Privacy Policy

Socrates Educational Platform
Effective Date: March 9, 2026
Last Updated: March 9, 2026


1. Introduction

Socrates Educational Platform ("Socrates," "we," "us," or "our") operates the website at socrates.ofbwfh.net (the "Platform"). We provide an AI-powered educational tool that helps students learn through interactive games generated from their homework and assignments.

We take the privacy of our users seriously — especially the privacy of children. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have regarding your data.

This policy applies to all users of the Platform, including students, guardians (parents and caregivers), and administrators. If you are a student under the age of 18, please review this policy with your parent or guardian.

If you are under 13 years of age, we are required by the Children's Online Privacy Protection Act (COPPA) to obtain verifiable parental consent before collecting your personal information. Please see Section 8 (Children's Privacy) for details.

For a child-friendly version of this policy written in plain language, please see our Child-Friendly Privacy Policy.


2. Information We Collect

2.1 Information You Provide Directly

| Data Type | Examples | Who Provides It |
|---|---|---|
| Account information | Name, email address, role (student/guardian) | All users |
| Educational profile | Grade level, school name, city, state (optional) | Students |
| Uploaded content | Homework images, documents, photographs of assignments, direct text input | Students |
| Study notes | Notes and annotations created during study sessions | Students |
| Messages | Communications within family groups | All users |
| Avatar customization | Character selection, hair color, eye color, toga color, accessory choices | Students |
| Parental consent records | Consent confirmations, consent revocation requests | Guardians |

2.2 Information Generated Through Platform Use

| Data Type | Description | Who It Applies To |
|---|---|---|
| AI conversation logs | Exchanges between students and the Socratic tutoring system, including questions asked and guidance provided | Students |
| Game performance data | Scores, completion rates, accuracy, time spent, difficulty levels | Students |
| Activity data | Login timestamps, session durations, feature usage, login streaks | All users |
| Virtual currency records | Socrates Coin (drachma) balances, earning history, spending history, reward proposals | Students |
| Progress metrics | Subject mastery levels, learning trajectory data, escalation patterns | Students |

2.3 Information Collected Automatically

| Data Type | Description | Purpose |
|---|---|---|
| Session tokens | Encrypted authentication tokens stored in cookies | Maintaining your login session |
| IP addresses | Recorded in server logs | Security, abuse prevention |
| Device information | Device type (mobile/tablet/desktop), screen size, browser type | Adapting the interface for your device |
| Error logs | Technical error information | Diagnosing and fixing problems |

2.4 Information We Do NOT Collect

  • We do not collect precise geolocation data.
  • We do not collect biometric data.
  • We do not use third-party tracking pixels, analytics services, or advertising networks.
  • We do not collect financial information (no payments are processed on the Platform).
  • We do not collect social media profiles or contact lists.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Core Educational Services

  • Homework analysis: Uploaded homework is sent to AI providers to identify subjects, concepts, and learning objectives.
  • Game generation: AI providers generate structured game content (as JSON data, not executable code) based on homework analysis.
  • Socratic tutoring: AI powers the help system, providing guided questions and explanations adapted to the student's level.
  • Study audio generation: AI creates audio study materials based on uploaded content.
  • Progress tracking: Game performance and activity data are used to show students and guardians how learning is progressing.

3.2 Account Management

  • Authentication: Email addresses are used to send magic-link login emails.
  • Family management: Account information connects guardians and students within family groups.
  • Communication: Email addresses are used for transactional messages (login links, welcome emails, weekly digest summaries).

3.3 Platform Improvement

  • Bug diagnosis: Error logs and technical data help us identify and fix problems.
  • Feature development: Aggregate, de-identified usage patterns help us understand which features are most useful.

3.4 Safety and Security

  • Abuse prevention: Activity logs and IP addresses help detect unauthorized access.
  • Content moderation: Uploaded content and messages may be reviewed by administrators to ensure compliance with our Acceptable Use Policy.
  • Audit trail: Administrative actions are logged for accountability.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction that requires a lawful basis for processing personal data, our legal bases are:

| Purpose | Legal Basis |
|---|---|
| Providing the educational service | Performance of a contract (Terms of Service) |
| Sending login magic links | Performance of a contract |
| Parental consent for under-13 users | Consent (COPPA/GDPR Article 8) |
| Sending digest emails | Legitimate interest (with opt-out) |
| Security and abuse prevention | Legitimate interest |
| Legal compliance | Legal obligation |

