Privacy Policy

Last updated: April 2026

1. Who we are

LoomLesson is a U.S.-based service that helps teachers generate classroom resources. This page describes what personal information we collect from teachers, how we handle it, and the choices you have.

2. What we collect

• Account data. Your email address and display name when you sign up (entered directly or pulled from your Google account). We store a hashed password if you sign up with email/password — the plaintext password is never stored.
• Generated resources. The prompts you submit, the resources we produce, and any edits you make. This is what lets the product show you your library.
• Usage data. Rate-limit counters, Loom balance, generation logs, and high-level error diagnostics. We keep a user-scoped event log so we can troubleshoot and enforce abuse protections.
• Billing data. If you upgrade to Pro or School, Stripe stores your payment method on their systems — we store a Stripe customer id and subscription status, never card numbers.
• Google OAuth tokens. If you authorize Google Drive or Google Classroom export, we store the access / refresh tokens so we can create files on your behalf.

3. Student data

LoomLesson is a teacher tool. The product is designed so teachers can generate materials without entering student names, identifiers, IEP numbers, or grades into the system. Features that touch student-adjacent work (IEP Goal Tracker, Grading, Student Rooms) ask you to use pseudonymous labels; please do not paste identifying student information into text fields or photos.

We have not completed a formal FERPA or COPPA certification and do not represent ourselves as “compliant” with either statute. Schools and districts that require a signed Data Processing Agreement (DPA) before adopting LoomLesson can reach out to privacy@loomlesson.com — we're happy to discuss the scope of data involved and sign a DPA where it makes sense.

4. Student Rooms

The "Student Rooms" feature lets a teacher create an AI tutor room and share a code so students can chat. Students do not create an account. We store their chat messages, linked to the teacher's account, so the teacher can review. We do not ask students for personal information; please instruct students not to enter it. Because this feature may be used by minors, teachers are responsible for obtaining any parental consent required under local or school policy before sharing a Room code.

5. How we use data

• To operate the product: generating resources, storing them, showing usage / balance.
• To run abuse protections and rate limits.
• To process payments via Stripe and refund requests.
• To email you transactional messages (password resets, team invites you create, receipts).
• To respond when you contact support.

We do not sell, rent, or share your data with advertisers.

6. Who we share data with (sub-processors)

• Supabase — Postgres database + file storage (resources, profile, logs).
• Anthropic — AI model inference (prompts + completions).
• OpenAI — image generation for illustrated resources.
• Stripe — payments + subscription billing.
• Google APIs — only when you authorize Drive / Classroom export.
• Resend — transactional email delivery.
• Vercel — hosting and serverless runtime.
• Cloudflare Turnstile — optional abuse CAPTCHA for signups.

7. Retention

Resources, account data, and OAuth tokens are retained for the lifetime of your account. You can delete a resource at any time (soft-deleted, purged within 30 days). Deleting your account removes your profile, resources, logs, and subscription state within 30 days, except as required to keep financial records for tax / chargeback purposes.

8. Security

• HTTPS/TLS everywhere.
• Passwords hashed with scrypt; never stored in plaintext.
• Database encrypted at rest.
• Service-role database access restricted to the server; the browser never sees private user data for other accounts.
• Webhook signatures verified on every incoming Stripe event.

9. Your rights

You can request export or deletion of your data at any time by emailing privacy@loomlesson.com. Residents of California, the EU, and UK: you have the rights described in the CCPA / GDPR to access, correct, or delete your personal information. We fulfill these requests free of charge within 30 days.

10. Changes to this policy

We'll post changes to this page and update the “last updated” date. Material changes get an email to your account address at least 14 days before they take effect.