PRIVACY POLICY

TeachTime Application

Last Updated: October 4, 2025

Version: 1.0

Effective Date: October 4, 2025

1. Introduction and Scope

2. TeachTime's Role: Data Processor vs. Data Controller

3. Governing Language and English Proficiency Requirement

4. Information We Collect

5. How We Use Your Information

6. Children's Privacy and Parental Consent (COPPA/GDPR Compliance)

7. Information Sharing and Disclosure

8. Data Security Measures

9. Data Retention and Deletion

10. Your Privacy Rights (GDPR/CCPA/GLOBAL)

11. International Data Transfers

12. Cookies and Tracking Technologies

13. Do Not Track Signals

14. Third-Party Links and Services

15. California Privacy Rights (CCPA)

16. European Union Data Protection Rights (GDPR)

17. Changes to This Privacy Policy

18. Contact Information and Data Protection Officer

19. Legal Basis for Processing (GDPR)

20. Complaints to Supervisory Authorities

1. INTRODUCTION AND SCOPE

1.1 Purpose of This Policy

This Privacy Policy ("Policy") describes how TeachTime ("we," "us," "our," or "the Service") collects, uses, discloses, and protects personal information from users of the TeachTime application, including:

Teachers (primary account holders)
Students (individuals with student-level access, including minors)
Parents (individuals with parent-level access managing child profiles)
Visitors (individuals accessing our website or landing pages)

1.2 Scope and Application

This Policy applies to all personal information collected through:

The TeachTime web application
TeachTime mobile applications (if applicable)
TeachTime website and landing pages
Email communications with TeachTime
Customer support interactions
Any other services provided by TeachTime

1.3 Consent to This Policy

By using TeachTime, creating an account, or accessing our services, you consent to the collection, use, and disclosure of your personal information as described in this Policy. If you do not agree to this Policy, you must not use the Service.

1.4 Compliance Framework

This Policy is designed to comply with:

General Data Protection Regulation (GDPR) (European Union)
Children's Online Privacy Protection Act (COPPA) (United States)
California Consumer Privacy Act (CCPA) (California, United States)
California Privacy Rights Act (CPRA) (California, United States)
Other applicable federal, state, and international privacy laws

1.5 Special Notice for Minors

If you are under 18 years of age, your use of TeachTime must be authorized by your parent or legal guardian who has reviewed and consented to this Privacy Policy. See Section 5 for detailed information about children's privacy.

2. TEACHTIME'S ROLE: DATA PROCESSOR VS. DATA CONTROLLER

2.1 Critical Legal Distinction

THIS SECTION IS CRITICAL TO UNDERSTANDING YOUR DATA RIGHTS AND TEACHTIME'S RESPONSIBILITIES.

TeachTime's role in handling your personal data varies depending on the type of data and who you are:

2.1.1 When TeachTime is a Data Processor (Service Provider)

FOR STUDENT AND PARENT DATA:

When your teacher creates student or parent accounts and enters personal information about students, TeachTime acts as a "Data Processor" (also called "Service Provider" under CCPA) on behalf of the teacher.

What this means:

Your teacher is the "Data Controller" (or "Business" under CCPA)
Your teacher decides what data to collect about you
Your teacher decides how to use your data
Your teacher is responsible for obtaining your consent (or parental consent for minors)
Your teacher is responsible for complying with privacy laws (GDPR, COPPA, CCPA, etc.)
TeachTime simply processes the data according to your teacher's instructions
TeachTime does NOT independently collect or control student/parent data

Practical implications:

If you want to access, correct, or delete your data, contact your teacher first
Your teacher is responsible for responding to your data rights requests
Your teacher must obtain parental consent before entering minor student data (not TeachTime)
TeachTime is not liable for your teacher's failure to comply with privacy laws

2.1.2 When TeachTime is a Data Controller (Business)

FOR TEACHER DATA:

When teachers create their own accounts, TeachTime acts as a "Data Controller" (or "Business" under CCPA) for the teacher's personal information.

What this means:

TeachTime decides what data to collect from teachers
TeachTime decides how to use teacher data
TeachTime is responsible for complying with privacy laws for teacher data
Teachers can exercise data rights directly with TeachTime

FOR CERTAIN SYSTEM DATA:

TeachTime may also act as a Data Controller for:

Website visitor data (IP addresses, cookies, analytics)
Contact form submissions
Marketing communications (if applicable)
System logs and security data

2.2 Why This Distinction Matters

Under GDPR and CCPA:

Data Controllers/Businesses have primary legal responsibility for data protection compliance
Data Processors/Service Providers have secondary obligations to assist Controllers and follow their instructions

FOR STUDENTS AND PARENTS:

Since your teacher is the Data Controller for your data:

Your teacher is legally obligated to obtain parental consent for minors (not TeachTime)
Your teacher must respond to your data access requests
Your teacher is responsible if your data is misused or improperly collected
TeachTime assists your teacher but is not primarily responsible

FOR TEACHERS:

Since TeachTime is the Data Controller for your account data:

TeachTime is responsible for protecting your account information
You can exercise data rights directly with TeachTime
You must comply with privacy laws when you collect student data

2.3 Data Processing Agreement

By using TeachTime to manage student data, teachers agree to the following Data Processing terms:

Teachers warrant they have legal authority to collect and process student data
Teachers warrant they have obtained all necessary consents (including parental consent for minors)
Teachers authorize TeachTime to process student data solely for providing the Service
TeachTime will not process student data for any purpose other than providing the Service
TeachTime will implement appropriate security measures to protect student data
TeachTime will assist teachers in responding to data subject rights requests
TeachTime will delete or return student data upon termination of the teacher's account (subject to legal retention requirements)

Teachers are strictly prohibited from:

Entering student data without proper consent
Violating COPPA, GDPR, CCPA, or other privacy laws
Using TeachTime to collect data beyond what is necessary for teaching purposes
Sharing or selling student data to third parties without authorization

2.4 No Independent Use of Student Data

TeachTime does NOT:

Sell student or parent data to third parties
Use student or parent data for marketing or advertising
Create profiles of students for non-educational purposes
Disclose student data except as directed by the teacher or required by law

2.5 Teacher's Liability for Privacy Violations

If a teacher violates privacy laws (e.g., fails to obtain parental consent, collects excessive data, misuses student information):

The teacher, not TeachTime, is primarily liable
The teacher must indemnify TeachTime for any claims arising from the teacher's violations
TeachTime may terminate the teacher's account
TeachTime may report violations to regulatory authorities

Students, parents, and guardians should direct privacy complaints to the teacher first. If the teacher is unresponsive, contact TeachTime at [email protected].

3. GOVERNING LANGUAGE AND ENGLISH PROFICIENCY REQUIREMENT

3.1 English as the Sole Legally Binding Language

THIS PRIVACY POLICY IS DRAFTED, EXECUTED, AND PUBLISHED IN THE ENGLISH LANGUAGE.

THE ENGLISH VERSION OF THIS PRIVACY POLICY IS THE SOLE LEGALLY BINDING VERSION and shall control in all respects. Any translation of this Privacy Policy into any other language is provided for convenience only and shall have no legal effect whatsoever.

IN THE EVENT OF ANY CONFLICT, INCONSISTENCY, OR DISCREPANCY between the English version and any translated version of this Privacy Policy, THE ENGLISH VERSION SHALL PREVAIL AND CONTROL without exception.

3.2 User's Representation of English Proficiency

BY ACCEPTING THIS PRIVACY POLICY AND USING THE SERVICE, YOU REPRESENT AND WARRANT THAT:

YOU POSSESS SUFFICIENT PROFICIENCY IN THE ENGLISH LANGUAGE to fully read, understand, and comprehend all terms, conditions, rights, obligations, and legal consequences set forth in this Privacy Policy
YOU HAVE CAREFULLY READ AND FULLY UNDERSTOOD the English version of this Privacy Policy in its entirety
YOU ACKNOWLEDGE that you are legally bound by the English version, regardless of whether you have accessed or relied upon any translation
YOU WAIVE ANY CLAIM that you did not understand this Privacy Policy due to language barriers or reliance on translations

3.3 Prohibition on Use Without English Proficiency

IF YOU DO NOT POSSESS SUFFICIENT ENGLISH LANGUAGE PROFICIENCY TO FULLY UNDERSTAND THIS PRIVACY POLICY:

YOU ARE STRICTLY PROHIBITED FROM USING THE SERVICE
YOU MUST NOT CREATE AN ACCOUNT or access any features of TeachTime
YOU MUST IMMEDIATELY CEASE ALL USE of the Service
YOU MUST SEEK COMPETENT TRANSLATION ASSISTANCE from a qualified professional translator at your own expense before using the Service

TEACHTIME SHALL NOT BE LIABLE for any misunderstandings, misinterpretations, or claims arising from your use of translations or your lack of English proficiency.

3.4 No Obligation to Provide Translations

TeachTime is under NO OBLIGATION to provide translations of this Privacy Policy into any language other than English.

