Skip to main content
Back to Home
I Love My Class

Privacy Policy

Last updated: March 27, 2026

This Privacy Policy may be updated periodically. We will notify registered users of material changes via email at least 30 days before they take effect. Last updated: March 27, 2026. A Portuguese translation of this Privacy Policy is available upon request by contacting claudiocsdefreitas@gmail.com.

I Love My Class (“we,” “us,” or “our”) operates the ilovemyclass.com platform (the “Platform”), a social network and learning management system designed for educators, professors, teachers, and academic professionals. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use the Platform.

By accessing or using the Platform, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the Platform.

This Privacy Policy applies to all users worldwide, including users in the United States, the European Economic Area (EEA), the United Kingdom, Canada, Brazil, Australia, and all other jurisdictions. Where specific regional laws grant you additional rights, those rights are described in the applicable sections below.

1. Information We Collect

We collect the following types of information when you use the Platform:

1.1 Information You Provide

  • Account information: full name, email address, password, and professional role (e.g., professor, teacher, researcher)
  • Profile data: profile photo, bio, department, areas of expertise, and other information you choose to add to your profile
  • Social content: posts, comments, testimonials, community discussions, and direct messages you create on the Platform
  • Course content: course materials, syllabi, lesson plans, assignments, assessments, and educational resources you upload or create
  • Gradebook data: grades, scores, and feedback you enter for students in your classrooms
  • AI feature inputs: course content, learning outcomes, syllabi, and other educational materials you submit to AI-powered features such as Lesson Plan Generator, AI Course Analysis, and AI quiz generation
  • Payment information: billing details provided during subscription or purchase transactions, processed by our payment provider (Stripe). We do not store credit card numbers on our servers

1.2 Information from Google OAuth Sign-In

If you sign in or register using Google OAuth, we request access to the following Google account data (known as “OAuth scopes”):

  • email scope: Your Google email address, used to create and identify your I Love My Class account. This is the primary identifier for your account
  • profile scope: Your Google display name and profile picture, used to pre-populate your I Love My Class profile. You can change your name and profile picture at any time in your account settings

We do NOT request access to your Google contacts, calendar, Drive files, Gmail messages, or any other Google data beyond the email and profile scopes listed above. We do not post to your Google account or access any Google services on your behalf. Your Google OAuth token is used solely for authentication and is not stored on our servers beyond the session.

1.3 Information Collected Automatically

  • Usage data: pages visited, features used, actions taken, and timestamps
  • Device information: browser type, operating system, screen resolution, and device type
  • Connection data: IP address, referring URL, and general geographic location (country/region level)

1.4 Information We Do NOT Collect

  • Biometric data: We do not collect fingerprints, facial geometry, voiceprints, retina scans, or any other biometric identifiers or biometric information as defined under the Illinois Biometric Information Privacy Act (BIPA) or any similar law
  • Precise geolocation: We do not collect GPS coordinates or precise location data
  • Protected health information: We do not collect health-related data as defined under HIPAA
  • Student personal data: Student participation features (attendance, team builder, live discussion) use anonymous IDs or first names only. We do not collect student Social Security numbers, dates of birth, or home addresses
  • Advertising data: We do not use advertising trackers, and we do not sell or share your data with third parties for advertising purposes

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide, operate, and maintain the Platform and its features
  • Authenticate your identity and verify your account
  • Personalize your experience, including displaying relevant content and connections
  • Process AI-powered feature requests (Lesson Plan Generator, AI Course Analysis, quiz generation) and return results to you
  • Send transactional emails related to your account (e.g., password resets, security alerts, account notifications)
  • Enforce our Terms of Service and protect against misuse, fraud, and security threats
  • Improve the Platform through aggregated, anonymized usage analytics
  • Respond to your requests, comments, or questions
  • Comply with legal obligations and enforce our rights
  • Process payments and manage subscriptions through our payment provider

3. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), the United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we rely on the following legal bases:

