Privacy Policy

1. Who We Are

Squishy School is owned and operated by SignOut LLC, a limited liability company registered in the State of Montana, United States. Throughout this Privacy Policy, "we," "us," and "our" refer to SignOut LLC, and "Service" refers to the Squishy School web application, iOS application, Android application, and any related services or APIs.

Our principal place of business is in Montana, United States. If you have questions about this policy, contact us at privacy@squishyschool.com or support@squishyschool.com.

2. Scope of This Policy

This Privacy Policy applies to all users of the Service worldwide. It describes what personal data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have. By creating an account or using the Service, you acknowledge that you have read and understood this policy. If you do not agree, do not use the Service.

3. Information We Collect

3.1 Information You Provide Directly

• Account information: First name, last name, email address, and password (hashed; we never store plaintext passwords). If you sign in through Apple Sign-In or a third-party OAuth provider, we receive the basic profile information permitted by that provider (typically name and email).
• Profile information: Class or school affiliation (if you join a class section), display name preferences.
• User-generated content: Discussion posts, comments, replies, votes, study group messages, uploaded files (PowerPoints, PDFs, images, audio recordings) submitted for AI question generation, and any feedback or support messages you send us.

3.2 Information Collected Automatically

• Study activity data: Questions answered, answer selections, response times, scores, XP earned, streaks, badges, session history, flashcard performance, study group participation and scores, and login reward claims.
• Device and technical data: Device type, operating system and version, browser type and version, screen resolution, IP address, time zone, language preference, and unique device identifiers (including push notification tokens for delivering notifications).
• Usage data: Pages viewed, features used, session duration, navigation paths, crash logs, and performance metrics.
• Cookies and local storage: We use essential cookies and browser local storage to maintain your session, store authentication tokens, and remember your preferences. We do not use third-party advertising cookies or tracking pixels.

3.3 Information from Third Parties

• Payment processors: When you subscribe to a paid tier, Apple App Store, Google Play Store, or RevenueCat transmit subscription status, transaction identifiers, and purchase history to us. We do not receive or store your full credit card number, bank account details, or billing address.
• Authentication providers: If you use Apple Sign-In or a third-party authentication provider, we receive the information described in Section 3.1.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and operate the Service: Create and manage your account, authenticate your identity, deliver study content, process AI-generated questions and flashcards from your uploaded materials, and run live study group sessions.
• Personalize your experience: Track your study progress, calculate XP and streaks, power leaderboards and class rankings, manage badge awards, deliver spaced repetition recommendations, and tailor the question feed to your performance.
• Process payments: Manage subscription status, verify in-app purchase receipts, handle billing events (renewals, cancellations, refunds), and enforce tier-based feature access.
• Send notifications: Deliver push notifications and in-app alerts related to your study activity (streak reminders, study group invitations, badge awards, login rewards). You can disable push notifications at any time in your device settings.
• Improve the Service: Analyze aggregate usage patterns to identify bugs, improve features, and develop new functionality. We do not use your personal data for automated decision-making that produces legal effects.
• Ensure safety and compliance: Enforce our Terms of Service, detect and prevent fraud or abuse, respond to legal requests, and protect the rights and safety of our users.
• Communicate with you: Respond to support inquiries, send service-related announcements (such as changes to these terms or planned maintenance), and deliver transactional emails related to your account.

5. Legal Bases for Processing (for EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:

• Contract performance: Processing necessary to provide the Service you signed up for (account management, study features, subscriptions).
• Legitimate interests: Processing for Service improvement, security, fraud prevention, and aggregate analytics, where those interests are not overridden by your rights.
• Consent: Where you have given explicit consent, such as opting in to push notifications. You may withdraw consent at any time.
• Legal obligation: Processing required to comply with applicable laws.

6. Third-Party Service Providers

We share personal data with the following categories of third-party service providers, solely to the extent necessary to operate the Service:

Each provider is bound by its own privacy policy and applicable data processing agreements. We encourage you to review their respective policies.

