Teach Space Privacy Policy

Version: 1.0
Effective Date: March 30, 2026
Last Updated: March 30, 2026

Note: Step-by-step instructions, lists of supported file formats and video platforms, and other operational details are available in the FAQ section within the App.

1. Introduction

1.1. This Privacy Policy (the "Policy") describes how Teach Space LLC, a company registered in the State of Wyoming, United States (the "Company," "we," "us," or "our"), collects, uses, stores, protects, and discloses information about users of the Teach Space mobile application (the "App").

1.2. This Policy is incorporated by reference into our Terms of Service. By using the App, you confirm that you have read, understood, and agree to the practices described in this Policy.

1.3. The Company seeks to collect only the minimum amount of information necessary to provide the Service (data minimization principle).

1.4. The Company uses commercially reasonable efforts to protect user data; however, no system can guarantee absolute security. By using the App, you acknowledge and accept this risk.

2. Information We Collect

2.1. Information Provided at Registration

Information	Required	Purpose
Email address	Yes	Account identification, sign-in, access recovery
Password	Yes	Authentication (stored solely as an encrypted bcrypt hash)
First and last name	Yes	Display of your profile to other Users within the App
Role (teacher / student / parent)	Yes	Determines available functionality and access rights
Acceptance of the Terms and Policy	Yes	Timestamped record of your acceptance of these documents (audit trail)
Confirmation of age 16+	Yes (for the Student role only, when self-registering)	Timestamped record of your confirmation that you are at least 16 years of age (audit trail)

2.2. Profile Data (Provided at Your Discretion)

Profile photo (avatar) — uploaded by you; stored in cloud storage.
Bio (about you) — free-form text field.
Location — free-form text field completed by you manually; the App does not request or determine device geolocation.
Preferred currency — used to display lesson pricing in your chosen currency.

2.3. Information Generated Through Use of the Service

Messages — text messages and attached files (images, documents) sent in chats between Users (Teachers, Students, and Parents).
Files — images, documents, and scanned documents uploaded by Users to lessons, homework, and messages. Permitted formats and size limits are listed in the FAQ. Video file uploads are not supported; video content is available only through external links to supported platforms.
Video links — URLs of video materials hosted on supported external platforms, added by Teachers to lessons and assignments. The current list of supported platforms is available in the FAQ. The Company does not host video content; only links and public metadata (platform name, thumbnail) are stored.
Whiteboard drawings — graphical whiteboard data linked to subjects, lessons, or homework, including the version history of drawings.
Lesson data — schedules, attendance status, lesson price, payment status.
Homework — assignment content, student answers, grades.
Reviews — free-form text and numeric ratings (1–5) that Users submit about other Users.
Tags — user-defined labels for organizing lessons and assignments.
Reports and blocks — when a User submits a report regarding objectionable content or User behavior, we record the reporter's identifier, the target of the report (a User, message, or material), the selected reason, an optional free-form description, and a timestamp. When a User blocks another User, we record the identifiers of both parties and a timestamp. This data is used solely for content moderation and platform-safety purposes.

2.4. Technical Information Collected Automatically

Online/offline status and last-seen timestamp — used to display presence status in chats.
Device push token — identifier of your device for the potential future delivery of push notifications.
IP address — recorded in the audit log for specific actions (sign-in, settings changes) for security purposes.
Subscription data — subscription identifier, plan, status, billing period, and start and end dates.

2.5. Information We Do NOT Collect

In the interest of full transparency, the App:

Does not collect device GPS geolocation data.
Does not use the IDFA (Identifier for Advertisers) or any other advertising identifiers.
Does not use Apple's App Tracking Transparency (ATT) framework, because it does not track users.
Does not use third-party behavioral analytics or tracking services (such as Google Analytics, Firebase Analytics, Segment, Amplitude, Mixpanel, or the like). The App uses Sentry solely for automatic error and crash reporting to improve the stability of the Service; personally identifiable information (PII) is not transmitted to Sentry (the sendDefaultPii: false option is enabled).
Does not use advertising SDKs or advertising networks.
Does not track user behavior outside the App.
Does not perform automated decision-making or user profiling.
Does not sell, and will never sell, personal information to third parties.
Does not share personal information within the meaning of "sharing" under the CCPA.

