# Scholar — Privacy Policy

**TEMPLATE — review with counsel before publishing.**
**Last updated: [DATE]**
**Effective: [DATE]**

This policy explains what Scholar collects, why, who sees it, and how to
delete it. It applies to anyone using Scholar at scholar.[example].edu and
to any school instance hosted by [Operator Legal Name].

We publish this policy to comply with state student-data privacy laws,
including but not limited to California SOPIPA, Illinois SOPPA, and New
York Education Law §2-d, and with the federal FERPA framework.

---

## 1. Who we are

Scholar is operated by **[Operator Legal Name]**, a [State] [entity type],
located at **[business address]**. Our designated privacy contact is:

> **[privacy officer name]**
> privacy@[domain]
> [phone]
> [postal address]

Our designated DMCA agent is listed in `DMCA-NOTICE.md` and registered
with the U.S. Copyright Office.

For users in the European Economic Area, our Data Protection Officer is
**[DPO name + contact]**.

## 2. What we collect

Scholar collects only the information needed to run an academic
discussion forum.

### Account information
- Name (display name)
- Email address (school-issued or personal, depending on signup method)
- Hashed password (or LMS-provided identity if signed in via LTI)
- Role: student, teaching assistant, or teacher
- Section number, if your teacher uses sections

### Class activity
- Class memberships and join dates
- Discussion posts and replies you author (text + uploaded attachments)
- Reactions you place on others' posts (agree, push back, curious, cite)
- Assignments you submit (drafts and final submissions)
- Grades and feedback your teacher records on your work
- Calendar events your teacher publishes
- Read receipts (which posts you've seen, last-visit timestamps)

### Operational metadata
- IP address (retained for 30 days only, and used only for security investigation)
- Browser user-agent (used for security investigation only)
- Account creation, last-login, password-reset timestamps
- Any audit-log entries generated by your or your teacher's actions

### What we do NOT collect
- We do not collect biometric data.
- We do not collect precise geolocation.
- We do not run advertising trackers, pixels, or analytics SDKs.
- We do not sell, rent, or share your data with advertisers.
- We do not build advertising profiles or targeted-ad cohorts.
- We do not share data with social-media platforms.
- We do not retain credit card or payment information (handled by Stripe
  via tokenization if you ever pay us — students never do).

## 3. Why we collect it

Each piece of data has a specific operational purpose:

| Data | Purpose |
|---|---|
| Email + password | Authenticate you; deliver password resets |
| Name + role | Display in class roster; route teacher tools |
| Posts + replies | The product itself (a discussion forum) |
| Grades + feedback | Communicate teacher assessment to you |
| Read receipts | Show your teacher who's keeping up |
| IP + user-agent | Security investigation only; deleted after 30 days |
| Audit log | Show why a grade or flag changed (FERPA right of inspection) |

We do not process your data for any purpose other than those listed
above. We will not introduce a new purpose without notifying you and (if
you are under 13 or your school requires it) obtaining additional
consent.

## 4. Who sees it

### Inside your school
- **You** see all of your own data (including your grades) and the
  public posts in your class.
- **Your teachers and authorized teaching assistants** see your full name
  attached to anonymous posts (an unavoidable consequence of FERPA — they
  are "school officials" with a legitimate educational interest), your
  grades, your submission history, and any AI-checker signals that fired
  on your writing.
- **Other students** see only your display name on your public posts and
  reactions; they do *not* see your grades, the AI-checker signals, or
  your anonymous-post identity.
- **School administrators** see only what their role inside Scholar
  permits — by default, nothing more than what teachers see.

### Outside your school
- **No one** sees your data outside your school except as required to
  operate the service (subprocessors below) or compelled by valid legal
  process.
- We do not sell, rent, license, or share your data for any commercial
  purpose. Ever.

### Subprocessors
We use the following third-party services. Each is contractually bound to
the same data-protection terms we offer you:

| Subprocessor | Purpose | Location | Compliance |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | USA | SOC 2 Type II, HIPAA-compatible |
| Cloudflare, Inc. | Static site hosting, edge security | USA | SOC 2 Type II, FedRAMP Moderate |
| [SendGrid / other email provider, if used] | Transactional email | USA | SOC 2 |

Full subprocessor list and 90-day change-notification policy: see
`SUBPROCESSORS.md`.

### Compelled disclosure
We will turn over your data to law enforcement only when presented with a
valid subpoena, warrant, or court order, and we will notify your
school's general counsel before complying unless legally prohibited.

