1. Introduction
Launch (“we,” “us,” or “the Platform”) is a coding learning platform designed for students ages 5–13. This Privacy Policy describes what information we collect, how we use it, and the choices available to teachers, parents/guardians, and students.
Launch is operated by Austin Christian University (“ACU,” “we,” “us,” or “our”). You can contact us at any time:
- Email: privacy@launch.kids
- Phone: (737) 290-0914
- Mailing Address: 601 Westinghouse Rd, Georgetown, TX 78626
By using Launch you agree to the practices described in this policy. If you do not agree, please do not use the Platform.
2. Our Core Privacy Principle: Data Minimization
What we collect from children. We design Launch to minimize the personal information we collect from children to the smallest set required to operate the service. The only child-linked identifiers we hold are:
- A student display name supplied by an authorized educator—typically an auto-generated codename, though the field accepts a real first name if the educator chooses to enter one.
- Per-tab session identifiers and standard server request logs (IP address, user agent) subject to the internal-operations exception under 16 CFR 312.4(h).
- The text content of AI chat conversations and project code files. We scrub this content for structured personal information (email, phone, name disclosure patterns) before storage and before transmission to our language-model providers.
- Voice audio when a student uses the microphone feature. Audio is streamed to a transcription provider and is not retained on our servers.
We never use any of this for advertising, profiling, model training, or any commercial purpose beyond providing the service.
3. Information We Collect
3.1 Teacher/Educator Accounts
Teachers create accounts so they can manage teams and review student projects. We collect:
- Email address — used for authentication and account recovery.
- Password — salted and hashed by our authentication provider (Supabase Auth). We never store or have access to plaintext passwords for teacher accounts.
- First and last name — displayed on the teacher dashboard for personalization.
Teacher information is stored in our database (hosted by Supabase) and is protected by row-level security policies.
3.2 Student Sessions
Students join the Platform by entering a team code. No account is created. The following non-personal, session-level data is set:
- Team code & team ID — stored in httpOnly, secure cookies that expire after 24 hours. These identify the team, not the individual student.
- Age group — derived from the team’s configuration (e.g. “elementary” or “middle”). Used solely to adapt the user-interface complexity and AI communication style. Stored in an httpOnly cookie that expires after 24 hours.
- Codename & avatar — chosen by the student and stored exclusively in the browser’s local storage on the student’s own device. This data never leaves the device and is never transmitted to our servers.
- Progress data (XP, coins, level, streaks, animal cards) — stored exclusively in the browser’s local storage on the student’s own device. This data never leaves the device.
3.3 Student Coding Projects
When a student creates or saves a coding project, the project files, title, and description are stored in our database associated with the team ID—not with any individual student identity. There is no way for us to attribute a specific project to a specific child.
Text submitted to the AI assistant is passed through our PII scrubber, which automatically detects and redacts email addresses, phone numbers, Social Security numbers, credit card numbers, and first-person name disclosures (e.g. “my name is …”). We are actively extending this scrubbing to project titles and descriptions as well.
Where student code runs.
To run a project’s code and display the live preview, the project’s files are sent to an isolated cloud sandbox (provided by Vercel) that executes the code in a short-lived micro-virtual-machine dedicated to that single project session. Sandboxes are scoped per student per project; one student’s sandbox cannot read or modify another’s. Network egress from inside a sandbox is restricted to the package registry (npm) and the sandbox’s own preview origin. Sandboxes auto-stop after 90 seconds of inactivity and after a maximum total runtime of 5 hours, at which point all in-sandbox state (memory, scratch files, terminal output) is permanently discarded. The project files themselves remain stored in our database as described above; only an ephemeral copy is materialized inside the sandbox for the duration of the session.
Sandbox contents—including any data produced by the running code—are not used to train, fine-tune, or improve any AI model and are not retained by Vercel after the sandbox stops. See Section 5 for the underlying Data Processing Agreement covering this service.
3.4 AI Chat Messages
Students interact with an AI coding assistant. Messages sent to the AI are:
- Scrubbed of PII before leaving our server, using both deterministic regex patterns and an LLM-based name classifier.
- Sent to our AI providers for processing. Launch uses Google (Gemini language models, via Google Cloud’s Vertex AI) as its primary language-model provider, with OpenRouter as a fallback. OpenRouter, when engaged as a fallback, routes requests to underlying foundation models (e.g. OpenAI, Anthropic, Google Gemini, DeepSeek).
