Privacy Policy
Last Updated: March 20, 2026
1. Information We Collect
We collect only the information necessary to provide and improve the CardSTEM service:
- Account information: Name and email address, collected via Clerk authentication when you create an account.
- Program data: Program names, student first names, and assessment scores entered by facilitators.
- Parent access: Access codes linked to student progress reports. No parent accounts are required.
- Orders: Contact information, organization name, and shipping address submitted when placing an order.
- Lead capture: Name, email, organization, role, and message submitted through our contact form.
2. How We Use Information
We use the information we collect to:
- Provide and improve the CardSTEM service, including the facilitator dashboard, curriculum tools, and assessment platform.
- Process orders and communicate about order status.
- Send certification and program-related notifications.
- Analyze usage patterns to improve the product and user experience.
3. Information Sharing
We do not sell personal information. We share data only with the following service providers, solely for the purpose of operating CardSTEM:
- Clerk — authentication and user management.
- Railway — application hosting and infrastructure.
- Gmail — transactional notifications and lead capture emails.
We do not share student data with any third parties.
4. Student Data Protection
We take student data protection seriously and comply with COPPA and FERPA guidelines:
- Student records contain first names only. No last names or other personally identifiable information is stored beyond what facilitators choose to enter.
- Grown-up access is code-based, not account-based. Grown-ups do not need to create accounts or provide personal information to view learner progress.
- Assessment data is used solely for educational progress tracking within the CardSTEM platform.
5. Data Retention
Account data is retained while your account is active and will be deleted upon request. Program and student data is retained for 2 years after program completion, then anonymized. To request deletion of your data, contact support@cardstem.academy.
6. Security
We implement industry-standard security measures to protect your data:
- HTTPS encryption for all data in transit.
- Authenticated API access for all platform endpoints.
- Rate limiting to prevent abuse and enumeration attacks.
- Parameterized database queries to prevent SQL injection.
- No plain-text passwords stored. Authentication is managed by Clerk.
7. Cookies
We use Clerk's authentication cookies only, which are necessary for you to stay signed in. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.
8. Your Rights
You have the right to:
- Request access to the personal data we hold about you.
- Request deletion of your account and associated data.
- Opt out of non-essential communications.
To exercise any of these rights, contact support@cardstem.academy.
9. Children's Privacy
CardSTEM does not collect data directly from children. All student data is entered by adult facilitators who are responsible for their programs. Children do not create accounts or interact with the platform directly.
10. Changes
We may update this Privacy Policy from time to time. We will notify users of material changes via email. The updated policy will be posted on this page with a revised "Last Updated" date.
11. Contact
If you have questions about this Privacy Policy or how we handle your data, contact us at support@cardstem.academy.