Privacy Policy

Last updated: February 2026

1. Introduction

1nicorn Academy ("we," "us," or "our") respects your privacy and is committed to protecting the personal data of our students, parents, and visitors. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your data.

2. Information We Collect

Account Information: Name, email address, password (hashed), and profile details provided during registration.

Student Information: Age, school name, quiz responses, project submissions, and session participation data.

Parent/Guardian Information: Name, email, phone number (for verification via Twilio), and billing information processed by Stripe.

Usage Data: Pages visited, demo interactions, session attendance, and anonymized analytics.

Device Data: Browser type, IP address (for region detection), and device type. We do not use tracking cookies beyond essential session cookies.

3. How We Use Your Information

  • Provide and improve our educational services
  • Process enrollment, authentication, and payments
  • Match students with appropriate cohorts and regions
  • Communicate about enrollment status, class schedules, and updates
  • Send relevant educational content (with opt-out available)
  • Detect and prevent fraud or abuse

4. Protection of Minors (COPPA & GDPR-K)

1nicorn Academy serves students aged 13-17. We take the protection of minors seriously:

  • We require verified parental consent via phone verification before enrollment
  • We do not sell, share, or rent personal data of minors to third parties
  • We do not display student real names publicly unless explicitly opted in
  • Parents may request access to, correction of, or deletion of their child's data at any time
  • We collect only the minimum data necessary for educational service delivery

5. Third-Party Services

We use the following services that process data on our behalf:

  • Supabase — Database, authentication, and file storage (hosted in the US)
  • Stripe — Payment processing (PCI DSS compliant)
  • Twilio — Phone verification for parental consent
  • Vercel — Website hosting and edge delivery
  • Google OAuth — Optional social login (only email and name are accessed)

Each service operates under its own privacy policy and data processing agreements.

6. Data Security

We implement industry-standard security measures including: row-level security (RLS) on all database tables ensuring users can only access their own data, HTTPS encryption for all data in transit, hashed passwords, and regular security audits of our infrastructure.

7. Data Retention

We retain account data for the duration of the account's existence plus 12 months after deletion request. Payment records are retained for 7 years as required by tax regulations. Session recordings are retained for 6 months after the cohort ends.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time

9. International Transfers

Our services operate globally. Data may be transferred to and processed in the United States or other countries. We ensure appropriate safeguards are in place for international data transfers in compliance with GDPR and other applicable regulations.

10. Contact

For privacy inquiries or to exercise your rights, contact us at: privacy@1nicornacademy.com