Privacy Policy — Plio Academy

Effective Date: May 1, 2026

1. Overview

Plio Academy is a nonprofit organization providing free AI education to children ages 5–17. We are committed to protecting your privacy and comply with the Children's Online Privacy Protection Act (COPPA), California Consumer Privacy Act (CCPA), and all applicable privacy laws.

2. Who This Policy Covers

This policy applies to visitors, parents and guardians, students, instructors, administrators, and donors.

3. Information We Collect

From Guardians

• Full name, email address, phone number (optional)
• Address (optional) and preferred language
• Donation information (processed by Stripe, we don't store card numbers)

From Students (via Guardian Accounts)

• Display name (not legal name), age range
• Avatar emoji and color
• Learning activity: lessons completed, quiz scores, time spent

Automatically Collected

• Usage analytics via Vercel Analytics (privacy-friendly, no tracking cookies)
• Device and browser information
• Server logs (IP address, request details, retained 30 days)

4. Children Under 13 — COPPA Compliance

Children under 13 do not create accounts directly. Parents and guardians manage all account creation and data. We never collect direct contact information (email, phone) from children under 13 — only display name, age range, avatar preferences, and learning activity.

Before activating a child's profile, we send you a confirmation email. You must click to confirm before your child's account is activated. This is our verifiable parental consent mechanism under COPPA. At account creation we also present a direct notice summarizing: what we collect from your child, how it is used, who it is shared with, and your right to review and delete.

5. How We Use Your Information

• Provide educational services and show progress reports
• Send transactional emails and communicate about policies
• Improve curriculum and analyze learning outcomes (anonymized)
• Comply with law and prevent fraud

6. Third-Party Services

We use:Clerk (authentication),Neon/PostgreSQL (database),Vercel (hosting),Resend (email),Stripe (payments),Vercel Analytics (analytics),LiveKit (real-time video/audio for live tutoring sessions), andCloudflare R2 (video file storage for tutor interview recordings — not student data). Each is bound by a Data Processing Agreement preventing unauthorized use of your data.

7. Cookies and Tracking

Student-facing pages do NOT use third-party tracking cookies, advertising pixels, or behavioral profiling. Only essential cookies for login and CSRF protection.

8. Data Retention

• Account data: while active + 90 days after deletion
• Learning activity: while enrolled + 30 days after deletion (45 days for non-child account data)
• Donation records: 7 years (nonprofit financial requirements)
• Server logs: 30 days
• Tutor interview video recordings: 90 days after tutor status change or account deletion (stored in Cloudflare R2)
• Anonymized research data: indefinitely

9. Your Privacy Rights

You have the right to:

• Access your personal data
• Correct inaccurate information
• Delete your account and data
• Opt out of non-essential communication

We delete within 45 days(30 days for children's data). To exercise these rights, email hello@plio.academy with your request. We respond within 10 business days.

10. Security and Data Breach Notification

We use HTTPS encryption, encrypted databases, role-based access control, and regular security audits. No system is perfectly secure, but we take every reasonable precaution.

In the event of a confirmed data breach, we will notify affected guardians by email without unreasonable delay. For EU/UK data subjects, we will notify the competent supervisory authority within 72 hours of becoming aware of a confirmed breach, as required by GDPR Article 33.

11. European Users — GDPR

If you are located in the EU or UK, we process your data under the legal bases of contractual necessity, legitimate interest, consent, and legal obligation.

Children's data (GDPR Art. 8):For users under 16 (or the applicable age threshold in their EU/UK member state — e.g., 13 in Ireland and UK, 16 in Germany), we rely on verifiable parental/guardian consent under GDPR Article 8. We collect the minimum data necessary and do not use children's data for any purpose beyond providing the educational services.

12. California Residents — CCPA/CPRA

As a nonprofit organization, Plio Academy may be exempt from certain CCPA provisions. However, we voluntarily extend these privacy rights to all California residents as a matter of practice.

We do not sell or share personal information as defined by CCPA/CPRA. No action is required. We do not use sensitive personal information for advertising, profiling, or secondary commercial purposes. If you have questions, contact hello@plio.academy.

13. Changes to This Policy

We may update this policy. For material changes affecting children's data, we notify guardians by email 14 days before the change takes effect.

14. Contact Us

Plio Academy Privacy Office
Email: hello@plio.academy
We aim to respond within 5 business days.

This is a summary. For the full, detailed Privacy Policy effective May 1, 2026, please refer to the official document at docs/legal/privacy-2026-05.md.