  • Contract performance: Processing necessary to provide the Platform services you have requested, including account creation, course management, social features, and AI features (Article 6(1)(b) GDPR)
  • Legitimate interests: Processing necessary for our legitimate interests, including Platform security, fraud prevention, service improvement, and aggregated analytics, provided these interests are not overridden by your rights and freedoms (Article 6(1)(f) GDPR)
  • Consent: Processing based on your explicit consent, including marketing emails and optional features. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal (Article 6(1)(a) GDPR)
  • Legal obligation: Processing necessary to comply with applicable laws, regulations, and legal requests, including tax obligations, court orders, and regulatory requirements (Article 6(1)(c) GDPR)

Where we rely on legitimate interests, we have conducted balancing tests to ensure your rights and freedoms are not overridden. You may request details of these assessments by contacting us.

4. Social Features and Visibility

The Platform includes social networking features. The visibility of your information depends on the feature:

  • Profile: Your profile information (name, photo, bio, institution) is visible to other authenticated users on the Platform
  • Posts and feed: Posts you create in the social feed are visible to your connections and other authenticated users
  • Direct messages: Messages are strictly private between the sender and recipient only. No other users, including administrators, can read your direct messages without explicit audit authorization
  • Communities: Posts in communities are visible to community members. Community visibility settings (public, private, institution-only) determine who can join
  • Testimonials: Testimonials require approval from the recipient before they are publicly displayed

5. AI Features -- Data Processing Transparency

The Platform offers AI-powered features including Lesson Plan Generator, AI Course Analysis, and AI quiz generation. This section explains how your data is processed when you use these features:

  • Data sent to AI providers: When you use AI-powered features, your input data -- specifically course content, learning outcomes, and curriculum structure -- is sent to OpenAI (our AI sub-processor) via their API solely for analysis purposes. Data is processed via OpenAI's API solely for analysis purposes and is not used to train AI models. For details on OpenAI's data handling, see OpenAI's API Data Usage Policies and their Data Processing Addendum
  • No model training: We do NOT use your data to train AI models. Your content is used solely for generating the specific output you requested. Third-party AI providers process your data under API-specific data usage policies that prohibit use of API inputs and outputs for model training
  • Third-party processing: OpenAI, our sole AI sub-processor, processes data under their privacy policy and data processing agreement. We require contractual commitments from AI providers regarding data handling, security, and confidentiality
  • Retention by AI providers: AI-generated outputs are not stored by third-party providers beyond the processing session, subject to their retention policies for abuse monitoring (typically 30 days or less)
  • Our retention of AI data: We may retain AI inputs and outputs to improve service quality, debug issues, enforce usage limits, and fulfill our contractual obligations to you. This data is subject to the same security measures and retention schedules described in this policy
  • Sensitive data warning: You should NOT input sensitive personal information, student personally identifiable information (PII), Social Security numbers, protected health information (PHI), or financial account numbers into AI features. AI features are designed for course content and curriculum analysis, not for processing student personal data
  • Scope of AI features: AI features are designed exclusively for educational content purposes, including generating lesson plans, analyzing curriculum alignment, and creating assessment questions. They are not designed for and must not be used for processing student personal data, making decisions about individual students, or any purpose outside of course content creation and analysis

6. Student Data Privacy -- General Principles

Protecting student data is central to the Platform's design. The following principles apply across all features that may involve student data:

  • Data processor role: With respect to student education records, I Love My Class acts as a “service provider” (under US law) and “data processor” (under GDPR and similar international laws). Educators and their institutions are the “data controllers” who determine the purposes and means of processing student data
  • Educator responsibility: Educators are responsible for obtaining any necessary consents, permissions, or authorizations required by their institution or applicable law before inputting student data into the Platform
  • No advertising or profiling: We do NOT use student data for advertising, behavioral profiling, targeted marketing, or any purpose other than providing the requested educational service
  • No third-party sharing: Student data is never shared with third parties except as strictly necessary to provide the Platform's services (e.g., database hosting, application delivery)
  • De-identification by design: Student-facing features (Team Builder, Live Discussion, Quiz Generator - Instant Feedback) are built with de-identification as a foundational design principle, avoiding collection of protected education records wherever possible
  • No student profiles or cross-session tracking: We do not create persistent student profiles and do not track students across sessions, features, or classrooms

