Privacy Policy

Version: 1.0
Last Updated: March 22, 2026
Effective Date: March 22, 2026

LearningNuggets ("we," "us," or "our") operates the LearningNuggets cybersecurity education platform ("Service") available at [learningnuggets.com]. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

We are committed to protecting the privacy of all our users, with particular attention to children under 13 (COPPA) and students in educational settings (FERPA). Please read this policy carefully.

1. Information We Collect

1.1 Information You Provide

• Account Registration Data -- Name (or display name), email address, password (hashed, never stored in plaintext), age attestation, role selection (student/teacher/professional).
• Profile Information -- Account type, school affiliation (if applicable), grade level (for minors).
• Payment Information -- Processed and stored by our payment processor, Stripe. We receive only a tokenized reference, subscription status, and billing history. We do not store your full credit card number.
• Communication Data -- Messages you send to our support team, feedback submissions (including optional screenshots), and contact form inquiries.
• Parental Consent Data -- For users under 18: parent/guardian email address for consent verification.

1.2 Information Generated Through Use

• Learning Session Data -- Chat messages with the AI tutor, proficiency assessments, knowledge state, learning topic selections, session duration, and turn counts.
• Simulation Activity -- Commands entered in terminal simulations, code written in Python sandbox exercises, responses to social engineering training scenarios.
• Docker Lab Activity -- Terminal commands executed in lab environments, session duration, machine lifecycle events (provision, pause, resume, terminate). See Section 11 for details.
• Progress and Performance Data -- Proficiency levels (unassessed, beginner, journeyman, master), topic completion status, adaptive difficulty state.

1.3 Information Collected Automatically

• Device and Browser Information -- Browser type, operating system, screen resolution, and device type. Collected for Service functionality and troubleshooting, not for advertising.
• Usage Analytics -- Pages visited, features used, session frequency, and general interaction patterns.
• Authentication Tokens -- JWT (JSON Web Tokens) for session management and API authentication.
• IP Address -- Collected for security purposes, rate limiting, and fraud prevention. Not used for advertising or profiling.

2. How We Use Your Information

We use collected information for the following purposes:

1. Education Delivery -- Powering AI tutoring sessions, generating exercises, tracking learning progress, and adapting difficulty to your level.
2. Account Management -- Creating and maintaining your account, authenticating your identity, and managing subscription access.
3. Billing and Payments -- Processing subscription payments, managing tier access, and handling refund requests through Stripe.
4. Service Improvement -- Analyzing usage patterns (in aggregate) to improve educational content, AI tutor quality, and platform features.
5. Communication -- Sending transactional emails (account verification, password reset, subscription receipts, important service updates) through our email provider, Resend.
6. Security and Safety -- Monitoring for abuse, unauthorized access, and violations of our Terms of Service. Maintaining the security of lab environments.
7. Legal Compliance -- Fulfilling our obligations under COPPA, FERPA, GDPR, CCPA, and other applicable laws.

• Behavioral advertising or ad targeting
• Sale to third parties
• Profiling for purposes unrelated to education
• Automated decision-making with legal or similarly significant effects

3. AI and Machine Learning

3.1 How AI Processes Your Data

The LearningNuggets AI tutor ("Nugget") processes your chat messages in real-time to provide educational responses. This involves:

1. Sending your messages to AI language model providers (currently Anthropic/Claude) for response generation.
2. Analyzing your responses to assess proficiency and adapt teaching approach.
3. Maintaining session context (conversation history) within a single learning session for coherent dialogue.

3.2 What AI Does NOT Do

1. No Automated Legal or Significant Decisions -- AI assessments of proficiency are educational tools only and do not produce legal effects, employment consequences, or access to essential services.
2. No Long-Term Profiling Beyond Education -- AI does not build behavioral profiles for advertising, credit scoring, or purposes outside your educational experience.
3. No Training on Individual Data -- Your individual chat messages are not used to train or fine-tune the underlying AI models. AI providers process your data under data processing agreements that prohibit use of your data for model training.

3.3 PII Redaction in AI Sessions

For users with PII redaction enabled (all minors and school-affiliated users), personally identifiable information is automatically stripped from messages before they are sent to the AI provider. Redacted content is replaced with tokens and rehydrated only in the response delivered back to you. The AI provider never sees the original PII.

4. Data Retention

4.1 Account Deletion

You may request deletion of your account and associated data by contacting privacy@learningnuggets.com. Upon receiving a verified deletion request:

1. Your account will be deactivated within 5 business days.
2. Personal data will be permanently deleted within 30 days, except where retention is required by law.
3. Anonymized and aggregated data that cannot be linked back to you may be retained indefinitely.

5. Data Sharing and Third Parties

We share your information only with the following categories of service providers, and only to the extent necessary to operate the Service:

5.1 What We Do NOT Do

1. We do not sell your personal information to any third party, for any purpose, ever.
2. We do not share data for advertising or allow third-party advertising on the platform.
3. We do not provide data to data brokers.

5.2 Legal Disclosures

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Children's Privacy (COPPA)

LearningNuggets complies with the Children's Online Privacy Protection Act (COPPA) for users under 13 years of age.

6.1 Parental Consent

1. Users under 13 may not create an account without verifiable parental or guardian consent.
2. During registration, users who indicate they are under 18 are required to provide a parent/guardian email address.
3. We obtain consent before collecting personal information from children under 13.

6.2 Data Minimization for Children

For child users, we:

1. Collect only the minimum information necessary to provide the educational Service.
2. Automatically enable PII redaction in all AI tutoring sessions -- the AI tutor never processes a child's real name, email, or other identifying information.
3. Do not engage in behavioral advertising or build advertising profiles.
4. Do not require children to provide more information than reasonably necessary to participate.

6.3 Parental Rights

Parents and guardians have the right to:

1. Review their child's personal information by contacting privacy@learningnuggets.com.
2. Request deletion of their child's personal information.
3. Refuse further collection or use of their child's information (which may require account closure).
4. Consent to collection without consenting to disclosure to third parties (except our essential service providers listed in Section 5).

7. Student Data and FERPA

LearningNuggets complies with the Family Educational Rights and Privacy Act (FERPA) for student data collected through School tier accounts.

7.1 School-Consented Data Collection

1. Schools (through authorized teachers and administrators) consent to data collection on behalf of students under FERPA's "school official" exception.
2. LearningNuggets functions as a "school official" with a legitimate educational interest in the student data.

7.2 Protections for Student Education Records

1. Student data collected through School accounts is treated as education records.
2. PII redaction is automatically and permanently enforced for all school-affiliated users, regardless of age.
3. Student data is never used for advertising, data mining, or any purpose unrelated to education.
4. We do not build non-educational profiles of students.

7.3 Parent and Eligible Student Rights Under FERPA

1. Parents (or eligible students age 18+) may inspect and review education records by contacting their school administrator, who can coordinate with LearningNuggets.
2. Parents may request correction of inaccurate records.
3. Direct requests may also be made to privacy@learningnuggets.com with verification of identity and relationship.

7.4 Data Processing Agreements

Schools may enter into a Data Processing Agreement (DPA) or Student Data Privacy Agreement with LearningNuggets. Contact legal@learningnuggets.com for institutional agreements.

8. GDPR Rights (European Economic Area)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

1. Right of Access -- You may request a copy of the personal data we hold about you.
2. Right to Rectification -- You may request correction of inaccurate or incomplete personal data.
3. Right to Erasure -- You may request deletion of your personal data, subject to legal retention obligations.
4. Right to Restriction -- You may request that we restrict processing of your data in certain circumstances.
5. Right to Data Portability -- You may request a machine-readable copy of your personal data.
6. Right to Object -- You may object to processing of your data based on legitimate interests.
7. Right to Withdraw Consent -- Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

8.1 Legal Basis for Processing

8.2 Exercising Your Rights

To exercise any GDPR right, contact our Data Protection contact at privacy@learningnuggets.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

9. CCPA Rights (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

9.1 Right to Know

You have the right to request that we disclose:

1. The categories of personal information we collect about you.
2. The categories of sources from which personal information is collected.
3. The business purpose for collecting your personal information.
4. The categories of third parties with whom we share your personal information.
5. The specific pieces of personal information we have collected about you.

9.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (such as legal compliance obligations).

9.3 Right to Opt-Out of Sale

We do not sell your personal information. We do not engage in the "sale" of personal information as defined by the CCPA. No opt-out is necessary, but if you have concerns, contact privacy@learningnuggets.com.

9.4 Right to Non-Discrimination

We will not discriminate against you for exercising any CCPA rights. You will not receive different pricing, service quality, or access levels for exercising your privacy rights.

9.5 Exercising Your Rights

To exercise CCPA rights, contact privacy@learningnuggets.com or submit a request through your account settings. We will verify your identity before processing requests and respond within 45 days.

