PlayPath

Privacy Policy

Last updated: March 14, 2026

PlayPath ("we," "us," or "our") is an educational game platform designed for K-12 students, teachers, and parents. We are committed to protecting the privacy of all our users, especially children. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

1. What Data We Collect

Account Data

  • Adult users (teachers, parents): Name, email address, and authentication credentials.
  • LTI students (accessing through a school LMS):Pseudonymous identifiers provided by the school's learning management system. We do not collect student names or email addresses directly.

Learning Data

  • Challenge responses and answers
  • Mastery scores and skill progression
  • Session history and completion records

Learning data is stored using anonymous hash IDs and is not linked to a user's identity. This architectural separation means that even in the event of a data breach, learning records cannot be traced back to individual students.

Telemetry Data

  • Interaction events (e.g., button clicks, navigation patterns)
  • Timing data (e.g., time spent on challenges)

Telemetry data is retained for 90 days and is used solely for platform improvement. Telemetry is never collected for students under 13.

Consent Records and Audit Logs

Records of parental consent, school agreements, and data access audit logs are retained for 7 years to comply with legal requirements.

2. How We Use Your Data

  • Personalized learning:Adapting challenge difficulty and content to each student's mastery level.
  • Teacher analytics: Providing teachers with aggregated, anonymized insights into classroom progress.
  • Platform improvement: Analyzing usage patterns to improve the learning experience (adult users only).

3. Third-Party Services

We use the following third-party services:

  • PostHog (analytics): Used for adult users only. Analytics tracking is never enabled for students or children.
  • Sentry (error monitoring): Used for application error tracking. No personally identifiable information (PII) is included in error reports.
  • OpenRouter (AI): Used to generate educational content (challenges, hints, explanations). All content is pre-generated; no student data is sent to AI services during student sessions.
  • LMS platforms (grade passback):When accessed through a school's LMS via LTI, grade data may be passed back to the school's system as directed and controlled by the school.

4. Data Anonymization

PlayPath uses a hash-ID architecture to decouple learning data from user identity. When a student interacts with the platform, their learning records (responses, scores, progress) are stored under a cryptographic hash that cannot be reversed to reveal the student's identity. This means:

  • Learning data and identity data are stored separately.
  • If a user requests deletion, their identity is removed while anonymized learning data may be retained for aggregate research.
  • Teachers see student progress through a secure mapping that exists only within the platform.

5. Children's Privacy (COPPA)

We comply with the Children's Online Privacy Protection Act (COPPA) and take additional steps to protect children under 13:

  • No data collection without consent:We do not collect personal information from children without verifiable parental consent or authorization from the child's school.
  • School as FERPA agent:When students access PlayPath through their school's LMS via LTI integration, the school acts as the FERPA-authorized agent and provides consent on behalf of parents for legitimate educational purposes.
  • Parental controls:Parents can view, export, and delete their child's data at any time through the parent portal or by contacting us.
  • No analytics tracking for minors:We do not use analytics services (such as PostHog) to track children's activity on the platform.
  • No live AI during student sessions:AI services are used only for pre-generating educational content. No student data is transmitted to AI providers during a student's session.

6. Education Records (FERPA)

We comply with the Family Educational Rights and Privacy Act (FERPA) when processing education records:

  • School control:Schools maintain control over all education records. PlayPath acts as a "school official" with a legitimate educational interest under FERPA.
  • Limited sharing: Education record data is shared only as directed by the school and is never used for non-educational purposes.
  • Parent access:Parents can access their child's education records through the parent portal. Schools may also provide access through their own systems.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right to access: You may request a copy of all personal data we hold about you. We provide data export functionality in your account settings.
  • Right to deletion: You may request that we delete your personal data. When you request deletion, your identity data is permanently removed. Anonymized learning data (which cannot be linked back to you) may be retained for aggregate educational research.
  • Right to rectification: You may request that we correct any inaccurate personal data we hold about you.
  • Right to data portability: You may request your data in a structured, commonly used, machine-readable format (JSON or CSV).

8. Data Retention

  • Account data: Retained while your account is active. Deleted upon account deletion request.
  • Learning data: Retained in anonymized form indefinitely for educational research. Linked mappings are deleted upon account deletion.
  • Telemetry data: Retained for 90 days, then automatically purged.
  • Consent records and audit logs: Retained for 7 years to comply with legal requirements.

9. How to Contact Us

If you have questions about this Privacy Policy, or if you would like to exercise any of your rights, please contact us at:

privacy@playpath.app

10. Requesting Deletion or Data Export

You can request deletion or export of your data in two ways:

  • Self-service: Use the data management options in your account settings to export or delete your data.
  • Email: Send a request to privacy@playpath.app. We will verify your identity and process your request within 30 days.

For student data managed through a school, please contact the school administrator, who can submit requests on behalf of students and parents.