Privacy Policy

1. Who we are

StoryPath is operated by StoryPath LLC, a company registered in Arizona.

Mailing address: 2942 N 24th St Ste 115, Phoenix, AZ 85016
Privacy contact: [email protected]
Information Security Coordinator: Don Slater ([email protected])

For purposes of data protection law, StoryPath LLC is the operator (under COPPA) and the controller (under LGPD, LFPDPPP, and GDPR) of the personal information described in this policy.

2. What this policy covers

This policy covers the personal information we collect through:

• The StoryPath mobile app (iOS and Android)
• The StoryPath website at storypathlearning.com
• Any communication you have with us about your account

It applies to both:

• Information about children under 13 who use StoryPath
• Information about adult account holders (parents, guardians, or educators who set up an account)

3. Information we collect about children

We collect only what we need to deliver personalized learning. Specifically:

From you (the parent or guardian), about your child:

• First name or nickname. We never ask for or store your child’s last name.
• Birth year. Only the year — we use it to scale lesson language to your child’s reading level. We do not collect or store the month or day of birth.
• Grade level (1 through 5).
• Avatar. Your child picks from a set of in-app avatars. We do not collect or store photos of your child.
• Favorite books, movies, shows, or activities. These are used to personalize lesson themes. You enter these on your child’s profile.

Generated as your child uses StoryPath:

• Lesson session data. Which lessons they have done, when, how long, and what score they got.
• Question-level answers. Whether they answered correctly or incorrectly, per question.
• Skill mastery progress. Per-skill mastery level, attempt counts, and pass/fail history.
• Collectible progress. In-app gamification progress (collectible counts by grade year).
• AI-generated lesson content that is created for your child and is tied to their profile.

SideQuest — schoolwork photographs

StoryPath’s SideQuest feature allows your child to photograph a piece of their schoolwork — for example, a math worksheet, a passage from a book, or a word problem — using the iPad camera. That photograph is transmitted directly to our AI provider (Anthropic) to generate a short personalized lesson based on what is in the image.

We do not store the photograph. It is sent to Anthropic and is not saved to our database or storage. Anthropic may retain it for up to 30 days under standard commercial terms and does not use it to train AI models.

The photograph is of schoolwork, not of your child. We recommend that you supervise your child’s use of SideQuest to ensure it is used as intended.

What we do not collect from children:

• Last names, physical addresses, phone numbers, or emails
• Photos or videos of your child (SideQuest photographs are of schoolwork only — see above — and are not stored by us)
• Voice recordings
• Persistent advertising identifiers
• Geolocation
• Behavioral telemetry (clickstreams, keystroke patterns, etc.)
• Device identifiers used for cross-app tracking

We do not collect more than what is needed for the purposes listed in Section 5.

4. Information we collect from adult account holders

When you create an account, we collect:

• Your email address and a password (stored hashed, never in plain text)
• Your subscription status and a reference to your payment method (the payment method itself is held by Stripe, not by us)
• Communications you have with our support team
• Your consent record — the timestamp, IP address, user agent, and version of consent text when you authorized us to collect your child’s information

We do not sell, rent, or trade your information.

4A. Pre-launch waitlist signups

If you sign up to the StoryPath early-access waitlist on storypathlearning.com, we collect:

• Your email address
• Whether you identify as a parent or an educator

We use this information only to send you the confirmation message at signup and to notify you when StoryPath becomes available to you. We do not use it for any other purpose, and we do not include waitlist signups in the sub-processor flows described in Section 6.

Waitlist records are stored in Cloudflare D1 (the database hosted by our infrastructure provider, Cloudflare) and delivered through Resend (our outbound email service). Each is bound by their standard terms of service, which prohibit using the data for advertising or model training.

We retain waitlist signups until one of the following happens, whichever is first: you ask us to remove you, you create a StoryPath account (at which point the waitlist record is reconciled with your account), or 24 months pass from your signup date without StoryPath becoming available to you. You can request earlier deletion at any time by emailing [email protected].

5. How we use information

We use the information we collect to:

• Deliver personalized lessons. Your child’s grade level, birth year, favorite interests, and skill mastery are used to generate lessons appropriate for them.
• Track your child’s progress. So we can adapt future lessons and show you reports.
• Run your account. Authentication, subscription billing, communication with you.
• Improve the product. We may use de-identified, aggregated data (data not linked to any individual student) for product analytics and improvement.
• Meet legal and regulatory obligations. Including responding to your rights requests, complying with court orders, and maintaining the consent records required by COPPA.