7. Team Builder -- Student Data Privacy

The Team Builder feature is designed with student data privacy as a foundational requirement, using de-identification by design:

  • De-identification by design: Students are identified only by session-specific de-identified animal nicknames. Student names, email addresses, and institutional IDs are never stored in or transmitted through the team formation system. Nicknames are randomly assigned per session and do not persist across sessions
  • Encryption: All student responses are encrypted using AES-256-GCM encryption, the same standard used by financial institutions and government agencies. Each session generates a unique encryption key
  • Immediate deletion: All student response data is permanently deleted immediately after team generation. Abandoned sessions are cleaned up within 24 hours as a safety net. This deletion is irreversible
  • Access controls: Only the instructor who created the session can view collected responses. Students cannot view other students' data. System administrators cannot access encrypted student response data. Submission timestamps are not exposed to instructors
  • Re-identification risk controls: The system automatically detects small class sizes and limits the number of sensitive demographic attributes that can be combined to reduce the risk of re-identification through attribute combinations
  • No persistent identifiers: Participant identifiers are scoped to the browser tab session and are not stored in persistent storage. No cross-session tracking occurs

8. Live Discussion and Quiz Generator - Instant Feedback -- Student Data Privacy

The Live Discussion and Quiz Generator - Instant Feedback features also prioritize student anonymity:

  • Student entries in Live Discussion and Quiz Generator - Instant Feedback sessions are fully anonymous
  • No student names, email addresses, or identifying information are collected or stored in connection with session entries
  • Only the instructor who created the session can manage the discussion or feedback session
  • Session data is subject to the same encryption, access control, and deletion protections described for Team Builder in Section 7
  • No persistent student profiles are created and no cross-session tracking occurs

9. Data Storage and Security

We take the security of your data seriously and implement multiple layers of protection:

  • Database: Data is stored in PostgreSQL via Supabase with Row Level Security (RLS) policies that enforce access controls at the database level
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS (TLS 1.2+)
  • Encryption at rest: Data stored in our databases is encrypted at rest using industry-standard encryption (AES-256)
  • Infrastructure: The Platform is hosted on secure cloud infrastructure (Vercel and Supabase) with access controls, monitoring, and regular security updates
  • Authentication: Passwords are hashed using secure algorithms. We support email verification and enforce rate limiting to prevent abuse
  • Data protection impact assessments: We conduct Data Protection Impact Assessments (DPIAs) as required by GDPR for high-risk processing activities

10. No Sale of Personal Data

We do NOT sell, rent, trade, or otherwise transfer your personal information to third parties for their marketing or commercial purposes. This applies to all definitions of “sale” under applicable law, including the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and all other applicable privacy statutes. We do not “share” personal information for cross-context behavioral advertising as defined under the CPRA. Your data is used solely for the operation and improvement of the Platform. This commitment is fundamental to our mission of serving educators and protecting student data.

11. Third-Party Services

We use a limited number of third-party services solely for the operation of the Platform. We conduct due diligence on all third-party providers to ensure they maintain appropriate security measures and data handling practices. These services process data only as necessary to provide their functionality:

  • Supabase (US): Database hosting, authentication (including Google OAuth token exchange), and real-time functionality. Receives: email, hashed passwords, profile data, all user-created content. Supabase is SOC 2 Type II, ISO 27001, ISO 27017, and ISO 27018 certified
  • Vercel (US): Application hosting and content delivery network (CDN). Receives: HTTP requests, IP addresses, and browser metadata for serving the application
  • OpenAI (AI Sub-Processor): AI content generation for Lesson Plan Generator, AI Course Analysis, and quiz generation features. Data sent includes course content, learning outcomes, and curriculum structure. Data is processed via OpenAI's API solely for analysis purposes and is NOT used for model training. OpenAI processes data as a sub-processor under a data processing agreement. See OpenAI's API Data Usage Policies and their Data Processing Addendum
  • Stripe (US): Payment processing for subscriptions and purchases. Stripe is PCI DSS Level 1 compliant. Receives: billing name, email, and payment method details. We do NOT store credit card numbers on our servers; all payment data is handled directly by Stripe
  • Resend (US): Transactional email delivery (e.g., password reset emails, account notifications). Receives: recipient email address and email content
  • Sentry (US): Error monitoring and performance tracking. Receives: anonymized error reports, browser type, and stack traces when errors occur. Sentry does NOT receive your personal content, course data, or student information

These third-party services are bound by their own privacy policies and data processing agreements and are used strictly for Platform operation. We do not share your data with advertising networks, data brokers, or analytics companies. We require all sub-processors to maintain security standards consistent with this Privacy Policy.