- Not stored by us. Chat messages are not retained on Platform servers after they are processed. Retention by our AI providers varies by provider and is governed by each provider’s own terms—not by an aggregate zero-retention promise from us. We have signed Data Processing Agreements with Google, our primary provider, and OpenRouter, our fallback provider. See the sub-processor table in Section 5 for the current, provider-specific retention status.
We do not use student chat messages to train, fine-tune, or improve any AI model.
3.5 Voice Input
Students may optionally use voice input to dictate messages to the AI assistant. When a student uses this feature:
- Audio is recorded temporarily in the browser and sent to OpenAI’s transcription API (
gpt-4o-mini-transcribe). - The audio is converted to text. We do not store audio files on Platform servers; the audio stream is forwarded to OpenAI for transcription only. Audio is sent to OpenAI’s transcription API and is subject to OpenAI’s standard API data handling, which includes up to 30 days of retention for abuse monitoring; OpenAI does not use API data for model training.
- The resulting text transcript is then PII-scrubbed before being sent to the AI assistant, following the same process described in Section 3.4.
Student audio is used only for real-time transcription. It is not retained on Launch servers, and is subject to OpenAI’s standard API retention (up to 30 days for abuse monitoring; not used for model training) once forwarded for transcription.
3.6 Operational Telemetry & Error Reporting
Launch uses two limited forms of operational telemetry, both scoped to the COPPA “internal operations” exception (16 CFR 312.4(h)), which permits data collection necessary to maintain, analyze, and improve the service. Neither system captures student content, runs advertising, nor tracks students across sessions.
Error reporting (Sentry).
When the Platform encounters a JavaScript exception or server error, a scrubbed error report is sent to Sentry for diagnostic purposes. Every error report is passed through our PII scrubber (the same pipeline described in Section 3.4) before leaving our server—stack traces, error messages, and breadcrumbs are stripped of emails, phone numbers, Social Security numbers, credit card numbers, and first-person name disclosures. Session replay, autocapture, and user profiling are explicitly disabled. Student error reports carry no user.id, no user.email, and no persistent identifier.
Operational telemetry (server-side).
The Platform records a limited set of structured events to a server-side table for the sole purpose of measuring operational health—response times, install and compile success rates, device capabilities, and drop-off patterns. Each event is scoped to a per-tab session identifier held in the browser’s sessionStorage, which is discarded automatically when the tab is closed. No cookie, localStorage entry, or fingerprinting technique is used to identify students. No cross-session identifier is created. Every string field is PII-scrubbed on receipt. Student telemetry is retained for 30 days; teacher telemetry for 180 days (teachers consent to extended analytics as part of their account terms).
What we do not do.
- No third-party analytics SDK (PostHog, Mixpanel, Google Analytics, or similar) runs on student pages.
- No advertising pixels, behavioral profiling, or targeted content.
- No session replay, video capture, or scroll/click autocapture.
- No cross-session tracking and no persistent identifier assigned to students.
- No device fingerprinting libraries.
Our hosting infrastructure (Vercel) may also collect standard server logs (IP addresses, request timestamps, user-agent strings) as part of normal web-server operations. These logs are used solely for security monitoring and abuse prevention, are not linked to any student identity, and are automatically purged per Vercel’s retention policies.
4. How We Use Information
| Data | Purpose |
|---|---|
| Teacher email & password | Authentication, account recovery |
| Teacher name | Dashboard personalization |
| Team code / team ID | Session routing so students see projects belonging to their team |
| Age group | Adapting UI complexity and AI communication style |
| Project files | Persisting student work so it can be loaded, reviewed by teachers, and continued in future sessions |
| Chat messages (transient) | Providing real-time AI coding assistance |
| Voice audio (transient) | Real-time speech-to-text conversion only |
| Error reports (PII-scrubbed) | Detecting and fixing bugs that interrupt student learning |
| Operational telemetry (PII-scrubbed) | Measuring compile/preview success rates, page timings, and drop-off to improve the platform |
5. Third-Party Service Providers
We use the following third-party services to operate the Platform. We seek a Data Processing Agreement (“DPA”) with each and request no-retention terms where available; actual retention varies by provider, as shown in the table below, and DPAs with several of these providers are still being finalized. Our standing requirement is that no provider use data received for model training, profiling, or any purpose other than providing the contracted service.