5. How We Share Your Information

We do not sell, rent, or trade your personal information. We do not share your information with advertisers. We share information only in the following limited circumstances:

5.1 AI Service Providers

To provide our core educational features, we send certain data to AI providers for processing:

| Provider | Data Shared | Purpose |
|---|---|---|
| Anthropic (Claude API) | Uploaded homework content (text and images), student grade level, subject context | Homework analysis, game generation, Socratic tutoring, study audio generation |
| OpenAI (GPT-4o API) | Uploaded homework content (text and images), student grade level, subject context | Homework analysis, game generation, Socratic tutoring, study audio generation |

Important: We use these providers' API services, which operate under zero-retention or limited-retention data policies. Content sent via API is not used by these providers to train their AI models. We do not share student names, email addresses, or other account identifiers with AI providers.

5.2 Infrastructure Providers

| Provider | Data Shared | Purpose |
|---|---|---|
| Cloudflare | IP addresses, request metadata (URLs, headers) | CDN, DDoS protection, secure tunnel to our servers |
| Resend (SMTP provider) | Email addresses, email content | Delivering transactional emails (magic links, welcome messages, digest emails) |

5.3 Legal Requirements

We may disclose personal information if required to do so by law, or if we believe in good faith that such disclosure is necessary to:

  • Comply with a legal obligation, subpoena, or court order.
  • Protect the safety of a user, particularly a child.
  • Protect the rights or property of Socrates Educational Platform.
  • Prevent fraud or abuse of the Platform.

5.4 With Guardians

Guardians within a family group can view the following information about students in their family:

  • Profile information (name, grade level)
  • Game performance and progress data
  • Activity summaries
  • AI interaction history
  • Virtual currency balances and transactions
  • Messages within the family group

6. Cookies

We use a minimal number of cookies, all of which are essential for the Platform to function. We do not use any tracking, analytics, or advertising cookies.

| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| next-auth.session-token | Maintains your authenticated session | Session (expires on browser close or after inactivity) | Essential |
| next-auth.csrf-token | Prevents cross-site request forgery attacks | Session | Essential |
| next-auth.callback-url | Remembers where to redirect you after login | Session | Essential |

Because all cookies are strictly essential for the Platform to function, no cookie consent banner is required under most privacy regulations. However, you can manage cookies through your browser settings. Please note that disabling cookies will prevent you from logging in.

For more details, see our Cookie Policy.


7. Data Retention

We retain your information only as long as necessary to provide our services and comply with legal obligations. For complete details, see our Data Retention Policy.

| Data Type | Retention Period |
|---|---|
| Account data | Lifetime of account + 30 days after deletion request |
| Uploaded homework | 1 year after last access, or upon deletion request |
| AI conversation logs | 6 months (rolling) |
| Game session data | 1 year |
| Family messages | Lifetime of the family account |
| Audit logs | 3 years |
| Session tokens | Duration of session |
| Server logs (IP addresses) | 90 days |

When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymized.


8. Children's Privacy (COPPA Compliance)

8.1 Our Commitment

We are committed to complying with the Children's Online Privacy Protection Act (COPPA) and all other laws designed to protect children's privacy. We recognize that many of our users are under 13, and we have designed our Platform with children's privacy as a priority.

8.2 Guardian-First Registration

Students cannot create accounts independently. The registration flow requires:

  1. A guardian creates their own account first.
  2. The guardian creates a family and invites students.
  3. For students under 13, the guardian must provide verifiable parental consent before the student account is activated.
  4. The consent process clearly discloses what data will be collected, how it will be used, and with whom it will be shared.

See our Parental Consent Form for the full consent disclosure.

8.3 Verifiable Parental Consent (VPC)

For students under 13, we implement the following VPC method:

  • Email Plus method: The guardian provides consent through a signed-in authenticated session, and we send a confirmation email with a delayed opt-out period. Because student homework content is shared with third-party AI providers, we supplement this with credit card verification or a signed consent form for higher assurance as required by FTC guidance.

8.4 Parental Rights Under COPPA

As a parent or guardian, you have the right to:

  1. Review your child's data. You can view all data associated with your child's account through your guardian dashboard, or request a complete data export by emailing [email protected].

  2. Request deletion of your child's data. You can request that we delete all personal information collected from your child. We will comply within 30 days. Email [email protected] or use the account deletion feature in your guardian settings.

  3. Refuse further collection. You can revoke consent at any time, which will deactivate your child's account and halt all data collection. Previously collected data will be deleted upon request.

