Privacy Policy

1. Information We Collect

1.1 Teacher Information

When a teacher creates an account, we collect:

• Email address
• Display name
• Authentication credentials (password hash or Google OAuth token)

Each teacher is assigned a unique 5-character access code used by students to join their class.

1.2 Student Information

Student accounts are created under teacher supervision. We collect the minimum information necessary to operate the Service:

• First name
• Last initial (single letter)
• Emoji-based password (two emojis selected by the student, stored as a text code)

We do not collect email addresses, phone numbers, physical addresses, photographs, or any other personal contact information from students.

1.3 Tutoring Session Data

During each tutoring session, we collect:

• Conversation transcripts. Text records of what the student said (as transcribed from speech) and the AI tutor's responses.
• Whiteboard content. Descriptions and visual data generated by the AI tutor during the session.
• Learning analytics. AI-generated assessments including identified mathematical misconceptions (mapped to Common Core standards), metacognitive skill observations, lesson progress, and slide completion status.
• Session metadata. Start time, end time, lesson identifier, and lesson title.

1.4 Voice and Audio Data

When a student uses the voice tutoring feature, their speech is captured through the device microphone and transmitted to our servers for processing. The audio is converted to text in real time by our speech-to-text provider and is not stored after transcription is complete. Only the resulting text transcript is retained as part of the session record.

1.5 Survey Responses

Students may be asked to complete brief pre-session and post-session surveys about their learning experience. Responses are stored alongside the student's session record and are accessible to their teacher.

1.6 Technical and Performance Data

We collect technical data to monitor and improve Service quality, including:

• Speech-to-text processing latency and confidence scores
• AI response generation timing
• Text-to-speech processing timing
• Error rates and types
• Session duration

This data is used for performance monitoring and does not include the content of conversations.

1.7 Information We Do Not Collect

We do not collect:

• Student email addresses or phone numbers
• Precise geolocation data
• Device identifiers or advertising IDs
• Browsing history outside of the Service
• Social media profiles or contacts
• Payment or financial information

2. How We Use Information

We use collected information solely for the following purposes:

• Providing the Service. Authenticating users, delivering AI tutoring sessions, generating whiteboard visualizations, and producing session analysis reports.
• Educational reporting. Generating learning progress reports, misconception identification, and metacognitive skill assessments for teachers.
• Service improvement. Analyzing aggregate, de-identified usage patterns to improve tutoring quality, AI response accuracy, and user experience.
• Security. Detecting and preventing unauthorized access, fraud, and abuse.
• Communication. Sending teachers password reset emails and essential account notifications. We do not send marketing emails.

We do not use student information for advertising, marketing, profiling for non-educational purposes, or any purpose unrelated to providing and improving the educational Service.

3. Third-Party Service Providers

To deliver the Service, we share limited data with the following third-party providers, each of which processes data solely on our behalf and for the purposes described below:

We do not sell, rent, or trade personal information to any third party. We do not share student data with third parties for advertising or commercial purposes. Data shared with service providers is limited to what is strictly necessary for them to perform their function.

4. COPPA Compliance

Our Service is designed for children in grades 3–8 (approximately ages 8–14). We comply with the Children's Online Privacy Protection Act (COPPA) in the following ways:

4.1 Consent

Student accounts can only be created under teacher supervision using a teacher-provided access code. Children cannot create accounts independently or access the Service without teacher authorization. Schools and teachers act as authorized agents for obtaining any required parental consent under COPPA, and we rely on school consent for the collection of student information for educational purposes as permitted by COPPA regulations.

4.2 Data Minimization

We collect only the information reasonably necessary to provide the educational Service. Student accounts require only a first name, last initial, and emoji password. We do not condition a child's participation on the collection of more information than is reasonably necessary.

4.3 Parental and Teacher Rights

Parents and teachers may at any time:

• Review the personal information we have collected from a student
• Request correction of inaccurate student information
• Request deletion of a student's personal information and associated records
• Refuse further collection or use of a student's information (which may require discontinuing the student's use of the Service)

Teachers can manage student accounts directly through their dashboard, including deactivating accounts. For requests beyond what the dashboard provides, or for parent-initiated requests, please contact us at the address listed below.

4.4 No Behavioral Advertising

We do not use student data for behavioral advertising, targeted marketing, or user profiling for non-educational purposes. We do not use third-party analytics or tracking tools. The only cookies we set are strictly necessary authentication cookies.

