Privacy Policy

Last updated: 3/20/2026

1. Information We Collect

Parent/Teacher accounts: Name, email address, and a hashed password. We never store passwords in plain text.

Kid profiles: First name and age group only. We do not collect personally identifiable information (PII) from children. No email, phone number, address, or photos are collected from kids.

Usage data: Lesson progress, quiz scores, earned badges, and mission logs are stored to track educational progress.

2. How We Use Your Information

  • To provide the educational platform and track kid progress
  • To send OTP verification emails for kid dashboard access
  • To allow teachers to view student progress (if registered as a teacher)

We do not sell, rent, or share your personal information with third parties.

3. Children's Privacy (COPPA Compliance)

SpiritFlare is designed with children's safety as a priority:

  • Children do not create their own accounts
  • No PII is collected from children (only first name and age group)
  • No social features, chat, or user-generated content visible to others
  • No advertising or third-party tracking
  • Parents control all access through OTP-verified links

4. Data Security

  • Passwords are hashed with bcrypt (12 rounds)
  • Sessions use JWT tokens with secure, httpOnly cookies
  • Kid access requires email OTP verification (10-minute expiry)
  • All API routes verify ownership before returning data
  • Rate limiting is applied to authentication endpoints
  • Database connections use SSL encryption
  • Security headers (X-Frame-Options, X-Content-Type-Options, etc.) are enforced

5. Data Storage

Data is stored in a PostgreSQL database hosted on Neon (serverless PostgreSQL). The application is hosted on Vercel. Both providers maintain industry-standard security practices.

6. Your Rights

You may request deletion of your account and all associated data at any time by contacting us. Deleting a parent account will remove all kid profiles and their progress data.

7. Third-Party Services

  • Neon: Database hosting
  • Vercel: Application hosting
  • Resend: Email delivery for OTP codes

No analytics, advertising, or social media tracking services are used.

8. Changes

We may update this policy from time to time. Changes will be posted on this page with an updated date.