12. Cookies and Local Storage

The Platform uses only essential cookies and local storage values that are necessary for the Platform to function properly. We do NOT use any third-party tracking cookies, advertising cookies, or analytics cookies. We do not engage in behavioral tracking or targeted advertising.

12.1 Specific Cookies and Storage Used

Below is a complete list of cookies and local storage values used by the Platform:

NameTypePurposeDuration
sb-*-auth-tokenCookieSupabase authentication token that maintains your login session and verifies your identity across page requests. Set with httpOnly and Secure flags for securitySession (1 hour access token; refresh token rotates)
themeLocal storageStores your preferred color theme (light, dark, or system default) via the next-themes libraryPersistent until cleared
ilc-cookie-consentLocal storageRecords whether you have acknowledged the cookie consent banner so it does not reappear on subsequent visitsPersistent until cleared

12.2 No Third-Party Tracking

We do not use Google Analytics, Facebook Pixel, or any other third-party tracking or advertising technology. No cookies are set by external advertising networks or data brokers. Your browsing activity on the Platform is not tracked, profiled, or shared with any third party.

12.3 Cookie Consent

When you first visit the Platform, a cookie consent banner is displayed to inform you about our use of essential cookies. Since we only use cookies that are strictly necessary for the operation of the Platform, consent is not legally required under most jurisdictions. However, we provide the banner for transparency so you are fully informed about our practices. You can manage browser cookies at any time through your browser settings.

13. Do Not Track Signals

We honor Do Not Track (“DNT”) browser signals. When we detect a DNT signal from your browser, we do not alter our data collection or use practices because we do not engage in behavioral tracking, cross-site tracking, or targeted advertising regardless of your DNT setting. Our data practices are the same for all users whether or not a DNT signal is sent.

14. FERPA and Student Privacy (United States)

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. I Love My Class functions as a “school official” with a “legitimate educational interest” under FERPA when processing student education records on behalf of educational institutions. We implement the following safeguards:

  • Student education records (grades, assignments, attendance) are protected with strict access controls at the database level using Row Level Security (RLS)
  • Only educators with a legitimate educational interest (the teacher who created the grade and the specific student the grade belongs to) can access grade data
  • Classroom data is isolated per classroom -- students in one classroom cannot see data from another classroom unless they are a member of both
  • The Team Builder, Live Discussion, and Quiz Generator - Instant Feedback features operate in a de-identified mode by design, avoiding the collection of protected education records entirely. Student responses use session-specific nicknames, are encrypted, and are permanently deleted immediately after session completion
  • Automatic re-identification risk controls limit the combination of sensitive demographic attributes in small class settings
  • Audit logging tracks sensitive operations involving student data
  • We do not disclose education records to third parties without proper consent or a qualifying FERPA exception
  • Student data is used solely for the educational purpose for which it was provided and is not used for advertising, marketing, or building student profiles

15. GDPR Rights (European Economic Area and United Kingdom)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and/or the UK GDPR:

  • Right of access (Article 15): You can request a copy of the personal data we hold about you, along with information about how it is processed
  • Right to rectification (Article 16): You can update or correct inaccurate personal data through your profile settings or by contacting us
  • Right to erasure (Article 17): You can request the complete deletion of your personal data, subject to legal retention requirements and legitimate interests
  • Right to data portability (Article 20): You can request an export of your data in a structured, commonly-used, machine-readable format (JSON)
  • Right to restriction of processing (Article 18): You can request that we restrict the processing of your personal data under certain circumstances
  • Right to object (Article 21): You can object to the processing of your personal data for certain purposes, including processing based on legitimate interests
  • Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal
  • Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated

UK-specific provisions: For users in the United Kingdom, your rights are governed by the UK GDPR and the Data Protection Act 2018. Transfers of personal data from the UK are made using UK-approved data transfer mechanisms, including the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.