3. Children's Data (Under 16)

3.1. Data Minimization for Minors

3.1.1. Self-registration in the App is available only to individuals who are at least 16 years of age. Children under the age of 16 cannot create their own account. The Company does not knowingly permit children under 16 to self-register and does not knowingly collect personal data from children in that age group outside of the Parent-managed flow described below.

3.1.2. A child's account may be created only by a parent or legal guardian (the "Parent"). At account creation, the following are provided:

Name — a free-form name chosen by the Parent. It need not be the child's real name and functions as a pseudonym (nickname).
Emoji avatar — selected from a predefined set. Photograph uploads are not available for child profiles.

3.1.3. For a child's account, the following are neither collected nor required: last name, email address, phone number, date of birth, photograph, geolocation data, or any other personal information.

3.1.4. COPPA (United States). For children under 13 who are residents of the United States, the Parent-managed account flow described in this Section 3 is designed to provide "verifiable parental consent" within the meaning of the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) and its implementing regulations (16 CFR Part 312). By creating an account for a child, the Parent provides informed and verifiable consent for the limited collection and use of the child's information described in this Policy. Parents may at any time (a) review their child's information through the "My Children" section of the App, (b) refuse further collection by deleting the child's account, or (c) request deletion of the child's information by contacting support@teachspace.app. For COPPA-specific inquiries, contact us at the same address with the subject line "COPPA Inquiry."

3.2. Child's Access to the App

3.2.1. A child signs in to the App solely using a PIN code generated by the Parent. A child has no separate password, email address, or other sign-in credentials.

3.3. Parental Control

3.3.1. The Parent has full and unrestricted access to all of the child's activity within the App:

Sees all of the child's lessons, homework, schedule, and grades.
Is automatically added by the system as a participant in every chat between the child and the Teacher and can see the full content of the correspondence, including all uploaded files. The Parent cannot be removed from the child's chat.
The child can exchange messages only with the linked Teacher — communication with other Users is technically impossible.
Sees all files uploaded by the child (for example, photographs of completed assignments or scans of worksheets).

3.3.2. The child may upload files to homework and chats with the Teacher within the overall limits of the Service (see FAQ) — for example, photographs or scans of completed worksheets, or screenshots of solutions. All files uploaded by the child are accessible to the Parent and the Teacher.

3.3.3. Only the Parent may delete a child's account. Before deleting their own account, the Parent must first delete each linked child account via the corresponding function in the App; automatic cascade deletion of child accounts does not apply — this is intended to ensure that any decision to delete a child's learning progress is made deliberately by the Parent.

3.4. Parental Responsibility

3.4.1. By creating an account for a child, the Parent represents and warrants that they are the child's legal guardian and provides informed consent for the child to use the App as described in this Policy.

3.4.2. All responsibility for the child's use of the App, including any content created by the child (whiteboard drawings, assignment answers), rests solely with the Parent.

3.4.3. If we learn that we have inadvertently collected personal information from a child under the age of 16 without the Parent's consent, we will take reasonable steps to delete it.

