Child safety is our core value

Effective date: April 22, 2026  |  Last updated: May 25, 2026

1. Who this policy covers

This Privacy Policy describes how TeachComplete ("TeachComplete," "we," "us," or "our") collects, uses, stores, discloses, and protects information when you use our website at teachcomplete.com and the TeachComplete web application (collectively, the "Service"). It applies to all users of the Service, including teachers, school administrators, and any student end-users whose information is entered into the Service by their teacher or school.

Privacy contact: matthew@teachcomplete.com.

2. Key definitions

• Personal Information — information that identifies, relates to, or can reasonably be linked to a specific individual.
• Student Data — any Personal Information about a student of any age, including education records as defined under FERPA.
• Child / Children — an individual under 13 years of age, as defined by the Children's Online Privacy Protection Act ("COPPA").
• Education Records — records directly related to a student and maintained by or on behalf of an educational institution, as defined under the Family Educational Rights and Privacy Act ("FERPA").
• School User — a teacher, administrator, or other employee of a school or district who uses the Service on behalf of that institution.

3. Our role — tools for teachers, not a direct-to-student service

TeachComplete is provided to teachers and school administrators. We do not market to, enroll, or collect information directly from students. Any Student Data in the Service is entered by a teacher or school acting in their capacity as an educator, with the authority granted to them by their school or district.

When a school or district provides TeachComplete to its teachers, TeachComplete acts as a "school official" with legitimate educational interests under FERPA (34 CFR §99.31(a)(1)) for the Student Data entered into the Service by that institution's users. We use Student Data only to provide and improve the Service as directed by the teacher or school.

4. Information we collect

4a. From teachers and school administrators (directly)

• Account identifiers: email address, password hash (never the plain password), and — if you use Google Sign-In — your Google account name and profile picture.
• Professional information you choose to provide: school name, grade level, subject taught, and similar context.
• Content you create: classes, rosters, lesson plans, unit plans, assignments, assessments, gradebook entries, teacher notes, and any other educational content you create in the Service.
• AI chat messages sent to our in-app AI assistant while using the Service.
• Communications you send to us (e.g., support emails).

4b. Student Data (entered by teachers, not collected from students)

Teachers may enter the following Student Data into the Service. The scope depends on what the teacher chooses to record:

• Student name or pseudonym and/or school-issued student ID;
• Grade level or class section;
• Assignment submissions, responses, and work product authored by the student as part of classwork;
• Scores, grades, attendance, and behavior notes;
• Teacher-authored notes about the student's learning, differentiation needs, or progress;
• AI-generated learning profiles derived from the above.

We actively encourage teachers to avoid entering personally identifying information. The Service is designed to function with pseudonyms, initials, or school-issued IDs in place of student legal names.

4c. Automatically collected (technical data)

• Server logs: IP address, browser type and version, operating system, referring URL, request timestamp, and response codes — retained for security monitoring and debugging.
• Authentication tokens: session tokens issued by Firebase Authentication and stored in your browser to keep you signed in.
• Minimal first-party cookies strictly necessary for authentication and core functionality.

We do not use third-party advertising cookies, marketing pixels, behavioral tracking, cross-site tracking, session-replay tools, or analytics designed to profile individual users.

5. Information we do not collect

For clarity, TeachComplete does not collect from students or teachers: precise geolocation, biometric identifiers, health or medical records, social-media contacts, advertising identifiers (MAID/IDFA), or any information beyond what a teacher voluntarily enters to run their classroom.

6. How we use information

We use the information described above only for these purposes:

• To operate, maintain, and secure the Service;
• To authenticate users and enforce access controls so each teacher's data is private to them and their school;
• To provide the AI-powered features you choose to use (lesson planning, feedback, differentiation, analytics), strictly in service of the teacher's classroom;
• To respond to support requests and communicate about account, security, or material policy changes;
• To detect, investigate, and prevent fraud, abuse, or unauthorized access;
• To comply with legal obligations and enforce our Terms of Service;
• To improve the Service — using aggregated, de-identified information that cannot reasonably be linked back to an individual student.

