upon request, we will delete or return student data to the educational institution. After account deletion, we may retain limited data as required for legal compliance (e.g., transaction records). De-identified data that can no longer be associated with any individual may be retained for research and platform improvement.

14. Changes to This Privacy Policy

We review our privacy policies, terms of service, and compliance procedures at least annually. We will notify you of material changes via email or prominent notice on our Service. Continued use after changes constitutes acceptance. We will re-obtain consent where required by applicable law.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, contact our Privacy Officer: