BookBright

Privacy Policy

Last updated: 2026-04-28. First-pass content; lawyer review pending.

1. What we collect

Account holders (parents, 13+ students, teachers): email address, optional display name, hashed password, OAuth provider IDs if used, billing identifiers managed by Stripe and RevenueCat (we do not store card numbers).

Student profiles (under 13): display name and grade level only. No email, no last name, no contact info, no demographics.

Usage data: which questions were attempted, which answers selected, mastery levels, streak data, sticker and badge unlocks, last study date.

2. How we use it

To operate the study experience (serve questions, track progress, award stickers and badges), to process payments via Stripe and RevenueCat, to send transactional email via Resend (signup confirmation, password reset, magic link), and to improve the service in aggregate. We do not sell or rent personal information.

3. Children’s privacy

BookBright is COPPA compliant. We never collect personal information directly from children under 13. Student profiles under 13 store only a display name and grade level. See our COPPA notice for full details, including parental rights to review, delete, or refuse continued collection.

4. Sharing

We share data only with service providers required to run the service: Supabase (database and authentication), Stripe and RevenueCat (payments and entitlements), Resend (transactional email), Vercel (hosting). Each operates under their own privacy commitments and processes data only on our behalf.

5. Storage and retention

Data is stored on Supabase infrastructure (US region). Account data is retained while the account is active and deleted within 30 days of account deletion. Anonymized aggregate data may be retained for product improvement.

6. Security

Passwords are hashed. Data in transit is encrypted via TLS. Database access is gated by row-level security policies that prevent users from seeing other accounts’ data. No system is perfectly secure; we will notify affected users of any breach within 72 hours of discovery.

7. Your rights

You may request access to, correction of, or deletion of your personal data at any time by emailing mark.nygren1@gmail.com. California, Colorado, Connecticut, Virginia, and EU residents have additional rights under their respective privacy laws; we honor those rights regardless of jurisdiction.

8. Cookies

We use cookies for authentication (HTTP-only, SameSite=Lax, Secure in production) and to remember the selected student profile. We do not use third-party advertising cookies.

9. Changes

Material changes to this policy will be communicated by email at least 30 days before they take effect.

10. Contact

Privacy questions or requests: mark.nygren1@gmail.com.