Legal

Privacy Policy.

Effective April 19, 2026 · Version 2026-04-19

What we collect, why we collect it, and what you can do about it. We try to be boring about privacy — the less data we hold, the less we can lose.

We collect what's needed to run the app: your email, your progress, and — if you subscribe — billing details via Stripe. We don't sell your data, we don't use your work to train public AI models, and you can delete your account at any time.

01What we collect

Account information. When you sign up we collect the email address and (optionally) full name you provide, plus a hashed password.

Usage and progress.We store what topics you've studied, your practice attempts, AI grading results, and other progress so the Service can remember where you left off and surface review material.

Billing. If you subscribe, our payment processor (Stripe) collects and stores your card details directly; we receive only a customer ID, subscription status, and billing metadata — not your full card number.

AI interactions. When you use Teach It, Prove It, Practice, or AI grading, we send the minimum necessary context (including your prompts and any uploaded work) to our AI providers so they can generate a response.

Technical logs. Our servers log standard diagnostic information such as IP address, user agent, request path, and timestamps, which we use to operate and secure the Service.

02How we use your information

  • To provide, maintain, and improve the Service.
  • To authenticate you, personalize your experience, and remember your progress.
  • To process payments and manage subscriptions.
  • To respond to support requests and send transactional messages (receipts, password resets, security notices).
  • To detect, prevent, and investigate abuse, fraud, and security incidents.
  • To comply with legal obligations and enforce our Terms of Service.

03What we don't do

  • We do not sell your personal information.
  • We do not serve third-party advertising inside the Service.
  • We do not use your submitted work to train public, shared AI models. Our AI providers process inputs to generate responses under contracts that prohibit them from training on our customer data.

04Sharing with service providers

We share data with vendors that help us run the Service, only as needed for them to perform their function and under contractual confidentiality and security obligations. Today these include:

  • Supabase — primary database and authentication.
  • Stripe — subscription billing.
  • Anthropic — AI model inference for Practice, Teach It, Prove It, and FRQ grading.
  • Resend — transactional email.

We may also disclose information if required by law, to protect our rights or the safety of our users, or as part of a corporate transaction (merger, acquisition, or sale of assets), with notice where feasible.

05Cookies and local storage

We use a small number of first-party cookies and browser storage items that are strictly necessary to operate the Service — for example, the signed session cookie and your theme preference. We do not use third-party analytics or advertising cookies.

06Security

We take reasonable technical and organizational measures to protect your information — including TLS in transit, encryption at rest, scoped database access, short-lived signed session tokens, and least-privilege credentials for service providers. No system is perfectly secure, so we cannot guarantee absolute security, but we work hard to keep the attack surface small.

07Retention

We keep account data for as long as your account is active. When you delete your account we remove or anonymize your personal information within a reasonable period, except where we are required to retain records by law (e.g., tax and billing records). Backups may persist for a limited additional period but are not used for product purposes.

08Your choices and rights

Depending on where you live, you may have rights under laws such as the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), including the rights to access, correct, delete, or port your data, and to object to or restrict certain processing. To exercise these rights, use your account settings or the contact page; we will respond within the timeframe required by applicable law.

If you are in the EU/UK, our legal bases for processing are: (i) performance of a contract (providing the Service), (ii) our legitimate interest in operating and securing the Service, (iii) compliance with legal obligations, and (iv) your consent where explicitly requested.

09Children

The Service is designed for students age 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us information, contact us and we will delete it.

10International transfers

We operate in the United States. If you use the Service from outside the U.S., your information will be transferred to, stored in, and processed in the U.S. and other countries where our service providers operate, which may have data-protection rules different from those in your country.

11Changes to this policy

We may update this Privacy Policy from time to time. If a change is material we will give reasonable notice. Changes become effective on the “Effective” date shown at the top.

Privacy questions? Reach us at our contact page.