4. How We Use Information

4.1. We use the information we collect for the following purposes:

Purpose	Legal Basis (GDPR)	Description
Providing the Service	Performance of a contract	Operating lessons, schedules, chats, homework, and all features of the App
Authentication and security	Performance of a contract; legitimate interests	Verifying identity at sign-in, issuing tokens, detecting suspicious activity
Communications with you	Performance of a contract	Sending verification codes and system notifications
Subscription management	Performance of a contract	Tracking subscription status and applying plan limits
File storage	Performance of a contract	Uploading, storing, and providing access to learning materials
Logging	Legitimate interests	Maintaining audit logs to ensure security and resolve disputes
Administration and technical support	Legitimate interests	Access by authorized Company personnel (administrators and managers) to Service data for the purposes of technical support, content moderation, dispute resolution, and platform security

4.2. We do not use your information for:

Targeted or behavioral advertising.
Marketing communications (we do not send marketing messages).
User profiling or automated decision-making.
Sale or rental to third parties.
Training of artificial intelligence or machine learning models.
Any purposes not expressly set forth in this Policy.

5. How We Store and Protect Data

5.1. Storage

5.1.1. Account and Service data are stored in a PostgreSQL database on secured servers.

5.1.2. User-uploaded files (images, documents, and scans) are stored in Amazon Web Services S3 cloud storage (eu-central-1 region, Frankfurt, European Union). Access to files is provided via short-lived presigned URLs; no direct public access to the files is permitted.

5.1.3. Passwords are stored solely as cryptographic hashes (bcrypt with a cost factor of 12, i.e., 2^12 key-derivation iterations) and cannot be recovered in their original form by us or by any third party.

5.1.4. Whiteboard data (drawings) is stored in the database in a structured format (JSON) together with version history. Access to whiteboard data is provided within the scope of the active subscription plan.

5.2. Security Measures

5.2.1. We employ a combination of technical and organizational safeguards, including:

Cryptographic password hashing (bcrypt).
JWT-based authentication with limited-lifetime access tokens and refresh token rotation that detects and blocks reuse of compromised tokens.
Storage of authentication tokens in hardware-backed device keystores (Keychain on iOS, Keystore on Android), which provide operating-system-level encryption.
Rate limiting to protect against brute-force attacks on passwords and codes.
Audit logging of actions, including IP address, to detect anomalies.
Storage-quota controls to prevent abuse.
One-time verification codes with limited lifetimes and attempt limits.
Removal of EXIF metadata (including geolocation, camera model, and capture date) from images: the mobile App's image picker is configured to exclude EXIF data before upload, and the server additionally strips EXIF from profile avatar images as a second layer of protection.
Server-side encryption of all files in cloud storage (AES-256).

The specific lifetimes of tokens and verification codes, as well as the image formats supported for EXIF scrubbing, are listed in the FAQ.

5.3. Data Transmission

5.3.1. All data transmitted between the App and our servers is sent over encrypted protocols (HTTPS for HTTP requests; WSS for WebSocket connections).

5.4. Security Limitations

5.4.1. Notwithstanding the safeguards we employ, the Company cannot guarantee absolute security of data during transmission over the internet or storage on electronic media. You transmit data at your own risk.

5.4.2. Data breach notification. In the event of a personal data breach, the Company will notify the competent data protection supervisory authority within 72 (seventy-two) hours after becoming aware of the breach, as required by Article 33 of the GDPR and analogous provisions of applicable law. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company will, without undue delay, inform affected Users of the breach, its likely consequences, and the measures taken. If notification within 72 hours is not feasible, the Company will provide the notification together with reasons for the delay.

6. To Whom We Disclose Data

6.1. Service Providers (Data Processors)

We share the minimum amount of data necessary with the following third parties solely to operate the Service:

Recipient	Data	Purpose	Location
Amazon Web Services (AWS)	User-uploaded files (images, documents, scans)	Cloud file storage	EU (Frankfurt)
RevenueCat, Inc.	Numeric user ID; subscription data (plan, status, billing period, purchase/renewal dates, product ID, store of purchase, currency, cancellation reason where applicable)	Subscription and in-app purchase management	United States
Apple Inc.	Purchase data (processed by Apple; we have no access to payment details)	Payment processing for iOS subscriptions	United States
Google LLC	Purchase data (processed by Google; we have no access to payment details)	Payment processing for Android subscriptions	United States
Functional Software, Inc. (Sentry)	De-identified error and crash data (stack traces, device and OS information, app version). PII is not transmitted (the `sendDefaultPii: false` option is enabled).	Stability monitoring and crash reporting	United States
Twilio Inc. (SendGrid)	User email address	Delivery of transactional email (verification codes, password-reset codes). No marketing email is sent.	United States
Expo (650 Industries, Inc.)	Device push token; short notification preview (sender name, up to 100 characters of the message preview)	Delivery of push notifications to user devices	United States

