1. Who We Are
Classroom Heroes ("we," "us," or "our") is an AI literacy education platform for students in grades 3 through 6. We teach children how artificial intelligence works through animated storytelling, quizzes, and interactive mini-games, all within a safe, teacher-supervised environment.
This privacy policy explains what information we collect from students and teachers, how we use it, who else can see it, and how long we keep it. We wrote this in plain language so that parents, teachers, and school administrators can understand our data practices.
We comply with the Children's Online Privacy Protection Act (COPPA), including the 2025 amendments. We do not collect more information than we need to run the platform.
2. School Consent
Classroom Heroes is used in schools. Under FTC guidance, schools may consent on behalf of parents when an online service is used solely for an educational purpose. Teachers act as agents of the school when they sign up and create classes on Classroom Heroes.
Before creating a class, every teacher must accept our Data Processing Agreement (DPA). The DPA explains what student data we collect, how we use it, and how we protect it. Teachers see and accept the DPA during the class creation process.
Parents always have the right to review their child's data, request deletion, or ask that their child be removed from the platform. See Section 10: Parent Rights below for details.
3. What We Collect
We collect only the minimum information needed to run the educational service. We do not collect email addresses, last names, phone numbers, home addresses, photos, or location data from students.
From Students
| Data | Why We Collect It |
|---|---|
| First name only | So teachers and students can identify each other within a class |
| Quiz answers and scores | To track learning progress and give teachers a view of how students are doing |
| Mini-game scores | To award points and track which games each student has completed |
| Video completion status | To track which episodes a student has watched |
| Points, streaks, and badges | To reward progress and motivate continued learning |
| Avatar customization choices | To let students personalize their character |
From Teachers
| Data | Why We Collect It |
|---|---|
| Email address | To create a teacher account and allow sign-in |
| School or organization name | To identify which school the teacher belongs to |
For a complete list of every data field we store, including technical details, see our Data Inventory.
4. How We Use It
We use the information we collect for these purposes only:
- Student login: Students enter their class code and first name to access their class. No password is needed.
- Learning progress: We record quiz scores, game scores, and video completion so teachers can see how each student is doing.
- Points and rewards: We calculate points earned from watching videos, completing quizzes, and playing mini-games.
- Teacher dashboard: Teachers see an overview of their class and individual student progress.
- Keeping the platform running: We use session cookies for login, rate limiting to prevent abuse, and error monitoring to find and fix problems.
5. Cookies and Session Data
Classroom Heroes uses a small number of cookies that are strictly necessary for the platform to work. We do not use advertising cookies, analytics trackers, or third-party tracking pixels.
Persistent Identifiers We Use
COPPA defines "persistent identifiers" as data that can recognize a user over time or across websites. We use two persistent identifiers, both for internal operations only:
| Cookie | What It Does | How Long It Lasts |
|---|---|---|
| student_session | Keeps the student logged in. This is an HMAC-signed token. It does not contain the student's name, email, or any personal information. It only links the browser to an active session. | 8 hours |
| csrf_token | Prevents cross-site request forgery attacks on form submissions. This is a random token used for security. | Browser session |
These identifiers are used only to support internal operations (authentication and security). We do not use them to track students across websites, build profiles, or serve advertising.
Sentry, our error monitoring service, may set a session cookie to group error reports. This cookie contains no personal data.