To exercise any of these rights, please contact us at claudiocsdefreitas@gmail.com with “GDPR Request” in the subject line. We will respond to your request within 30 days. This period may be extended by up to 60 additional days for complex requests, in which case we will notify you of the extension and the reasons for it within the initial 30-day period.

16. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information
  • Right to delete: You have the right to request the deletion of your personal information, subject to certain exceptions
  • Right to correct: You have the right to request correction of inaccurate personal information
  • Right to opt-out of sale or sharing: We do NOT sell your personal information and do not share it for cross-context behavioral advertising. There is no need to opt out, but we state this explicitly for transparency
  • Right to limit use of sensitive personal information: We only use sensitive personal information for purposes permitted under the CPRA
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality, or service level for exercising your rights
  • Authorized agents: You may designate an authorized agent to make requests on your behalf by providing written authorization to the agent and verifying your identity with us

California “Shine the Light” law: We do not share personal information with third parties for their direct marketing purposes. If this practice changes, we will provide you with the ability to opt out.

SOPIPA compliance: To the extent the Platform processes student data covered by the Student Online Personal Information Protection Act (SOPIPA), we comply with all applicable requirements, including prohibitions on using student data for non-educational purposes, targeted advertising, and creating student profiles for purposes other than providing the educational service.

To exercise your California privacy rights, contact us at claudiocsdefreitas@gmail.com with “California Privacy Request” in the subject line. We will verify your identity before processing your request.

17. US State Privacy Laws

In addition to California, we recognize and comply with privacy rights granted by other US state privacy laws:

17.1 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and Other State Laws

If you reside in a state with a comprehensive consumer privacy law, you may have rights including:

  • The right to confirm whether we are processing your personal data
  • The right to access your personal data
  • The right to correct inaccuracies in your personal data
  • The right to delete your personal data
  • The right to obtain a portable copy of your personal data
  • The right to opt out of the sale of personal data (we do not sell personal data), targeted advertising (we do not engage in targeted advertising), or profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling)

To exercise these rights, contact us at claudiocsdefreitas@gmail.com. If your request is denied, you may appeal by contacting us with “Privacy Appeal” in the subject line.

17.2 New York Education Law 2-d

For student data originating from New York educational institutions, we comply with New York Education Law Section 2-d and its implementing regulations, including maintaining data security and privacy standards, limiting use of student data to the educational purpose for which it was provided, and providing transparency regarding our data practices.

17.3 Illinois Biometric Information Privacy Act (BIPA)

We do NOT collect, capture, purchase, receive through trade, or otherwise obtain any biometric identifiers or biometric information as defined under the Illinois Biometric Information Privacy Act (740 ILCS 14). This includes, but is not limited to, fingerprints, retina or iris scans, voiceprints, scans of hand or face geometry, and any other biometric data.

17.4 State Breach Notification Laws

We comply with all applicable state data breach notification laws. In the event of a data breach, we will notify affected users and the relevant state authorities within the timeframes required by each applicable state law, which in most cases require notification without unreasonable delay.

18. International Privacy Law Compliance

We are committed to complying with privacy laws in all jurisdictions where our users reside. The following sections describe our compliance with specific international privacy frameworks:

18.1 PIPEDA (Canada)

For users in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and its ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Canadian users may file a complaint with the Office of the Privacy Commissioner of Canada if they believe their rights have been violated.

18.2 LGPD (Brazil)

For users in Brazil, we comply with the Lei Geral de Proteção de Dados (LGPD). Brazilian users have rights including confirmation of processing, access to data, correction, anonymization or deletion of unnecessary data, portability, information about sharing with third parties, and the right to revoke consent. To exercise your rights under the LGPD, contact us at claudiocsdefreitas@gmail.com with “LGPD Request” in the subject line.