7. Data Sharing, Selling, and Tracking

• We do not sell your personal data. We have never sold personal data and have no plans to do so. This applies to all users regardless of jurisdiction.
• We do not share your data for advertising. We do not provide personal data to advertising networks, data brokers, or analytics companies for targeted advertising purposes.
• We do not track you across other apps or websites. We do not participate in cross-app or cross-site tracking. Our iOS app respects Apple's App Tracking Transparency (ATT) framework; we do not request tracking permission because we do not track.
• Aggregate data: We may use aggregated, de-identified data (data that cannot reasonably identify you) for internal analytics, reporting, and Service improvement. This data is not shared with third parties in identifiable form.
• Legal disclosure: We may disclose personal data if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of SignOut LLC, our users, or the public.
• Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity. We will notify you via email or prominent notice on the Service before your data becomes subject to a different privacy policy.

8. Data Retention

• We retain your account information and study data for as long as your account is active.
• If you delete your account (see Section 10), we will remove your personal data from active production systems within 30 days.
• Encrypted backups containing your data may be retained for up to 90 days after account deletion before being permanently purged.
• Uploaded files (PowerPoints, PDFs, images, audio) submitted for AI generation are processed and then automatically deleted from our storage within 72 hours of processing completion. The generated questions and flashcards are retained as part of your study data.
• We may retain certain anonymized or aggregated data indefinitely for analytics and Service improvement purposes.
• Payment records may be retained as required by applicable tax and accounting laws.

9. Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of data at rest using AES-256 (AWS and Neon managed encryption).
• Secure authentication through Amazon Cognito with SRP (Secure Remote Password) protocol.
• Password hashing (passwords are never stored in plaintext).
• Role-based access controls limiting employee access to personal data on a need-to-know basis.
• Regular security reviews of our infrastructure and dependencies.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.

10. Your Rights and Choices

10.1 All Users

Regardless of where you live, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data and account. You can initiate account deletion directly within the app under Settings, or by emailing us. We will process deletion requests within 30 days.
• Data portability: Request a copy of your data in a structured, machine-readable format (JSON).
• Opt out of notifications: Disable push notifications through your device settings at any time. Disable email communications by using the unsubscribe link in any email or by contacting us.

10.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to opt out of sale/sharing: We do not sell or share (as defined by CCPA/CPRA) your personal information. No opt-out is required, but you may still contact us to confirm.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
• Right to correct: You may request correction of inaccurate personal information.
• Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CPRA.

To submit a verifiable consumer request, email privacy@squishyschool.com. We will verify your identity before processing any request.

10.3 Montana Residents

SignOut LLC is registered in Montana. If you are a Montana resident, you have rights under the Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024, including the rights to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of the processing of personal data for targeted advertising, sale, or profiling. We do not engage in any of these activities. To exercise your rights, contact privacy@squishyschool.com.

10.4 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR, including:

• Right to restriction of processing.
• Right to object to processing based on legitimate interests.
• Right to withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal).
• Right to lodge a complaint with your local data protection supervisory authority.

10.5 Other U.S. State Privacy Laws

We comply with applicable state privacy laws including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OCPA), and other state privacy laws as they take effect. Residents of these states may exercise their applicable rights by contacting privacy@squishyschool.com.

11. Children's Privacy (COPPA Compliance)

The Service is designed for college-level and professional school students and is not directed to children under the age of 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If we become aware that we have inadvertently collected personal data from a child under 13, we will take immediate steps to delete that data. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@squishyschool.com.

12. Apple App Tracking Transparency

Our iOS application does not track you across apps or websites owned by other companies. We do not use the IDFA (Identifier for Advertisers) or any equivalent tracking identifier. We do not request App Tracking Transparency permission because we do not engage in tracking as defined by Apple.

13. Google Play Data Safety

In accordance with Google Play's Data Safety requirements:

• We collect name, email, and study activity data as described in this policy.
• Data is encrypted in transit and at rest.
• You can request account and data deletion through the app or by contacting us.
• We do not share personal data with third parties for advertising.
• We do not sell personal data.

14. International Data Transfers

Our servers and service providers are located in the United States. If you access the Service from outside the United States, your personal data will be transferred to and processed in the United States, which may have different data protection laws than your country of residence. By using the Service, you consent to this transfer. For EEA/UK users, we rely on standard contractual clauses or other approved transfer mechanisms where required by applicable law.

15. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party services you visit.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Notify you via email or in-app notification for material changes.
• Where required by law, obtain your consent before applying changes retroactively.

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

We will respond to all privacy-related inquiries within 30 days, or sooner if required by applicable law.