Hearthslate
FeaturesTry it freePricingBlog
Sign inGet started

Privacy Policy

Last updated: May 24, 2026 · Policy version 2026-05-01

Short version. Hearthslate is a homeschool platform. Parents create accounts and add their children as authorized users. We collect only what we need to run the lesson — and nothing we don't. We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not use any child's work to train AI models. We do not show advertisements to children. You can review, export, or delete your child's data anytime from Settings → Privacy. Our complete subprocessor list is on the Compliance page.

1. Who we are

Hearthslate is a service operated by Hearthslate Education ("Hearthslate," "we," "our," or "us"). You can reach our privacy team at privacy@hearthslate.com. For postal mail, see Section 14.

For purposes of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana comprehensive privacy laws, Hearthslate is a "business" and a "controller" of the personal information described below. Under state student-privacy laws (CA SOPIPA, NY Ed Law §2-d, CO HB 16-1423, IL SOPPA, CT SB 949), where applicable, we act as an "operator" or "third-party contractor" with respect to student data — see Section 7.

2. Information we collect

From parents

  • Identifiers: name, email address, state of residence, parent account ID.
  • Authentication data: the OAuth identifier returned by Google when you sign in with Google (we do not receive your Google password).
  • Commercial / payment information: Stripe-hosted billing details, subscription tier, transaction history. Full card numbers are tokenized by Stripe and never reach our servers.
  • Communications: messages you send to support@ or privacy@.
  • Internet activity: with your cookie consent only — pages visited, time-on-page, device/browser metadata via PostHog.

From children (including children under 13)

When you add a child to your family account, we collect only the categories of information necessary to provide the educational Service to that child:

  • The child's first name and grade level.
  • Academic activity and work product: lesson progress, quiz answers, written submissions, drawings, completed projects.
  • Audio recordings of read-aloud reading sessions, captured solely for the reading-fluency feature, and the transcripts and accuracy scores derived from them.
  • Whiteboard tutor and AI tutor conversations — the topics and questions the child asks and the responses generated.
  • Usage data: which lessons opened, time spent, completion status, time-of-day patterns used to power the daily plan.

We deliberately do not collect from children: last names, home or school address, phone number, photographs, video, precise geolocation, social security numbers, biometric identifiers (other than the read-aloud voice clips described above, which are scoped to the lesson and erasable on request), or any data that is not needed to deliver the lesson the child is using right now. 16 CFR §312.7 (no conditioning) is honoured: kids are never asked for information beyond what the lesson needs.

3. COPPA — children under 13

Hearthslate is intentionally designed for homeschool families, and many children using it are under 13. The Children's Online Privacy Protection Act of 1998 (15 USC §§6501–6506) and the FTC's implementing rule (16 CFR Part 312) apply to us, and we treat that compliance as a floor, not a ceiling.

§312.4 — Notice

This Privacy Policy is the direct notice required by 16 CFR §312.4. It identifies the operator (Section 1), the categories of information collected from children (Section 2), how that information is used (Section 4), the parties with whom it is shared (Sections 5 and 6 and the Compliance page), and the parental-rights procedures (this section, below).

§312.5 — Verifiable parental consent

Before any personal information is collected from a child, the parent or legal guardian creates an account, reviews this notice, and confirms consent at checkout. Consent is verified by the following methods (16 CFR §312.5(b)):

  • Payment-card verification through Stripe — a transaction is processed against a credit or debit card in the parent's name, which the FTC has recognized as a permissible verification method when combined with an explicit consent acknowledgement (the auto-renewal acknowledgment captured at checkout).
  • Email + confirmation link on account creation, with the parent's email of record.
  • Audit log — every consent action is timestamped, IP-stamped, user-agent-stamped, and recorded in an append-only audit ledger (see our Compliance page for the data model).

§312.6 — Parental rights

As a parent or legal guardian, federal law gives you the right to:

  • Review the personal information we have collected from your child. Request a complete export from Settings → Privacy or email privacy@hearthslate.com. We deliver the export within 30 days.
  • Refuse further collection or use of your child's personal information. You may do this at any time by cancelling your subscription, which halts new collection, or by emailing us to lock the account.
  • Delete your child's personal information. Initiate deletion from Settings → Privacy; we confirm completion within 30 days. Once completed, deletion is irreversible.

§312.7 — No conditioning

We do not condition a child's participation in any activity on the child disclosing more personal information than is reasonably necessary to participate in that activity.

§312.8 — Confidentiality and security

We use commercially reasonable procedures to maintain the confidentiality, security, and integrity of personal information collected from children. See Section 11 for specific controls.

§312.10 — Retention

We retain children's personal information only as long as reasonably necessary to fulfil the educational purpose for which it was collected — i.e. while the parent account is active. On cancellation, we retain data for a 90-day grace window so the family can re-activate without losing portfolios, and then we delete it. A parent may request earlier deletion at any time.

No advertising to children. No AI training on student work.

We display no third-party advertising in any student-facing surface. We contractually prohibit our AI subprocessors (Anthropic, and others if added) from using Hearthslate customer data, including children's work, to train their general-purpose models. These prohibitions are documented in our Anthropic Commercial Terms and recorded on the Compliance page.

4. How we use information

  • To deliver the Service: generate lessons, score work, build portfolios, produce transcripts and state-compliance records.
  • To process payments and manage subscriptions (Stripe).
  • To communicate with parents about their account, subscription status, and important platform updates. Marketing email is opt-in only.
  • To improve the Service by analysing aggregated usage patterns. With your cookie consent, we use PostHog to understand which features families use; without consent, no analytics events fire.
  • To detect, prevent, and respond to fraud, abuse, and security incidents.
  • To comply with our legal obligations and to enforce our Terms of Service.

We do not engage in any automated decision-making that produces legal or similarly significant effects on parents or children. Lesson generation is an assistive tool; final pedagogical decisions remain with the parent.

5. Sensitive personal information

California law (CPRA, Cal. Civ. Code §1798.140(ae)) defines a category of "sensitive personal information." The only categories of sensitive personal information we collect or process are:

  • Account log-in credentials (handled by NextAuth / Google OAuth — we don't store passwords directly).
  • Children's personal information, by virtue of the child being under 13.
  • Voice recordings of read-aloud reading sessions, where the child has used the reading fluency feature.

We use these categories only for the purposes described above — authentication, delivering the Service, and (for voice) returning the reading fluency score and transcript. We do not use sensitive personal information to infer characteristics about a consumer for any purpose other than providing the requested service. Under CPRA §1798.121, you have the right to limit our use and disclosure of sensitive personal information; because we already limit it to the purposes above, no further action is required, but you may confirm or escalate by emailing privacy@hearthslate.com.

6. How we share information

We do not sell personal informationwithin the meaning of the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, or MCDPA. We do not share personal information for "cross-context behavioural advertising." We honour Global Privacy Control (GPC) signals; if your browser sends GPC, our analytics layer disables sharing for that visit.

We share limited categories of personal information with the following service providers / processors, each bound by a written agreement that restricts the provider to processing data on our documented instructions and prohibits sale or independent use. The full, current list — including vendor, purpose, location, data received, and contract — is published at /trust.

  • Stripe, Inc. — payment processing.
  • Google LLC — "Sign in with Google" OAuth.
  • Anthropic PBC — AI inference for tutor and lesson generation (no training on customer data).
  • Vercel Inc. — hosting, edge compute, content delivery.
  • PostHog Inc. — product analytics (only with your cookie consent).
  • Resend, Inc. — transactional email delivery.

We may also disclose information in response to a valid legal request (subpoena, court order, or other legally enforceable process); to protect the safety of users or the public; or in connection with a corporate transaction (merger, acquisition, asset sale), in which case the acquiring party will be bound by this Policy or a successor with materially equivalent protections, and we will provide notice to affected users.

7. State student-privacy laws

Even though most Hearthslate users are homeschool families purchasing directly (not schools or districts), where state law treats us as an "operator" of a website or online service used for school purposes, we comply as if we were under contract with a local education agency:

  • California — SOPIPA (Cal. Bus. & Prof. Code §22584): no targeted advertising, no profile-building for non-school purposes, no sale of student information, security obligations, deletion on request.
  • New York — Education Law §2-d: parents' bill of rights, encryption in motion and at rest, breach notification within 7 calendar days to NYSED in addition to the parent.
  • Colorado — HB 16-1423: published subprocessor list, written policy, defined retention.
  • Illinois — SOPPA (105 ILCS 85): published list of subprocessors, mandatory data-security plan, breach notification within 30 days.
  • Connecticut — SB 949: data-security plan, employee privacy training, no targeted ads.

When Hearthslate is purchased or used by a school, district, or co-op, the additional contractual addenda required by that jurisdiction are available on request — email compliance@hearthslate.com.

8. Your rights under state comprehensive privacy laws

If you reside in a state with a comprehensive consumer-privacy law, you have the following rights with respect to your own personal information, and (as parent) with respect to your minor child's personal information:

  • Right to know / access — what categories of personal information we've collected, the sources, the purposes, and the categories of recipients.
  • Right to portability — a copy of your data in a structured, commonly used, machine-readable format.
  • Right to correct — inaccurate information about you.
  • Right to delete — your personal information, subject to legal-retention exceptions.
  • Right to opt out — of any sale or sharing of personal information for targeted advertising. We do not engage in either, so this opt-out is effectively perpetual.
  • Right to limit the use of sensitive personal information (CPRA only — see Section 5).
  • Right to appeal a denied request (VCDPA, CPA, CTDPA, UCPA, TDPSA): if we deny a request, the response explains how to appeal.
  • Right to non-discrimination: we will never charge you more, give you a worse product, or close your account for exercising any of these rights.

To exercise any of these rights, email privacy@hearthslate.com or use the in-app controls at Settings → Privacy. We verify your identity (matching against the account email on file and, if necessary, a verified payment method) and respond within 45 days (CCPA) or 60 days (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA), as applicable. You may designate an authorized agent in writing; we will request reasonable verification of the agency relationship.

California "Shine the Light" (Civ. Code §1798.83): we have not disclosed personal information to third parties for their direct marketing in the prior calendar year.

9. Cookies and similar technologies

We use two categories of cookies and local storage:

  • Strictly necessary — NextAuth session cookies that keep you signed in, CSRF tokens, and the consent record itself. These do not require opt-in (ePrivacy Art. 5(3) exemption).
  • Analytics — PostHog product analytics. These require explicit consent. Without consent, the analytics SDK is not loaded and no analytics cookies are set.

You can change your cookie preferences at any time using the "Cookie preferences" link at the bottom of every marketing page. Disabling analytics will not change what features you can access; it only prevents us from learning which features you used.

We honour the Global Privacy Control (GPC) signal — required by California CPRA §1798.135(b)(1) — as a valid request to opt out of sale and sharing for that browser.

10. International users (EU / UK / EEA)

Hearthslate is operated from the United States and primarily intended for U.S. users. If you use the Service from the European Economic Area, the United Kingdom, or Switzerland, the GDPR (or UK-GDPR) applies in addition to U.S. law. Our lawful bases for processing are:

  • Contract (Art. 6(1)(b)) — providing the Service you've subscribed to.
  • Legal obligation (Art. 6(1)(c)) — payment-record retention, FTC and tax obligations.
  • Consent (Art. 6(1)(a)) — analytics cookies, marketing email.
  • Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, balanced against your privacy rights.

Personal information you provide is transferred to and stored on servers in the United States. Where required, we rely on the EU Standard Contractual Clauses (2021/914) and equivalent UK IDTA for cross-border transfers. You may exercise GDPR rights (access, rectification, erasure, restriction, portability, objection, automated-decision opt-out, and the right to lodge a complaint with your supervisory authority) by emailing privacy@hearthslate.com.

11. Data security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information:

  • TLS 1.2+ in transit; AES-256 encryption at rest for sensitive fields.
  • Production access is least-privilege, MFA-enforced, and audit-logged.
  • Tokenized payment processing — we never store full card data.
  • Append-only audit ledger for all consent, deletion, and access-control events.
  • Quarterly internal access reviews; vendors re-evaluated annually.

No system is perfectly secure. If we discover a security incident affecting your information, we will notify affected users without undue delay and in any event within the windows required by applicable law (e.g., 72 hours to supervisory authorities under GDPR Art. 33; the timeframe required by your state breach-notification law; and 7 days to NYSED for affected New York students under Ed Law §2-d).

12. Data retention schedule

  • Parent account & profile: for the life of the account, plus 90 days for re-activation, then deletion.
  • Child profiles & academic work: same 90-day window unless the parent requests immediate deletion.
  • Read-aloud voice recordings: 30 days from session, then automatic deletion of the audio (transcripts and scores are kept with the portfolio).
  • Payment / tax records: 7 years, as required by federal and state tax law (this is a legal-retention exception to the right to delete).
  • Audit log: 7 years, append-only, retained for compliance proof.
  • Marketing email contacts: until you unsubscribe.

13. Changes to this policy

We may update this Privacy Policy. If we make a material change — particularly a change in the categories of children's information we collect, the parties we share it with, or how we use it — we will (a) email every parent of record, (b) increment the policy version above and (c) for changes affecting children, obtain renewed verifiable parental consent before the change takes effect for existing accounts (16 CFR §312.4(c)).

14. Contact

For privacy questions, requests to access or delete information, or any other privacy concern, write to:

  • Email: privacy@hearthslate.com
  • For COPPA-specific requests: privacy@hearthslate.com — subject line "COPPA Request"
  • For school/district contracts & DPAs: compliance@hearthslate.com
  • Postal: Hearthslate Education, [registered address]

A human reads every privacy email. We respond within 5 business days for general inquiries and within the statutory window (30–60 days, depending on law) for formal rights requests.

Hearthslate

The all-in-one homeschool platform. Live tutoring, curriculum planning, state compliance, and family records — built for the way families actually learn.

Product

FeaturesWhiteboard tutorReading coachAI tutorLife skillsPricing

Resources

BlogGetting startedCurriculum guidesState compliance

Company

AboutSign inGet started

© 2026 Hearthslate Education. All rights reserved.

Terms
Try the demoGet started
Privacy
Refunds
Trust
About
Blog