Privacy Policy

1. Introduction

BookPulse, operated by Baarstad Consulting Services ("we," "us," or "our"), is an interactive English Language Arts reading platform for classrooms serving grades 4 through 12. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. We are committed to protecting the privacy of all users, particularly the students who use our platform.

2. Information We Collect

Teacher Information

When teachers create an account, we collect: name and email address (via Google OAuth or email/password registration), school or institution name (optional), and authentication credentials. If you subscribe to our Plus plan, payment information is processed directly by Stripe — we never see or store your credit card numbers.

Student Information

We collect minimal student data by design. Students join classes using a teacher-provided class code and provide only: first name, last initial, and a password. Passwords are cryptographically hashed before storage and cannot be read by anyone, including BookPulse staff. We do not collect student email addresses, full last names, dates of birth, photos, or any other personally identifiable information. Student task responses (written answers to reading comprehension activities) are stored in association with their first name, last initial, and classroom assignment.

Automatically Collected Information

We use httpOnly session cookies to maintain login sessions. We do not use third-party analytics services, advertising trackers, marketing cookies, or tracking pixels. We do not sell any user data.

3. How We Use Information

We use teacher information to: provide and maintain accounts, process payments, send service-related communications (welcome emails, receipts, surveys via Resend), and improve the Service. We use student information solely to deliver the educational service: displaying tasks, recording responses, generating AI feedback (when enabled by the teacher), and providing teachers with student progress data. We never use student data for advertising, profiling, or any purpose unrelated to the educational service.

4. Third-Party Service Providers

We share data only with the following service providers, each used solely to operate BookPulse:

• Anthropic (Claude Haiku) — When a teacher enables AI feedback for a class, de-identified student response text is sent to Anthropic's Claude API to generate educational feedback. Only the task prompt and the student's written response are sent. No student names, email addresses, or identifying information are included. Anthropic does not use API data for model training. See Anthropic's privacy policy at anthropic.com/privacy.
• Stripe — Processes teacher subscription payments (Basic from $9/month, Plus from $14.99/month). No student data is shared with Stripe. See stripe.com/privacy.
• Resend — Sends transactional emails to teachers only (welcome emails, receipts, surveys). No student emails are collected or sent. See resend.com/legal/privacy-policy.
• Supabase — Hosts our database and provides teacher authentication infrastructure. Data is encrypted at rest. US-East region. See supabase.com/privacy.
• Vercel — Hosts the BookPulse web application. US-based edge network. See vercel.com/legal/privacy-policy.
• Google — Provides OAuth authentication for teacher login. Only email address and display name are accessed during login. See policies.google.com/privacy.
• Upstash Redis — Provides rate limiting for sensitive API endpoints (including AI feedback evaluation). IP addresses are processed to enforce per-IP request limits and prevent abuse. No student education record data is stored. See upstash.com/trust/privacy.

We do not sell, rent, or trade any user information. We may disclose information if required by law or to protect the safety of our users.

5. COPPA Compliance

BookPulse is designed to comply with the Children's Online Privacy Protection Act (COPPA). We rely on teacher consent (as school officials acting as agents for parents) for the limited collection of student information. We collect only the minimum student information necessary to provide the educational service. We do not condition participation on providing more information than is reasonably necessary. Teachers can review and delete student data at any time from their class dashboard.

6. FERPA Compliance

BookPulse operates as a "school official" under FERPA, providing educational services under the direction and control of the school. Student records within BookPulse are considered education records used solely for instructional purposes. We do not disclose student records to third parties for non-educational purposes. For complete details, see our FERPA Compliance page.

7. Cookies

BookPulse uses only functional cookies required to operate the service:

• httpOnly session cookies for student authentication
• Supabase authentication cookies for teacher sessions

We do not use marketing cookies, tracking cookies, or third-party advertising cookies. Because we use no non-essential cookies, a cookie consent banner is not required.

8. Data Retention and Deletion

• Teacher account data is retained for the duration of the subscription. Upon account deletion, all teacher data is purged within 30 days.
• Student data (first name, last initial, password hash, and response content) is retained while the class is active. Teachers may delete individual students or entire classes and all associated data at any time from their dashboard. When a teacher deletes their account, all associated student data is also deleted.
• AI-processed data sent to Anthropic is retained by Anthropic for up to 30 days for safety monitoring and abuse detection only. Anthropic does not use API data for model training.

Written deletion requests sent to support@readbookpulse.com or via our contact form are honored within 30 days.

9. Your Rights

You have the right to: access the personal information we hold about you, request correction of inaccurate information, request deletion of your data, and withdraw consent for marketing communications. To exercise any of these rights, contact us at support@readbookpulse.com or via our contact form. Schools and districts may request bulk deletion of all student data associated with their teachers.

10. Data Security

We implement security measures to protect user data, including encrypted connections (HTTPS/TLS), database encryption at rest, row-level security policies, cryptographic password hashing, and server-side authentication enforcement. For complete details about our security practices, see our Security page.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For material changes affecting student data practices, we will notify teachers via email and provide at least 30 days' notice before the changes take effect.

12. Contact

For questions or concerns about this Privacy Policy or our data practices, please contact us at support@readbookpulse.com or visit our contact page.