Any translations provided (whether by TeachTime, third-party services, or users) are:

For informational convenience only
Not reviewed or approved by TeachTime's legal counsel
Not guaranteed to be accurate, complete, or current
Not legally binding in any respect

3.5 Legal Proceedings and Disputes

In the event of any legal proceeding, arbitration, mediation, or dispute involving this Privacy Policy:

The English version shall be the sole admissible version
All interpretations shall be based on the English text
Translations shall NOT be admissible as evidence of the Policy's meaning or intent
Courts and arbitrators shall interpret the English version without reference to translations

3.6 Amendments and Updates

All amendments, modifications, or updates to this Privacy Policy shall be published in English first.

Non-English translations (if any):

May be updated at TeachTime's discretion with no guarantee of timeliness
Lag behind the English version without notice or liability
Do NOT extend the effective date of amendments (amendments are effective based on the English publication date)

YOU ARE RESPONSIBLE for regularly reviewing the English version of this Privacy Policy for changes.

4. INFORMATION WE COLLECT

4.1 Information Collected from Teachers (Data Controller)

When you create a teacher account, TeachTime collects:

4.1.1 Account Information

Name
Email address
Username and password (hashed and encrypted)
Phone number (optional)
Business name (optional)
Studio/teaching location address (optional)
Profile avatar/photo (optional)
Language preference
Timezone

4.1.2 Payment and Billing Information

PayPal subscription ID (processed by PayPal, not stored by TeachTime)
Billing history and transaction records
Subscription plan and status

Note: TeachTime does NOT collect or store credit card numbers, CVV codes, or full payment details. All payment processing is handled by PayPal.

4.1.3 Professional Information

Teaching credentials (if provided)
Subject areas (if provided)
Experience level (if provided)
Business policies and documents (if uploaded)

4.1.4 Legal Consent and Signature Records

When you create an account and accept our Terms of Service and Privacy Policy:

IP address (for verification and legal defense)
User agent (browser and device information)
Timestamp of acceptance
Document version accepted

When you electronically sign policy documents (teacher feature):

IP address (for signature verification)
Timestamp of signature
Digital signature image
Signed PDF document

4.2 Information Collected from Students and Parents (Data Processor)

IMPORTANT: This data is entered by your teacher, not collected directly by TeachTime. Your teacher is the Data Controller responsible for this data.

4.2.1 Student Account Information

Name
Username (generated by teacher)
Password (set by teacher or student, hashed and encrypted)
Email address (optional, if provided by teacher)
Phone number (optional, if provided by teacher)
Date of birth or age (if provided by teacher for minors)
Profile avatar/photo (optional)
Role (student, parent, parent-student, child)

4.2.2 Parent/Guardian Information

Parent name
Parent email address
Parent phone number
Relationship to student (parent, guardian, etc.)
Multiple child profiles linked to parent account

4.2.3 Lesson and Educational Information

Lesson schedule (dates, times, locations)
Lesson titles and descriptions
Attendance records (present, absent, makeup)
Teacher's notes about lessons (if entered)
Makeup lesson tokens (silver/gold) and expiry dates
Group activity enrollments and participation
Policy acknowledgment records

4.2.4 Usage Information

Login history and activity timestamps
Features accessed within the Service
Settings and preferences
Notification preferences

4.3 Information Collected Automatically (Data Controller)

4.3.1 Technical and Device Information

IP address
Browser type and version
Operating system
Device type (desktop, mobile, tablet)
Screen resolution
Unique device identifiers
Internet Service Provider (ISP)

4.3.2 Usage and Analytics Data

Pages visited and features used
Time spent on pages
Click patterns and navigation paths
Referral sources (how you found TeachTime)
Error logs and crash reports
Performance metrics

4.3.3 Cookies and Tracking Technologies

TeachTime uses cookies and similar technologies to:

Maintain user sessions (essential cookies)
Remember user preferences
Analyze Service usage (analytics cookies)
Improve Service performance

See Section 11 for detailed information about cookies.

4.4 Information from Third-Party Sources

4.4.1 Facebook Lead Ads Integration

Lead name, email, phone number (if teacher connects Facebook)
Custom form field responses
Facebook Page ID and integration metadata

4.4.2 Landing Page Form Submissions

Name, email, phone number submitted through contact forms
Custom field responses
Source tracking information

4.4.3 PayPal Payment Information

Subscription status and billing date
Transaction confirmation IDs
Cancellation and refund records

4.5 Information You Provide Voluntarily

Customer support inquiries and correspondence
Feedback, suggestions, and feature requests
Survey responses (if applicable)
Marketing communication preferences
User-generated content (policy documents, signatures, etc.)

4.6 Information We Do NOT Collect

TeachTime does NOT knowingly collect:

Social Security Numbers
Government-issued identification numbers (except as required for legal compliance)
Financial account numbers or credit card information (handled by PayPal)
Health information or medical records
Biometric data
Precise geolocation data (only approximate location from IP address)
Information from children under 13 without verifiable parental consent (COPPA)
Information from children under applicable age of consent without parental authorization (GDPR)

5. HOW WE USE YOUR INFORMATION

5.1 Primary Purposes of Data Processing

TeachTime uses personal information for the following purposes:

5.1.1 Providing the Service

Creating and managing user accounts
Displaying lesson schedules and calendars
Managing makeup lesson tokens
Tracking attendance records
Facilitating communication between teachers and students
Providing AI-powered assistance (optional)
Generating calendar exports and integrations
Processing electronic signatures on policy documents

5.1.2 Billing and Payment Processing

Processing subscription payments via PayPal
Managing subscription plans and upgrades
Handling cancellations and refunds
Sending billing-related notifications
Maintaining transaction records for accounting purposes

5.1.3 Customer Support and Communication

Responding to support inquiries
Troubleshooting technical issues
Providing product updates and announcements
Sending transactional emails (password resets, account confirmations)
Delivering in-app notifications and push notifications

5.1.4 Security and Fraud Prevention

Authenticating user identities
Detecting and preventing unauthorized access
Investigating security incidents
Preventing abuse and violations of Terms of Service
Monitoring for fraudulent activity

5.1.5 Service Improvement and Analytics

Analyzing usage patterns to improve features
Identifying bugs and technical issues
Conducting research and development
Optimizing Service performance
Understanding user preferences and behavior

5.1.6 Legal Compliance and Protection

Complying with legal obligations
Responding to lawful requests from authorities
Enforcing Terms of Service and policies
Protecting rights, property, and safety of TeachTime and users
Establishing, exercising, or defending legal claims

5.2 Legal Basis for Processing (GDPR)

For users in the European Union, TeachTime processes personal data based on the following legal grounds:

5.2.1 Contract Performance (Article 6(1)(b) GDPR)

Processing necessary to provide the Service you requested
Managing your account and subscription
Delivering core Service features

5.2.2 Legitimate Interests (Article 6(1)(f) GDPR)

Security and fraud prevention
Service improvement and analytics
Customer support and communication
Business operations and administration

5.2.3 Legal Obligation (Article 6(1)(c) GDPR)

Compliance with tax and accounting laws
Responding to lawful government requests
Regulatory compliance

5.2.4 Consent (Article 6(1)(a) GDPR)

Marketing communications (if applicable)
Optional cookies and tracking
Processing children's data (parental consent obtained by teacher)

5.3 What We Do NOT Do With Your Information

TeachTime does NOT:

Sell personal information to third parties (as defined by CCPA)
Share personal information for cross-context behavioral advertising
Use student data for advertising or marketing purposes
Create profiles of students for non-educational purposes
Disclose student data to third parties except as described in Section 6
Use AI-generated data for training models on student information
Retain personal information longer than necessary

5.4 Aggregate and De-Identified Data

TeachTime may create aggregate, de-identified, or anonymized data from personal information. This data:

Cannot be used to identify specific individuals
May be used for research, analytics, and business purposes
May be shared with third parties for legitimate business purposes
Is not subject to this Privacy Policy once properly anonymized

However, we will not attempt to re-identify de-identified data.

6. CHILDREN'S PRIVACY AND PARENTAL CONSENT (COPPA/GDPR COMPLIANCE)

6.1 Critical Notice About Children's Privacy

THIS SECTION IS CRITICALLY IMPORTANT FOR TEACHERS, STUDENTS, PARENTS, AND GUARDIANS.

6.2 Age Requirements and Restrictions

6.2.1 Minimum Age for Independent Use

To use TeachTime independently without parental consent, you must be:

18 years of age or older (general requirement), OR
13 years of age or older in the United States with verifiable parental consent (COPPA), OR
13-16 years of age in the European Union (depending on Member State) with verifiable parental consent (GDPR Article 8)

6.2.2 COPPA Compliance (United States)

TeachTime complies with the Children's Online Privacy Protection Act (COPPA).

For users in the United States:

Children under 13 may NOT use TeachTime without verifiable parental consent
Verifiable parental consent must be obtained BEFORE any personal information is collected
Parents have the right to review, delete, and refuse further collection of their child's information

6.2.3 GDPR Article 8 Compliance (European Union)

TeachTime complies with GDPR Article 8 regarding processing of children's data.