10. Cookies and Tracking

10.1 Cookies We Use

10.2 What We Do NOT Use

1. No third-party advertising cookies. We do not serve ads and do not allow third-party advertising networks to place cookies on the Service.
2. No cross-site tracking. We do not track your activity across other websites.
3. No social media tracking pixels unless you explicitly interact with a social sharing feature (not currently implemented).

10.3 Cookie Management

Essential cookies (authentication and security) are required for the Service to function. You may configure your browser to block cookies, but this may prevent you from using the Service.

11. Docker Lab Data

11.1 What We Collect in Labs

When you use Docker lab environments, we collect:

1. Terminal commands -- Commands you enter in the lab terminal are captured for educational purposes (allowing the AI tutor to observe your progress and provide guidance).
2. Session metadata -- Machine lifecycle events (provision, pause, resume, terminate), session duration, and resource usage.
3. Lab environment type -- Which lab image was provisioned and the associated topic.

11.2 How Lab Data Is Used

1. Educational feedback -- Terminal activity is shared with the AI tutor (within the same session) so it can provide relevant guidance based on what you are doing.
2. Security monitoring -- Activity is monitored for violations of our Terms of Service (such as attempts to escape the sandbox or attack external systems).
3. Usage tracking -- Session duration is tracked against your tier's monthly budget.

11.3 Lab Data Retention

1. Terminal session logs are stored for 30 days after the session ends and then automatically deleted.
2. Logs are stored in encrypted storage (Supabase Storage) with access restricted to your account and platform administrators.
3. No personally identifiable information is intentionally stored within lab environments. PII redaction is active for all protected users.

11.4 Lab Data Sharing

Lab activity data is not shared with any third party except:

• Fly.io -- As the infrastructure provider, Fly.io processes machine lifecycle operations. Terminal content is relayed through our backend and is not stored by Fly.io beyond operational needs.

12. Security Measures

We implement the following security measures to protect your data:

1. Encryption in Transit -- All data transmitted between your browser and our servers uses TLS (HTTPS) encryption.
2. Encryption at Rest -- Database contents are encrypted at rest through our infrastructure providers (Supabase, Railway).
3. Row Level Security (RLS) -- Database access policies ensure users can only access their own data. Every table containing user data has RLS policies enforced and tested.
4. JWT Authentication -- Stateless, cryptographically signed tokens (ES256) for API authentication. No session data stored server-side.
5. Lab Security -- Docker labs operate with seccomp profiles, network isolation (no outbound internet), resource limits, and runtime monitoring. Suspicious activity triggers automatic termination.
6. PII Redaction -- Automated redaction of personally identifiable information before it reaches AI providers, enforced for all minors and school-affiliated users.
7. Password Security -- Passwords are hashed using industry-standard algorithms. We never store plaintext passwords.
8. Access Controls -- Role-based access control (student, teacher, admin) enforced at middleware and database levels.

12.1 Incident Response

In the event of a data breach affecting your personal information, we will:

1. Notify affected users within 72 hours of discovery (or as required by applicable law).
2. Notify relevant supervisory authorities as required by GDPR, state breach notification laws, or other applicable regulations.
3. Take immediate steps to contain and remediate the breach.

13. International Data Transfers

LearningNuggets is based in the United States. Your data is processed and stored on servers located in the United States through our infrastructure providers (Supabase, Vercel, Railway, Fly.io).

If you access the Service from outside the United States:

1. Your data will be transferred to and processed in the United States.
2. For users in the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other lawful transfer mechanisms, to ensure adequate protection of your data.
3. By using the Service, you consent to the transfer of your data to the United States, subject to the protections described in this Privacy Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

1. We will update the "Last Updated" date at the top of this document.
2. We will notify registered users via email or an in-platform notification at least 14 days before the changes take effect.
3. For School tier accounts, we will provide at least 30 days' notice to institutional administrators.
4. For changes affecting children's data (COPPA), we will obtain renewed parental consent where required.

15. Contact Information

If you have questions or concerns about this Privacy Policy or our data practices:

• Privacy Inquiries and Data Rights Requests: privacy@learningnuggets.com
• Data Protection Contact: privacy@learningnuggets.com
• General Support: support@learningnuggets.com
• Legal and Institutional Agreements: legal@learningnuggets.com
• Security Vulnerability Reports: security@learningnuggets.com

This Privacy Policy is effective as of March 22, 2026.