Privacy Policy

This policy covers the parent or guardian who creates an account and manages the Service (the "Account Holder") and the student who uses the desktop application for tutoring sessions (the "Student").

Minimum age requirement. The Service is designed for students who are at least 13 years old. Account Holders must be at least 18 years old. We do not knowingly collect or process personal information from children under 13. If you believe a child under 13 is using the Service, please delete all data immediately (see Section 8) and notify us at legal@sparkyed.com.

Because of our local-first architecture, we do not collect, receive, or process:

• Voice recordings or transcripts of tutoring sessions
• Coaching responses or AI conversation content
• Student session logs, concept performance data, or mastery scores
• API keys (Anthropic, ElevenLabs)
• Screenshots captured during tutoring sessions
• Parent PIN or local configuration settings

Speech recognition is performed entirely on-device using the open-source faster-whisper model. Voice audio is never saved to disk and is never transmitted to any server, ours or otherwise. Screenshots captured during tutoring are held in memory only, transmitted directly to your Anthropic API account, and immediately discarded.

The desktop application transmits the following limited information to our servers to operate your subscription:

• Account email and subscription status, used to validate your subscription before granting AI features (cached on your device for up to 24 hours)
• Anonymous error reports, sent fire-and-forget when the application encounters an unrecoverable error. Reports contain no session content, voice audio, or screenshots.
• Weekly usage pings, indicating that the application is in active use. Pings contain no session content.

If you create your account through the website, the website also collects:

• Account email and password (password hashed by Supabase) at signup and login
• Payment card details, processed by Stripe under their privacy policy. We do not store your card number. We receive only a transaction reference and subscription state from Stripe.
• Email open and click events, recorded by Resend for transactional emails we send you (account confirmations, billing receipts, password resets)
• Authentication cookies, set by Supabase. We do not use third-party tracking or advertising cookies.

The desktop application stores the following data on your computer only:

Note: the internal data directory is named MathTutor for compatibility with installations of earlier versions. The user-facing brand is SparkyEd.

SparkyEd requires you to configure your own accounts with the following third-party services. When you use the desktop application, data flows directly from your device to these services under your own accounts, not through us.

• Anthropic (Claude API). Receives: student voice transcript (text), optional screenshot images, session context. anthropic.com/privacy
• ElevenLabs (TTS API). Receives: AI-generated coaching text for voice synthesis. elevenlabs.io/privacy

Review the privacy policies of Anthropic and ElevenLabs to understand how they handle data submitted through their APIs. We are not responsible for their data practices.

"Use" refers both to how the desktop app uses data stored locally and to how we use the limited information you provide through the website or that the app transmits to our servers (see the review note in Section 2).

• Local session logs and student profile are used to operate the desktop app, calculate concept mastery scores, and produce weekly reports for parents.
• Account email and subscription state are used to validate your subscription and grant the desktop app access to AI features. See Section 2A for what is transmitted.
• Payment information is processed by Stripe under their privacy policy. We do not store your card number.

We do not use your data for advertising, profiling, or any commercial purpose other than operating your subscription. We do not sell or share personal information with third parties for cross-context behavioral advertising.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding personal information.

Categories of personal information collected

• Identifiers: student first name (local), account holder email (server, for subscription)
• Educational information: grade level, subjects, session history, concept performance (local)
• Preferences: hint style, voice settings (local)
• Security: hashed parent PIN (SHA-256, original PIN is never stored) (local), account password (server, hashed by Supabase)
• Commercial information: subscription tier and status (server)

Do we sell or share personal information?

No. We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising.

Your CCPA rights

• Right to know. You have the right to know what personal information is collected. This Privacy Policy provides that disclosure.
• Right to delete. Local data: use the Delete Account & Data function in the Parent Dashboard. Server-side data: email legal@sparkyed.com.
• Right to correct. You may correct personal information through the app's settings or by contacting us for server-side records.
• Right to opt out of sale or sharing. Not applicable. We do not sell or share personal information.
• Right to non-discrimination. We will not discriminate against you for exercising any CCPA right.

How to submit a CCPA request

For local data, exercise your rights directly through the app. For server-side records, email legal@sparkyed.com with subject line "CCPA Rights Request." We will respond within 45 days as required by law.

SparkyEd is designed for students aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 is using the Service, delete all app data using the Delete Account & Data function in the Parent Dashboard and contact us at legal@sparkyed.com to remove any associated server-side records.

You can permanently delete locally stored app data at any time:

• In-app: Parent Dashboard, Settings, Delete Account & Data
• Manual on macOS: delete ~/Library/Application Support/MathTutor/ and your configured Reports folder
• Manual on Windows: delete %APPDATA%\MathTutor\ and your configured Reports folder

To delete server-side data (account, subscription history, error reports, usage pings), email legal@sparkyed.com. Local deletion is irreversible. Server-side deletion is processed within 45 days of request.

• API keys are stored in config.json in the app's application support directory, protected by macOS or Windows file system permissions. Future versions will migrate to OS-managed credential storage (Keychain on macOS, Credential Manager on Windows).
• Parent PIN is stored as a SHA-256 hash. The original PIN is never retained.
• All API and server communications use HTTPS.
• Screenshots are never written to disk.
• Voice audio is processed on-device and never transmitted.
• Server-side data is hosted on Supabase and Vercel infrastructure with industry-standard access controls and encryption at rest.

Locally stored data is retained on your device until you delete it. Server-side account and subscription records are retained for as long as your subscription is active and for up to seven (7) years thereafter for tax, accounting, and legal compliance purposes, unless you request earlier deletion.

The desktop app may automatically check for updates via Sparkle on macOS or WinSparkle on Windows. The check connects to our distribution server (signed appcast feed at sparkyed.com/api/app/appcast) to retrieve version information. The DMG (macOS) or installer (Windows) is downloaded from our public distribution storage. No personal information or session data is transmitted during update checks beyond your device's IP address, current app version, and operating system version (standard HTTPS request metadata).

You can disable automatic update checks in the Parent Dashboard. Manual "Check for Updates" remains available regardless.

We may update this Privacy Policy from time to time. We will notify you of material changes through an in-app notice at next launch and through the website. The updated policy becomes effective when posted. Continued use of the Service after the effective date constitutes acceptance.

For privacy questions, CCPA requests, or concerns:

For California residents: you may also contact the California Attorney General's office at oag.ca.gov/privacy.