For users in the European Union:

Children under the age of digital consent (13-16, depending on Member State) may NOT use TeachTime without parental authorization
Parental consent must be obtained BEFORE processing any child's personal data
Parents have full rights to access, rectify, erase, and object to processing of their child's data

6.3 Teacher's Obligation to Obtain Parental Consent

THIS IS A BINDING LEGAL OBLIGATION ON TEACHERS:

6.3.1 Verifiable Parental Consent Requirement

If a teacher creates a student account for a child under 18 (or under the applicable age of consent), the teacher MUST:

1. OBTAIN VERIFIABLE PARENTAL CONSENT from the child's parent or legal guardian BEFORE ENTERING ANY PERSONAL INFORMATION into TeachTime

2. VERIFY THE AUTHENTICITY of the parental consent (DO NOT accept fraudulent or forged consent)

3. MAINTAIN COMPLETE RECORDS of parental consent for the duration of the child's account plus a MINIMUM OF THREE (3) YEARS

4. PROVIDE CONSENT DOCUMENTATION TO TEACHTIME WITHIN 48 HOURS upon request (failure to provide is grounds for immediate account termination)

5. IMMEDIATELY NOTIFY TEACHTIME if parental consent is withdrawn

FAILURE TO COMPLY WITH THESE REQUIREMENTS IS A MATERIAL BREACH OF THE TERMS OF SERVICE AND MAY RESULT IN:

Immediate account suspension or termination
Personal liability for COPPA/GDPR violations and penalties
Indemnification obligations for all claims, damages, and regulatory actions
Reporting to child protection authorities and regulatory agencies

6.3.2 What Constitutes "Verifiable Parental Consent"

Under COPPA and GDPR, verifiable parental consent requires:

Written consent (physical or electronic signature)
Identification of the child by name
Identification of the parent/guardian
Description of data collection and use
Parent's explicit permission for the specific data collection
Date of consent

Acceptable methods:

Signed consent form (physical or digital)
Electronic signature via email or platform
Video recorded consent
Government-issued ID verification (for high-risk processing)

NOT acceptable:

Verbal consent without documentation
Implied consent or assumption
Unchecked boxes or pre-selected options
Consent obtained after data collection has begun

6.3.3 Teacher's Representation and Warranty

BY CREATING A STUDENT ACCOUNT FOR A MINOR, THE TEACHER REPRESENTS AND WARRANTS UNDER PENALTY OF PERJURY THAT:

THEY HAVE OBTAINED VALID, VERIFIABLE PARENTAL CONSENT in accordance with COPPA, GDPR, and all applicable child privacy laws
THE CONSENT MEETS ALL COPPA, GDPR, AND APPLICABLE LEGAL REQUIREMENTS including proper identification of parent/guardian and child
THE CONSENT IS AUTHENTIC AND NOT FRAUDULENT and was obtained through legally acceptable methods
THEY MAINTAIN COMPLETE AND ACCURATE RECORDS OF CONSENT that can be provided for inspection at any time
THEY WILL IMMEDIATELY PROVIDE EVIDENCE OF CONSENT TO TEACHTIME WITHIN 48 HOURS upon request

THIS REPRESENTATION AND WARRANTY IS A MATERIAL INDUCEMENT FOR TEACHTIME TO ALLOW THE TEACHER TO USE THE SERVICE FOR MINOR STUDENTS. FALSE REPRESENTATION CONSTITUTES:

Fraud and material breach of Terms of Service
Violation of child protection laws (COPPA 15 U.S.C. § 6501 et seq., GDPR Articles 6 & 8)
Grounds for immediate account termination without refund
Personal liability for all fines, penalties, and damages
Criminal referral to appropriate authorities where applicable

See TeachTime Terms of Service Section 2.5 for complete teacher obligations and indemnification requirements.

6.4 TeachTime's Role as Data Processor for Children's Data

IMPORTANT: TeachTime is a Data Processor (Service Provider) for student data, including children's data. This means:

The teacher (Data Controller) is responsible for obtaining parental consent, NOT TeachTime
TeachTime does not verify whether teachers have obtained proper parental consent
TeachTime relies entirely on teacher representations regarding consent
TeachTime processes children's data only at the direction of the teacher
The teacher bears legal liability for COPPA/GDPR violations, not TeachTime

However, TeachTime commits to:

Not selling children's personal information
Not using children's data for advertising or marketing
Not collecting more information than necessary for the Service
Implementing appropriate security measures to protect children's data
Deleting children's data upon request from teacher or parent
Cooperating with parental rights requests

6.5 Parental Rights Under COPPA

If you are a parent or legal guardian of a child under 13 in the United States, you have the following rights:

6.5.1 Right to Review

You have the right to:

Review your child's personal information collected by TeachTime
Receive a description of the types of information collected
Request copies of your child's data

How to exercise: Contact your child's teacher first. If unresponsive, contact TeachTime at [email protected].

6.5.2 Right to Delete

You have the right to:

Request deletion of your child's personal information
Have the account terminated and all data removed (subject to legal retention requirements)

How to exercise: Contact your child's teacher to request deletion. If unresponsive, contact TeachTime at [email protected].

6.5.3 Right to Refuse Further Collection

You have the right to:

Withdraw consent for further collection or use of your child's information
Refuse permission for your child's continued use of TeachTime

How to exercise: Contact your child's teacher to withdraw consent. If unresponsive, contact TeachTime at [email protected].

6.5.4 Right to Consent

You have the right to:

Be notified before any personal information is collected from your child
Provide informed consent for collection and use of your child's information
Understand how your child's information will be used

Note: Your child's teacher is responsible for obtaining this consent. Contact the teacher if you have questions.

6.6 Parental Rights Under GDPR (Article 8)

If you are a parent or legal guardian of a child under the age of digital consent in the European Union, you have the following rights:

6.6.1 All GDPR Rights on Behalf of Your Child

Right to access your child's data
Right to rectification (correction) of inaccurate data
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing
Right to withdraw consent at any time

See Section 15 for detailed GDPR rights.

6.6.2 Responsibility for Exercising Rights

Contact your child's teacher first to exercise these rights, as the teacher is the Data Controller.

If the teacher is unresponsive or refuses your request, contact:

TeachTime: [email protected]
Your local Data Protection Authority (see Section 19)

6.7 What Information Do We Collect from Children?

TeachTime collects from children (via the teacher) only what is necessary for the Service:

Name
Username and password
Email address (if provided by parent/teacher)
Lesson schedule and attendance
Teacher's notes about lessons

TeachTime does NOT collect from children:

Social Security Numbers or government IDs
Financial information
Precise geolocation data
Health or medical information
Unnecessary personal information

6.8 How Do We Use Children's Information?

Children's information is used ONLY for:

Providing the lesson scheduling service
Displaying the child's schedule
Tracking attendance
Managing makeup lesson tokens
Communicating with the parent/guardian (if email provided)

Children's information is NOT used for:

Advertising or marketing
Behavioral profiling
Selling to third parties
Any purpose beyond providing the educational scheduling service

6.9 How to File a Complaint About Children's Privacy

If you believe a teacher has violated COPPA or GDPR by:

Creating a child's account without your consent
Collecting excessive information about your child
Misusing your child's data

Take the following steps:

1. Contact the teacher immediately and request deletion of your child's account

2. If the teacher is unresponsive, contact TeachTime at [email protected] with details

3. File a complaint with regulatory authorities:

- United States (COPPA): Federal Trade Commission at ftc.gov/complaint

- European Union (GDPR): Your local Data Protection Authority (see Section 19)

- California (CCPA): California Privacy Protection Agency

6.10 TeachTime's Response to Children's Privacy Violations

If TeachTime becomes aware that a teacher has violated children's privacy laws:

We will immediately suspend or terminate the teacher's account
We will delete the child's information upon parental request
We will cooperate with regulatory investigations
We will report violations to appropriate authorities
The teacher will be held liable under the Terms of Service indemnification clause

TeachTime takes children's privacy extremely seriously and will not tolerate violations.

7. INFORMATION SHARING AND DISCLOSURE

7.1 No Selling of Personal Information

TeachTime does NOT sell personal information to third parties as defined by CCPA, CPRA, and other privacy laws.

We have NOT sold personal information in the past 12 months and do not intend to sell personal information in the future.