7. What we will never do with Student Data

TeachComplete commits that we will never:

• Sell, rent, or license Student Data to any third party for any purpose;
• Use Student Data for advertising or marketing, whether targeted to the student, the teacher, the parent, or anyone else;
• Build student profiles for any non-educational purpose;
• Use Student Data to train or improve third-party AI/machine-learning models, and we will not permit our service providers to do so either (see §10);
• Disclose Student Data except as described in this policy (to service providers under contract, with teacher/school authorization, or as required by law with notice where legally permitted);
• Retain Student Data longer than needed to provide the Service, or beyond the retention terms set by the teacher's school or district.

8. Children under 13 (COPPA)

TeachComplete is not directed at children and does not knowingly collect Personal Information directly from children under 13. All Student Data about children under 13 is entered into the Service by a teacher or school acting in an educational capacity.

We rely on the teacher's school or district to provide the appropriate notice and, where required by COPPA or state law, obtain verifiable parental consent prior to a teacher entering Personal Information about a child under 13 into the Service. Schools acting as COPPA authorizing agents may consent on behalf of parents only for purposes limited to the educational context, consistent with FTC guidance.

If we learn that we have inadvertently received Personal Information directly from a child under 13 without the required authorization, we will promptly delete that information. Parents and guardians who believe their child's information has been submitted improperly can contact matthew@teachcomplete.com for prompt review and deletion.

9. FERPA and state student-privacy laws

FERPA. When TeachComplete receives Education Records from a school, we treat those records as a "school official" with a "legitimate educational interest" under 34 CFR §99.31(a)(1). We act under the direct control of the school with respect to the use and maintenance of those records, and we do not redisclose them except as permitted by FERPA or directed by the school.

California. For users in California, we comply with the Student Online Personal Information Protection Act (SOPIPA, Cal. Bus. & Prof. Code §22584). We do not engage in targeted advertising using Student Data, do not create profiles of students for non-educational purposes, do not sell Student Data, and do not disclose Student Data except as permitted by SOPIPA.

New York. For users in New York, we comply with New York Education Law §2-d and implementing regulations (8 NYCRR Part 121). A copy of our Parents Bill of Rights for Data Privacy and Security is available on request at matthew@teachcomplete.com.

Other states. We comply with applicable student-data-privacy laws in each state in which our users operate. Schools and districts may request a data-processing addendum tailored to their state requirements by contacting us.

10. Service providers and sub-processors

We rely on a small set of established service providers to operate the Service. We share only the information necessary for each provider's function, and we require each provider to protect data at least as strictly as described in this policy. Current sub-processors:

• Google Cloud Platform / Firebase — cloud hosting (Firebase Hosting), database (Cloud Firestore), object storage (Cloud Storage), authentication (Firebase Authentication), API delivery (Cloud Functions + Cloud Run), and CDN. All data is hosted in the United States.
• Google LLC — only if you sign in with Google. Google provides OAuth-based identity; Google does not receive Student Data through this integration.
• Anthropic PBC — provider of the Claude AI models used for in-app AI features. TeachComplete sends prompts through Anthropic's commercial API, which per Anthropic's published terms is not used to train Anthropic's models. Anthropic retains API inputs and outputs only as needed for abuse detection under their standard retention policy.

If we add or materially change sub-processors, we will update this list. You can always request the current list at matthew@teachcomplete.com.

11. AI features and Student Data

When a teacher uses an AI feature (lesson planning, feedback generation, differentiation, analytics), the request is sent through Anthropic's API. To protect student privacy, TeachComplete:

• Recommends teachers use non-identifying student names or IDs;
• Does not share Student Data with the AI provider for any purpose other than generating the teacher's requested output;
• Does not permit the AI provider to use Student Data to train their models;
• Treats AI output as a draft — the teacher is always responsible for reviewing and editing before using AI output with students.

12. Google user data (Calendar and Drive integrations)

If you choose to use TeachComplete's optional Google Calendar or Google Drive integrations, this section explains exactly what data we receive from Google, why, and how we handle it.

12a. Scopes we request and what each is used for

• https://www.googleapis.com/auth/userinfo.email and userinfo.profile — basic identity (email address, name, profile picture) when you sign in with Google. Used solely to create and authenticate your TeachComplete account.
• https://www.googleapis.com/auth/calendar  (requested only when you click "Connect Google Calendar") — Used to (a) read your existing calendar events so we can display them inside the TeachComplete weekly schedule, and (b) write your TeachComplete lesson and class events back to your primary Google Calendar (or a sub-calendar you select) when you enable two-way sync. We only create, read, or update events that TeachComplete itself authored; we never modify or delete events created by you or by other applications.
• https://www.googleapis.com/auth/drive.file  (requested only when you click an "Attach from Google Drive" button) — This is a per-file scope: TeachComplete only sees Google Drive files you explicitly select via Google's official Picker widget. We do not have, and never request, access to browse, list, or search your wider Google Drive. For each file you attach, we read its text content once at the moment you select it, store that text snapshot inside your TeachComplete account for use by the AI grader or chat assistant, and never re-access the original Drive file again.