| Provider | Service | Data Received | Retention |
|---|---|---|---|
| Supabase | Database & Auth | Teacher accounts, team config, project files | Until deleted by teacher or us |
| Gemini language models, via Google Cloud Vertex AI (default provider) | PII-scrubbed chat messages and project file content; no student identifiers | Up to 30 days for abuse monitoring under a signed Data Processing Agreement; not used for model training | |
| OpenRouter | AI model routing (fallback provider) | PII-scrubbed chat messages | Per OpenRouter’s published policy, under a signed Data Processing Agreement; no-retention terms requested where available |
| Underlying foundation models (e.g. OpenAI, Anthropic, Google Gemini, DeepSeek) | AI language models invoked via our fallback provider (OpenRouter) | PII-scrubbed chat messages | Per upstream provider’s contractual terms with our routing provider; no direct contractual relationship (our primary Gemini access is direct via Google Cloud Vertex AI, listed above) |
| OpenAI | Voice transcription | Audio stream (transient) | Subject to OpenAI’s standard API data handling: up to 30 days of retention for abuse monitoring; not used for model training |
| Vercel | Hosting & CDN | Standard server logs | Per Vercel retention policy |
| Vercel Sandbox | Isolated cloud micro-VMs for code execution | Project files (per-student, ephemeral copy) | Auto-stops after 90 s idle; 5 h max; all sandbox state discarded on stop |
| Sentry | Error monitoring | PII-scrubbed error reports. No student content, no user.id for students, session replay disabled. | 90 days |
All student-originated text is PII-scrubbed before transmission to third-party providers. We request no-retention terms from each AI provider where available and require each to refrain from using any data received for model training or improvement; actual retention varies by provider as shown in the table above. We have signed Data Processing Agreements with Google, our primary language-model provider—under which prompt and response data may be retained for up to 30 days for abuse monitoring and is not used for model training—and with OpenRouter, our fallback provider. Sentry receives only PII-scrubbed error reports and is contractually prohibited from using them for any purpose other than providing the error-monitoring service.
6. COPPA Compliance
The Children’s Online Privacy Protection Act (“COPPA”) requires operators of websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information from children.
Our compliance approach is architectural data minimization: we collect the smallest set of child-linked information needed to run the service (described in Section 2) and never use it for advertising, profiling, or model training.
- Students authenticate with a short team code—no individual email addresses or passwords are created for students.
- All text sent to third-party AI services is PII-scrubbed before transmission.
- Voice audio is processed in real time for transcription only and is not retained on our servers.
- Operational telemetry is scoped to the COPPA “internal operations” exception (16 CFR 312.4(h)): no advertising, no behavioral profiling, no session replay, no cross-session identifiers, and no third-party analytics SDK runs on student pages. See Section 3.6 for details.
Teachers who create teams and invite students are encouraged to inform parents/guardians that their child will be using Launch and to share this Privacy Policy.
7. FERPA Compliance
When Launch is used by a school or school district, student coding projects may constitute education records under the Family Educational Rights and Privacy Act (“FERPA”). In such cases:
- Launch acts as a “school official” with a “legitimate educational interest” in student work solely to provide the coding education service.
- We do not disclose education records to any third party except as required to operate the service (see Section 5) or as required by law.
- Because projects are associated with teams rather than individual student identities, our data minimization architecture also reduces FERPA exposure.
- Schools may request a FERPA-aligned Data Processing Addendum by emailing privacy@launch.kids.
8. Data Security
We protect information through multiple layers of defense:
- Content Security Policy (CSP) — HTTP headers restrict which domains the browser may communicate with, preventing data exfiltration by malicious code.
- Row-Level Security (RLS) — database-level access controls ensure teachers can only access their own teams and projects.
- PII Scrubbing — automated, multi-layer redaction of personal information from all text before it reaches AI services.
- httpOnly Cookies — session cookies cannot be accessed by client-side JavaScript, preventing cross-site scripting (XSS) attacks from reading session data.
- Rate Limiting — API endpoints are rate-limited to prevent abuse.
- Sandboxed Code Execution — student code runs inside isolated Vercel Sandbox micro-virtual-machines, scoped per student per project. Each sandbox auto-stops after 90 seconds of inactivity (and a 5 hour absolute ceiling), at which point all in-sandbox state is permanently discarded. Sandboxes have restricted network egress, cannot access our application database directly, and cannot communicate with one another. See Section 3.3 for details.