We do not use your child’s information to:

• Sell advertising or build advertising profiles
• Profile your child for behavioral or marketing purposes unrelated to learning
• Train any AI model on your child’s specific data
• Make any decision that has a legal or similarly significant effect on your child

6. Who else processes information on our behalf

These companies help us run StoryPath. Each is bound by a Data Processing Agreement (or equivalent terms incorporated into their service agreement) that requires them to (a) use the data only to provide services to StoryPath, (b) not use it to train AI models on customer data, (c) not share it with anyone else, and (d) delete it when we ask.

Anthropic’s Data Processing Agreement is incorporated into its Commercial Terms of Service, accepted at account creation. Amazon Web Services’ Data Processing Agreement is incorporated into the AWS Customer Agreement. Neither Anthropic nor AWS uses your child’s information to train AI models. Anthropic may retain inputs and outputs for up to 30 days under standard commercial terms; on the Bedrock path, AWS is the sole processor and Anthropic has no access. OpenAI and Fal.ai receive only image-description prompts — no child’s personal information — and no DPA is required for that use.

We will tell you in advance if we add a new sub-processor or materially change which information any current sub-processor receives. You will be asked to re-consent before the change takes effect.

7. What we don’t do

We commit to the following, and we are accountable for them under the laws listed at the top of this policy:

• We do not sell, rent, or trade your child’s personal information, or yours.
• We do not show targeted advertising to your child or to you within StoryPath.
• We do not use your child’s information to train AI models for our own benefit or anyone else’s.
• We do not build advertising profiles of children or adults from this information.
• We do not share your child’s information with anyone other than the sub-processors listed above, except in the narrow circumstances of (a) responding to a valid legal request, (b) protecting our rights, (c) protecting the safety of a child, or (d) a corporate transaction where the new owner is bound by this same policy.

8. How long we keep information

The full details are in our Data Retention Policy. In brief:

• Child profile and learning data is kept while the student is active. After 12 months of inactivity, the profile is automatically retired. 6 months after that, it is automatically deleted.
• Adult account data is kept while your subscription is active and for a short window afterward to allow re-subscription, then deleted.
• Consent records are kept for the lifetime of your subscription plus a regulatory-defense buffer, because we may need to show that consent was obtained.
• Waitlist signups are retained until you ask us to remove you, until you create a StoryPath account, or 24 months from your signup date, whichever first. See Section 4A.
• Backups retain deleted data for up to 7 days while backup snapshots rotate. Deletion is complete after this window.

You can request deletion of your child’s information at any time (see Section 10). We will complete the deletion within 30 days of your request.

9. How we protect information

We have a written Information Security Program that describes the controls we use. Highlights:

• All data is encrypted in transit (HTTPS / TLS 1.2+) and at rest in our database.
• Adult account passwords are hashed with bcrypt. Children do not have their own logins.
• Database access is governed by Row-Level Security policies, so the application can only retrieve a parent’s own account and their own children’s data.
• Administrative access to production systems is limited to a small named group with multi-factor authentication.
• We have a documented incident response plan and named coordinator.
• We do not collect persistent advertising identifiers, geolocation, or device identifiers from children — which materially reduces the surface area of a breach.

The full Information Security Program is an internal document; a summary or copy is available on request to [email protected].

10. Your rights as parent or legal guardian

You have the following rights, and you can exercise them at any time:

• Review. You can view all of the information we hold about your child from your account screen.
• Correct. You can correct or update your child’s information from your account screen.
• Delete. You can delete your child’s information from your account, or by emailing [email protected]. We will complete the deletion within 30 days.
• Refuse further collection. You can tell us to stop collecting more information about your child without deleting what we already have. Some features may stop working in this state; we will tell you what stops.
• Receive a copy. You can request a copy of your child’s information in a portable format. We will provide it within 30 days.
• Withdraw consent. You can withdraw the consent you previously gave. We will stop collecting your child’s information immediately and, unless you instruct otherwise, delete it within 30 days.
• Lodge a complaint. You can lodge a complaint with the data-protection authority in your country. The relevant authorities are listed in Section 13.

