Privacy Policy
Last updated: March 28, 2026
1. Introduction
Just Tutor Me ("we," "us," or "our") operates the website at justtutor.me and provides an AI-powered adaptive learning platform for homeschool families. This Privacy Policy explains how we collect, use, store, and protect information from parents ("you") and your children who use our platform.
We are committed to protecting the privacy of children. Our platform is designed from the ground up to comply with the Children's Online Privacy Protection Act (COPPA) and applicable state privacy laws.
2. COPPA Compliance
Children under 13 never create accounts on our platform. Children are represented as profiles within a parent's family account. Only parents create accounts through our authentication provider (Clerk).
Children access the platform using a family code and a numeric PIN set by their parent. This authentication method does not require any personal information from the child — no email address, no username, no password.
All COPPA-relevant actions (account creation, child profile creation, data access, and deletion) are logged in an immutable audit trail.
3. Information We Collect
Parent Account Information
- Email address (for account creation and notifications)
- Name (as provided during sign-up)
- Authentication data managed by Clerk (our auth provider)
Child Profile Information
- First name (display only, set by parent)
- Birth year (used to determine developmental level, not exact age)
- Learning style preference (set by parent)
- PIN (hashed with bcrypt, never stored in plain text)
Learning Data
- Skill mastery levels and progression data
- Assessment results (encrypted with AES-256-GCM at rest)
- Chat transcripts with the AI tutor (encrypted with AES-256-GCM at rest)
- Session duration and activity logs
- Spaced repetition scheduling data
Platform Usage Data
- AI token usage (tracked per student, per subject, per purpose)
- Feature usage patterns (anonymized)
- Error reports sent to our monitoring service (with all PII stripped)
BYOC (Bring Your Own Curriculum) Uploads
- Files uploaded by parents (PDFs, documents, images)
- Extracted text content used for AI-grounded instruction
4. How We Use Information
We use collected information exclusively for:
- Providing adaptive AI tutoring instruction to your children
- Tracking skill mastery and learning progression
- Generating progress reports and compliance documentation
- Scheduling spaced repetition reviews
- Sending parent notifications (safety alerts, milestones, session summaries)
- Improving platform reliability through anonymized error monitoring
We do not sell, rent, or share personal information with third parties for marketing purposes. We do not use children's data for advertising. We do not build behavioral profiles for advertising purposes.
5. Third-Party Services
We use the following third-party services to operate the platform. Each service receives only the minimum data necessary for its function:
- Clerk — Parent authentication only. Children never interact with Clerk. Manages parent email, password, and OAuth sessions.
- Anthropic (Claude API) — AI tutoring engine. Receives student first name, learning context, and conversation content to provide instruction. Subject to Anthropic's data usage policies, which prohibit training on API inputs.
- Neon — PostgreSQL database hosting. Stores all platform data with encryption at rest and in transit.
- Cloudflare R2 — File storage for BYOC uploads and generated documents. Files are stored encrypted.
- Vercel — Frontend hosting. Receives standard web request data (IP address, user agent). No child PII is sent to Vercel.
- Render — Backend API hosting. Processes API requests containing learning data.
- Sentry — Error monitoring configured with COPPA-safe settings: sendDefaultPii is disabled, and all request bodies, auth headers, and cookies are stripped before transmission.
- Resend — Email delivery for parent notifications only. Receives parent email addresses. Never receives child information.
- Microsoft Clarity — Behavioral analytics (session recording, heatmaps) used on public marketing pages only. Clarity is NOT loaded on any authenticated or child-facing pages (dashboard, tutor, diagnostic, games, settings). IP addresses are anonymized by Clarity. No personally identifiable information is collected. Children never interact with Clarity-tracked pages.
6. Data Security
We implement multiple layers of security to protect your data:
- Assessment results and chat transcripts are encrypted with AES-256-GCM
- Child PINs are hashed with bcrypt (never stored in plain text)
- API rate limiting (15 requests/minute for AI endpoints, 60/minute general)
- Request body size limits (50KB) to prevent abuse
- Session tokens expire after 8 hours
- Cross-family data access prevention (IDOR protection)
- All data in transit is encrypted via TLS
- Database connections use SSL
- No child PII appears in error logs or monitoring
7. Data Retention and Deletion
When you delete a child's profile, we initiate a 30-day grace period. During this period, the data is marked as deleted and is inaccessible but can be recovered if the deletion was accidental. After 30 days, all associated data is permanently purged from our systems, including:
- Child profile information
- All learning data, mastery records, and assessment results
- Chat transcripts and session logs
- Spaced repetition items
When you delete your family account, the same process applies to all child profiles and family data. COPPA audit logs are retained as required by law.
8. Parent Rights
As a parent, you have the right to:
- Access all data we hold about your children
- Export your children's learning data and progress reports
- Delete any or all child profiles and associated data
- Modify your children's profile information at any time
- Control notification preferences (except safety alerts, which cannot be disabled)
- Configure worldview and content filtering settings
- Review and delete BYOC uploaded materials
To exercise these rights, use the Settings pages in your parent dashboard or contact us at the email address below.
9. Cookies and Tracking
We use only essential cookies required for authentication and session management. We do not use advertising cookies or tracking pixels that follow users across websites. On our public marketing pages (homepage, features, about, state guides, and comparison pages), we use Microsoft Clarity for anonymized behavioral analytics (session recording and heatmaps) to improve the visitor experience. Clarity is never loaded on authenticated pages where children or parents interact with the learning platform.
10. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email at least 30 days before they take effect. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.
11. Contact
If you have questions about this Privacy Policy or wish to exercise your parental rights, contact us at: privacy@justtutor.me