Privacy Policy

From adult account holders (parents, teachers, admin, Elite learners):

• Email address and password (hashed with industry-standard algorithms; we never see the plain password).
• Display name, role, and — for Elite tier — birth year and credential status (diploma / GED / last grade completed) used solely to route curriculum.
• Support messages you send us.

From learner profiles created by adults:

• First name or nickname (no last name required).
• Avatar choice, grade band, and learning preferences.
• Learning progress (items attempted, mastery level, standards coverage, hours on task).
• Messages exchanged with the parent or with a sibling on the same account.

Automatically:

• Basic device/browser info and approximate region (security and diagnostics).
• Anonymous usage events (e.g. "math item completed") to improve the curriculum.

We do notuse third-party advertising trackers and do notshow advertising to learners.

When a teacher or school district uses Civra with their students, Civra acts as a "School Official"with a legitimate educational interest under the Family Educational Rights and Privacy Act (FERPA, 34 CFR § 99.31(a)(1)).

• The school remains the sole controllerof student education records. We process data only on the school's documented instructions.
• We do not disclose personally identifiable information from education records to any third party without the school's prior written consent or a lawful exception.
• Student data is never used to train external AI models, build advertising profiles, or for any purpose beyond delivering the educational service.
• Schools and parents retain the right to inspect, correct, or delete student records, and we honor verified deletion requests on the school's authority.
• A signed Data Processing Addendum (DPA) is available on request for any school or district.

• To deliver the learning experience (lessons, mastery tracking, transcripts, standards-aligned reporting).
• To enable parent/sibling messaging and support correspondence.
• To keep accounts secure and prevent abuse.
• To improve curriculum quality (using aggregated, anonymous data only).
• To respond to support inquiries — including via AI assistants (see §8).

We do notsell, rent, or share personal information with marketers.

• Lovable Cloud — hosting, database, authentication, file storage.
• Lovable AI / OpenAI / Google / Groq — model providers powering tutoring and support replies. Only the messages required to generate a response are transmitted, and providers do not train on your data via the APIs we use.
• ElevenLabs — text-to-speech for early-literacy and citizenship pronunciation practice. Voice synthesis output is streamed; no learner voice recordings are persisted by default (see §7).

Providers process data only on our instructions, under written agreements (DPAs).

Civra operates on a Zero Trustsecurity posture. Every request — internal or external — is authenticated, authorized, and encrypted. There are no implicit trust zones.

• Data Minimization.We collect the minimum data required to deliver mastery. We do not request Social Security Numbers, government ID numbers, biometrics, or financial account data for learning use.
• Ephemeral Voice Processing (Elite Tier).Voice AI interactions used for citizenship interview practice, language pronunciation, or Socratic dialogue are processed in memoryand are never written to permanent disk storageunless you explicitly save the session to your personal Vault.
• Encrypted at every layer.TLS 1.3 in transit; AES-256 encryption at rest for databases and Vault storage; passwords hashed with bcrypt/argon2.
• Row-Level Security (RLS).Every database query is scoped at the database engine itself to the authenticated user — not at the application layer — preventing cross-account data exposure even in the event of an application-layer bug.
• Secrets isolation.API keys and signing secrets live in a hardened secret store, never in source code or client-side bundles.
• Continuous monitoring.Anomalous access patterns trigger automated alerts and rate-limiting.

Civra uses AI as a Socratic tutor — a tool that asks questions, traces reasoning, and accelerates mastery. We are explicit about what AI is and is not:

• AI is a tutor, not counsel.AI explanations of citizenship law, immigration procedure, financial planning, or medical/health-literacy content are educational only. They are nota substitute for licensed legal, financial, or medical advice.
• Hallucination disclosure.AI models can produce confidently-stated errors. Mastery transcripts and standards-coded items are validated against the underlying curriculum bank — not generated freeform — precisely to mitigate this risk.
• No covert AI.When you are speaking to an AI tutor, the interface labels it as such. We do not disguise AI as a human teacher.
• No identifying contact data to AI providers.We do not knowingly transmit a learner's full name, address, telephone number, or other identifying contact information to AI providers.

Access to information inside Civra is governed by the principle of least privilege. What each role can see:

• Parent / Guardian.Full progress, mastery codes, transcript, hours on task, and message history for every learner profile they created. May edit or delete any learner under their account.
• Teacher.Progress, mastery codes, and standards coverage for students enrolled in their classroom. No access to the student's home account, family messages, or sibling profiles.
• Sibling (peer leaderboard).Display name and Gem totals only. No access to mastery codes, item history, messages, age, or real name.
• Elite Learner (adult, self-managed).Full access to their own data only. May export or purge at will.
• Civitas Staff.No standing access to learner records. Support engineers receive scoped, audit-logged, just-in-time access only after the account holder opens a support ticket and only for the duration of the investigation. All staff access requires Multi-Factor Authentication (MFA)and is logged immutably.

Civra serves a global learner base. Where data crosses borders, we use lawful transfer mechanisms:

• European Union / EEA (GDPR).Transfers from the EEA to the United States are governed by the European Commission's Standard Contractual Clauses (SCCs, 2021/914), supplemented by Transfer Impact Assessments where appropriate.
• United Kingdom.Transfers from the UK rely on the UK International Data Transfer Addendumto the SCCs (the "UK Extension"), under UK GDPR.
• Switzerland.Transfers honor the Swiss-US Data Privacy Framework and revised SCCs.
• Japan.When a learner's profile is locked to Japan (e.g. JLPT preparation), data handling aligns with the Act on the Protection of Personal Information (APPI), including notice-and-consent for cross-border transfer.
• Brazil.Processing for learners in Brazil follows the Lei Geral de Proteção de Dados (LGPD).
• Canada.Processing follows PIPEDAand applicable provincial law.
• Character / Country Lock.When the learning UI is locked to a specific country profile, data residency preferences and the corresponding regional privacy regime are applied to that profile's records.

You may contact our Data Protection Officer to receive a copy of the relevant transfer agreements.

Depending on your jurisdiction, you have the right to:

• Access the personal data we hold about you and your learners.
• Correct inaccurate data.
• Export your data in a portable, machine-readable format.
• Restrict or object to specific processing.
• Withdraw consent at any time (without affecting prior lawful processing).
• Lodge a complaint with your national data protection authority.
• Opt out of any "sale" or "sharing" of personal information (we do neither).

Use the in-app Support widget or email us; we respond within 30 days (15 days under CPRA where shorter).

You may invoke a full data wipeat any time. This is not a soft delete. When triggered:

• Account credentials are revoked immediately.
• All mastery logs, transcripts, Vault files, voice-session metadata, chat history, and learner profiles are purged from primary systems within 72 hours.
• Encrypted backup snapshots are rotated out within the standard backup lifecycle (no later than 35 days), after which the data is cryptographically irretrievable.
• Anonymized, aggregated analytics with no link to your account may be retained for curriculum research.
• Records we are legally required to retain (tax, fraud prevention, formal legal hold) are isolated, access-restricted, and deleted at the end of the statutory retention period.

Trigger a wipe from Account Settings → Danger Zoneor by emailing the Privacy Officer with the subject line "Right to be Forgotten."