Privacy Policy

1. Who We Are

BrightRoot is an after-school academic enrichment program run by Scientia Vitae Academy. We serve students ages 8–17. We take the privacy of children seriously and follow US and international laws designed to protect them.

2. What Information We Collect

We collect only what we need to run the program:

• Parent or guardian: Name, email address, and phone number. This is used for enrollment communication, billing, and progress reports.
• Student: First name, age group (for cohort placement), and current school name. We do not collect student home addresses or social security numbers.
• Learning activity: Assignments submitted, session attendance, reflections written or recorded, rubric scores, and AI tutor interactions. This is used to track progress and provide teacher feedback.
• Technical: Log-in timestamps and browser type, used for security and to fix technical problems.

We collect only what is necessary for your child's education. We do not collect data we do not need.

3. How We Use the Information

• To deliver lessons and track your child's learning progress
• To give teachers information they need to support each student
• To send weekly progress reports to parents
• To process tuition payments
• To improve the BrightRoot program using anonymized, combined data — never data linked to individual students
• To comply with legal requirements

We do not use student data to show advertisements. We do not sell personal information to anyone.

4. Who We Share Data With

We share personal information only with the companies that help us run BrightRoot:

• Supabase — Our secure database. Student and parent data is stored in Supabase data centers in the United States.
• Stripe — Processes tuition payments. Stripe sees parent billing information only. Stripe does not receive student data.
• Anthropic — Powers the AI tutoring features. Student questions and AI responses are sent to Anthropic for processing. Anthropic does not retain personal student data after the session ends, per their enterprise data policies.
• BrightRoot teachers and staff — Teachers in your child's cohort can see their student's submissions, reflections, and progress scores.

We do not share data with schools, third-party advertisers, data brokers, or any other parties. We may disclose information to legal authorities if required by law.

5. Children's Privacy (COPPA)

BrightRoot serves students as young as 8 years old. US law (COPPA — the Children's Online Privacy Protection Act) requires us to get a parent's permission before we collect personal information from any child under 13.

How we get consent: When enrolling a student under 13, the teacher or administrator confirms that they have obtained the parent's or guardian's written consent before the student's account is created. Parents also receive an enrollment confirmation email.

What parents can do:

• Review all personal information we hold about their child by emailing us
• Request that we correct or delete their child's personal information at any time
• Withdraw consent and have their child's account and data removed

We do not use student data for behavioral advertising. We do not allow third-party tracking on student accounts.

6. Your Rights (GDPR — UK and EU Users)

If you are in the UK or EU, you have the following rights:

• Access: You can ask us for a copy of the personal data we hold about you or your child.
• Correction: You can ask us to fix any information that is wrong.
• Erasure: You can ask us to delete your or your child's personal data. We will process deletion requests within 30 days.
• Portability: You can ask for a copy of your data in a machine-readable format.
• Object: You can object to certain types of data processing.
• Withdraw consent: If we are processing data based on your consent, you can withdraw that consent at any time.

To exercise any of these rights, email [email protected].

7. Cookies

We use essential cookies to keep you logged in. These are required for the platform to work and do not track your activity across other websites.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. A notice will appear on your first visit to confirm this.

8. Data Security

We use encrypted connections (HTTPS), access controls, and secure hosting to protect personal data. Only authorized staff and teachers can access student information. No system is 100% secure, and we cannot guarantee absolute security.

9. How Long We Keep Data

We keep student and parent data for the duration of enrollment plus 12 months after a student leaves the program. This allows us to provide final reports and handle any billing questions. After that period, personal data is deleted. Anonymized and aggregated data (with no names or identifying information) may be kept longer for program improvement.

10. Deleting Your Account

You can request deletion of your account and all associated data at any time by emailing [email protected]. We will confirm the deletion within 30 days.

11. Changes to This Policy

We may update this policy. If we make important changes, we will email you at the address on file at least 14 days before the changes take effect. The updated date at the top of this page shows when it was last changed.

12. Contact

For privacy questions, data access requests, or deletion requests:

• Email: [email protected]
• General: [email protected]