Trust & student data at FlashMath
Teachers, administrators, and parents put students in our hands. This page explains — without legal jargon — what we collect, why, who touches it, and how to get it deleted. The binding versions live in our Education Privacy Policy and Education Terms.
No ads. No selling data.
We never sell personal information, never show advertising to students, and never build advertising profiles. Our only business model is subscriptions.
Schools stay in control
For school accounts, the district owns its student data. FlashMath acts as a school official under the school's direction — export or deletion is available on request.
We collect the minimum
Teacher-created student accounts need only a display name — no student email, no address, no phone number. Practice results exist so teachers can teach.
Everything is auditable
Administrative actions on school accounts are written to an append-only audit trail that district admins can review — entries can be added, never edited or removed.
FERPA & COPPA posture
FERPA: where student data counts as an education record, FlashMath operates as a “school official” with a legitimate educational interest, under the school's direct control. The school owns its records; we use them only to provide the service, and we support the school's access, export, and deletion obligations.
COPPA: for students under 13 on school plans, the school consents on behalf of parents for educational use — the model the FTC authorizes for classroom tools. We collect only what the service needs, and parents can review or delete their child's information through the school or by contacting us directly.
What we collect — and what we don't
We collect
- A display name or identifier chosen by the teacher or school
- Username and grade level / classroom assignment
- Practice activity: problems attempted, accuracy, speed, progression
- Game results and in-app achievements
- Technical basics needed to run the service (IP address, device type, logs)
We don't
- No student email, home address, or phone number for teacher-created accounts
- No location tracking
- No advertising identifiers or third-party ad trackers
- No social security numbers, health data, or biometric identifiers
- No sale or rental of personal information — ever
An audit trail that can't be rewritten
Every administrative action on a school account — roster changes, permission changes, data exports, AI feature toggles — is recorded in an append-only audit trail. Entries can be added but never edited or deleted, and district administrators can review the full history from their dashboard. If something happens to a student account, there is always a record of who did what, and when.
How AI features handle student data
FlashMath's AI features (coaching hints, teacher insights, and voice practice) are built so the AI provider sees as little as possible:
- Off by default for schools. Districts choose which AI features are enabled; individual features can be turned off at any time.
- Student voice audio used in speech practice is processed by OpenAI only under an explicit district opt-in, is used solely to power the feature, and is not used to train OpenAI's models.
- Text-based AI (coaching and insights, processed by Anthropic) works from practice performance context — it does not need, and is not sent, student contact information.
- No model training on student data. Our agreements with AI providers prohibit using student data to train their models.
Subprocessors
These are the vendors that may process data on our behalf, what they do for us, and what student data (if any) they touch:
| Vendor | Purpose | Student data involved |
|---|---|---|
| Anthropic | AI coaching and teacher-facing insights (text) | Practice performance context (no names required); not used to train models |
| OpenAI | Speech features, including student voice practice | Voice audio, only where the district has opted in; not used to train models |
| Stripe | Subscription billing | None — billing contacts only (teachers, schools, parents) |
| Resend | Transactional email delivery | None for managed students (they have no email address) |
| Optional single sign-on and cloud infrastructure | Sign-in identity only when a school chooses Google SSO |
We notify subscribing schools before adding a subprocessor that would process student data.
Compliance & certifications
Student Data Privacy Consortium (SDPC) — National Data Privacy Agreement
TODO: legal sign-off pending — NDPA signing status will be published here.
SOC 2
TODO: legal sign-off pending — SOC 2 audit status will be published here.
Data deletion & questions
Schools can request a full export or deletion of their students' data at any time. Parents should start with their child's school (it controls the account), and can also reach us directly. Deletion requests are honored within a reasonable period — typically well inside 90 days — unless the law requires retention.
Contact: education@flashmath.io (subject line “Data request”). Security researchers can use the same address to report vulnerabilities.