6. Third-Party Services
We use a small number of trusted services to run Classroom Heroes. Each service is listed here by name, along with what they do and what data they receive. None of these services receive student data for their own purposes.
| Service | Category | What Data They Receive |
|---|---|---|
| Supabase | Database and teacher authentication | All student data (first names, progress, scores, badges, avatar choices) and teacher accounts. This is our primary database. |
| Vercel | Application hosting | IP addresses and request timestamps in server logs. Vercel hosts the website. |
| Sentry | Error monitoring | Error reports and stack traces only. We strip all personal information (no emails, usernames, or IP addresses) before sending errors to Sentry. |
| Upstash | Rate limiting | Anonymous request counters only. No personal data is sent to Upstash. |
| Vimeo | Video delivery | Video view events. We set the Do Not Track (dnt=1) flag on all Vimeo embeds to minimize tracking. |
| YouTube | Video delivery | Video view events. Some episode videos are hosted on YouTube. |
| Google Fonts | Icon typography | IP address (standard web request to load font files). No data is stored by Google Fonts beyond the request itself. |
For full details on each service, including their privacy policies and security certifications, see our Third-Party Service List.
7. What We Do Not Do
Classroom Heroes does not:
- Sell, rent, or share student data with anyone for advertising
- Use student data for marketing or promotional purposes
- Use student data to train AI or machine learning models
- Display ads of any kind to students
- Build behavioral profiles of students
- Track students across other websites or apps
- Use analytics trackers, social media pixels, or ad networks
- Share student data with third parties for their own commercial purposes
All third-party services we use receive data only as needed to operate the platform, not for any other purpose.
8. How Long We Keep Data
We do not keep student data indefinitely. Every type of student data has a clear retention period and a clear trigger for deletion.
| Data Type | How Long We Keep It | What Triggers Deletion |
|---|---|---|
| Student account (name, points, avatar) | While enrolled in a class | Teacher removes the student, or the class is deleted |
| Learning progress (videos, quizzes, games) | While the student exists | Automatically deleted when the student is deleted (cascading deletion) |
| Quiz and game attempts | While the student exists | Automatically deleted when the student is deleted |
| Badges earned | While the student exists | Automatically deleted when the student is deleted |
| Session cookie | 8 hours | Expires automatically, or cleared on logout |
| CSRF token | Browser session | Cleared when the browser is closed |
| Teacher account | Until the teacher requests deletion | Teacher request or administrator removal |
When a student is deleted, all of their data is permanently and irreversibly removed from our database. This includes their name, progress, scores, badges, quiz answers, game scores, and avatar. There is no grace period and no way to recover the data.
For a detailed list of every data field and its retention period, see our Data Inventory.
9. Data Security
We use industry-standard security measures to protect student and teacher data:
- Signed session cookies: Student sessions use HMAC-signed cookies that cannot be forged or tampered with.
- CSRF protection: All form submissions are protected against cross-site request forgery attacks.
- Rate limiting: Login attempts and form submissions are rate-limited to prevent brute-force attacks.
- Row-level security: Database access is restricted so teachers can only see data for their own classes.
- Content Security Policy: HTTP security headers restrict which resources the browser can load.
- Encrypted connections: All data travels over HTTPS. Cookies are set with the Secure flag.
- Stripped error reports: Our error monitoring removes email addresses, usernames, and IP addresses before sending error reports to Sentry.
10. Parent Rights
Parents have the following rights under COPPA:
Review Your Child's Data
You can ask to see what data we have about your child. Contact your child's teacher first. The teacher can share your child's progress, scores, and badges from the teacher dashboard.
Request Deletion
You can ask to have your child's data deleted. Contact your child's teacher, who can remove the student from their class. Deletion is immediate and permanent. All progress, scores, badges, and quiz answers are removed.
Refuse Further Collection
You can ask that we stop collecting data from your child. Contact your child's teacher to have your child removed from the platform. Once removed, we no longer collect any data from that student.
How to Exercise These Rights
Start by contacting your child's teacher directly. Teachers can review data, delete students, and remove students from classes using their teacher dashboard.
If you cannot reach the teacher or need additional help, contact us at privacy@classroomheroes.app. We will respond within 30 days.
11. Contact Us
If you have questions about this privacy policy or our data practices, contact us:
Classroom Heroes
Email: privacy@classroomheroes.app
We will respond to privacy inquiries within 30 days. For urgent matters related to children's privacy, we will prioritize our response.