7.2 Categories of Third Parties We Share Data With

TeachTime may share personal information with the following categories of third parties for the purposes described below only:

7.2.1 Payment Processors

PayPal: For processing subscription payments
Information shared: Teacher name, email, subscription plan, payment amount
Purpose: Billing and subscription management
Privacy policy: [paypal.com/privacy](https://www.paypal.com/privacy)

7.2.2 Hosting and Infrastructure Providers

Railway (hosting provider): For application hosting and data storage
Information shared: All data stored in the Service (as necessary for hosting)
Purpose: Providing infrastructure and data storage
Data location: [TO BE SPECIFIED - likely US]

7.2.3 Email Service Providers

Resend: For sending transactional and notification emails
Information shared: Email addresses, names, email content
Purpose: Delivering email notifications and communications
Privacy policy: [resend.com/legal/privacy-policy](https://resend.com/legal/privacy-policy)

7.2.4 AI Service Providers

Google Gemini: For AI-powered assistant feature (optional, teacher feature only)
Information shared: Teacher questions and system context (NO student personal data)
Purpose: Providing AI assistance to teachers
Privacy policy: [policies.google.com/privacy](https://policies.google.com/privacy)

7.2.5 Social Media Integration Providers

Facebook/Meta: For Facebook Lead Ads integration (optional)
Information shared: Lead data from Facebook forms (name, email, phone)
Purpose: Capturing leads from Facebook advertising
Privacy policy: [facebook.com/privacy](https://www.facebook.com/privacy)

7.2.6 Calendar Integration Services

Google Calendar, Apple Calendar, Outlook, Yahoo, Samsung: For calendar export features
Information shared: Lesson date, time, title, description (exported by user action)
Purpose: Allowing users to add lessons to personal calendars
Note: Users initiate this sharing; it is not automatic

7.2.7 Google Calendar API Integration

TeachTime offers optional Google Calendar synchronization for teachers to automatically sync their lessons, group activities, and holidays to their Google Calendar.

Data Accessed: We access your Google Calendar to create and manage a dedicated "TeachTime" calendar in your Google account.
Data Stored: We store your Google account email, calendar ID, and OAuth tokens to maintain the sync connection.
Data Synced: Lesson schedules, group activities, and holidays are automatically synced to your TeachTime calendar.
Access Scope: We only access the TeachTime calendar we create. We do not read, access, or modify any other calendars or Google data.
Data Sharing: We do not share your Google Calendar data with any third parties.
Disconnection: You can disconnect your Google Calendar at any time from Settings. Disconnecting will delete the TeachTime calendar from your Google account.
Google API Services User Data Policy: Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

7.3 Disclosure to Law Enforcement and Legal Authorities

TeachTime may disclose personal information to law enforcement, government authorities, or other third parties if:

Required by law (subpoena, court order, warrant)
To comply with legal processes
To protect rights, property, or safety of TeachTime, users, or the public
To investigate fraud, security issues, or Terms violations
To enforce Terms of Service or other agreements

We will notify affected users of such disclosures unless legally prohibited from doing so.

7.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction involving TeachTime:

Personal information may be transferred to the successor entity
Users will be notified via email and/or prominent notice on the Service
The successor entity will be bound by this Privacy Policy (or a substantially similar policy)
Users will have the opportunity to delete their accounts before the transfer

7.5 Data Sharing Within Multi-Tenant Architecture

Important for Teachers:

Each teacher's data is isolated in a separate tenant (multi-tenant architecture)
Teachers cannot access other teachers' data
Students can only access their own teacher's data
TeachTime employees may access data for technical support, security, and service provision purposes only

7.6 Service Providers and Contractors

TeachTime may engage service providers and contractors to perform functions on our behalf, such as:

Technical support and maintenance
Customer service
Data storage and backup
Security monitoring
Analytics and research

These service providers:

Are contractually obligated to protect personal information
May only use data for the specific purposes we authorize
Must comply with this Privacy Policy and applicable laws
Are subject to confidentiality obligations

7.7 Analytics and Performance Monitoring

TeachTime may use analytics tools to understand Service usage and performance, including:

Google Analytics (if applicable): Website and application analytics
Error tracking services: For identifying bugs and crashes
Performance monitoring tools: For Service optimization

Note: We configure analytics tools to respect privacy as much as possible (e.g., IP anonymization, minimal data collection).

7.8 What We Do NOT Share

TeachTime does NOT share:

Student personal information with advertisers or marketers
Children's information with third parties for their own marketing purposes
Personal information for cross-context behavioral advertising
Data with unauthorized third parties
More information than necessary to accomplish the stated purpose

8. DATA SECURITY MEASURES

8.1 Commitment to Data Security

TeachTime implements reasonable administrative, technical, and physical security measures to protect personal information from unauthorized access, disclosure, alteration, and destruction.

8.2 Technical Security Measures

8.2.1 Encryption

Data in transit: All data transmitted between users and TeachTime servers is encrypted using TLS/SSL (Transport Layer Security)
Data at rest: Sensitive data (passwords, payment information) is encrypted in the database
Password hashing: User passwords are hashed using bcrypt (industry-standard one-way hashing)

8.2.2 Access Controls

Authentication: Secure login with username/password
Authorization: Role-based access control (teacher, student, parent roles)
Session management: Secure session tokens with expiration
Multi-tenant isolation: Strict data isolation between teacher accounts

8.2.3 Network Security

Firewall protection: Server-level firewall rules
Rate limiting: Protection against brute-force attacks and abuse
DDoS mitigation: Infrastructure-level protection (via Railway hosting)
Security headers: Helmet.js security headers (CSP, XSS protection)

8.2.4 Application Security

Input validation: Sanitization and validation of all user inputs
SQL injection prevention: Parameterized queries and ORM usage
XSS prevention: Content Security Policy and output encoding
CSRF protection: Anti-CSRF tokens for state-changing operations

8.3 Administrative Security Measures

8.3.1 Access Management

Principle of least privilege: Employees and contractors have access only to data necessary for their job functions
Administrative access controls: Limited number of personnel with administrative access
Logging and monitoring: System access logs for audit purposes

8.3.2 Employee and Contractor Obligations

Confidentiality agreements: All personnel sign confidentiality agreements
Security training: Personnel receive data security training
Background checks: Where legally permissible and appropriate

8.4 Physical Security Measures

For Third-Party Hosting (Railway):

TeachTime relies on Railway's physical security measures for data centers
Railway implements industry-standard physical security controls
Data centers are SOC 2 compliant (verify with hosting provider)

8.5 Incident Response and Breach Notification

8.5.1 Security Incident Response

TeachTime monitors for security incidents
We have an incident response plan for addressing breaches
We investigate and remediate security incidents promptly

8.5.2 Data Breach Notification

In the event of a data breach:

GDPR (EU users): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach (if required by GDPR Article 33)
CCPA (California users): We will notify affected users without unreasonable delay if the breach involves unencrypted personal information
Other jurisdictions: We will comply with applicable breach notification laws

Notification will include:

Description of the breach
Types of information affected
Steps we are taking to address the breach
Steps users can take to protect themselves
Contact information for questions

8.6 Limitations of Data Security

IMPORTANT: No security measures are 100% effective.

Despite our best efforts:

Data breaches can occur due to hacking, unauthorized access, or technical failures
We cannot guarantee absolute security of personal information
You are responsible for keeping your password secure and reporting unauthorized access
You should use strong passwords and not share login credentials

If you suspect unauthorized access to your account, notify TeachTime immediately at [email protected] and change your password.

8.7 User Responsibilities for Security

You can help protect your data by:

Using strong, unique passwords (at least 12 characters with mix of letters, numbers, symbols)
Not sharing your password with anyone
Logging out of your account when using shared devices
Keeping your email account secure (password reset vulnerability)
Reporting suspicious activity immediately
Using up-to-date browsers and operating systems

9. DATA RETENTION AND DELETION

9.1 General Retention Policy

TeachTime retains personal information for as long as necessary to:

Provide the Service to you
Comply with legal obligations
Resolve disputes
Enforce agreements
Protect against fraud and abuse

9.2 Retention Periods by Data Type

9.2.1 Account Data (Teachers)

Active accounts: Retained indefinitely while account is active
After account deletion: Most data deleted within 30 days
Legal retention: Some data (billing records, transaction history) retained for 7 years for tax/accounting compliance

9.2.2 Student and Parent Data

While teacher account is active: Retained as long as teacher maintains account
After teacher account deletion: Student/parent data deleted with teacher's account (within 30 days)
After student account deletion: Individual student data deleted within 30 days of teacher's deletion request

9.2.3 Lesson and Schedule Data

Lessons and group activities: Retained indefinitely as historical attendance records
Makeup tokens (all statuses): Retained indefinitely as part of attendance history
Holidays and working hours: Retained indefinitely

9.2.4 Backup Data

Backup retention: Data in backups may persist for up to 90 days after deletion
Backup purpose: Disaster recovery and service continuity
No restoration: Backed-up data is not restored unless for disaster recovery

9.2.5 System Logs and Audit Trails

Security logs: Retained for 1 year for security monitoring
Access logs: Retained for 90 days
Audit trails: Retained for 3 years for legal compliance

9.3 Data Deletion Procedures

9.3.1 Account Deletion by Teachers

When a teacher deletes their account:

1. Immediate effect: Account access is terminated

2. 30-day grace period: Data is soft-deleted (marked for deletion but recoverable)

3. Permanent deletion: After 30 days, data is permanently deleted from production databases

4. Backup retention: Data in backups may persist for up to 90 additional days

What is deleted:

Teacher account information
All student and parent accounts created by the teacher
All lesson and schedule data
All tokens and attendance records
All settings and preferences

What is NOT deleted (legal retention requirements):

Billing and transaction records (7 years for tax compliance)
Consent logs and acceptance records (3 years for legal defense)
Security incident logs related to the account

9.3.2 Student Account Deletion

Teachers can delete individual student accounts:

Student's personal information is deleted within 30 days
Historical lesson data may be anonymized rather than deleted (for teacher's records)
Audit trail of deletion is maintained

Parents can request deletion of their child's account:

Contact teacher first
If teacher is unresponsive, contact TeachTime at [email protected]
TeachTime will assist in deleting the child's account

9.3.3 Partial Data Deletion

Users may request deletion of specific data (e.g., specific notes, specific attendance records) by contacting the teacher (for student data) or TeachTime (for teacher data).