Each service provider maintains its own privacy policy, which you may review on its website. The Company does not control, and is not responsible for, the data practices of third parties.

6.2. We Do NOT Share Data With:

Advertising networks or platforms.
Data brokers.
Analytics or marketing platforms.
Any third parties other than those listed in Section 6.1.

6.3. Other Disclosures

6.3.1. We may disclose your data in the following circumstances:

In response to a lawful request from a governmental authority (court order, subpoena, law-enforcement request) in accordance with applicable law.
To protect the rights, property, or safety of the Company, our Users, or the public, where we reasonably and in good faith believe disclosure to be necessary.
In connection with a reorganization, merger, acquisition, or sale of Company assets — provided that the successor assumes the obligations of this Policy with respect to previously collected data.
With your express consent, in cases not otherwise provided for in this Policy.

6.4. Internal Administrative Access

6.4.1. A limited number of authorized Company personnel (administrators and managers) have access to User data through internal administrative tools solely for the following purposes: technical User support; content moderation; resolution of disputes between Users; platform security; and diagnosis and remediation of technical issues.

6.4.2. Administrative access is provided on a least-privilege basis. Administrator actions that affect user accounts or user data are recorded in an audit log. The Company does not use administrative access for any purpose unrelated to providing and operating the Service.

6.4.3. Report review. Reports submitted by Users through the in-App "Report" function (see Terms §5.3) are reviewed by authorized personnel within 24 (twenty-four) hours of submission. Where a violation is confirmed, the Company takes appropriate action, which may include removal of the offending content and suspension or termination of the violator's account. Report records are retained for up to 12 (twelve) months after resolution for audit and dispute-resolution purposes, after which they are deleted.

7. Authentication Token Storage and Tracking Technologies

7.1. Mobile App. The mobile App does not use cookies. Authentication is performed using JWT tokens of two types — an access token and a refresh token. Both are stored in hardware-backed device keystores: the iOS Keychain and the Android Keystore, which provide operating-system-level encryption. Specific token lifetimes are listed in the FAQ.

7.2. Web-based Service (where available). Where a web version of the Service is made available (for example, a web dashboard), authentication is maintained using only essential cookies that are set HttpOnly, Secure, and SameSite=Strict. These cookies store only the session token needed to keep you signed in and are not used for tracking, analytics, advertising, or any non-essential purpose. No consent banner is required because no non-essential cookies are used.

7.3. We do not use:

Non-essential cookies (first-party or third-party).
Tracking pixels, web beacons, or similar technologies.
Device fingerprinting.

8. Your Rights

8.1. General Rights of All Users

Regardless of your location, you have the right to:

Access — request information about what data of yours we hold and how it is processed.
Correction — update or correct inaccurate data through the App's profile settings or by contacting us.
Deletion — delete your account and all associated data via the "Delete account" function in the App. The deletion process is described in Section 9.
Export — request a copy of your personal data by written request to support@teachspace.app. Requests are processed manually: after verifying your identity, we will compile the data in a structured, machine-readable format (JSON) and send it to you within 30 days of receipt of the request.
Withdrawal of consent — where we rely on your consent (for example, for push notifications or for optional profile data), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal. You may do so by disabling the relevant feature in the App, revoking the corresponding permission in your device settings, or contacting us. You may also delete your account at any time.