12b. What we never request

TeachComplete does not request — and our app's source code does not contain — any of the broader Google Drive scopes (drive, drive.readonly, drive.metadata, drive.metadata.readonly). We have no ability to see files you have not personally selected via the Picker. We do not request Gmail, Contacts, Photos, Tasks, Keep, or any other Google scopes.

12c. How Google user data is stored and retained

• Google Calendar: we cache event titles, times, and our own event IDs in Cloud Firestore so the schedule view can render quickly. OAuth refresh tokens are stored encrypted at rest in Firestore and used only by our Cloud Functions to re-issue short-lived access tokens. Disconnecting Calendar (via the Settings button or by revoking access in your Google account permissions page) deletes the stored tokens and stops the sync. Cached events are purged on the next sync run after disconnect, and within 30 days of an account deletion request.
• Google Drive: we store only the text snapshot extracted at the moment a student or teacher picks the file, plus the file's display name, MIME type, and the Google-provided web view link. Snapshots are deleted together with the lesson, submission, or chat thread they belong to, and at the latest within 30 days of an account-wide deletion request. We do not retain OAuth tokens for Drive — each Picker session re-prompts (or silently re-uses Google's existing grant for that session).

12d. Limited Use of Google user data

TeachComplete's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, with respect to data obtained from Google Calendar or Google Drive APIs, TeachComplete:

• Uses the data only to provide or improve user-facing features that are prominent in the TeachComplete application (lesson scheduling, calendar sync, attaching a Drive file to a lesson plan or student submission, AI grading of an attached file);
• Does not transfer the data to others except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users;
• Does not use the data for serving advertisements, including retargeted, personalized, or interest-based advertising;
• Does not allow humans to read the data unless we have obtained your explicit consent to read specific files, it is necessary for security purposes (such as investigating abuse), it is required by law, or the data has been aggregated and is used for internal operations in a manner that cannot be linked back to any individual user.

This Limited Use commitment applies to data obtained from Google API scopes in addition to (and consistent with) the broader commitments made elsewhere in this Privacy Policy.

12e. How to revoke Google access

You can revoke TeachComplete's access to Google Calendar or Google Drive at any time, from either side:

• Inside TeachComplete: click "Disconnect" on the Google Calendar settings panel to revoke the stored Calendar token. (Drive uses on-demand per-file access only — there is nothing stored to disconnect.)
• From your Google account: visit myaccount.google.com/permissions, find "TeachComplete" in the list of connected apps, and click "Remove access."

13. Disclosure of information

We disclose information only in these limited situations:

• Service providers under contract — as listed in §10, bound to protect the data and use it only to provide services to us.
• At your direction — if you (or your school) instruct us to share data, for example when exporting or transferring your account.
• Legal process — if required by law, subpoena, or court order. Where legally permitted, we will notify the affected user or school before disclosure so they can seek a protective order.
• Safety — to protect the rights, property, or safety of TeachComplete, our users, or the public, including investigating suspected fraud or abuse.
• Business transfer — if TeachComplete is ever acquired, merges, or sells substantially all of its assets, data may transfer as part of that transaction, subject to a commitment that the acquirer will honor this Privacy Policy (or provide notice and a chance to delete data before any material changes).

We never sell or rent Personal Information or Student Data.

14. Data retention and deletion

We retain your data for as long as your account is active, or for as long as directed by the school or district responsible for the Student Data. You or your school can request deletion of all or part of your data at any time by emailing matthew@teachcomplete.com.

Timelines:

• Deletion requests are actioned within 30 days of a verified request.
• Backups containing deleted data roll off our backup systems within 90 days.
• Server logs are retained for up to 90 days for security purposes.
• Inactive accounts may be deleted after 24 months of inactivity, with email notice sent to the account holder beforehand.