18.3 POPIA (South Africa)

For users in South Africa, we comply with the Protection of Personal Information Act (POPIA) and its conditions for lawful processing, including accountability, processing limitation, purpose specification, information quality, openness, security safeguards, and data subject participation. South African users may lodge a complaint with the Information Regulator.

18.4 Australian Privacy Act

For users in Australia, we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Australian users have the right to access and correct their personal information and may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if they believe their privacy has been violated.

18.5 PDPA (Singapore and Thailand)

For users in Singapore, we comply with the Personal Data Protection Act 2012 (PDPA). For users in Thailand, we comply with the Personal Data Protection Act B.E. 2562 (2019). Users in these jurisdictions have rights to access, correct, and request deletion of their personal data, and may contact the relevant data protection authority with complaints.

18.6 APPI (Japan)

For users in Japan, we comply with the Act on the Protection of Personal Information (APPI) regarding the handling of personal information. Japanese users have the right to request disclosure, correction, discontinuation of use, and deletion of their personal information. We handle cross-border transfers of personal data in accordance with APPI requirements.

19. International Data Transfers

Your personal data is processed and stored in the United States using infrastructure provided by Supabase and Vercel. If you are accessing the Platform from outside the United States, please be aware that your data will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

  • EU/EEA users: Transfers of personal data from the EEA to the United States are made under Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), or other approved transfer mechanisms under Chapter V of the GDPR. We implement supplementary measures where necessary to ensure an adequate level of protection
  • UK users: Transfers comply with the UK GDPR and the Data Protection Act 2018, using UK-approved data transfer mechanisms including the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs
  • Canadian users: Transfers are made in compliance with PIPEDA requirements for cross-border data transfers, including ensuring comparable levels of protection
  • Users in other jurisdictions: By using the Platform, you acknowledge and consent to the transfer of your data to the United States for processing and storage. We ensure appropriate safeguards are in place for all cross-border data transfers in accordance with applicable local laws

20. Automated Decision-Making and AI Processing

In accordance with Article 22 of the GDPR and similar provisions under other applicable laws:

  • AI features on the Platform involve automated processing of educational content, but do NOT make decisions that produce legal effects or similarly significant effects concerning any individual user
  • AI-generated outputs (lesson plans, curriculum analyses, quiz questions) are recommendations and suggestions only. Human review and approval by the educator is always required before any AI output is used in an educational setting
  • No automated decisions are made regarding student grading, assessment, admission, discipline, or any other matter that would produce legal or similarly significant effects on students
  • Users have the right to request human intervention, express their point of view, and contest any decision regarding AI-generated content
  • You may opt out of AI features entirely and continue to use all other Platform features without limitation

21. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with the Platform's services. Specific retention practices include:

  • Account data: Retained while your account is active. Upon account deletion (available via Settings → Account), your authentication record is deleted immediately, freeing your email address for re-registration. Your account data is archived for 90 days to allow recovery if the deletion was accidental, after which all data is permanently and irreversibly deleted
  • Course content and gradebook data: Retained while the associated classroom or course exists. Deleted when the educator deletes the course or classroom, or upon account deletion
  • AI-generated content: AI inputs and outputs are retained for as long as the associated session, analysis, or course content exists. When the parent resource is deleted, associated AI data is deleted as part of the cascading deletion process
  • Team Builder responses: Permanently deleted immediately after team generation. Abandoned sessions are cleaned up within 24 hours
  • Live Discussion and Quiz Generator - Instant Feedback sessions: Session data is subject to the same immediate deletion practices as Team Builder
  • Guest and anonymous sessions: All data associated with guest or anonymous participation (Team Builder, Live Discussion, Quiz Generator - Instant Feedback) is deleted within 24 hours if not already deleted upon session completion
  • Social content: Retained while your account is active. Deleted posts use soft-delete and are permanently purged within 30 days
  • Audit logs: Retained for a minimum of one year or as required by applicable law and institutional compliance requirements, whichever is longer
  • Payment records: Transaction records are retained as required by applicable tax and financial regulations (typically 7 years), even after account deletion

22. Data Export

You can request an export of your personal data in JSON format. This export includes your profile information, posts, messages, connections, course content, and other data associated with your account. To request a data export, contact us at claudiocsdefreitas@gmail.com. We will fulfill data export requests within 30 days.

