Privacy Policy
Last updated: June 12, 2026
The short version
- We collect your email and your name (or your child's name) to manage your account and to deliver classes. That's the core of it.
- We never sell your data. We never advertise external services to you or your children.
- We share data only with the tools we need to run the service. We store data on DigitalOcean's infrastructure and use Mailgun for email — both are contractually restricted from using your data for their own purposes. Payments are processed by Square, which maintains its own privacy practices for payment data.
- Parents can access, correct, or delete their child's data at any time by emailing [email protected].
- Student data is protected under California's SOPIPA law and the federal COPPA law.
Contents
This Privacy Policy describes how Data Detectives LLC, a California limited liability company ("Data Detectives," "we," "us," or "our"), collects, uses, and protects information about the people who use our educational services, website, and any associated applications (collectively, the "Service"). This policy applies to parents, guardians, students, instructors, and any other visitors to our website.
1. Information We Collect
We collect information in two ways: information you provide directly, and information collected automatically when you use the Service.
Information you provide directly
- Account information: email address and password (stored encrypted). Your username is automatically generated from the portion of your email address before the @ symbol and is not displayed to other users. You may choose a display name for your child or it defaults to "Default Name" if you are an adult and is shown when applicable — you may update it at any time in your account settings. Required to create an account.
- Profile details (all optional — only collected if you choose to provide them):
- Bio — available to adult users (18+) only
- Profile photo — available to adult users (18+) only. We do not collect or store profile photos from users under 18.
- Phone number
- School - for minor students, optional
- Organization — relevant for instructors or institutional accounts
- Student profile: student first and last name, provided by the parent or guardian at enrollment. Users under 18 select from a set of pre-defined avatars in place of a profile photo; we do not collect or store profile photos or bios from minor students. Adult students (18+) may optionally upload a profile photo.
- Educational data: class enrollments, session records, assignments, submissions, grades, progress notes, and learning metric recordings.
- Communications: messages or emails you send us, including inquiries, support requests, and discovery call notes.
- Payment information: processed through Square. We do not store full card numbers — payment data is handled entirely by our processor.
Information collected automatically
We collect very little data automatically. We do not use analytics tools, tracking pixels, or behavioral monitoring. The only information collected without your direct input is:
- Account activity timestamps: when your account was created and when you most recently logged in, used for account security and administration.
- Session and security cookies: described in full in Section 9.
Information we do not collect
We do not collect Social Security numbers, government-issued ID numbers, precise geolocation data, or biometric identifiers. We do not collect any personal information from students under 18 without verifiable parental consent.
2. How We Use Information
We use the information we collect for the following purposes only:
- To deliver our educational services: organizing classes, tracking student progress, connecting students with instructors, and communicating with parents about their child's experience.
- To communicate with you: sending class confirmations, schedule updates, progress summaries, and service-related information to you or the parent or guardian on file.
- To process payments: solely to process enrollment fees and apply our Learning Guarantee policy.
- To improve our services: we use operational and platform data — including course enrollment patterns, discovery call conversion rates, onboarding completion, platform usage, and instructor performance ratings — to improve our curriculum, instructor matching, student onboarding, and overall service quality. This analysis is conducted internally and is never shared with third parties. Where possible, we use aggregated or de-identified data. We do not use individual student educational content — including assignments, grades, or session notes — for business analytics or service improvement purposes.
- To comply with legal obligations: we may use or disclose information as required by applicable law, court order, or lawful government request.
We do not use student information for
- Targeted or behavioral advertising to third parties, on our Service or anywhere else
- Any marketing or advertising using student educational data — progress records, assignments, grades, and session notes are never used for commercial purposes of any kind
- Building profiles of students for any non-educational purpose
- Selling, renting, trading, or licensing student data to any third party
- Any commercial purpose unrelated to delivering the educational service you or your family enrolled in
First-party communications
We may use parent, guardian, and adult student contact information to let you know about other Data Detectives courses, features, or programs that may be relevant to your enrollment. These communications are first-party only — we do not share your information with third parties for marketing purposes. You can opt out of non-essential communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at [email protected].
3. Data Sharing
We share information with third parties only in the following limited circumstances.
Instructors
Instructors actively working with a student can view that student's progress records, notes, assignments, and learning metrics — and only for the students they are currently assigned to. Instructors are contractually required to handle student data in accordance with applicable privacy law.
