Privacy Policy

This policy applies to mayprompt.com, our learning application, the practice library, and related services (the “Service”). It covers individual learners, parents who manage child profiles, educators, and enterprise/organization users. It does not cover third-party sites we link to.

Account information you provide:

• Name (display name) and email address.
• Account type (student, educator, professional, parent, or individual).
• Optional organization details: organization type (school or company), organization name, and job title.
• Your chosen learning track and password (stored only as a salted hash by our authentication provider).

Learning activity we generate as you use the Service:

• Lesson and drill progress: scores, letter grades, stars, XP, levels, streaks, and the responses you submit in lesson drills (e.g., the prompt you write when an exercise asks you to rewrite one).
• Estimated tokens saved and similar learning metrics.
• For parent-managed child profiles: the child’s display name, chosen track, and a full activity history of the exercises they complete (see Section 8).

What we do NOT do with the Playground: prompts you type into the interactive Playground are analyzed entirely in your browser by a deterministic, rule-based engine. They are not transmitted to any AI model and not stored on our servers. Drawings made in kids’ exercises stay on your device.

Technical data: like most websites, our infrastructure providers process standard log and device data (IP address, browser type, timestamps) to deliver and secure the Service. We use a minimal first-party cookie to keep you signed in. We do not use third-party advertising or cross-site tracking cookies.

Payment data: if and when paid plans are enabled, payments are processed by a third-party payment processor. We do not store full card numbers on our servers.

• Provide, operate, and personalize the Service and your learning progress.
• Authenticate you and keep your account secure.
• For enterprise customers, give the organization’s administrator aggregate and per-member progress and savings figures.
• For parents, provide visibility into their child’s activity.
• Maintain, debug, and improve the Service.
• Communicate with you about your account, security, and material changes.
• Comply with law and enforce our Terms.

We do not sell your personal information, and we do not use it for behavioral advertising.

Where the GDPR/UK GDPR applies, we process personal data under these bases: performance of a contract (to provide the Service), legitimate interests (to secure and improve the Service), consent (for optional features and child profiles), and legal obligation.

We share personal data only as needed to run the Service:

• Service providers (subprocessors) that host and power the Service, under contract — see Section 6.
• Your organization’s administrator, if you sign up under an enterprise/organization account, may see your learning progress within that organization.
• Legal, safety, and business-transfer situations (e.g., to comply with law, protect rights, or in a merger/acquisition, with notice where required).

We rely on these vetted providers:

• Amazon Web Services (AWS) — cloud hosting, content delivery, and compute (United States).
• Supabase — managed database and authentication (runs on AWS).
• A payment processor (e.g., Stripe) — only if/when paid plans are enabled.

These providers process data on our behalf under data-processing agreements and may not use it for their own purposes.

We keep account and learning data while your account is active. You can delete your account at any time from the Account page; deletion removes your profile, progress, attempts, and (for parents) your children’s profiles and activity. We may retain limited records as required by law or for legitimate business needs (e.g., security logs), then delete or anonymize them.

Our Sprouts track is intended for children aged 8–12. Children do not create their own accounts; a parent or guardian creates and manages a supervised child profile, provides consent, and can review and delete all of the child’s activity at any time. We collect only the child’s display name and learning activity, never behavioral-advertising data. For full details, including parental rights and how to exercise them, see our Children’s Privacy (COPPA) notice.

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. You can edit your profile and delete your account in-app, or contact us. California residents (CCPA/CPRA) have the right to know, delete, correct, and to opt out of “sale”/“sharing” — we do not sell or share personal information as those terms are defined. We will not discriminate against you for exercising your rights.

To make a request, email privacy@mayprompt.com. We may need to verify your identity first.

We use industry-standard safeguards including encryption in transit (HTTPS), row-level security on our database so users can only access their own data, hashed passwords, scoped access controls, and bot protection on sign-up and sign-in. No system is perfectly secure, but we work to protect your information and will notify affected users of a material breach as required by law.

We operate in the United States; if you access the Service from elsewhere, your data is processed in the U.S. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international transfers.

We may update this policy. Material changes will be announced in-app and reflected by a new effective date. Continued use after changes means you accept the updated policy.

Privacy questions or requests: privacy@mayprompt.com.