15. Security

We implement administrative, physical, and technical safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These include:

• Encryption in transit using TLS 1.2 or higher on all network connections;
• Encryption at rest using Google-managed encryption on databases (Cloud Firestore) and object storage (Cloud Storage);
• Strict per-user data scoping — all data records are keyed to the authenticated user's Firebase user identifier, and every API request re-verifies the caller's identity (Firebase ID token + custom-claim role) before returning any data;
• Managed authentication via Firebase Authentication with support for strong passwords and OAuth sign-in through Google;
• Limited administrative access — only personnel with a need-to-know access production systems, and all access is logged;
• Regular review of dependencies, cloud configurations, and audit logs.

No system is perfectly secure. While we work hard to protect data, we cannot guarantee absolute security, and you are responsible for keeping your account credentials safe.

16. Breach notification

If we become aware of a security incident that results in the unauthorized access, acquisition, or disclosure of Personal Information or Student Data, we will:

• Investigate promptly and take reasonable steps to contain the incident;
• Notify affected teachers and schools without unreasonable delay and, where required by law, within the timeframes specified by that law (for example, 72 hours for certain breaches under state student-privacy laws);
• Provide available information about the incident, the types of information involved, steps we are taking, and steps users and schools can take to protect themselves;
• Cooperate with schools, districts, and regulators as required.

17. Teacher and school rights

As a teacher or school user, you have the right to:

• Access the information we hold about your account;
• Correct inaccurate information, directly through the app or by contacting us;
• Export your data in a portable format;
• Delete your data or terminate your account entirely;
• Restrict or object to certain processing where legally applicable;
• Request a Data Processing Addendum if you are a school or district with specific contractual requirements.

To exercise any of these rights, email matthew@teachcomplete.com. We will respond within 30 days, and will verify the requester's identity before acting on a request that involves Personal Information.

18. Parent and student rights

Because Student Data is entered and controlled by the teacher or school, parent and student requests are usually best directed to the school in the first instance. However, TeachComplete will honor the following regardless of source:

• Parental review. A parent or legal guardian may request to review their child's information held in the Service and, where verified and consistent with FERPA and school policy, receive a copy.
• Parental correction. A parent may request correction of their child's information.
• Parental deletion. A parent may request deletion of their child's Personal Information. We will either delete the information or coordinate with the teacher/school to do so, and we will not re-collect the information once deleted.
• Revocation of consent for collection and use of the child's Personal Information, where consent is the applicable legal basis.

To make a request, parents or guardians can email matthew@teachcomplete.com. We will coordinate with the relevant school to verify identity and the educational relationship, and will respond within 30 days.

19. Schools and districts

Schools and districts are responsible for ensuring that their teachers use the Service in compliance with applicable law and school policy, including obtaining any required consents. Schools may request a formal Data Processing Addendum (DPA) and, where applicable, sign state-specific addenda such as the NDPA (National Data Privacy Agreement). Contact matthew@teachcomplete.com to initiate.

20. International users

The Service is operated in the United States and all data is stored in the United States. If you access the Service from outside the U.S., you understand that your information will be processed and stored in the United States, which may have data-protection laws different from your jurisdiction.

21. California residents (CCPA/CPRA)

If you are a California resident, you have the right under the California Consumer Privacy Act (as amended by the CPRA) to know what Personal Information we hold about you, to request deletion, to correct inaccurate information, to opt out of the sale or sharing of Personal Information (we do not sell or share), and to be free from retaliation for exercising these rights. Information collected in connection with K–12 education is generally subject to FERPA and SOPIPA rather than the CCPA; nonetheless, we honor these rights on request.

22. Do Not Track

Our Service does not use cross-site tracking and does not change behavior based on Do Not Track browser signals because we do not engage in the cross-site tracking that DNT is designed to limit.

23. Third-party links

The Service may contain links to third-party websites or services (for example, Google sign-in or documentation). This policy does not cover the privacy practices of those third parties. We encourage you to review their privacy notices.

24. Changes to this policy

We may update this Privacy Policy as the Service evolves and as laws change. When we make a material change, we will update the "Effective date" and "Last updated" above and, where practical, provide notice through the Service or by email. Your continued use of the Service after an update takes effect means you accept the updated policy.

25. Contact us

Questions about this policy, data requests, parental reviews, breach reports, or anything else?

Email: matthew@teachcomplete.com

We respond to privacy inquiries within 30 days, and usually much sooner.