## 5. How long we keep it

| Data | Retention |
|---|---|
| Account record | While you're enrolled + 90 days after last enrollment ends |
| Class content (posts, submissions) | Per the contracting school's retention schedule, default 7 years (matches FERPA) |
| Audit log | 7 years (FERPA records-retention default) |
| IP address logs | 30 days |
| Email-delivery logs | 30 days |
| Backup snapshots | 30 days rolling, encrypted at rest |

Full schedule and deletion process: see `DATA-RETENTION.md`.

## 6. Your rights

You may, at any time:

- **Access** your data — sign in and see it, or request a machine-readable
  export by emailing privacy@[domain].
- **Correct** inaccuracies in your name, email, or section by editing
  your profile (or asking your teacher to correct grade records).
- **Delete** your account and all associated content by clicking
  "Delete my account" on the settings screen, or emailing
  privacy@[domain]. We will complete deletion within 30 days. Posts that
  others have replied to may be replaced with a tombstone reading
  "(deleted user)" rather than removed entirely, to preserve thread
  context — let us know if you want a hard delete instead.
- **Object** to our processing — email privacy@[domain].
- **Restrict** processing — email privacy@[domain].
- **Withdraw consent** (where consent is the lawful basis) — email
  privacy@[domain].
- **Lodge a complaint** with your state's Attorney General or
  (in the EEA) your local supervisory authority.

If you are under 13, your parent or legal guardian can exercise these
rights on your behalf. We will respond to all rights requests within 30
days (or sooner, where state law requires).

## 7. AI integrity checker — special notice

Scholar includes an AI-writing-detection tool used by teachers. Important
disclosures:

- The detector is **not a probability claim**. It runs twelve independent
  factual checks (e.g. "this passage uses three em-dashes per few
  sentences," "this passage has zero contractions in 200 words") and
  reports which signals fired with the underlying measurement. It does
  **not** report a "% likely AI" number.
- The detector is **only visible to teachers**. Students never see
  signals on their own writing.
- A signal firing is **not evidence of academic misconduct**. It is a
  prompt for the teacher to read more carefully and (if they have
  concerns) talk to the student.
- You may request the **full audit log** of any AI-checker signal that
  fired on your writing by emailing privacy@[domain]. We will provide it
  within 30 days.
- You may request **human-only review** of any grade affected by an AI
  signal. Your teacher and school decide grade appeals; we do not.

For the model card describing how the detector works, see
`AI-CHECKER-DISCLOSURE.md`.

## 8. Children under 13 (COPPA)

Scholar is intended for use in schools, where it operates under the
**school authorization exception** to COPPA (16 CFR §312.5(c)(6)). Your
school has authorized us to collect a limited set of student information
on its behalf, in lieu of obtaining individual parental consent.

Parents or guardians who would like to:

- Review their child's information,
- Request deletion of their child's information,
- Refuse further collection or use of their child's information,

should contact the child's school directly. The school can then contact
us at privacy@[domain]. We will comply within 30 days.

## 9. Security

We protect your data with industry-standard practices including:

- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security policies enforced at the database, not in the
  browser
- Principle-of-least-privilege access controls; only on-call engineers
  have production database read access, and all access is logged
- Multi-factor authentication required on all administrative accounts
- Quarterly penetration testing by an independent security firm
- Annual SOC 2 Type II audit [once obtained]

In the event of a data breach we will notify affected schools within
**7 days** (consistent with the strictest applicable state law), as
detailed in `BREACH-NOTIFICATION.md`. Affected users will be notified
through their school within an additional 7 days.

## 10. International users

If you are outside the United States, your data will be transferred to
and processed in the United States. We rely on the following safeguards:

- **EEA users:** Standard Contractual Clauses (Module 2 — Controller to
  Processor); Supplementary Measures: encryption + minimal data; Data
  Privacy Framework certification status: [TBD]
- **UK users:** UK International Data Transfer Addendum
- **Swiss users:** equivalent clauses

You may request a copy of our SCCs by emailing privacy@[domain].

## 11. Changes

We will not make material changes to this policy without:

1. Posting notice on the sign-in screen at least 30 days before the
   change takes effect, and
2. Emailing the school administrators of every active deployment.

If you do not accept the change, you have the full 30-day notice period
to delete your account before the change takes effect.

## 12. Contact

- General privacy questions: privacy@[domain]
- DMCA / copyright: see `DMCA-NOTICE.md`
- Security vulnerabilities: security@[domain] (PGP key available)
- DPO (EEA only): [DPO name + email]
- Data subject requests (GDPR / CCPA): privacy@[domain]