Service providers
We use the following third-party vendors to operate the Service. Except where noted, each is contractually prohibited from using your data for their own purposes:
| Provider | Purpose | Data shared |
|---|---|---|
| DigitalOcean (App Platform / Droplet) | Web application hosting | All data transmitted through the Service passes through DigitalOcean infrastructure |
| DigitalOcean Managed PostgreSQL | Database hosting | All user accounts, student profiles, educational records, and application data, encrypted at rest |
| DigitalOcean Spaces | File and media storage | Uploaded files and static assets associated with accounts |
| Mailgun (Sinch) | Transactional email delivery | Parent / guardian and adult student email addresses, names, and email content (enrollment confirmations, progress updates, account notifications) |
| Cloudflare | Security, DDoS protection, and bot management | Network-level traffic data (IP addresses, request metadata) for security filtering. Cloudflare does not receive your application data. |
| Square | Payment processing (in-person and online) | Parent / guardian or adult student name, email address, and payment details. We do not store card numbers — all payment data is handled directly by Square. Square maintains its own privacy policy governing buyer data at squareup.com/legal/privacy. |
Legal requirements
We may disclose information if required to do so by law, court order, subpoena, or lawful government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Data Detectives, our users, or the public.
Business transfers
If Data Detectives is involved in a merger, acquisition, or sale of assets, we will notify you and parents and guardians before any student data is transferred to a new entity, and we will provide an opportunity to request deletion of your or your child's data prior to the transfer.
We do not sell personal information
We do not sell, rent, trade, or share personal information with advertisers, data brokers, or any third party for marketing or commercial purposes.
4. Children's & Minor Students' Privacy
Our service is designed also for school-aged students to be used under parental supervision.
We take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA) and the FTC's 2025 COPPA Rule amendments, with full compliance required by April 22, 2026. Federal COPPA law specifically governs students under 13. For students ages 13–17, we apply equivalent protections as a matter of policy.
For students under 18
We do not collect personal information from children under 18 without first obtaining verifiable parental consent. Before enrollment, a parent or guardian must complete our enrollment process, which includes a standalone COPPA-compliant consent step, and email verification after account signup. If we discover we have collected information from a child under 18 without proper parental consent, we will delete it promptly.
What we collect from students
With parental consent, we collect only the information necessary to deliver our educational services: the student's first and last name, school (optional), class enrollment status, and educational progress data (assignments, session notes, learning metrics). Students under 18 use pre-defined avatars — we do not collect student email addresses, profile photos, precise location data, or free-text bio fields from minor users.
Parental rights
Parents and guardians have the right to:
- Review the personal information we have collected about their child at any time
- Request correction of inaccurate information
- Revoke consent and request deletion of their child's personal information
- Refuse to allow further collection or use of their child's information going forward
- Request a copy of their child's data in a portable format
To exercise any of these rights, contact us at [email protected]. We will respond within 10 business days. Revoking consent may affect your child's ability to continue using the Service.
Data retention for children's data
We retain student personal information only for as long as necessary to deliver the enrolled class, and for up to 12 months afterward. Upon a parent's written deletion request, we will delete the student's personal information within 30 days. Educational progress records may be retained in anonymized, non-identifiable form for service improvement purposes only.
Data protection impact assessment (DPIA)
We have conducted a Data Protection Impact Assessment evaluating how our Service may affect student users, and we review this assessment whenever we make material changes to our data practices.
5. Student Data & SOPIPA Compliance
Data Detectives complies with California's Student Online Personal Information Protection Act (SOPIPA), Cal. Business & Professions Code § 22584.
As an operator of a service used for K–12 educational purposes, we make the following commitments regarding student personal information:
- We will not sell student personal information under any circumstances.
- We will not use student personal information for targeted advertising, on our Service or on any third-party service.
- We will not use student personal information to build a profile of a student for any non-educational purpose.
- We will not disclose student personal information except to provide the educational service, to comply with a legal obligation, or with the explicit written consent of the parent or guardian.
- We maintain reasonable security procedures, including encryption in transit and at rest and role-based access controls, to protect student personal information from unauthorized access, disclosure, or destruction.
- We will delete student personal information upon written request from a parent, guardian, or school within 30 days.
