Privacy Policy

Effective date: December 18, 2025

This Privacy Policy explains how FinSpark, LLC. (“FinSpark”, “we”, “us”, “our”) collects, uses, shares, retains, and protects information in connection with the FinSpark educational financial literacy service for students in grades 3–12. This Policy applies to Parent Accounts and Student Accounts and supplements the FinSpark Terms of Service. By using FinSpark you agree to the practices described here. If you are a parent or legal guardian, please read the sections on Parental Consent and Children’s Privacy carefully.

Data Collection and Use

What we collect

  • Parent account information. Parent account name, email, billing name, billing address, and payment method metadata (last four digits, payment transaction ID).
  • Student account information. Student account name, email, grade, student academic snapshot.
  • Student academic snapshot. An anonymized snapshot of a student’s report card fields used only to generate custom quizzes (for example: subject names; score ranges or proficiency flags; grade level). We remove direct identifiers (student name, email, student ID) and strip metadata before any external processing.
  • Consent and verification records. Exact attestation text, typed signature, timestamp, IP address, user agent, verification method used, and payment transaction record.
  • Usage and technical logs. Authentication logs, feature usage events, error logs, and system logs necessary for security, fraud prevention, and service operation.
  • Support and communications. Messages you send to us, support requests, and related correspondence.

How we use data

  • Provide and operate the service. Deliver quizzes, deliver lessons, learning content, account management, billing, and customer support.
  • Generate custom quizzes. Create tailored quizzes from our question library using an anonymized report card snapshot only after verifiable parental consent.
  • Billing and fraud prevention. Process payments, prevent fraud, and comply with financial and tax obligations.
  • Security and compliance. Detect and respond to security incidents, enforce Terms of Service, and comply with legal obligations.
  • Service improvement. Improve product features, content quality, and user experience using aggregated, de‑identified analytics.

Legal basis for processing

For parents and adult users, processing is based on contract performance, consent where required, and our legitimate interests in operating and securing the service. For children under applicable laws, processing for custom quiz generation is performed only after verifiable parental consent as described below.

Parental Consent and Custom Quiz and Lesson Flow

Parental control requirement

Only a parent or legal guardian may create and operate a Parent Account and authorize custom AI processing. By creating a Parent Account you represent that you are the child’s legal guardian.

Verifiable parental consent

Before any anonymized student data is sent to an AI service to generate a custom quiz or and lesson, we obtain explicit, verifiable parental consent. The consent flow includes:

  • Presentation of the anonymized report card fields that will be used;
  • A preview of the proposed quiz questions;
  • An attestation in which the parent types their full legal name and checks explicit consent checkboxes; and
  • A payment authorization when the service is paid.

We log the attestation text, timestamp, IP address, user agent, payment transaction ID, the anonymized snapshot used, and the verification method. Parents may revoke consent at any time; revocation prevents future AI processing and triggers our deletion procedures as described below.

Student account restrictions

AI features are blocked on Student Accounts. Students cannot invoke AI processing or send data to the AI service. Only Parent Accounts may initiate the custom quiz and or lesson flow.

Data Sharing, AI Processing, and Third Parties

Anonymization and minimization

We apply a documented de‑identification process before any student academic snapshot leaves our systems. We remove direct identifiers and strip metadata that could reasonably identify the child. We retain an internal pseudonym to link the snapshot to the child’s account only for the limited purposes described in this Policy.

AI vendor use and contractual protections

We use third‑party AI services under written agreements that prohibit the vendor from using your inputs for model training or other secondary uses unless we obtain separate, verifiable parental consent. We will not send student names, emails, or other direct identifiers to the AI vendor as part of the custom quiz flow. If we change vendors or vendor policies that affect data use, we will notify parents and obtain any required consents.

Other disclosures

  • Service providers. We share data with vendors who perform services on our behalf (payment processors, hosting providers, analytics, customer support). We require vendors to maintain confidentiality and security and to use data only for the services they provide.
  • Legal requirements. We may disclose information to comply with legal obligations, respond to lawful requests, or protect the rights, property, or safety of FinSpark, our users, or others.
  • Business transfers. In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction; we will notify parents where required by law.

Retention, Deletion, and Revocation

Retention periods

We retain data only as long as necessary for the purposes described and as required by law. Typical retention periods include:

  • Parental consent and verification records: 7 years from the date of consent.
  • Payment and billing records: 7 years for accounting and fraud prevention.
  • Anonymized report card snapshots used for quiz generation: 2 years unless the parent requests earlier deletion.
  • System logs and security records: 1 year for operational and security purposes, unless longer retention is required by law.

Deletion and revocation

Parents may revoke consent and request deletion of their child’s data at any time by contacting us (see Contact below) or using the account settings where available. After a verified deletion request we will:

  1. Stop any future AI processing for that child;
  2. Delete or irreversibly de‑identify the child’s data from active systems within a reasonable timeframe; and
  3. Remove data from backups according to our backup retention schedule and document any legal exceptions.

We will confirm completion of deletion requests. Some data may remain in aggregated or de‑identified form that cannot reasonably be re‑identified.

Security, Access, and Children’s Privacy

Security measures

We maintain administrative, technical, and physical safeguards to protect data, including encryption in transit and at rest, role‑based access controls, logging, and regular security reviews. Access to student data is limited to authorized personnel with a legitimate need.

Auditability and logs

We log all AI invocations, parental attestations, and access to student data. These logs are retained according to the retention schedule and are available for audit and compliance purposes.

Children’s privacy and COPPA compliance

FinSpark is designed to comply with the Children’s Online Privacy Protection Act (COPPA) and similar laws. We do not collect personal information from children under 13 without verifiable parental consent. For custom quiz generation we rely on parental consent and the de‑identification measures described above. Parents control the data associated with their child’s account and may revoke consent or request deletion at any time.

Your Rights and Choices

Access and correction

Parents may access and correct account information and request copies of the data we hold about their child. To request access or correction, contact us using the details below.

Deletion and portability

Parents may request deletion of their child’s data or request a portable copy of data in a commonly used format. We will respond to requests in accordance with applicable law and this Policy.

Marketing communications

Parents may opt out of promotional emails by following the unsubscribe instructions in those messages or by contacting us.

How to revoke consent

To revoke parental consent for AI processing or to request deletion, contact us at the address below. We will verify the requestor’s identity and process the request promptly.

Contact Information and Changes

Contact us

For questions, data requests, deletion requests, or privacy concerns contact:
privacy@finspark.example
FinSpark, LLC.
[Mailing address as provided in corporate information]

Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. If changes are material, we will provide notice to Parent Accounts and obtain any required consents. Continued use after notice constitutes acceptance of the updated Policy.

Acknowledgment

By using FinSpark, creating a Parent Account, or purchasing services you acknowledge that you have read and understood this Privacy Policy, that you are the child’s legal guardian if you operate a Parent Account, and that you consent to the data practices described herein.