Privacy Policy

Last updated: 2026-05-03.

Summary

HallPassGo is a K–8 educational practice platform. We collect the minimum we need to deliver the service: an email + password (or Google sign-in) for adult accounts, a display name + grade for student profiles, and the practice activity that powers your dashboard. We do not sell your data, we do not run advertising, and we treat student data — especially for kids under 13 — as the sensitive material it is.

What we collect

• Account info: email, display name, password (stored as a salted PBKDF2 hash — we never see the plaintext), role (student / parent / teacher), grade and birth year for student accounts. Birth year is used only for age-gating under COPPA and is not displayed to other users. Profile picture if you sign in with Google.
• Usage data: the questions you answer, the responses you give, time spent, tutor messages, voice playback events, achievements + streak. This is what powers your dashboard, the daily-usage caps, and (for parents on Family-tier accounts) the weekly progress digest.
• Billing data: if you subscribe to a paid tier, our payment processor (Stripe) stores your card. We never see or store your card details — only the customer and subscription identifiers Stripe returns to us.
• Photo uploads (Premium feature): if you use the photo homework helper, the photo is uploaded to our object storage so the tutor can read it. Photos are retained for 30 days, then automatically deleted.
• Technical data: IP address, user agent, request timestamps. Used for abuse prevention and operational monitoring only. Not used for advertising or profiling.

How we use it

• To deliver the service: showing you appropriate questions for your grade and role, grading your answers, running the tutor, generating voice audio.
• To enforce limits: free-tier daily question cap, Plus-tier tutor message cap, Premium-tier voice character cap.
• To improve the service: aggregate analytics on which questions are commonly missed (no individual student data exposed) and on which features are used.
• To communicate: account-related emails (verify, password reset, billing notifications, weekly progress digest for parents on Family accounts). We do not send marketing email without your explicit opt-in.
• To detect and prevent abuse, fraud, or violations of our terms of service.

We do not use student work, tutor conversations, or photo uploads to train models for any purpose other than delivering the service to you.

COPPA & students under 13

HallPassGo does not knowingly collect personal information from children under 13 without verifiable parental consent. Students under 13 cannot create their own account.

To enroll an under-13 student, a parent or legal guardian creates a Family-tier account in their own name and adds the child as a managed profile. When a child profile is added by a parent, we collect only what's necessary to deliver the educational service: a display name (no email needed), grade level, practice attempts, tutor history, and (if they use it) voice playback data. Parents control the child's profile, can review or export the data at any time, and can delete the profile and its associated data on demand by emailing hall-aides@hallpassgo.com.

Children's data is never used for advertising, marketing, or any purpose other than delivering the educational service.

Who we share with

We do not sell your data. We do not share your data with advertising or marketing networks.

We use a small set of service providers ("subprocessors") that process limited data on our behalf, only to the extent needed to deliver the service:

• Stripe — processes payments. You interact with Stripe directly when you upgrade. Their privacy policy at stripe.com/privacy applies to that interaction.
• A cloud hosting provider — runs the website, the database, the file storage, and the audio cache.
• An AI service provider — powers the tutor and voice features. Tutor prompts and voice text are sent to fulfill the request. We do not authorize the provider to retain this data for model training.
• An email delivery provider — sends transactional emails (verify, password reset, weekly digest).
• A bot-protection provider — runs an invisible check during sign-up, sign-in, and password-reset to block automated abuse. The check sees general request information (browser environment, timing) but not your account credentials.
• Google Sign-In — if you choose to sign in with Google, Google authenticates you and shares your basic profile information (email, name, profile picture) with us.

For a current list of named subprocessors, email hall-aides@hallpassgo.com. We update this list when subprocessors change.

We may also disclose data if required by law (subpoena, court order, etc.) or to protect the safety, rights, or property of users or the public.

Your rights

You can:

• View and edit your profile in Account settings.
• Cancel your subscription at any time through Stripe Customer Portal (linked from Account settings).
• Request a copy of your data, or request deletion of your account and all associated data, by emailing hall-aides@hallpassgo.com. We respond within 30 days.
• If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) including the right to know, the right to delete, the right to correct, and the right to non-discrimination for exercising those rights. Same email handles all requests.
• If you are in the European Economic Area or the UK, you have additional rights under the GDPR including the right of access, rectification, erasure, restriction of processing, data portability, and objection. Same email handles all requests.

Parents of student accounts (children under 13 on Family-tier sub-profiles, or any student linked via the parent-link feature) can exercise the above rights on the child's behalf using the same email.

Data retention

We retain account and usage data while your account is active. After you delete your account, we wipe personally identifiable information within 30 days. Aggregate, de-identified analytics may be retained longer to inform product improvement.

Photo uploads for the photo homework helper are deleted automatically 30 days after upload.

Billing records are retained for up to 7 years to comply with US tax and accounting requirements.

Security

Passwords are stored as PBKDF2-SHA256 hashes with per-user random salts. Sessions use a single signed, HttpOnly cookie. All traffic to and from the service is encrypted in transit with HTTPS. Database and file storage at rest are encrypted by our cloud hosting provider. We follow the principle of least privilege internally: only the small operating team has production access, and that access is logged.

No system is perfectly secure. If we discover a breach that affects your data, we'll notify you by email without undue delay and in accordance with applicable law.

Cookies

We use a single HttpOnly session cookie (`hallpassgo_session`) to keep you signed in. We do not use third-party advertising cookies or tracking pixels. We do not set cookies for advertising or profiling purposes.

International users

HallPassGo is operated from the United States. If you access the service from outside the US, your data is transferred to and processed in the US. By using the service, you consent to that transfer.

Changes

If we make material changes to this policy, we'll email registered users at least 7 days before they take effect.

Questions or concerns? Email hall-aides@hallpassgo.com.