GradeGlow Privacy Policy
GradeGlow is an iOS app that helps parents review their child's homework using AI. This policy explains what we collect, what we don't, how we handle it, and how you can have it removed. We wrote this in plain language; if anything is unclear, write to us at the address in section 8.
1. What we collect
We collect only what we need to run the app. Concretely:
- Install ID. A random identifier generated on your device the first time you open the app. It lets our backend tell one installation from another for rate-limit and quota purposes. It is NOT tied to your Apple ID unless you sign in with Apple (section 4). It is NOT derived from your device hardware or advertising identity (we don't read the IDFA, device serial, or MAC address). You can reset it by reinstalling the app.
- Session token. A short-lived credential minted by our backend when your app starts. It is valid for 30 days and is replaced automatically. It is stored in your device's Keychain and is never shared.
- Usage events. For every request to our backend endpoints (including analysis requests, anonymous session bootstrap at `/auth/guest`, and Sign in with Apple at `/auth/apple`), we record a small set of metadata: the endpoint hit, a timestamp, the response status code, a hashed IP address (an HMAC computed with a server-side secret key, so the address cannot be reversed or matched by guessing without that key), the install ID that made the request, and whether the request was rate-limited or blocked. For analysis requests specifically, we also record the model used (`gemini-3.1-flash-lite-preview` or the fallback `gemini-2.5-flash`), token counts reported by the AI provider, and the analysis latency. We use this metadata to enforce quotas, investigate bugs, and forecast our infrastructure costs. We do NOT record the request body (see section 2; photos are never logged).
- Apple `sub` (subject identifier). If you choose to sign in with Apple (section 4), we store the stable, opaque identifier that Apple issues for your account. This is NOT your Apple ID email or name.
- Apple email claim. If you share it during Sign in with Apple, we store either your real email or Apple's private-relay address. We use this only to display your account state in the app's Profile screen. We do not send you marketing email. We do not share it with third parties.
2. What we do NOT collect
We explicitly do not collect:
- Homework photo bodies. When you take a photo of homework for analysis, the image is sent to the AI provider's API to generate a study guide, and then it is discarded. We do not log the image body on our backend. We do not store it in a database. We do not retain it after the analysis response returns to your app.
- Any response text. The AI's output study guide is returned to your device and is not mirrored or cached on our backend.
- OCR text extracted from your images. Not logged, not retained.
- Student names or personal identifiers you type into the app (e.g., "John's math homework"). These stay on your device.
- Biometrics (Face ID / Touch ID are device-only; we never receive a biometric signal).
- Location data. The app does not request or use location services.
- Contacts, calendar, or any system-managed personal data.
- Advertising identifiers (IDFA). We do not integrate with ad networks.
- Third-party analytics or crash reporting. We ship no Firebase, Segment, Mixpanel, Sentry, or similar SDK in the iOS app.
3. Children and COPPA applicability
GradeGlow is designed for parents, not for children. The Profile screen and app controls are parent-facing. Children are not expected to operate the app themselves, and the app does not create child accounts, collect child-identifying information, or market to users under 13.
The images analyzed by the app may depict a child's homework (handwriting, worksheet content, drawings). Per section 2, we do not retain these images after the analysis completes. The AI provider (Google) processes the image in-flight per their published terms; see section 5.
If you believe a child under 13 has created a GradeGlow account or had their information collected in violation of COPPA, contact us at the address in section 8 and we will delete the associated records within 30 days.
We do not knowingly build profiles of minors. If future versions of GradeGlow introduce any child-directed feature, we will publish a revised policy and — where COPPA applies — require verified parental consent before collecting any child-identifying data.
4. Sign in with Apple — what happens to your data
Sign in with Apple is optional. The app works anonymously by default (with lower daily quotas). If you tap "Sign in with Apple":
- Your device uses Apple's native `ASAuthorizationController` to produce an identity token. We never see your Apple ID password.
- The app sends this identity token to our backend over TLS.
- Our backend verifies the token's signature against Apple's public keys and extracts two claims: the stable `sub` identifier (see section 1) and, if you share it, your email (section 1).
- We create a record linking your install to a new user ID and mark your account as "free tier" (50 analyses per day, up from 20 in anonymous mode).
- A nonce tied to the sign-in attempt is validated to prevent token replay; the nonce is not retained after verification.
If you later sign out within the app (Profile → Sign out), your local session is cleared. Server-side, the session expires naturally within 30 days; until explicit backend revocation ships in a future release, a session token that was copied off the device before sign-out remains usable until that expiry.
If you request account deletion (section 6), we delete the `users` row, the `auth_identities` row tying your Apple `sub` to our user record, and any pending sessions. Usage event metadata tied to the user ID is either deleted or anonymized per section 7.
5. Third-party processors
GradeGlow's backend is hosted on Cloudflare and calls Google's Gemini API for analysis. Apple provides the identity layer for Sign in with Apple.
| Processor | What we send them | What they do with it | Their privacy terms |
|---|---|---|---|
| Cloudflare (Workers, D1, Durable Objects) | Your install ID, session token, usage-event metadata, homework image as a POST body to our Worker (transient — discarded post-analysis) | Host our backend, enforce rate limits, store minimal metadata. Cloudflare does not log image bodies for us. | cloudflare.com/privacypolicy |
| Google (Gemini API via our Worker) | Your homework image (encoded as bytes), a prompt to analyze it | Generate a study guide. Google's AI service handling is covered by their Generative AI Additional Terms. | policies.google.com/privacy + Generative AI Terms |
| Apple (Sign in with Apple) | An identity token request from your device; Apple returns a signed token to your device which we verify | Authenticate your Apple ID without sharing your password. | apple.com/legal/privacy |
We do NOT use any advertising networks, tracking SDKs, analytics vendors, or customer-data platforms.
6. Your rights — access, export, deletion
You can:
- Ask us what we have on you. Write to the address in section 8 referencing your install ID (visible in-app under Profile → About, in a future release) or your Apple `sub`. We will send you a machine-readable dump of your records within 30 days.
- Delete your account and associated data. Same request channel. Deletion covers: your `users` row, linked `auth_identities` rows, any active sessions, and usage-event records tied to your user ID. Anonymous install records that were never linked to an Apple account are deleted by install ID.
- Reset your anonymous session. Uninstall and reinstall. A new install ID is generated.
- Opt out of Sign in with Apple. Use the app without signing in; the anonymous quota applies.
Response SLA: 30 days from request receipt.
7. Retention
We keep data only as long as needed. Current retention windows:
| Data category | Retention window | Why |
|---|---|---|
| Anonymous install records (install ID, counters) | Indefinite while the install is active; deleted on explicit request | Required to enforce rate limits per install |
| Session tokens | 30 days (natural expiry); deleted on sign-out (client-side today) | Short-lived by design |
| Usage events (endpoint, timestamp, status, tokens, latency) | 30 days (matches session TTL) | Operational debugging + infrastructure cost projection; no individual-user value beyond the window |
| Apple `sub` + linked user record | Until the user requests deletion | Required to recognize you on subsequent sign-ins |
| Homework image bodies | Not retained. Discarded immediately after the AI response returns. | Explicit non-goal of this service |
| Homework analysis responses (study guide text) | Not retained. Returned to the device and not mirrored. | See above |
If retention policy changes in a later version, this document is updated and the app ships with a notice describing the change.
8. Contact
Privacy requests, deletion requests, and questions about this policy:
Email: privacy@gradeglow.app
In-app: A link to this policy is accessible from the app's Profile → About section.
We respond within 30 days to requests covered by section 6.