6. Data Security
We implement reasonable and appropriate technical and organizational measures to protect personal information, including:
- Encryption of all data in transit using TLS/HTTPS
- Encryption of database records at rest
- Application-level access controls — instructors can only access data for their assigned students through our platform; direct database access is restricted to administrative personnel only
- Password hashing using PBKDF2 with SHA-256; passwords are never stored in plaintext
- Regular review of our data handling and access practices
No system is completely secure. In the event of a data breach that may affect your personal information, we will notify affected parents and guardians as soon as reasonably possible and no later than 72 hours after discovering the breach, as required by California law (Cal. Civil Code § 1798.82).
7. Data Retention
| Data type | Retention period |
|---|---|
| Parent/guardian or adult account information | Duration of active account + 30 days after deletion request |
| Student profile and enrollment data | Duration of active enrollment + 12 months |
| Educational progress records | 12 months after the end of the last active enrollment; deleted upon written request regardless of account status |
| Payment records | 7 years, as required by tax law |
| Communications and support records | 3 years |
Upon account deletion, we will anonymize or delete personal data within 30 days. For students under 18: we will delete all personal information upon a parent's written request within 30 days, regardless of account status. Payment records are retained only as required by law and do not contain student educational data.
8. Your Rights
- Right to know: request a summary of the personal information we hold about you or your child.
- Right to access: view your personal data at any time via your account profile, or by contacting us.
- Right to correct: request correction of inaccurate information. You can update most information directly in your account settings.
- Right to delete: request deletion of your personal information. We will process deletion requests within 30 days, except where we are legally required to retain certain data.
- Right to data portability: request an export of your data in CSV format. (Feature in development — contact us to request a manual export in the meantime.)
- Right to revoke consent (COPPA): parents may revoke consent for their child's data collection at any time. See Section 4 for details.
To exercise any of these rights, email [email protected] or use our contact form. We will respond within 10 business days.
9. Cookies & Tracking
We use only strictly necessary cookies on this site. We do not use analytics cookies, advertising cookies, or any third-party tracking scripts.
| Cookie | Type | Purpose | Expiry |
|---|---|---|---|
| sessionid | Strictly necessary | Keeps you logged in securely. Set as HttpOnly — inaccessible to JavaScript for security purposes. | 2 weeks (or on logout) |
| csrftoken | Strictly necessary | Protects all form submissions from cross-site request forgery attacks | 1 year |
| __cf_bm | Strictly necessary | Set by Cloudflare to distinguish human visitors from automated bots, protecting the site from malicious traffic. Does not identify or track individual users. | 30 minutes |
The cookie notice preference is stored in your browser's localStorage under the key dd_cookie_notice_dismissed, not as a cookie. It stores only a numeric flag and contains no personal information.
Our application runs on DigitalOcean App Platform. Our domain is proxied through Cloudflare for security and DDoS protection. Cloudflare may set the __cf_bm cookie listed above for bot detection purposes. Neither DigitalOcean nor Cloudflare set advertising or tracking cookies on your browser.
10. Do Not Track
California law (CalOPPA) requires us to disclose how we respond to "Do Not Track" browser signals. Because we use no analytics, advertising, or behavioral tracking technologies of any kind, enabling Do Not Track in your browser has no additional effect on your experience on this site. We do not track users across third-party websites.
11. Shine the Light (Cal. Civil Code § 1798.83)
California residents may request, once per calendar year, a list of the categories of personal information we have disclosed to third parties for direct marketing purposes during the preceding year. We do not share or disclose personal information to any third party for direct marketing purposes. We have no information to provide in response to a Shine the Light request, but you are welcome to contact us to confirm this at [email protected].
12. Do Not Sell or Share My Personal Information
We do not sell, share, or monetize your personal information in any way — including for the purpose of cross-context behavioral advertising. This applies to all users, including California residents exercising rights under CCPA and CPRA.
There is nothing to opt out of because we do not engage in these practices. If you have questions or want written confirmation, contact us at [email protected].
13. Changes to This Policy
We may update this Privacy Policy from time to time as our services evolve or as laws change. We will notify you of material changes by:
- Sending an email to the address on file at least 30 days before changes take effect
- Posting a prominent notice on our homepage and on this page
- Updating the "Last updated" date at the top of this document
For material changes affecting how we handle student or children's data, we will obtain fresh parental consent where required by COPPA. Your continued use of the Service after the effective date of an updated policy constitutes acceptance for non-material updates.
14. Contact Us
For privacy questions, data requests, COPPA inquiries, or to exercise any of your rights:
Data Detectives LLC
1255 Treat Blvd, Suite 300 PMB 3136
Walnut Creek, CA 94597
Email: [email protected]
We aim to respond to all privacy requests within 10 business days.