9.4 Data Retention for Legal Compliance

TeachTime is required to retain certain data for legal, regulatory, and tax compliance purposes:

Financial records: 7 years (tax law compliance)
Transaction logs: 7 years (financial regulations)
Consent records: 3 years minimum (COPPA, GDPR compliance)
Audit trails: 3 years (contractual and legal obligations)
Data breach records: As required by applicable law

This data cannot be deleted upon user request due to legal obligations.

9.5 Anonymization and Aggregation

Rather than deleting certain data, TeachTime may anonymize or aggregate it:

Anonymized data: Cannot be linked back to individuals
Aggregated data: Combined with other data so individuals cannot be identified
Use: Anonymized/aggregated data may be retained indefinitely for analytics, research, and business purposes

9.6 Data Portability Before Deletion

Before deleting your account, you should:

Export your data using the Service's export features
Download copies of important information (schedules, attendance records)
Save any documents or files you uploaded

TeachTime is not responsible for providing data after account deletion.

10. YOUR PRIVACY RIGHTS (GDPR/CCPA/GLOBAL)

10.1 Overview of Data Subject Rights

Depending on your location and applicable laws, you may have the following rights regarding your personal information.

See Section 14 (CCPA) and Section 15 (GDPR) for detailed information specific to those laws.

10.2 Right to Access

You have the right to request confirmation of whether we process your personal information and to obtain a copy of that information. What you can request:

What personal information we have about you
Why we collected it
How we use it
Who we share it with
How long we keep it

How to exercise:

Teachers: Contact TeachTime at [email protected]
Students/Parents: Contact your teacher first; if unresponsive, contact TeachTime

Response time: Within 30 days (45 days for complex requests)

10.3 Right to Correction (Rectification)

You have the right to request correction of inaccurate or incomplete personal information. How to exercise:

Teachers: Update your profile in the Service or contact TeachTime at [email protected]
Students/Parents: Ask your teacher to update your information; if unresponsive, contact TeachTime

10.4 Right to Deletion (Right to Be Forgotten)

You have the right to request deletion of your personal information in certain circumstances. When deletion applies:

The information is no longer necessary for the purposes it was collected
You withdraw consent (where consent was the basis for processing)
You object to processing and there are no overriding legitimate grounds
The information was unlawfully processed
Deletion is required to comply with a legal obligation

When deletion does NOT apply:

We need the information to comply with legal obligations
The information is necessary to establish, exercise, or defend legal claims
The information is required for archiving purposes in the public interest

How to exercise:

Teachers: Contact TeachTime at [email protected] to delete your account
Students/Parents: Contact your teacher to delete your account; if unresponsive, contact TeachTime

10.5 Right to Restrict Processing

You have the right to request that we restrict how we use your personal information in certain circumstances. When restriction applies:

You contest the accuracy of the information (restriction during verification)
Processing is unlawful but you prefer restriction over deletion
We no longer need the information but you need it for legal claims
You have objected to processing (restriction pending verification of grounds)

How to exercise: Contact TeachTime at [email protected] (or your teacher for student data)

10.6 Right to Data Portability

You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit it to another service provider. What this means:

You can request a copy of your data in a portable format (e.g., CSV, JSON)
You can transfer this data to another service
TeachTime will assist in direct transfer where technically feasible

Applies to:

Data you provided to TeachTime
Data processed based on consent or contract
Data processed by automated means

How to exercise: Contact TeachTime at [email protected] with your portability request

10.7 Right to Object

You have the right to object to processing of your personal information in certain circumstances.

Direct marketing: You can always object to processing for direct marketing purposes (opt-out)

Legitimate interests: You can object to processing based on legitimate interests (we must stop unless we have compelling legitimate grounds)

How to exercise: Contact TeachTime at [email protected]

10.8 Right to Withdraw Consent

Where we process your personal information based on consent, you have the right to withdraw that consent at any time. Effect of withdrawal:

We will stop processing your information for the consented purpose
Withdrawal does not affect the lawfulness of processing before withdrawal
Withdrawal may mean we cannot provide certain services

How to exercise: Contact TeachTime at [email protected] or adjust your settings in the Service

10.9 Right to Opt-Out of Sale and Sharing

Under CCPA/CPRA, you have the right to opt-out of the "sale" or "sharing" of your personal information. Note: TeachTime does NOT sell or share personal information as defined by CCPA/CPRA.

If this changes, we will provide a clear "Do Not Sell or Share My Personal Information" link.

10.10 Right to Limit Use of Sensitive Personal Information

Under CCPA/CPRA, you have the right to limit the use and disclosure of sensitive personal information.

Sensitive personal information includes:

Social Security Numbers, driver's license numbers
Account login credentials
Precise geolocation
Racial/ethnic origin, religious beliefs
Health information, genetic data
Sexual orientation
Contents of mail, email, text messages

TeachTime's position: We collect minimal sensitive information (login credentials only) and use it only for necessary Service purposes.

How to exercise: If applicable, contact TeachTime at [email protected]

10.11 Right to Non-Discrimination

You have the right to non-discriminatory treatment for exercising your privacy rights. TeachTime will NOT:

Deny you goods or services
Charge different prices or rates
Provide different quality of service
Suggest you will receive different pricing or quality

for exercising any privacy rights.

10.12 How to Exercise Your Rights

10.12.1 Contact Methods

For Teachers (Data Controllers for their own account data):

Email: [email protected]
Subject line: "Privacy Rights Request"
Include: Your name, email, account username, specific request

For Students/Parents (Data Subjects of teacher-controlled data):

1. First, contact your teacher to request access, correction, or deletion

2. If teacher is unresponsive (within 10 days), contact TeachTime at [email protected]

3. Include: Your name, your teacher's name, specific request

10.12.2 Verification of Identity

To protect your privacy, we must verify your identity before fulfilling requests:

Teachers: We will verify using your account email or phone number
Students/Parents: We may require additional information to verify you are the data subject or authorized parent/guardian
Parents of minors: We may request proof of parental relationship (e.g., matching last name, school records)

10.12.3 Response Time

Initial response: Within 10 days acknowledging receipt
Full response: Within 30 days (may extend to 45 days for complex requests with notification)

10.12.4 No Fee (Usually)

We will fulfill most requests free of charge.

We may charge a reasonable fee if:

Requests are manifestly unfounded or excessive
Requests are repetitive
You request additional copies beyond the first free copy

10.12.5 Right to Refuse

We may refuse requests that are:

Manifestly unfounded or excessive
Prohibited by law
Would adversely affect others' rights
Require us to disclose confidential business information
Would interfere with ongoing legal proceedings

If we refuse a request, we will explain why.

10.13 Automated Decision-Making and Profiling

TeachTime does NOT engage in:

Automated decision-making with legal or similarly significant effects
Profiling for advertising or marketing purposes
AI-based decisions that affect your rights

The AI assistant feature:

Is optional and teacher-facing only
Does not make automated decisions about users
Does not process student personal data

11. INTERNATIONAL DATA TRANSFERS

11.1 Cross-Border Data Transfers

TeachTime is operated from [SPECIFY COUNTRY - Israel/United States].

When you use the Service, your personal information may be transferred to, stored in, and processed in:

The United States (hosting infrastructure via Railway)
Israel (if applicable - TeachTime operations)
Other countries where our service providers are located

These countries may have data protection laws that differ from your country.

11.2 Legal Mechanisms for International Transfers

11.2.1 For European Union Users (GDPR)

When transferring personal data from the EU/EEA to countries outside the EU/EEA, TeachTime relies on:

Standard Contractual Clauses (SCCs):

We use the European Commission's approved Standard Contractual Clauses for data transfers
SCCs are legally binding contracts that ensure adequate data protection

Adequacy Decisions:

Where the European Commission has determined a country provides adequate data protection (e.g., EU-US Data Privacy Framework, if applicable)

Supplementary Measures:

We implement additional technical and organizational measures to protect data during international transfers
These may include encryption, access controls, and regular security audits

11.2.2 For California Users (CCPA/CPRA)

Under CCPA/CPRA, we may transfer personal information outside of California for business purposes (providing the Service).

