Mind Match — Privacy Policy
Effective Date: April 28, 2026
Mind-Match is committed to protecting user and student privacy.
1. Children's Privacy (COPPA)
- We do not knowingly collect personal information from children under 13.
- The Service is not directed to children under 13.
- Account registration requires a date-of-birth screen; users under 13 cannot register an individual account.
- Schools and districts may onboard students under 13 only under a written Data Privacy Agreement (see §5) and only as agents of the school for educational purposes (see §4).
- Parents may contact us to request review or deletion of their child's data at help@appgeniusstudios.com.
2. Information We Collect
A. Information You Provide
- Name (optional)
- Username
- Date of birth (used for the COPPA age screen; year retained, full DOB not displayed)
- School affiliation (if provided)
- Avatar image (if uploaded)
B. Automatically Collected
- Device type and browser
- IP address (used for security, regional content, and abuse prevention)
- Usage data (features used, session timing)
- Quiz performance and game-result records
- Advertising identifiers (non-school accounts only — disabled for any account flagged as a student)
3. How We Use Information
We use data to:
- Operate and improve the Service
- Provide competitive features (matchmaking, leaderboards, badges)
- Maintain security and prevent abuse
- Deliver advertisements (non-school accounts only)
- Comply with legal obligations
4. Student Data Protections (FERPA + State Student Privacy Laws)
When a school or district designates Mind-Match as a "school official" with a legitimate educational interest under the Family Educational Rights and Privacy Act (34 CFR § 99.31(a)(1)(i)(B)), Mind-Match is bound by FERPA's restrictions on the use and re-disclosure of student education records. Designation is established by the Data Privacy Agreement described in §5; absent that designation, Mind-Match does not assume FERPA "school official" status unilaterally.
For accounts onboarded by a school, Mind-Match commits that:
- Student data is processed only for the educational purposes authorized by the school.
- Ownership of student data remains with the school or district.
- We do not sell student personal information.
- We do not use student data for targeted or behavioral advertising.
- We do not build non-educational profiles of students.
- We delete student data within 45 days of a verified school request, or on contract termination, whichever is sooner.
5. Data Privacy Agreements (DPA) for Schools
Schools and districts may request a written Data Privacy Agreement before adopting Mind-Match. We respond to DPA requests, including:
- Student Data Privacy Consortium (SDPC) National DPA-style templates,
- State-specific supplements (e.g., New York Education Law § 2-d Parents' Bill of Rights, Illinois SOPPA Exhibit, California AB 1584 addenda),
- District-supplied DPA templates.
To request a DPA or supplemental information, email help@appgeniusstudios.com.
6. SOPIPA Compliance (California)
For California K-12 users:
- No targeted advertising using student data.
- No sale of student information.
- No non-educational profiling.
- Data deletion upon school request.
7. Multi-State Student Privacy Compliance
Mind-Match complies with applicable student data privacy statutes in states including but not limited to:
- California (SOPIPA, AB 1584)
- Colorado (HB 16-1423)
- Connecticut (Public Act 16-189)
- Virginia
- Utah (Student Data Protection Act)
- Texas (TX Ed Code § 32.151)
- Illinois (SOPPA, 105 ILCS 85)
- New York (Education Law § 2-d)
Where required by state law, we:
- Limit data use to educational purposes
- Prohibit sale of student data
- Implement reasonable security safeguards
- Honor deletion requests
8. U.S. State Consumer Privacy Rights
Residents of certain states (including California, Virginia, Colorado, Connecticut, and Utah) may have rights to:
- Access personal data
- Request deletion
- Request correction
- Opt out of targeted advertising and the sale or sharing of personal information
To exercise these rights, including the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising under the California CPRA, submit a request to help@appgeniusstudios.com or use the Do Not Sell or Share My Personal Information link in our footer.
We do not sell personal information for monetary consideration. We may share limited identifiers with advertising partners on non-school accounts; you may opt out using the link above.
9. GDPR (EEA & UK Users)
If you are located in the EEA or UK, our legal bases for processing are:
- Contractual necessity
- Legitimate interest
- Consent (where required)
You may:
- Access your data
- Request deletion
- Object to processing
- Request portability
10. Advertising, Sub-Processors & Third Parties
We rely on the following sub-processors to operate the Service. Schools may request the most current sub-processor list at any time.
- Google Cloud / Firebase (USA) — authentication, Firestore database, Cloud Functions, Cloud Storage, Hosting, push notifications.
- Google AdSense and AdMob (USA) — advertising on non-school accounts only. Disabled for any account marked as a student via entitlements.
- Anthropic, PBC (USA) — administrative tooling for question generation and review. No student personal data is sent.
- Twilio, Inc. (USA) — transactional SMS (e.g., two-factor authentication codes), where enabled.
- Cloudflare, Inc. (USA) — bot/abuse protection and email-address obfuscation on public pages.
- Plesk-managed web hosting (USA) — static hosting for the apex marketing site (mind-match.app).
We do not control third-party privacy practices. Users may manage ad preferences through device settings or Google Ad Settings.
11. Data Security
We implement reasonable administrative, technical, and physical safeguards including:
- Encrypted transmission (HTTPS/TLS)
- Secure authentication (Firebase Authentication, optional 2FA)
- Role-based access controls
- Restricted database permissions (Firestore Security Rules)
12. Accessibility
Mind-Match aims to conform to WCAG 2.1 Level AA and supports school accessibility requirements under Section 504 of the Rehabilitation Act and Title II of the Americans with Disabilities Act (ADA). We continue to improve keyboard navigation, color contrast, and screen-reader support across our gameplay surfaces.
If you encounter an accessibility barrier or need an accommodation, contact help@appgeniusstudios.com with the page URL and a description of the issue. We respond within 5 business days.
13. Data Retention
We retain data only as long as necessary for:
- Account functionality
- Legal compliance
- Security and dispute resolution
Users may request deletion. Student records are deleted within 45 days of a verified school request or on contract termination.
Encrypted backups. When personal data is deleted from our live systems, copies may persist in our automated encrypted backups for up to 14 days, after which they are permanently purged on a rolling schedule. Backup data is not retrieved or used for any purpose other than disaster recovery, and access is restricted to a small set of authorized engineers. A deletion made in response to a parental-consent revocation, FERPA school request, or GDPR / CPRA erasure request is recorded in our internal audit log on the day of deletion regardless of backup expiry.
14. Data Breach Notification
In the event of a data breach involving personal data or student information, we will notify affected schools and users without undue delay and as required by applicable law (including state-specific timelines).
15. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be announced via the Service.
Continued use constitutes acceptance.
16. Contact Information
App Genius Studios
help@appgeniusstudios.com