To exercise any of these rights, log into your account or email [email protected]. We will respond within 30 days. If we need more time, we will tell you why and when to expect a response.

11. Verifiable parental consent

Before we collect any personal information about your child, we ask you to consent at a dedicated consent screen, and we record that consent.

Under U.S. COPPA, the most common method for verifying parental consent is the parent’s use of a credit card or other online payment system that confirms each transaction to the primary account holder. StoryPath uses this method: your subscription payment is the verification of your parental consent. The consent screen you see at sign-up is also designed to meet the stricter “specific and prominent” requirement of Brazil’s LGPD Article 14.

We retain the record of your consent (timestamp, version of consent text, payment linkage) for the lifetime of your subscription plus a regulatory-defense buffer.

You can review and withdraw your consent at any time from your account settings or by emailing [email protected].

12. Information from users outside the United States

StoryPath’s production systems are based in the United States. When you and your child use StoryPath from outside the United States, your information is transferred to and processed in the U.S.

This transfer is permitted under the laws of Mexico (LFPDPPP), Brazil (LGPD), and Argentina (Resolution 4/2019), subject to disclosure to the data subject — which we provide here, in the consent screen, and at the moment of account creation. For European Union users (when StoryPath launches in the EU), the transfer will rely on Standard Contractual Clauses approved by the European Commission, available on request.

All retention periods, security controls, and parental rights described in this policy apply regardless of where you are located.

13. Specific notices for jurisdictions

United States

This policy is our Online Notice under COPPA § 312.4(d). The Direct Notice required by § 312.4(b) is the consent screen you see when you create your child’s profile. Our § 312.8 Information Security Program and § 312.10 Data Retention Policy are referenced in Sections 8 and 9 above and are available on request.

If you live in California, Colorado, Connecticut, Virginia, Utah, or another state with a comprehensive privacy law, you have additional rights — most of which are covered by Section 10 above. You can also request information about the categories of personal information we have collected about you (the adult account holder) in the prior 12 months. To request this, email [email protected].

Brazil

This policy is also our notice under LGPD Articles 9 and 18. The Brazilian National Data Protection Authority is ANPD (Autoridade Nacional de Proteção de Dados; www.gov.br/anpd). You have the right to complain to ANPD if you believe we are not meeting our obligations.

Our processing of children’s personal information is based on the “specific and prominent” consent given by a parent or legal guardian (LGPD Art. 14) and is conducted with the best interest of the child in mind.

Mexico

Under LFPDPPP, you (the titular) have the rights of Acceso, Rectificación, Cancelación, and Oposición (ARCO) over your personal information and your child’s. These rights are reflected in Section 10. The Mexican data-protection authority is INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales; www.inai.org.mx).

Argentina

Under Ley 25.326 and Resolution 4/2019, parental consent is required for processing minors’ personal information. The Argentine data-protection authority is the AAIP (Agencia de Acceso a la Información Pública; www.argentina.gob.ar/aaip).

European Union (forward-compatible; applies when StoryPath launches in the EU)

We will be the controller of your personal information under GDPR. The legal basis for processing your child’s information is your explicit consent as parent or guardian, in accordance with GDPR Article 8. You have the rights set out in GDPR Articles 15 through 22, which are reflected in Section 10. You may complain to your national data-protection supervisory authority.

14. Changes to this policy

We may update this policy. When we do, we will:

• Update the effective date and version number at the top
• Post the new version at the same URL
• Keep a record of prior versions accessible on request

If the change is material — meaning it affects what we collect, who we share it with, how long we retain it, or your rights — we will:

• Notify you by email
• Ask you to re-consent before the change applies to your account or your child’s

Until you re-consent, the change does not apply to your account. Examples of material changes: adding a new sub-processor, collecting a new category of data, lengthening a retention period.

Non-material changes (clarifications, formatting, contact-info updates) do not require re-consent; they will appear in the version history below.

15. Contact

For privacy questions, rights requests, complaints, or to ask about anything in this policy:

Email: [email protected]
Mail: StoryPath LLC, 2942 N 24th St Ste 115, Phoenix, AZ 85016
Information Security Coordinator: Don Slater ([email protected])

We aim to respond to all inquiries within 30 days. For urgent or sensitive matters, please mark the email accordingly.

16. Version history