Safeguards:

Contractual obligations with service providers
Security measures to protect data in transit and at rest
No "selling" of personal information as defined by CCPA

11.2.3 For Other Jurisdictions

For users in other countries, we rely on:

Contractual protections with service providers
Technical security measures (encryption, access controls)
Compliance with local data export laws where applicable

11.3 Data Locations

Your data may be stored in the following locations:

Primary database: [SPECIFY - likely US via Railway]
Backup storage: [SPECIFY]
Email service provider (Resend): [SPECIFY - likely US]
Payment processor (PayPal): Multiple locations per PayPal's infrastructure

11.4 Your Rights Regarding International Transfers

If you are in the EU/EEA:

You have the right to obtain information about safeguards we use for international transfers
You may request copies of Standard Contractual Clauses
You may object to international transfers if you believe adequate safeguards are not in place

Contact TeachTime at [email protected] for information about international transfers.

11.5 Risks of International Data Transfers

You acknowledge that international data transfers may pose risks, including:

Different data protection standards in other countries
Potential access by foreign governments under local laws
Differences in legal remedies available

TeachTime takes reasonable steps to mitigate these risks but cannot guarantee absolute protection.

12. COOKIES AND TRACKING TECHNOLOGIES

12.1 What Are Cookies?

Cookies are small text files stored on your device by your web browser when you visit a website. Cookies allow websites to recognize your device and remember information about your visit.

12.2 Types of Cookies We Use

12.2.1 Essential Cookies (Strictly Necessary)

Purpose: These cookies are necessary for the Service to function and cannot be disabled.

Examples:

Authentication cookies (keep you logged in)
Session management cookies
Security cookies (CSRF protection)
Load balancing cookies

Expiration: Session cookies (deleted when you close browser) or short-term persistent cookies

12.2.2 Functional Cookies

Purpose: These cookies enable enhanced functionality and personalization.

Examples:

Language preference cookies
Timezone settings
User interface preferences
Remember me functionality

Expiration: Persistent (typically 6-12 months)

12.2.3 Analytics Cookies (If Applicable)

Purpose: These cookies help us understand how users interact with the Service.

Examples:

Google Analytics (if used)
Page view tracking
Feature usage analytics
Error tracking

Expiration: Persistent (typically 1-2 years)

Opt-out: You may opt out of analytics cookies through your browser settings or third-party opt-out mechanisms (e.g., Google Analytics Opt-out Browser Add-on)

12.3 Other Tracking Technologies

12.3.1 Web Beacons (Pixels)

We may use web beacons (small transparent images) in emails to track:

Whether emails were opened
Whether links were clicked
Engagement with email content

12.3.2 Local Storage

We may use browser local storage to:

Cache data for better performance
Store user preferences
Maintain application state

12.4 Third-Party Cookies

We do NOT use third-party cookies for advertising or tracking across websites.

However, third-party services we integrate with may set their own cookies:

PayPal: May set cookies during payment processing
Facebook: May set cookies if you connect Facebook Lead Ads integration
Google: May set cookies for calendar export or analytics (if applicable)

These third parties have their own privacy policies and cookie policies.

12.5 Managing Cookies

12.5.1 Browser Settings

You can control cookies through your browser settings:

Block all cookies: May prevent the Service from functioning
Block third-party cookies: May prevent some integrations from working
Delete cookies: May log you out and reset preferences

Browser-specific instructions:

Chrome: Settings > Privacy and Security > Cookies
Firefox: Settings > Privacy & Security > Cookies and Site Data
Safari: Preferences > Privacy > Cookies
Edge: Settings > Cookies and Site Permissions

12.5.2 Opt-Out Options

Analytics cookies:

Google Analytics Opt-out: [tools.google.com/dlpage/gaoptout](https://tools.google.com/dlpage/gaoptout)

Do Not Track signals: See Section 12

12.6 Cookie Consent (EU/EEA Users)

For users in the European Union and European Economic Area:

Under the ePrivacy Directive (2002/58/EC) and GDPR (Articles 4(11), 6(1)(a), 7), TeachTime complies with the following cookie consent requirements:

12.6.1 Legal Basis for Cookies

Essential Cookies (No Consent Required):

Strictly necessary cookies (authentication, session management, security) do NOT require user consent
These cookies are necessary for the Service to function and fall under GDPR Article 6(1)(b) (contract performance)
Users cannot opt-out of essential cookies while using the Service

Non-Essential Cookies (Consent Required):

Functional cookies (language preference, timezone, UI settings) require explicit, affirmative consent
Analytics cookies (if used) require explicit, affirmative consent
Marketing/advertising cookies (NOT used by TeachTime) would require consent

12.6.2 Consent Mechanism

How We Obtain Consent:

TeachTime implements a cookie consent banner/interface that:

Appears on first visit before any non-essential cookies are set
Clearly identifies the types of cookies and their purposes
Provides granular control to accept or reject categories of cookies
Requires affirmative action (consent is NOT implied by continued browsing)
Does NOT use pre-ticked boxes or pre-selected consent options
Saves your preferences for future visits (using an essential cookie)

Consent is valid only if it is:

Freely given: You can refuse without losing access to core Service features
Specific: Consent is requested for each category of non-essential cookies
Informed: We explain what each cookie does and who processes data
Unambiguous: Clear affirmative action (clicking "Accept" or similar)
Withdrawable: You can change your preferences at any time

12.6.3 Right to Refuse Non-Essential Cookies

You have the absolute right to:

Refuse all non-essential cookies without losing access to core Service features
Accept only certain categories of cookies (e.g., functional but not analytics)
Withdraw consent at any time by:

- Accessing cookie settings in the Service (if provided)

- Deleting cookies through your browser settings

- Adjusting the cookie consent banner (if displayed again)

Effect of refusing non-essential cookies:

You will still have full access to lesson scheduling, account management, and all core features
You may lose personalization features (e.g., language preference, UI settings may not persist)
Your experience may be less optimized but fully functional

12.6.4 Cookie Consent Records

TeachTime maintains records of your cookie consent including:

Date and time of consent
Cookie categories accepted or rejected
Consent mechanism used (banner version)
IP address (for verification purposes)

These records are kept for up to 3 years to demonstrate GDPR compliance (Article 7(1)).

12.6.5 Changes to Cookie Usage

If we introduce new categories of cookies or change cookie purposes:

We will update this Cookie Policy
We will request fresh consent for new non-essential cookies
Existing consent does not extend to new cookie categories

12.6.6 Cookie Consent for Children

For users under 16 (or applicable age of consent in your EU Member State):

Parental consent is required for non-essential cookies (GDPR Article 8)
Teachers creating accounts for minors must ensure parental consent extends to cookie usage
Parents can withdraw cookie consent at any time

13. DO NOT TRACK SIGNALS

13.1 What is Do Not Track?

"Do Not Track" (DNT) is a browser setting that signals to websites that you do not want to be tracked across websites.

13.2 TeachTime's Response to DNT

Currently, TeachTime does NOT respond to Do Not Track signals.

There is no industry-wide standard for how to interpret and respond to DNT signals. Until a standard is established, we do not alter our data collection practices based on DNT signals.

13.3 Alternative Privacy Controls

Instead of DNT, you can control tracking through:

Browser cookie settings: Block third-party cookies
Analytics opt-out tools: Google Analytics opt-out browser add-on
Privacy-focused browsers: Brave, Firefox with strict privacy settings
Browser extensions: Privacy Badger, uBlock Origin

14. THIRD-PARTY LINKS AND SERVICES

14.1 Links to Third-Party Websites

The Service may contain links to third-party websites, services, or resources, including:

PayPal for payment processing
Facebook for lead integration
Google Calendar, Apple Calendar, Outlook for calendar export
External documentation or help resources

TeachTime is NOT responsible for:

The privacy practices of third-party websites
The content or security of third-party services
How third parties collect or use your information

14.2 Third-Party Privacy Policies

When you click a link to a third-party website or service:

You are subject to that third party's terms and privacy policy
You should review their privacy policy before providing information
TeachTime makes no representations about their practices

14.3 Third-Party Integrations

Optional integrations you may enable:

Facebook Lead Ads: Subject to Facebook's Privacy Policy
PayPal subscriptions: Subject to PayPal's Privacy Policy
Calendar exports: Subject to the calendar provider's privacy policy

By enabling these integrations, you authorize data sharing with those third parties.

15. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

15.1 Scope of CCPA/CPRA

This section applies to California residents only.

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide California residents with specific privacy rights.

15.2 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information from California residents:

15.3 Sources of Personal Information

We collect personal information from:

Directly from you: When you create an account or use the Service
Automatically: When you interact with the Service (cookies, logs)
From teachers: When teachers enter student/parent information
From third parties: Facebook Lead Ads, landing page submissions, PayPal

15.4 Purposes for Collecting Personal Information

We collect personal information for the following business and commercial purposes:

Providing the Service (lesson scheduling, account management)
Processing payments and subscriptions
Customer support and communication
Security and fraud prevention
Service improvement and analytics
Legal compliance

See Section 4 for detailed information about how we use your information.

