Privacy Policy

“BrainSpark” (the “Service”) is operated as an educational practice platform. This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, and your rights over that information.

Account information

• Email address
• Password (hashed and stored by Firebase Authentication; we never see your password in plaintext)
• Display name and role (student, guardian, or teacher)
• Email verification status
• Account creation and last-sign-in timestamps

Practice data

• Answers you submit (which option you chose, or your written response)
• Scores, correctness, time spent per question
• Diagnostic attempts, mastery progress, mock-exam results, control-paper results
• Which concepts you have viewed, which archetypes you have drilled
• Streaks, session counts, neglected-section flags

Writing submissions

• The full text of your writing response to a prompt
• AI grading results (overall score, per-criterion scores, band descriptors, feedback, flagged errors)
• Time spent on each writing submission

Device & session information

• Browser type, operating system, screen size (via standard HTTP and client-side checks)
• IP address (logged transiently by Firebase for security/abuse purposes; not stored long-term)
• Session timestamps

We do not collect precise geolocation, contact lists, photos, microphone, camera, or any device-file content.

AI provider inputs

When you use a feature powered by an AI provider (writing grading, coaching chat, Socratic tutor, teach-me, concept explainer), your relevant inputs (question stem, your answer, writing text, prior chat turns) are sent to the provider to generate a response. We use the providers listed in Section 4.

• To provide the core service (practice, grading, personalised recommendations)
• To generate analytics (readiness score, trajectory, weak-archetype surfacing)
• To detect abuse and secure accounts
• To fix bugs and improve the Service
• To produce anonymised, aggregated statistics about feature use and content quality

The Service relies on the following processors. By using the Service you consent to your data being processed by them.

Each provider has its own privacy policy. We recommend reviewing them. BrainSpark is not responsible for those providers' data-handling practices, outages, or policy changes.

• Sell your personal data to anyone.
• Share your data for marketing, advertising, or profiling.
• Build a third-party advertising profile.
• Use your writing submissions to train our own models (subject to AI providers' own retention policies).

BrainSpark is designed for school-aged students. For users under 13, an adult (parent or guardian) must create the account and expressly consent to the data processing described here.

How we collect consent. During signup, students under 13 must supply a parent or guardian name and email address. On the first signed-in session, a consent modal requires the parent/guardian to tick an acknowledgement checkbox in the child's presence, confirming they have reviewed this Policy and the Terms, understand the key risks (including AI inaccuracy and experimental features), and consent to the child's use of the Service. Parent details and the consent timestamp are recorded against the child's account for audit.

Self-declaration only. This consent model is self-declaration. BrainSpark does not currently perform verified parental consent (e.g. email-click verification, payment-card verification, or government-ID matching). Operators wishing to meet stricter COPPA, GDPR-K, or Australian Privacy Act verified-consent standards should implement such a verification flow before launching to a broader audience. Parents and guardians may contact us at any time to review, correct, or delete a child's data.

• Practice data is retained while your account is active and for up to 12 months after account deletion for audit and abuse-detection purposes.
• Writing submissions are retained indefinitely in your account unless you request deletion. Anonymised, aggregated signals derived from submissions may persist indefinitely for service improvement.
• AI provider inputs may be retained by the provider under its own retention policy, which BrainSpark does not control.
• Logs (IP, request timestamps) are retained for up to 30 days for security and debugging.

Depending on your jurisdiction, you may have the right to access, correct, export, restrict processing of, or delete your personal data. To exercise these rights, email us at srinipatil@gmail.com. We aim to respond within 30 days.

If you are in the European Economic Area, United Kingdom, or a jurisdiction with equivalent protections, you may also have the right to lodge a complaint with a supervisory authority.

BrainSpark stores practice progress in your browser under localStorage keys prefixed brainspark. and a unified attempt log key brainspark-attempt-log. Clearing your browser storage will erase device-local progress, but cloud-synced data in Firestore will remain.

Data is encrypted in transit (HTTPS). Firestore security rules restrict reads and writes to each authenticated user's own documents. Cloud Functions run under standard Google Cloud security. No security system is perfect; you accept residual technical risk inherent in any internet service.

Data may be processed on servers outside Australia, including in the United States (Firebase, Gemini) and China (DeepSeek fallback). By using the Service you consent to these transfers. These providers may be subject to lawful access requests by their local authorities.

We may update this Privacy Policy. Material changes will trigger a version bump and you may be prompted to re-accept. The current version and effective date are shown at the top of this page.

Privacy questions, data-access requests, or data-deletion requests:

srinipatil@gmail.com