23. Data Breach Notification

In the event of a data breach affecting your personal data, we will take the following actions:

  • User notification: We will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach where required by the GDPR, or within the timeframes required by other applicable laws
  • Supervisory authority notification: We will notify the relevant supervisory authorities and data protection regulators as required by applicable law, including GDPR Article 33, applicable US state breach notification laws, and other international breach notification requirements
  • Information provided: Notifications will include the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects
  • Mitigation: We will take immediate steps to contain and remediate the breach, including securing affected systems, conducting a thorough investigation, and implementing measures to prevent recurrence
  • Documentation: We maintain records of all data breaches, including facts, effects, and remedial actions taken, regardless of whether notification is required

24. Children's Privacy and COPPA

The Platform is designed for educators and academic professionals and is strictly intended for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under 18. In accordance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect, use, or disclose personal information from children under 13. We extend this protection to all individuals under 18.

If we become aware that a user is under 18, we will immediately suspend the account, delete all associated personal data within 48 hours, and take steps to prevent future access. If you believe that an individual under the age of 18 is using the Platform, please report it immediately to claudiocsdefreitas@gmail.com.

Student participation in Team Builder, Live Discussion, and Quiz Generator - Instant Feedback sessions does not require an account and does not collect any personally identifiable information, as described in Sections 7 and 8. These features are designed to operate without collecting personal information from any participant regardless of age.

25. Email Communications and CAN-SPAM Compliance

We comply with the CAN-SPAM Act and equivalent international email regulations. We may send you the following types of email:

  • Transactional emails: Account-related communications such as password resets, security alerts, account verification, and important service notices. These are necessary for the operation of your account and cannot be opted out of
  • Marketing emails: Updates about new features, tips for using the Platform, and community highlights. These are opt-in only, and you can unsubscribe at any time using the unsubscribe link included in every marketing email

All marketing emails include a clear and conspicuous unsubscribe mechanism. Unsubscribe requests are honored within 10 business days. We do not use misleading subject lines or deceptive header information. All emails clearly identify I Love My Class as the sender and include our physical mailing address.

26. Security Measures

We implement a comprehensive set of security measures to protect your data:

  • Email verification to confirm account ownership
  • Secure password hashing using industry-standard algorithms
  • Rate limiting on sensitive operations (login attempts, post creation, message sending, sign-up attempts) to prevent abuse
  • Row Level Security (RLS) policies at the database level ensuring users can only access data they are authorized to see
  • HTTPS encryption for all data in transit (TLS 1.2+)
  • AES-256 encryption at rest for all stored data
  • Stateless JWT authentication with short-lived access tokens (1 hour) and refresh token rotation
  • Regular security reviews, vulnerability assessments, and updates
  • Incident response procedures for security events
  • Access controls and principle of least privilege for all internal systems

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using commercially reasonable measures.

27. Data Protection Officer and Contact Information

For all privacy inquiries, data protection requests, and questions about this Privacy Policy, please contact us at:

Response times: We will respond to all privacy requests within 30 days of receipt. For GDPR requests, this period may be extended by up to 60 additional days for complex requests, with notification provided within the initial 30-day period. For CCPA/CPRA requests, we will respond within 45 days, extendable by an additional 45 days with notice.

For questions specifically about student data privacy in the Team Builder, Live Discussion, or Quiz Generator - Instant Feedback features, you may also contact your institution's data protection officer.

28. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you through the Platform or via email to the address associated with your account at least 30 days before the changes take effect. We encourage you to review this policy periodically.

Your continued use of the Platform after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the updated policy, you should discontinue use of the Platform and may request deletion of your account and associated data.

29. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at claudiocsdefreitas@gmail.com.

For questions specifically about student data privacy in the Team Builder, Live Discussion, or Quiz Generator - Instant Feedback features, you may also contact your institution's data protection officer.

If you are not satisfied with our response to your privacy concern, you may have the right to lodge a complaint with your local data protection authority or supervisory authority.