8.2. Additional Rights for EU/EEA Residents (GDPR)

If you are a resident of the European Union or the European Economic Area, you additionally have the right to:

Restriction of the processing of your personal data in certain circumstances.
Object to processing based on our legitimate interests.
Data portability — receive your data in a structured format for transmission to another controller.
Lodge a complaint with the data protection supervisory authority in your country.

Legal bases for processing:

Basis	Application
Performance of a contract (GDPR Art. 6(1)(b))	Providing the Service, authentication, subscription management
Consent (GDPR Art. 6(1)(a))	Optional profile data, push notifications
Legitimate interests (GDPR Art. 6(1)(f))	Security, logging, prevention of abuse

8.3. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA/CPRA"):

Right to know — the categories and specific pieces of personal information we collect, the sources of that information, the business or commercial purposes for collecting it, and the categories of third parties to whom we disclose it.
Right to delete — request deletion of personal information we have collected from you.
Right to correct — request correction of inaccurate personal information we maintain about you.
Right to limit use of sensitive personal information — direct us to limit the use and disclosure of any sensitive personal information (SPI) to purposes necessary to provide the Service. We do not use SPI for purposes that would require this limit to be exercised; see §8.3.2 below.
Right to opt out of sale or sharing — we do not sell personal information and do not share personal information for cross-context behavioral advertising, so no opt-out is necessary.
Right to non-discrimination — we will not deny you the Service, charge different prices, provide a different level or quality of Service, or suggest that we may do any of those things because you exercised your CCPA/CPRA rights.

8.3.1. Categories of Personal Information We Collect

CCPA Category	Examples of Data Collected	Sources	Business/Commercial Purpose	Categories of Third Parties to Whom Disclosed	Retention
Identifiers	First and last name, email address, account ID, IP address (audit log only), device push token	Directly from you; automatically from your device	Account creation, authentication, communications, push-notification delivery, security and audit logging	Email provider (SendGrid/Twilio); push-notification provider (Expo); error-monitoring provider (Sentry, de-identified only); subscription provider (RevenueCat)	Until account deletion + up to 30 days; audit logs up to 12 months
Commercial information	Subscription plan, subscription status, billing period, purchase/renewal dates, product ID, store of purchase, cancellation reason	Directly from you; from Apple, Google, or RevenueCat	Subscription management; plan-limit enforcement; accounting	Subscription provider (RevenueCat); Apple/Google (for payment processing)	For the duration of the subscription + up to 12 months
Internet or other electronic network activity	Online/offline status, last-seen timestamp, sign-in events in the audit log	Automatically from your use of the App	Presence display in chats; security	None (internal only)	Until account deletion; audit logs up to 12 months
Visual information	Photographs, document scans, whiteboard drawings, and other images or documents you upload to lessons, homework, chats, or profile	Directly from you	Providing the Service (storing and displaying learning materials you create or share)	Cloud storage provider (AWS S3, EU)	Until account deletion + up to 30 days
Professional/employment-related information (Teacher profile)	Self-provided "about me" / bio, preferred currency	Directly from you (optional)	Displaying your profile to other Users	None (stored on our infrastructure)	Until account deletion

8.3.2. Sensitive Personal Information (SPI)

The Company does not collect or use sensitive personal information for purposes that would trigger the CCPA right to limit its use. Passwords are stored only as irreversible cryptographic hashes (bcrypt) and are used solely for authentication; they are never disclosed, shared, inferred from, or used for any other purpose. We do not collect precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic or biometric data, health data, or data concerning sexual orientation.

8.3.3. Authorized Agents

You may authorize another person to make a CCPA/CPRA request on your behalf. We require written proof of authorization (such as a power of attorney) and verification of both your identity and the agent's identity before acting on the request.

8.3.4. No Financial Incentives

The Company does not offer any financial incentives or price/quality differences in exchange for the collection, retention, sale, or sharing of personal information.