15.5 Categories of Third Parties We Share With

We share personal information with the following categories of third parties:

Service providers: Hosting, email, payment processing, analytics
Business partners: (None currently)
Affiliates: (None currently)
Government entities: When required by law
Other users: Teachers share student data within their tenant

See Section 6 for detailed information about information sharing.

15.6 Sale and Sharing of Personal Information

TeachTime does NOT "sell" or "share" personal information as defined by CCPA/CPRA.

We have NOT sold personal information in the past 12 months
We have NOT shared personal information for cross-context behavioral advertising in the past 12 months

If this changes, we will:

Provide a clear "Do Not Sell or Share My Personal Information" link
Obtain opt-in consent for selling/sharing personal information of minors under 16
Honor opt-out requests within 15 days

15.7 Retention of Personal Information

We retain personal information for as long as reasonably necessary for the purposes described in this Policy. See Section 8 for detailed retention periods.

15.8 Your CCPA/CPRA Rights

15.8.1 Right to Know

You have the right to request that we disclose:

Categories of personal information collected about you
Categories of sources from which information was collected
Business or commercial purpose for collecting information
Categories of third parties with whom we share information
Specific pieces of personal information we have about you

15.8.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (legal obligations, fraud prevention, etc.).

15.8.3 Right to Correct

You have the right to request correction of inaccurate personal information.

15.8.4 Right to Opt-Out

You have the right to opt-out of the "sale" or "sharing" of your personal information (not applicable to TeachTime currently).

15.8.5 Right to Limit Use of Sensitive Personal Information

You have the right to limit the use of sensitive personal information to necessary business purposes (TeachTime already does this).

15.8.6 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA/CPRA rights.

15.9 How to Exercise Your CCPA/CPRA Rights

To submit a request:

1. Email: [email protected]

2. Subject line: "CCPA Privacy Rights Request"

3. Include:

- Your name and email address

- Type of request (know, delete, correct)

- Specific information you're requesting

Verification:

We will verify your identity using your account email or other information
For sensitive requests, we may require additional verification

Response time:

We will respond within 45 days (may extend to 90 days for complex requests with notice)

Authorized agents:

You may designate an authorized agent to make requests on your behalf
We will require proof of authorization (power of attorney or signed permission)

15.10 California's "Shine the Light" Law

California Civil Code Section 1798.83 allows California residents to request information about disclosures of personal information to third parties for direct marketing purposes.

TeachTime's position: We do NOT disclose personal information to third parties for their direct marketing purposes.

15.11 Minors Under 16 (CCPA/CPRA)

For California residents under 16:

We do NOT sell or share personal information of minors under 16
We require opt-in consent from parents for sale/sharing (not applicable)
Teachers are required to obtain parental consent before entering minor student data

See Section 5 for children's privacy information.

16. EUROPEAN UNION DATA PROTECTION RIGHTS (GDPR)

16.1 Scope of GDPR

This section applies to individuals in the European Union and European Economic Area.

The General Data Protection Regulation (GDPR) provides EU/EEA residents with comprehensive data protection rights.

16.2 Legal Basis for Processing (Article 6 GDPR)

We process your personal data based on the following legal grounds:

16.2.1 Contract Performance (Article 6(1)(b))

Providing the Service you requested
Managing your account
Processing payments

16.2.2 Legitimate Interests (Article 6(1)(f))

Security and fraud prevention
Service improvement and analytics
Customer support
Business operations

Your rights: You may object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your interests.

16.2.3 Legal Obligation (Article 6(1)(c))

Complying with tax and accounting laws
Responding to legal requests
Regulatory compliance

16.2.4 Consent (Article 6(1)(a))

Marketing communications (if applicable)
Non-essential cookies
Processing children's data (obtained by teacher from parent)

Your rights: You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

16.3 Your GDPR Rights

16.3.1 Right of Access (Article 15)

You have the right to obtain:

Confirmation of whether we process your personal data
A copy of your personal data
Information about processing (purposes, categories, recipients, retention period)

How to exercise: Email [email protected] with subject "GDPR Access Request"

16.3.2 Right to Rectification (Article 16)

You have the right to:

Correct inaccurate personal data
Complete incomplete personal data

How to exercise: Update your profile in the Service or email [email protected]

16.3.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

Data is no longer necessary for the purposes it was collected
You withdraw consent and there is no other legal basis
You object to processing and there are no overriding legitimate grounds
Data was unlawfully processed
Deletion is required for legal compliance

Exceptions (when we cannot delete):

Compliance with legal obligations
Establishment, exercise, or defense of legal claims
Archiving in the public interest, scientific/historical research

How to exercise: Email [email protected] with subject "GDPR Erasure Request"

16.3.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing when:

You contest the accuracy of data (during verification period)
Processing is unlawful but you prefer restriction over erasure
We no longer need the data but you need it for legal claims
You objected to processing (pending verification of grounds)

How to exercise: Email [email protected]

16.3.5 Right to Data Portability (Article 20)

You have the right to:

Receive your personal data in a structured, machine-readable format
Transmit your data to another controller

Applies to:

Data you provided to us
Data processed based on consent or contract
Data processed by automated means

How to exercise: Email [email protected] requesting data portability

16.3.6 Right to Object (Article 21)

You have the right to object to:

Processing based on legitimate interests: We must stop unless we have compelling legitimate grounds
Direct marketing: We will stop immediately (always honored)
Profiling for direct marketing: We will stop immediately

How to exercise: Email [email protected] or click unsubscribe in marketing emails

16.3.7 Rights Related to Automated Decision-Making and Profiling (Article 22)

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you.

TeachTime's position: We do NOT engage in automated decision-making with legal or similarly significant effects.

16.4 Children's Data Under GDPR (Article 8)

For children under the age of digital consent (13-16, depending on EU Member State):

Parental consent is required for processing
Teachers are responsible for obtaining parental consent
Parents may exercise all GDPR rights on behalf of their children

See Section 5 for detailed children's privacy information.

16.5 International Data Transfers

Your personal data may be transferred outside the EU/EEA. Safeguards:

Standard Contractual Clauses (EU Commission-approved)
Adequacy decisions (where applicable)
Supplementary measures (encryption, access controls)

See Section 10 for detailed information about international transfers.

16.6 Data Protection Officer (DPO)

TeachTime does NOT currently have a designated Data Protection Officer as we do not meet the GDPR thresholds requiring mandatory DPO appointment (Article 37).

For GDPR-related inquiries, contact:

Email: [email protected]
Subject line: "GDPR Inquiry"

If we are required to appoint a DPO in the future, contact information will be provided here.

16.7 How to Exercise Your GDPR Rights

To submit a request:

1. Email: [email protected]

2. Subject line: "GDPR Rights Request - [Type of Request]"

3. Include:

- Your name and email

- Specific right you're exercising (access, erasure, etc.)

- Description of your request

Verification:

We will verify your identity using your account email or other information
We may request additional information to verify your identity

Response time:

We will respond within 1 month (30 days)
May extend to 3 months for complex requests (we will notify you and explain the delay)

No fee:

Requests are generally free of charge
We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests

Right to refuse:

We may refuse requests that are manifestly unfounded or excessive
If we refuse, we will explain why and inform you of your right to complain to a supervisory authority

16.8 Right to Lodge a Complaint

If you believe we have violated your GDPR rights, you have the right to lodge a complaint with your local supervisory authority. See Section 19 for a list of EU/EEA Data Protection Authorities.

17. CHANGES TO THIS PRIVACY POLICY

17.1 Right to Modify

TeachTime reserves the right to modify this Privacy Policy at any time to reflect:

Changes in our data processing practices
Changes in applicable laws and regulations
New features or services
Feedback from users or regulators

17.2 Notification of Changes

Material changes:

When we make material changes to this Policy, we will notify you by:

Email notification to your registered email address (for teachers)
In-app notification when you log in
Prominent notice on our website
Updated "Last Updated" date at the top of this Policy

Non-material changes:

For minor updates (e.g., clarifications, formatting, contact information), we will:

Update the "Last Updated" date
Post the revised Policy on our website

17.3 Effective Date of Changes

Changes take effect:

Immediately for new users who accept the updated Policy
30 days after notification for existing users (for material changes)
Upon continued use after the 30-day period

17.4 Reviewing Changes

We encourage you to:

Review this Policy periodically
Check the "Last Updated" date
Contact us if you have questions about changes

17.5 Your Options if You Disagree

If you do not agree with changes to this Policy:

You may delete your account before the changes take effect
You must stop using the Service
Continued use after the effective date constitutes acceptance of the updated Policy

For students/parents: If your teacher continues using the Service, your data will be subject to the updated Policy. Contact your teacher if you have concerns.

17.6 Historical Versions

Upon request, we may provide previous versions of this Privacy Policy for your review.

