Privacy Policy
Last updated: May 24, 2026
What we collect
Account: email, display name, birthdate, parent/guardian email (for users 13–17). Learning data: lessons completed, XP earned, code you write in the editor, conversations with your AI tutor. Technical: IP address, browser, and device type for security/abuse prevention.
What we DON'T collect
We do not collect: real name (only display name), home address, phone number, school name, sensitive demographic data, or biometric data. We do not require a credit card to use the free tier.
How we use it
(1) Run your account and personalize your AI tutor; (2) detect safety/crisis signals in chat; (3) notify parents/guardians of safety events; (4) prevent abuse (rate limits, fraud); (5) understand product usage in aggregate. We do not sell your data. We do not show third-party advertising.
AI tutor and chat content
Your chat with the AI tutor is processed by Google Gemini. We screen messages for crisis indicators using OpenAI Moderation and regex pattern matching. We never store the raw text of your chat messages in our crisis incident log — only metadata (severity, source, timestamp) is logged. Memory the tutor builds about you is encrypted at rest with a per-user key.
COPPA — users under 13
We do not knowingly collect personal information from children under 13. Our signup flow blocks under-13 registration. If we learn that a child under 13 has registered, we delete the account and all associated data. If you are a parent and believe your under-13 child has registered, contact safety@stratoforce.ai.
Minors 13–17 — parental rights
Parents/guardians of users aged 13–17 can: (1) receive safety notifications about crisis events; (2) request a copy of their child's data; (3) request deletion of their child's account at any time. To exercise these rights, email safety@stratoforce.ai from the email address listed on the account.
Crisis safety notifications
If our system detects signs of self-harm or crisis in a student's chat, we automatically: (1) pause the chat and show 988/Crisis Text Line resources; (2) email the parent/guardian listed on the account; (3) log a metadata-only incident record. We do not include the original message content in the parent email.
Data retention
Active accounts: data retained while account is active. Closed accounts: deleted within 7 days of deletion request, with cryptographic erasure of memory keys (rendering encrypted memory permanently unreadable). Crisis incident logs: retained per legal/safety requirements, in metadata-only form.
Third parties
We use: Supabase (auth/database, US), Vercel (hosting, US), Google (Gemini AI, US), OpenAI (content moderation, US), Resend (email delivery, US), Cloudflare (DNS, CDN). Each is a data processor for us under their respective terms. We do not share data with any party for advertising.
Security
Memory content is encrypted per-user. Database access is restricted by Row-Level Security. We use TLS in transit, HMAC-signed cross-service webhooks, and 2FA-required admin access. Crisis logs never include raw chat content. We will notify affected users of any data breach within 72 hours of discovery.
Your rights
You can: (1) access your data at any time via your dashboard; (2) request a copy of all your data by emailing support@stratoforce.ai; (3) request deletion at any time; (4) opt out of non-safety communications.
Contact
Privacy questions: safety@stratoforce.ai.