Privacy Policy

1. Overview & Scope

This Privacy Policy describes how BMcks Apps ("we," "us," "our") collects, uses, and protects information when students, parents, and teachers use SmartTutor at bmcksos.polsia.app/smarttutor.

SmartTutor is an AI-powered educational tutoring platform designed for students. It provides AI chat tutoring, quizzes, flashcards, study plans, and other learning tools. This policy is specifically designed to meet the requirements of:

• COPPA — Children's Online Privacy Protection Act (applies to users under 13)
• FERPA — Family Educational Rights and Privacy Act (applies when used by educational institutions)
• General Data Minimization Principles

2. COPPA Compliance — Children Under 13

Age Gate & Parental Consent

On first visit, SmartTutor asks users to confirm their age. Users who indicate they are under 13 years old are required to obtain verifiable parental consent before accessing any features. Until consent is received:

• No data is collected from the minor beyond the age gate response
• No AI features are accessible
• No tracking of study activity occurs

Parental Consent Process

1. The child enters a parent or guardian's email address
2. We send a consent email to that address with a verification link
3. The parent reviews this Privacy Policy and clicks "I Give My Consent"
4. Access is granted only after the parent clicks the verification link

What We Do NOT Collect from Children Under 13

• Full name, home address, phone number
• Photos, videos, or audio recordings
• Precise geolocation
• Persistent identifiers used to track across websites
• Any information not strictly necessary for the educational service

Parental Rights Under COPPA

Parents and guardians may, at any time:

• Review personal information collected from their child by contacting us
• Revoke consent and have their child's information deleted
• Refuse to permit further collection of their child's information

To exercise these rights, see Section 9: Parent & Student Rights.

3. FERPA Compliance — School Use

SmartTutor as a School Official

When schools or districts adopt SmartTutor as an educational tool, we operate as a "school official" under FERPA, meaning we:

• Use student education records only for the legitimate educational purpose of providing tutoring services
• Do not disclose education records to third parties without written consent from the eligible student or parent/guardian
• Maintain appropriate security controls over student data
• Comply with all applicable FERPA requirements

Education Records

FERPA defines education records as records that are directly related to a student and maintained by an educational agency or institution. In SmartTutor, this includes:

• Quiz scores and performance data associated with a student
• Classroom enrollment records (when using the classroom feature)
• Assignment completion records
• Progress tracking data submitted to a teacher dashboard

Access Controls & Audit Logging

SmartTutor maintains an audit log of all significant data access events, including:

• When student data is accessed or exported
• Parental consent grant and revocation events
• Data deletion requests and their processing
• Teacher access to classroom student data

These logs are retained for a minimum of one year and are available to authorized school administrators upon request.

Data Export for Schools

Schools and parents can request a complete export of a student's data at any time. See Section 9 for the request process. We will respond within 30 days.

4. Data We Collect

SmartTutor is designed with data minimization as a core principle. Most study data is stored locally on the user's device and never transmitted to our servers.

Data Stored Locally (on Device Only)

The following data is stored in the browser's localStorage and never sent to our servers:

• Selected subjects and academic level preferences
• XP (experience points), streak counts, and leaderboard scores
• Flashcard decks created by the user
• Study plan notes
• AI conversation history (chat messages)
• Age verification status and consent status

Data Sent to Our Servers

What We Never Collect

• Student's real name (unless voluntarily provided to a classroom)
• Home address
• Phone number
• Photos or video
• Social security number or government ID
• Financial information

5. How We Use Data

We use the limited data we collect strictly for these purposes:

• Providing the service — AI tutoring responses, quiz generation, flashcard creation
• Parental consent management — COPPA compliance for under-13 users
• Teacher dashboards — allowing teachers to see class-wide progress when students join a classroom
• Security and fraud prevention — protecting against abuse
• Legal compliance — FERPA audit logging

6. Data Sharing & Third Parties

AI Provider

SmartTutor uses an AI language model (via an intermediary proxy) to generate tutoring responses. Message content is transmitted to this provider for processing. The provider does not retain message content and does not use it for training. No personally identifiable student information is included in AI requests.

Email Service

We use Brevo (Sendinblue) to send transactional emails (parental consent verification, data deletion confirmations). Brevo receives email addresses only for the purpose of sending these emails.

No Sale of Data

We do not sell, rent, or trade student personal information. Period.

Law Enforcement

We may disclose information if required by law, court order, or to protect the safety of users or the public. We will notify affected parties where legally permitted.

7. Data Retention & Deletion

Deletion Process

Data deletion requests are honored within 45 days per COPPA requirements. Upon receipt of a verified deletion request:

1. Classroom progress data is immediately deleted
2. Consent records are marked as revoked
3. A confirmation email is sent to the requesting parent or guardian
4. Any remaining data in backup systems is purged within 45 days

8. Security

We implement appropriate technical and organizational measures to protect student data:

• HTTPS — all data in transit is encrypted via TLS
• Parameterized queries — all database queries use parameterized statements to prevent SQL injection
• Access controls — teacher data access requires authentication; student data is isolated by student ID
• Audit logging — all significant data access events are logged for FERPA compliance
• Minimal data collection — we don't store what we don't need
• Secure tokens — parental consent tokens are cryptographically random (384-bit entropy)

In the event of a data breach, we will notify affected schools, parents, and users within 72 hours of discovery as required by applicable law.

9. Parent & Student Rights

Rights Under COPPA (for children under 13)

• Right to review — request a copy of all data collected about your child
• Right to delete — request deletion of your child's data at any time
• Right to revoke — revoke previously given consent
• Right to refuse — refuse further data collection going forward

Rights Under FERPA (when used by a school)

• Right to inspect — inspect and review education records
• Right to amend — request correction of inaccurate or misleading records
• Right to consent — consent to disclosure of education records to third parties
• Right to file a complaint — file a complaint with the U.S. Department of Education

How to Exercise Your Rights

Use the data deletion form within SmartTutor, or contact us directly:

We respond to all requests within 30 days. For COPPA deletion requests, data is removed within 45 days of verification.

10. School District Adoption

Schools and districts that adopt SmartTutor as an official educational tool may enter into a Data Processing Agreement (DPA) with us. The DPA formalizes:

• Our role as an authorized school official under FERPA
• The specific data elements collected and their purposes
• Security standards and breach notification procedures
• Data deletion timelines aligned with the school's retention policy
• Parent notification procedures for data practices

To request a DPA or discuss district-wide adoption, contact us at info@bmcksapps.com.

School's Responsibilities

Schools using SmartTutor are responsible for:

• Obtaining appropriate parental consent (or confirming students are 13+) before assigning SmartTutor for classroom use
• Notifying parents of the use of SmartTutor as part of their annual FERPA notification
• Ensuring only authorized teachers access the Teacher Dashboard

11. Contact Us

For privacy questions, data requests, or to report a concern:

If you believe we have not adequately addressed your concerns, you may file a complaint with the Federal Trade Commission (FTC) at ftc.gov/coppa or the U.S. Department of Education at studentprivacy.ed.gov.