Data Retention Policy
This policy describes how long StoryPath retains personal information collected from and about children under 13, and from adult account holders. It applies to all data stored by StoryPath in its production systems and its backups.
Our principles
StoryPath retains personal information only as long as reasonably necessary to fulfill the purpose for which it was collected. We do not retain children’s personal information indefinitely.
We commit to four principles:
- Purpose-bounded retention. Each category of data has a stated purpose, and a retention period tied to that purpose.
- Automated deletion. Retention is not manual. The system enforces retention through automated triggers; we do not rely on the parent or operator to remember to delete.
- Right of deletion is honored. A parent can request deletion of a child’s information at any time, and we will complete the deletion within thirty days.
- Complete deletion. When we delete, we delete from live systems immediately and from backup systems on a scheduled cycle disclosed below.
How long we keep each kind of information
Child profile data
What we mean: display name, birth year, grade level, avatar selection, favorite interests and activities, narrative theme preference.
Why we keep it: to personalize the child’s learning experience.
How long we keep it:
- While the student profile is active — the child is using StoryPath and the parent’s subscription is active.
- Automatically moved to a retired state after twelve consecutive months of session inactivity.
- Automatically deleted six months after entering the retired state.
- The parent can retire or delete the profile manually at any time.
Learning history data
What we mean: per-skill mastery levels and attempt counts, per-question responses, session timestamps and scores, exam answers, collectible progress, the current curriculum unit, and facilitator-set difficulty settings.
Why we keep it: to adapt future lessons to the child’s current skill level and progress.
How long we keep it: the same lifecycle as the child profile (active → retired → deleted), with the same automated triggers described above. Aggregate, de-identified analytics — cohort-level data not linked to any individual student — may be retained beyond the per-student period for product improvement. Such data is decoupled from the student’s identifier when the profile is retired.
Account holder data (parents and legal guardians)
What we mean: email address, password hash, account creation timestamp, subscription status, payment method reference (held by Stripe), consent record, and communications history with support.
Why we keep it: authentication, billing, parental rights administration, and support.
How long we keep it:
- While the subscription is active.
- For thirty days after subscription cancellation, so you can re-subscribe without re-creating the account.
- After those thirty days, the account and all linked student data are automatically deleted.
- The consent record specifically is retained for the lifetime of the subscription plus a seven-year buffer for audit purposes, because it may need to be produced to defend against COPPA enforcement inquiries.
Generated session content
What we mean: AI-generated lesson narratives, AI-generated questions and answers, and AI-generated illustrations associated with a specific student’s sessions.
Why we keep it: the child or facilitator may want to revisit a recent lesson; product analytics.
How long we keep it: the same lifecycle as the child profile. Generated content is treated as student data because it is tied to and influenced by the student’s information.
System logs
What we mean: application logs, error logs, and security event logs.
Why we keep them: operational troubleshooting and security monitoring.
How long we keep them:
- Ninety days for application logs.
- 365 days for security event logs (required by our COPPA § 312.8 information-security program for incident response).
- All logs are scrubbed of personal information before retention. If a log contains personal information due to error, it is purged within seven days of detection.
Consent records
What we mean: records of parental consent (timestamp, user agent, IP address, consent text version, payment linkage).
Why we keep them: auditable proof of verifiable parental consent.
How long we keep them: the lifetime of the subscription plus a seven-year buffer following account deletion. This is a regulatory-defense requirement; consent records may need to be produced for FTC or state-attorney-general inquiry years after the account closes.
What “deletion” means
When data is deleted under this policy:
- Live database: the record is removed from the live production database immediately. Deletion cascades across all related tables (student profile, sessions, mastery data, preferences, exam answers, collectibles).
- Backups: StoryPath uses point-in-time recovery backup snapshots provided by our database host. Personal information remains in those snapshots for up to seven days following live-database deletion, after which the snapshots rotate and the data is purged with them. We disclose this window here transparently. During the window, the data is not retrievable through normal application access; it can only be retrieved by restoring an older backup, which is performed only in extreme operational scenarios with documented justification.
- Audit log: an entry recording the deletion is written to an internal audit table. The audit log itself does not contain personal information; it confirms that a deletion occurred for compliance-confirmation purposes. Audit log entries are retained for 365 days.
Deletion on parent request
When a parent requests deletion of their child’s information — either through the account interface or by emailing [email protected] — the following happens:
- The system marks the student as retired immediately, then queues a delete operation.
- The hard-delete completes within thirty days of the request.
- A confirmation is sent to the parent’s email when deletion is complete.
- The deletion event is logged in the audit table described above.
Refusal of further collection
A parent may refuse further collection of their child’s information without deleting existing data. In this state:
- No new session data is collected.
- No new exam data is collected.
- No new preference data is collected.
- Existing data remains until the parent later requests deletion or the automated triggers fire.
The child’s continued use of StoryPath may be limited in this state, since some features depend on collecting session data. The parent is notified of this trade-off at the moment they exercise the refusal right.
Where the data lives
Production data is hosted in the United States by our infrastructure provider, Supabase. The retention periods in this policy apply regardless of where the user is located.
For users in Brazil, Mexico, Argentina, and other Latin American countries, transferring personal information to the United States is permitted by the local data-protection authority subject to disclosure to the data subject. This policy and our privacy policy disclose the transfer.
For users in the European Union, when applicable, transfers will rely on Standard Contractual Clauses approved by the European Commission, as documented in the data-processing addendum to the privacy policy.
How this policy is enforced
Retention is enforced by automated code, not by manual process. Scheduled jobs in our backend periodically check every student profile against the trigger periods above and apply the appropriate state change. The point-in-time backup window is configured at the database host level and is documented in our Information Security Program.
We choose automation over manual enforcement because automation is reliable. A policy that depends on someone remembering to delete data is not a policy a child can count on.
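The following is an added example of what such a scheduled retention job looks like; it is written for this page and is not StoryPath's own backend code. It implements the lifecycle stated above (active, retired after twelve months of session inactivity, deleted six months after retirement, and a parent request that retires the profile immediately and queues the hard-delete), cascades the delete across the related tables listed under "What deletion means", decouples cohort analytics from the student identifier at retirement, and writes audit entries that carry only an opaque student id and a reason. The in-memory `Store`, the 365-day and 183-day approximations of twelve and six months, and the sample profiles are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Trigger periods from the policy (day counts for the months are an assumption of this example).
INACTIVITY_BEFORE_RETIRE = timedelta(days=365)  # twelve consecutive months of session inactivity
RETIRED_BEFORE_DELETE = timedelta(days=183)     # six months after entering the retired state

# Related tables that a student deletion cascades across (the policy's list).
CASCADE_TABLES = ("sessions", "mastery", "preferences", "exam_answers", "collectibles")


@dataclass
class StudentProfile:
    student_id: str                        # opaque id; contains no personal information
    state: str = "active"                  # "active" -> "retired" -> (row removed)
    last_session_at: Optional[datetime] = None
    retired_at: Optional[datetime] = None
    delete_requested_at: Optional[datetime] = None


@dataclass
class AuditEntry:
    # Confirms that a transition happened and why; holds no personal information.
    student_id: str
    action: str
    reason: str
    occurred_at: datetime


@dataclass
class Store:
    """Constructed in-memory stand-in for the production database (assumption)."""
    profiles: Dict[str, StudentProfile] = field(default_factory=dict)
    tables: Dict[str, Dict[str, list]] = field(default_factory=lambda: {t: {} for t in CASCADE_TABLES})
    analytics: List[dict] = field(default_factory=list)   # cohort rows that may outlive the student
    audit: List[AuditEntry] = field(default_factory=list)


def retention_action(p: StudentProfile, now: datetime) -> str:
    """Decide which transition the scheduled job must apply to one profile."""
    if p.delete_requested_at is not None:
        return "delete"                    # parent request: hard-delete is queued
    if p.state == "active" and p.last_session_at and now - p.last_session_at >= INACTIVITY_BEFORE_RETIRE:
        return "retire"
    if p.state == "retired" and p.retired_at and now - p.retired_at >= RETIRED_BEFORE_DELETE:
        return "delete"
    return "none"


def _decouple_analytics(store: Store, sid: str) -> None:
    # Aggregate analytics are kept, but the link to the student's identifier is severed.
    for row in store.analytics:
        if row.get("student_id") == sid:
            row["student_id"] = None


def retire(store: Store, sid: str, now: datetime, reason: str) -> None:
    p = store.profiles[sid]
    p.state, p.retired_at = "retired", now
    _decouple_analytics(store, sid)
    store.audit.append(AuditEntry(sid, "retire", reason, now))


def hard_delete(store: Store, sid: str, now: datetime, reason: str) -> Dict[str, int]:
    """Remove the student from the profile table and every related table; return rows removed per table."""
    removed = {t: len(store.tables[t].pop(sid, [])) for t in CASCADE_TABLES}
    _decouple_analytics(store, sid)
    store.profiles.pop(sid)
    store.audit.append(AuditEntry(sid, "delete", reason, now))
    return removed


def request_deletion(store: Store, sid: str, now: datetime) -> None:
    """Parent request: mark the student retired immediately and queue the hard-delete."""
    retire(store, sid, now, "parent_request")
    store.profiles[sid].delete_requested_at = now


def run_retention_job(store: Store, now: datetime) -> Dict[str, int]:
    """The scheduled job: check every profile against the trigger periods and apply the state change."""
    counts = {"retire": 0, "delete": 0, "none": 0}
    for sid, p in list(store.profiles.items()):
        action = retention_action(p, now)
        if action == "retire":
            retire(store, sid, now, "inactive_12_months")
        elif action == "delete":
            hard_delete(store, sid, now, "parent_request" if p.delete_requested_at else "retired_6_months")
        counts[action] += 1
    return counts


def build_sample_store(now: datetime) -> Store:
    """Constructed sample profiles for the example, not real StoryPath records."""
    s = Store()

    def add(sid, last_session_at, state="active", retired_at=None):
        s.profiles[sid] = StudentProfile(sid, state, last_session_at, retired_at)
        for t in CASCADE_TABLES:
            s.tables[t][sid] = [{"student_id": sid, "row": 1}]
        s.analytics.append({"student_id": sid, "cohort": "grade-3", "mastery_pct": 72})

    add("stu-a", now - timedelta(days=2))                                    # active, recent session
    add("stu-b", now - timedelta(days=400))                                  # inactive > 12 months
    add("stu-c", now - timedelta(days=600), "retired", now - timedelta(days=200))  # retired > 6 months
    add("stu-d", now - timedelta(days=1))
    request_deletion(s, "stu-d", now)                                        # parent asked for deletion
    return s


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = build_sample_store(now)
    print(run_retention_job(store, now))                    # {'retire': 1, 'delete': 2, 'none': 1}
    print(run_retention_job(store, now + RETIRED_BEFORE_DELETE))  # stu-b deleted six months later
    for e in store.audit:
        print(e.action, e.student_id, e.reason)
```

Two design points worth noting: the job is idempotent and decides each transition from timestamps alone, so it can run on any schedule without an operator remembering anything, and the audit table records the fact of the transition with an opaque id and a reason rather than any of the deleted content, which is what lets it be retained for 365 days without itself becoming personal information.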
Material changes to this policy
Any of the following constitutes a material change requiring parents to be re-notified and re-consent:
- Lengthening any retention period.
- Adding a new category of data that is retained.
- Changing the deletion-request response time.
- Changing the backup window beyond thirty days.
- Changing the backup-deletion mechanism.
Non-material changes — clarifications, contact updates, formatting — do not require re-consent.
Contact
Information Security Coordinator: Don Slater — [email protected]
General privacy contact: [email protected]
Changes to this policy
If we make changes to this policy, we will update the effective date at the top of the page. If the changes are material — see above for what counts — we will notify account holders by email before the change takes effect.