8.4. How to Exercise Your Rights

To exercise any of the foregoing rights, contact us at support@teachspace.app. We will respond within no more than 30 days (for GDPR requests) or 45 days (for CCPA requests). We may request verification of your identity to protect against unauthorized requests.

9. Data Retention and Deletion

9.1. Retention Periods

The Company retains your data while your account remains active. Access to your own historical content (messages, lessons, homework, earnings records, and saved whiteboards) is determined by your current subscription plan — older content may be temporarily hidden and is automatically restored when you upgrade to a plan that covers it. The Company deletes your data only in the circumstances described in §9.2 (account deletion) and §9.5 (prolonged inactivity).

Data	Retention
Account data (profile)	Until the account is deleted under §9.2 or §9.5, or blocked by the Company
Chat messages, lessons, homework, earnings records, whiteboards and whiteboard versions	Preserved while the account is active. Access to older records depends on the User's current subscription plan; visibility is not the same as deletion
Uploaded files (S3)	Preserved while the account is active. Files exceeding the storage quota of the current plan remain stored and visible, but new uploads are blocked until the total falls below the quota or a higher plan is activated. Physical deletion from storage occurs within 30 days after account deletion
Audit logs	Up to 1 year, then deleted
Push notification tokens	Until sign-out (logout) or account deletion; upon sign-out the token is immediately deleted from the server
Subscription logs (RevenueCat)	For the duration of the subscription plus up to 1 year for accounting purposes
Inactive accounts	See §9.5

Short-lived technical identifiers — verification codes, JWT access tokens, and refresh tokens — have automatically expiring lifetimes. Specific values are listed in the FAQ.

9.2. Data Deletion Procedure

9.2.1. When you delete your account through the App:

Profile data is flagged as deleted and immediately becomes unavailable to other Users and via the API.
Linked child accounts (if you are a Parent) must be deleted by you before deleting your own account; cascade deletion does not apply (see §3.3.3).
Messages and lesson data are flagged as deleted and no longer displayed.
Uploaded files in cloud storage (AWS S3) are marked for deletion and are physically deleted within 30 days after account deletion.
Whiteboard data (drawings) is flagged as deleted together with the account and is physically deleted within 30 days.
De-identified audit log records (from which an individual user cannot be identified) may be retained for up to 1 year for security, dispute resolution, and legal compliance purposes.
Subscription data held by RevenueCat is governed by RevenueCat's own retention policy, which the Company does not control.

9.2.2. Account recovery window. Within 30 days after deletion, you may restore your account by signing in with the previous email and password — the system will automatically restore access, and all data retained up to that point will again become available. After the 30-day period, the data is physically deleted and recovery is no longer possible.

The recovery mechanism applies only to accounts with an email and password (Teacher, Parent, or self-registered Student). Child accounts created by a Parent, which use PIN sign-in, cannot be recovered — after deletion, the Parent may only create a new account for the child with a new PIN.

Recovery also does not apply to an account blocked by the Company under §11.2 of the Terms of Service.

9.3. Plan-Based Access to Historical Data

9.3.1. No deletion on plan change. Downgrading a subscription plan, switching to the free plan, or allowing a paid subscription to lapse does not delete any of your data. Content that falls outside the limits of your current plan becomes temporarily inaccessible ("hidden") and is automatically restored in full when you upgrade to a plan that covers it.

9.3.2. Scope of plan-based access. The limits that define what is visible under your current plan (for example, the length of the history window, the number of linked Students, storage quota, and whiteboard saving) are determined by the plan terms shown in the App at the time of purchase and in the FAQ. The Company may revise plan limits over time.

9.3.3. Storage quota behavior. If the total size of your uploaded files exceeds the storage quota of your current plan, your existing files remain stored and visible within the App. Only new uploads are blocked, until the total falls below the quota — which you may achieve either by deleting files yourself inside the App or by upgrading to a higher plan. The Company does not automatically delete any files because of a plan change.