5. FERPA Compliance

When Simili is used by a school or school district, student records created through the Service may constitute "education records" under the Family Educational Rights and Privacy Act (FERPA). We comply with FERPA in the following ways:

5.1 School Official Exception

Simili operates as a "school official" with a "legitimate educational interest" under FERPA. We access and process student education records solely to provide the educational services contracted for by the school or teacher, and we do not use education records for any other purpose.

5.2 Direct Control by the School

Teachers and school administrators maintain direct control over student data through the teacher dashboard. Teachers can view session transcripts, review learning analytics, manage student accounts, and request data deletion.

5.3 No Re-disclosure

We do not disclose personally identifiable information from education records to any third party except as necessary to provide the Service (as described in Section 3) or as required by law. Third-party service providers process data on our behalf and under our direction, not for their own purposes.

5.4 Right to Inspect and Review

Parents and eligible students have the right to inspect and review the student's education records. Teachers can access session transcripts and learning reports through their dashboard. For additional requests, parents may contact us or work with their child's school to obtain copies of records.

5.5 Right to Request Amendment

Parents or eligible students who believe that education records contain inaccurate or misleading information may request that we amend the records. Requests should be submitted to us in writing at the contact address below.

6. Data Security

We implement technical and organizational safeguards to protect the information we collect, including:

• Encryption in transit. All data is transmitted over HTTPS/TLS encrypted connections.
• Encryption at rest. Data stored in our database is encrypted at rest by our hosting provider.
• Authentication security. Student passwords are verified server-side through a challenge-based system (passwords are never sent to the browser). Teacher passwords are hashed. Sessions use encrypted, httpOnly, secure cookies.
• Access controls. Row-level security policies restrict data access so that teachers can only access their own students' data. Administrative operations require a separate service-role credential.
• Account protection. Student accounts automatically lock after 3 consecutive failed login attempts within a 15-minute window. Rate limiting is applied to authentication endpoints.

No method of transmission or storage is 100% secure. While we strive to protect personal information, we cannot guarantee absolute security. If we become aware of a security breach affecting student data, we will notify affected schools and, where required, parents in accordance with applicable law.

7. Data Retention and Deletion

7.1 Retention Periods

We retain data for the following periods:

• Teacher accounts. Retained while the account is active and for a reasonable period after deactivation to allow for reactivation.
• Student accounts. Retained while the student is active in a teacher's class. Deactivated student records are retained for the remainder of the school year unless earlier deletion is requested.
• Session transcripts and learning analytics. Retained for the duration of the school year in which they were created, or until deletion is requested by the teacher or school.
• Technical performance data. Retained in aggregate form for up to 12 months for Service improvement.

7.2 Deletion

Teachers can deactivate student accounts through their dashboard. To request permanent deletion of all data associated with a student, teacher, or school, including session transcripts and learning analytics, contact us at the address below. We will process deletion requests within 30 days.

When data is deleted, it is removed from our active database. Copies may persist in encrypted backups for a limited period (up to 90 days) before being permanently purged.

8. Cookies and Tracking

We use only strictly necessary cookies to operate the Service:

• Student session cookie (student_session). An encrypted, httpOnly cookie containing a JWT token for student authentication. Expires after 7 days.
• Teacher session cookies. Authentication cookies set by our database provider (Supabase) for teacher login sessions.

We do not use third-party analytics cookies, advertising cookies, tracking pixels, or any other tracking technologies. We do not participate in cross-site tracking or behavioral advertising.

9. Your Rights

9.1 For Teachers

You have the right to:

• Access and review all data associated with your account and your students
• Correct inaccurate information in your account
• Delete your account and request deletion of all associated data
• Manage student accounts, including deactivating and removing students from your class

9.2 For Parents and Guardians

Under COPPA and FERPA, you have the right to:

• Review the personal information we have collected from your child
• Request that we correct inaccurate information
• Request that we delete your child's personal information and all associated session records
• Refuse further collection of your child's information (which may require your child to stop using the Service)
• Receive a copy of your child's education records in a commonly used format

To exercise these rights, contact us at the address below or work with your child's teacher or school.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. If we make material changes to how we collect, use, or share student information, we will provide notice through the Service and, where feasible, notify teachers by email at least 30 days before the changes take effect. The "Last updated" date at the top of this policy indicates when the most recent revision was made. Continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.