This policy defines how long S.T.E.W.A.R.D. Tutor retains personal information collected from children under 13, teachers, and parents, and the procedures for secure deletion. This policy is required under the Children's Online Privacy Protection Rule (16 CFR § 312.10) and is publicly available as mandated by the 2025 COPPA amendments.

| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Student learning interactions (chat logs, responses) | Duration of active subscription + 90 days | Permanent database deletion |
| Student mastery records | Duration of active subscription + 90 days | Permanent database deletion |
| Student session history | Duration of active subscription + 90 days | Permanent database deletion |
| Engagement milestones | Duration of active subscription + 90 days | Permanent database deletion |
| Diagnostic assessment results | Duration of active subscription + 90 days | Permanent database deletion |
| Scaffolding and difficulty data | Session duration only (in-memory) | Automatic — not persisted beyond session |
| Student PINs (hashed) | Duration of active enrollment | Row deletion from users table |
| IEP/504 accommodation flags (encrypted) | Duration of active enrollment | Row deletion + encryption key rotation |
| Parental consent records | 3 years after consent or revocation | Permanent database deletion |
| Teacher account data | Duration of subscription + 90 days | Permanent database deletion |
| Subscription and billing data | 7 years (tax/accounting requirement) | Permanent deletion after retention period |
| AI audit logs (anonymized) | 1 year | Batch deletion via scheduled job |
| Security incident records | 3 years | Archival then permanent deletion |
| Claude API interaction data (at Anthropic) | 7 days (Anthropic policy) | Automatic deletion by Anthropic |

We collect only the minimum data necessary for educational service delivery. Student names are first-name-only. No last names, email addresses, phone numbers, social media, location, biometric, or device data is collected from students. PII is stripped from all data sent to the AI provider — only anonymized academic interactions reach the Claude API.

Deletion operations are logged with timestamps and verified through automated integrity checks. Backup systems are purged on the same schedule. Encrypted fields use AES-256-GCM; upon deletion, the encryption key material associated with deleted records is destroyed.

Questions about data retention or deletion requests should be directed to our designated data security coordinator at [email protected].