9.3.4. Linked Students. If the number of Students linked to a Teacher exceeds the new plan's limit, existing links are preserved; however, adding new Students is blocked until space is freed under the new plan or an appropriate paid plan is activated.

9.4. Request for Expedited Deletion

9.4.1. You may request expedited physical deletion of your data by contacting support@teachspace.app. We will use commercially reasonable efforts to fulfill the request within 30 days, except for data that must be retained under applicable law or to protect the Company's legitimate interests (for example, for dispute resolution or fraud prevention).

9.5. Inactive Accounts

9.5.1. To limit the long-term retention of data for abandoned accounts, the Company operates an automated inactivity policy in addition to user-initiated deletion.

9.5.2. Definition of activity. An account is considered "active" whenever the User signs in, opens the App while authenticated, or performs any authenticated action (for example, sending a message, scheduling a lesson, or uploading a file). Any such action resets the inactivity counter for that account.

9.5.3. Warning. If an account shows no activity for 12 (twelve) consecutive months, the Company will send a notification email to the address on file warning that the account will be deleted if no activity occurs within the next 30 days. The Company takes reasonable steps to avoid duplicate warnings, but transient delivery failures may occasionally result in a second notification being sent. Child accounts (which do not have their own email address) inherit the status of the Parent account linked to them and do not receive a separate warning.

9.5.4. Soft deletion. If no activity is recorded within 30 days after the warning email is sent, the account is soft-deleted automatically, in the same manner as a user-initiated deletion under §9.2.

9.5.5. Recovery window. The 30-day recovery window described in §9.2.2 applies to accounts soft-deleted under this Section in the same way. Within that window, the User may restore the account by signing in with their existing credentials.

9.5.6. Physical deletion. After the 30-day recovery window expires, the account and all associated data are physically deleted as described in §9.2.1, subject to the same limited exceptions for audit logs, subscription records, and legally required retention.

10. International Data Transfers

10.1. Primary database and file-storage servers are located in the European Union (AWS, eu-central-1 region, Frankfurt, Germany).

10.2. Some of our service providers are located in the United States:

Provider	Data	Transfer Mechanism
RevenueCat	User ID, subscription data	Data Privacy Framework / EU Standard Contractual Clauses (SCCs)
Apple / Google	Payment data	Processed under Apple's or Google's own terms
Sentry	De-identified error data (no PII)	Data Privacy Framework / EU Standard Contractual Clauses (SCCs)
SendGrid (Twilio)	Email address for transactional email	Data Privacy Framework / EU Standard Contractual Clauses (SCCs)
Expo	Device push token, notification preview	Data Privacy Framework / EU Standard Contractual Clauses (SCCs)

10.3. The Company is registered in the United States (Wyoming) and may access data from the United States for administrative and technical support purposes.

10.4. When data is transferred outside of the EEA, we secure the transfer through appropriate legal mechanisms (EU Standard Contractual Clauses, adequacy decisions, or other mechanisms provided for in Chapter V of the GDPR).

11. Device Permissions

11.1. The App may request the following permissions on your device:

Permission	Purpose	Required	When Requested
Camera	Scanning documents (worksheets, notebooks) for upload to homework and lessons	No	On first use of the document scanner
Photo library	Selecting existing photographs and images for upload to lessons, homework, and profile	No	On first upload of an image from the library
File access	Uploading documents (PDF, DOC, etc.) to lessons and homework	No	On first upload of a document
Push notifications	Delivery of notifications for new messages, lesson start, and other events in the App	No	On first sign-in to the App or on the first attempt to subscribe to notifications

11.2. All permissions are requested only upon first use of the corresponding feature (just-in-time permission) and may be declined. Declining a permission will limit that specific feature but will not prevent use of the remaining functionality of the App.

11.3. You may revoke granted permissions at any time through your device settings (Settings → Teach Space → Permissions).