Contact [email protected] to request historical versions.

18. CONTACT INFORMATION AND DATA PROTECTION OFFICER

18.1 How to Contact TeachTime

For privacy-related inquiries, complaints, or to exercise your rights:

Email: [email protected]

Subject line: "Privacy Inquiry" (or specify: GDPR, CCPA, COPPA, etc.)

Response time: We aim to respond to all inquiries within 10 business days (within 30 days for formal rights requests).

18.2 Data Controller Information

For teacher account data:

Data Controller: TeachTime
Contact: [email protected]
Location: [TO BE SPECIFIED BY LAWYER]

For student/parent data:

Data Controller: The teacher who created your account
Data Processor: TeachTime (processing on behalf of your teacher)
Contact: Contact your teacher first; if unresponsive, contact TeachTime at [email protected]

18.3 Data Protection Officer (DPO)

TeachTime does NOT currently have a designated Data Protection Officer.

We do not meet the GDPR thresholds requiring mandatory DPO appointment:

We are not a public authority
Our core activities do not consist of large-scale systematic monitoring
We do not process large-scale sensitive data as a core activity

If a DPO is appointed in the future, contact information will be provided here.

18.4 EU Representative (If Required)

If TeachTime is required to appoint an EU representative under GDPR Article 27:

Representative information will be provided here once appointed.

19. LEGAL BASIS FOR PROCESSING (GDPR)

This section summarizes our legal basis for processing personal data under GDPR (see also Section 15.2).

19.1 Processing Based on Contract (Article 6(1)(b))

What we process:

Account information (name, email, username)
Lesson schedules and calendars
Attendance and token records
Subscription and payment information

Why: Necessary to perform our contract with you (providing the Service)

19.2 Processing Based on Legitimate Interests (Article 6(1)(f))

What we process:

IP addresses, device information, usage logs
Analytics and performance data
Security and fraud detection data

Our legitimate interests:

Preventing fraud and security threats
Improving Service quality
Understanding user needs
Business operations and administration

Balancing test: Our legitimate interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interests.

19.3 Processing Based on Legal Obligation (Article 6(1)(c))

What we process:

Financial records and transaction logs
Tax and accounting information
Records required for regulatory compliance

Why: Required by law (tax regulations, financial reporting, legal discovery)

19.4 Processing Based on Consent (Article 6(1)(a))

What we process:

Marketing communications (if applicable)
Non-essential cookies
Optional features and integrations

Your rights:

Withdraw consent at any time
Withdrawal does not affect prior lawful processing
We will respect your withdrawal and stop processing for the consented purpose

19.5 Processing of Children's Data

For children under the age of digital consent:

Legal basis: Parental consent (Article 8 GDPR)
Obtained by: The teacher (Data Controller)
TeachTime's role: Data Processor relying on teacher's consent

See Section 5 for detailed children's privacy information.

20. COMPLAINTS TO SUPERVISORY AUTHORITIES

20.1 Right to Complain (GDPR)

If you are in the EU/EEA and believe we have violated your privacy rights:

You have the right to lodge a complaint with your local Data Protection Authority (DPA) or supervisory authority.

20.2 How to File a Complaint

Step 1: We encourage you to contact us first at [email protected] to resolve the issue.

Step 2: If you are not satisfied with our response, you may file a complaint with:

Your local DPA (where you reside)
TeachTime's lead supervisory authority (where we are established)
The DPA where the alleged infringement occurred

20.3 EU/EEA Data Protection Authorities

Find your local DPA:

EU DPA directory: [edpb.europa.eu/about-edpb/board/members_en](https://edpb.europa.eu/about-edpb/board/members_en)
Country-specific DPAs: Listed on the European Data Protection Board website

Examples (not exhaustive):

Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
France: Commission Nationale de l'Informatique et des Libertés (CNIL)
United Kingdom: Information Commissioner's Office (ICO)
Ireland: Data Protection Commission (DPC)

20.4 Other Jurisdictions

United States (COPPA violations):

Federal Trade Commission (FTC): [ftc.gov/complaint](https://www.ftccomplaintassistant.gov/)

California (CCPA violations):

California Privacy Protection Agency: [cppa.ca.gov](https://cppa.ca.gov/)

Other countries:

Contact your local privacy regulator or consumer protection agency

20.5 No Retaliation

TeachTime will NOT retaliate against users who:

Exercise their privacy rights
File complaints with regulators
Raise privacy concerns

SUMMARY AND FINAL ACKNOWLEDGMENT

By using TeachTime, you acknowledge and agree that you have read, understood, and consent to this Privacy Policy. Key takeaways:

✓ TeachTime is a Data Processor for student/parent data (your teacher is the Data Controller)

✓ Your teacher is responsible for obtaining parental consent for minors

✓ We do NOT sell your data to third parties

✓ We do NOT use student data for advertising or marketing

✓ You have rights to access, correct, delete, and control your data

✓ Children's privacy is critical - see Section 5 for COPPA/GDPR requirements

✓ Data may be transferred internationally with appropriate safeguards

✓ You can contact us at [email protected] for privacy inquiries

If you have questions about this Privacy Policy, please contact us at [email protected].

Last Updated: October 4, 2025 Version: 1.0 END OF PRIVACY POLICY

PRIVACY POLICY

TeachTime Application

TABLE OF CONTENTS

1. INTRODUCTION AND SCOPE

1.1 Purpose of This Policy

1.2 Scope and Application

1.3 Consent to This Policy

1.4 Compliance Framework

1.5 Special Notice for Minors

2. TEACHTIME'S ROLE: DATA PROCESSOR VS. DATA CONTROLLER

2.1 Critical Legal Distinction

2.1.1 When TeachTime is a Data Processor (Service Provider)

2.1.2 When TeachTime is a Data Controller (Business)

2.2 Why This Distinction Matters

2.3 Data Processing Agreement

2.4 No Independent Use of Student Data

2.5 Teacher's Liability for Privacy Violations

3. GOVERNING LANGUAGE AND ENGLISH PROFICIENCY REQUIREMENT

3.1 English as the Sole Legally Binding Language

3.2 User's Representation of English Proficiency

3.3 Prohibition on Use Without English Proficiency

3.4 No Obligation to Provide Translations

3.5 Legal Proceedings and Disputes

3.6 Amendments and Updates

4. INFORMATION WE COLLECT

4.1 Information Collected from Teachers (Data Controller)

4.1.1 Account Information

4.1.2 Payment and Billing Information

4.1.3 Professional Information

4.1.4 Legal Consent and Signature Records

4.2 Information Collected from Students and Parents (Data Processor)

4.2.1 Student Account Information

4.2.2 Parent/Guardian Information

4.2.3 Lesson and Educational Information

4.2.4 Usage Information

4.3 Information Collected Automatically (Data Controller)

4.3.1 Technical and Device Information

4.3.2 Usage and Analytics Data

4.3.3 Cookies and Tracking Technologies

4.4 Information from Third-Party Sources

4.4.1 Facebook Lead Ads Integration

4.4.2 Landing Page Form Submissions

4.4.3 PayPal Payment Information

4.5 Information You Provide Voluntarily

4.6 Information We Do NOT Collect

5. HOW WE USE YOUR INFORMATION

5.1 Primary Purposes of Data Processing

5.1.1 Providing the Service

5.1.2 Billing and Payment Processing

5.1.3 Customer Support and Communication

5.1.4 Security and Fraud Prevention

5.1.5 Service Improvement and Analytics

5.1.6 Legal Compliance and Protection

5.2 Legal Basis for Processing (GDPR)

5.2.1 Contract Performance (Article 6(1)(b) GDPR)

5.2.2 Legitimate Interests (Article 6(1)(f) GDPR)

5.2.3 Legal Obligation (Article 6(1)(c) GDPR)

5.2.4 Consent (Article 6(1)(a) GDPR)

5.3 What We Do NOT Do With Your Information

5.4 Aggregate and De-Identified Data

6. CHILDREN'S PRIVACY AND PARENTAL CONSENT (COPPA/GDPR COMPLIANCE)

6.1 Critical Notice About Children's Privacy

6.2 Age Requirements and Restrictions

6.2.1 Minimum Age for Independent Use

6.2.2 COPPA Compliance (United States)

6.2.3 GDPR Article 8 Compliance (European Union)

6.3 Teacher's Obligation to Obtain Parental Consent

6.3.1 Verifiable Parental Consent Requirement

6.3.2 What Constitutes "Verifiable Parental Consent"

6.3.3 Teacher's Representation and Warranty

6.4 TeachTime's Role as Data Processor for Children's Data

6.5 Parental Rights Under COPPA

6.5.1 Right to Review

6.5.2 Right to Delete

6.5.3 Right to Refuse Further Collection

6.5.4 Right to Consent

6.6 Parental Rights Under GDPR (Article 8)

6.6.1 All GDPR Rights on Behalf of Your Child

6.6.2 Responsibility for Exercising Rights

6.7 What Information Do We Collect from Children?