  4. Prevent disclosure to third parties. You can request that we stop sharing your child's data with AI providers. Note that this will disable the core educational features (game generation, tutoring) for your child's account.

8.5 Data Minimization for Children

We collect only the minimum information necessary to provide our educational services. School name, city, and state are optional fields. We do not require children to provide more information than is reasonably necessary to participate.

8.6 Third-Party Operators

Our AI providers (Anthropic and OpenAI) receive student homework content for processing. These providers:

  • Process data solely at our direction and for our purposes.
  • Are contractually prohibited from using children's data for any other purpose.
  • Operate under zero-retention or limited-retention API data policies.
  • Do not receive student names, email addresses, or other direct identifiers.

9. Your Rights

9.1 All Users

Regardless of where you live, you have the right to:

  • Access your personal data.
  • Correct inaccurate personal data.
  • Delete your personal data (subject to legal retention requirements).
  • Export your data in a portable format.

9.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You can request that we disclose what personal information we have collected about you, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom we share it.

  • Right to Delete: You can request that we delete personal information we have collected from you, subject to certain exceptions.

  • Right to Correct: You can request that we correct inaccurate personal information.

  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of.

  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

  • Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information (such as educational data) for purposes permitted under CPRA.

To exercise any of these rights, email [email protected] with the subject line "CCPA Request" or use the data management features in your account settings. We will verify your identity before processing requests. We will respond within 45 days.

Categories of Information Under CCPA:

| CCPA Category | Collected | Sold | Shared for Advertising |
|---|---|---|---|
| Identifiers (name, email) | Yes | No | No |
| Education information | Yes | No | No |
| Internet activity (session logs) | Yes | No | No |
| Geolocation (IP-derived, approximate) | Yes | No | No |
| Inferences (learning progress) | Yes | No | No |

9.3 European Economic Area / UK Residents (GDPR)

If you are located in the EEA or the UK, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access (Article 15)
  • Right to Rectification (Article 16)
  • Right to Erasure ("Right to be Forgotten") (Article 17)
  • Right to Restriction of Processing (Article 18)
  • Right to Data Portability (Article 20)
  • Right to Object to processing based on legitimate interest (Article 21)
  • Right to Withdraw Consent at any time, without affecting the lawfulness of processing before withdrawal
  • Right to Lodge a Complaint with your local supervisory authority

International Data Transfers: Our servers are located in the United States. If you are accessing the Platform from outside the US, your data will be transferred to the US. We rely on Standard Contractual Clauses (SCCs) or your explicit consent as the legal mechanism for such transfers. Our AI providers (Anthropic and OpenAI) are US-based companies.

To exercise your rights, contact [email protected]. We will respond within 30 days.


10. Data Security

We implement reasonable technical and organizational measures to protect personal information, including:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS), enforced via Cloudflare.
  • Encryption at rest: Database connections use encrypted channels.
  • Authentication: Passwordless magic-link authentication eliminates password-related vulnerabilities.
  • Access controls: Role-based access ensures users can only see data appropriate to their role.
  • Session management: Session tokens are HttpOnly, Secure, and SameSite-protected cookies.
  • Content security: All external content passes through a server-side proxy with DOMPurify sanitization and domain allowlisting.
  • No code execution: AI-generated game content is structured data (JSON), never executable code.
  • Infrastructure: Self-hosted on a secured Docker Swarm cluster with network isolation between services.

In the event of a data breach that affects your personal information, we will notify affected users and applicable regulatory authorities in accordance with our Incident Response Plan and applicable law.


11. Third-Party Links and Content

Our Platform may embed educational content from third-party websites through our content proxy (e.g., Khan Academy, educational YouTube videos). This content is sanitized and served through our proxy — your browser does not connect directly to these third-party sites. However, if you click a link that takes you away from the Platform, that third party's privacy policy will apply.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

  1. We will update the "Last Updated" date at the top of this policy.
  2. We will notify all guardians by email at least 30 days before material changes take effect.
  3. For changes that affect children's data collection, we will obtain fresh parental consent where required by COPPA.
  4. Continued use of the Platform after the effective date of changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how your data (or your child's data) is being handled:

Email: [email protected]

Subject line suggestions:

  • "Privacy Question" for general inquiries
  • "Data Access Request" to request a copy of your data
  • "Data Deletion Request" to request deletion
  • "COPPA Request" for parental rights under COPPA
  • "CCPA Request" for California privacy rights

We aim to respond to all privacy-related inquiries within 30 days.


14. Related Policies