12. Apple App Store and Google Play Store Disclosures

12.1. Apple App Store (iOS)

12.1.1. The App does not use the AppTrackingTransparency (ATT) framework and does not request tracking permission because it does not track users.

12.1.2. In accordance with Apple Privacy Nutrition Labels requirements, the App discloses the following data types: contact information (email), user content (messages, files), identifiers (user ID and device push token used solely for notification delivery, not linked to the user's identity for tracking purposes), purchase data (subscription history, transmitted to RevenueCat), and diagnostic data (crash reports, transmitted to Sentry, not linked to the user's identity). Data is not used to track users.

12.2. Google Play Store (Android)

12.2.1. In accordance with Google Data Safety Form requirements, the App discloses: collection of contact information (email), user content (messages, files), and identifiers; transmission of data to RevenueCat for subscription processing; transmission of de-identified crash data to Sentry (without PII); data encryption in transit; and the user's ability to delete data.

12.3. Priority of App Store Disclosures

12.3.1. The accurate and current content of the Apple Privacy Nutrition Labels and Google Data Safety Form is displayed directly on the App's listings in the App Store and Google Play Store and may be more detailed or more restrictive than the wording of this Policy. In the event of any discrepancy, the disclosures on the applicable app store listing will apply, provided that they do not conflict with this Policy or with the requirements of applicable law.

13. Do Not Track and Global Privacy Control Signals

13.1. Some browsers and devices transmit "Do Not Track" (DNT) or Global Privacy Control (GPC) signals. Because the App does not track users, does not use advertising identifiers, and does not share data with advertising or analytics platforms, these signals have no effect on the processing of your data — your data is not tracked in any event.

14. Additional State-Specific Rights

14.1. Nevada Residents

14.1.1. Under Nevada Senate Bill 220 (NRS 603A), Nevada residents have the right to submit a request to opt out of the sale of certain personal information to third parties.

14.1.2. The Company does not sell personal information as defined under Nevada law. If you are a Nevada resident and wish to confirm this, you may send a request to support@teachspace.app with the subject line "Nevada Privacy Request."

14.2. California Minors (Online Eraser)

14.2.1. Under California Business & Professions Code § 22581, California residents who are under 18 years of age and who are registered users of the App have the right to request removal of content or information they have publicly posted in the App. To exercise this right, contact support@teachspace.app with the subject line "California Minor Removal Request." Please note that content may remain on our servers in backup form for a limited period, as described in Section 9.

15. De-identified and Aggregated Data

15.1. The Company may create, use, and disclose de-identified and aggregated data (that is, data that cannot be used to identify an individual user) for any lawful purpose, including: improvement and development of the Service; statistical analysis; research; publication of aggregate statistics (for example, "X lessons have been conducted on the platform"); marketing materials; and presentations.

15.2. De-identified data is not personal information and is not subject to this Policy.

16. Changes to this Policy

16.1. We reserve the right to update this Policy from time to time as necessary. The Last Updated date is always shown at the top of the document.

16.2. You will be notified of changes via the App. Material changes (expansion of the categories of data collected, new processing purposes, transfers to new third parties) may require your renewed consent where required by applicable law.

16.3. Your continued use of the App after publication of changes constitutes your acceptance of the updated Policy. If you do not agree to the changes, stop using the App and delete your account.

17. Governing Language

17.1. This Policy may be translated into other languages for your convenience. In the event of any discrepancy or conflict between the English version and any translation, the English version shall govern.

18. Contact Information

For any questions relating to privacy and data protection, please contact:

Company: Teach Space LLC
Jurisdiction: State of Wyoming, USA
Privacy email: support@teachspace.app
Response time: Up to 30 days (GDPR) / up to 45 days (CCPA)

If you believe your rights have been violated, you may file a complaint with the data protection authority of your country (for EU/EEA residents) or with the Attorney General of your state (for U.S. residents).

By using Teach Space, you acknowledge that you have read, understood, and agreed to this Privacy Policy.