- Cross-Origin Isolation — the live preview iframe is served from an origin separate from the Launch application, so a project’s code cannot read or modify Launch session cookies, localStorage, or other application state.
- Output Sanitization — student-generated project output is sanitized to prevent attempts to access cookies, localStorage, or sessionStorage from within project previews.
9. Data Retention & Deletion
9.1 Student Data
- Session cookies (team code, team ID, age group) automatically expire after 24 hours.
- Local storage data (codename, avatar, progress) persists on the student’s device until the browser data is cleared. We have no access to or control over this data.
- Projects associated with a team are retained until the teacher deletes them or the teacher deletes the team.
- AI chat messages are processed in real time and are not retained on Launch servers. Retention by our AI providers varies by provider and is governed by each provider’s own terms—see the sub-processor table in Section 5.
- Voice audio is processed in real time and is not retained on Launch servers. Audio forwarded to OpenAI for transcription is subject to OpenAI’s standard API retention (up to 30 days for abuse monitoring; not used for model training).
- Operational telemetry (timings, event counts, device class) scoped to a student session is retained for 30 days, then automatically pruned. Telemetry contains no student content and no cross-session identifier.
- Error reports sent to Sentry are retained for 90 days per Sentry’s account configuration. Student error reports carry no persistent identifier.
9.2 Teacher Data
Teacher accounts (email, name, authentication credentials) are retained for as long as the teacher maintains an active account. Teachers may request account deletion at any time by contacting privacy@launch.kids. Upon deletion:
- The teacher’s profile and authentication data are permanently deleted.
- All teams created by the teacher are deleted.
- All projects associated with those teams are permanently deleted.
9.3 Inactive Accounts
Teacher accounts that have been inactive for more than 12 months may be flagged for deletion. We will send a notification to the teacher’s email address 30 days before deletion. If no action is taken, the account and all associated data will be permanently deleted.
10. Rights of Teachers, Parents & Guardians
10.1 Teachers
Teachers may at any time:
- Access and update their account information via the teacher dashboard.
- Delete individual student projects from their teams.
- Delete entire teams and all associated projects.
- Request a complete export of all data associated with their account.
- Request permanent deletion of their account and all associated data.
10.2 Parents & Guardians
Parents and guardians may:
- Review this Privacy Policy at any time at launch.kids/privacy.
- Contact us at privacy@launch.kids with any questions or concerns.
- Ask the educator who enrolled their child to remove that child’s access and delete their information.
If a parent believes that their child has provided personal information to us despite our safeguards, please contact us immediately at privacy@launch.kids and we will investigate and delete any such information.
10.3 Parental rights — how to exercise them
To review, delete, or refuse further collection of personal information about your child, email privacy@launch.kids from the email address associated with the educator account that enrolled your child. We will respond within 30 days. For students enrolled by a school, please contact the school administrator first—they have direct access to delete your child’s information in our system. If the school is unresponsive, contact us at privacy@launch.kids and we will fulfill the request directly.
11. Absolute Prohibitions
We will never:
- Require a child’s real name—the student display name defaults to an auto-generated codename, and we never request real names. (As noted in Section 2, the display-name field will accept a real first name if an educator chooses to enter one.) We also never collect a student’s email address, home address, phone number, or other contact identifiers.
- Use student data—in any form—for marketing, advertising, commercial profiling, or behavioral targeting.
- Use student data (text, voice, or project code) to train, fine-tune, or improve any AI model, whether our own or any third party’s.
- Store audio recordings of student voices on Launch servers. Voice input is transcribed in real time and is not retained by Launch; audio forwarded to OpenAI for transcription is subject to OpenAI’s standard API retention (up to 30 days for abuse monitoring; not used for model training).
- Sell, rent, lease, or trade student data to any third party for any purpose.
- Use student data to create individual behavioral or academic profiles.
- Allow third-party advertising, behavioral analytics, session replay, or cross-session tracking on student pages. (Error-monitoring reports sent to Sentry carry no student content and no persistent student identifier—see Section 3.6.)
12. International Data Transfers
Our AI providers (Google and OpenRouter) may process or route requests to language-model providers operating in various jurisdictions. Retention by these providers varies and is governed by each provider’s own terms (see the sub-processor table in Section 5); we request no-retention terms where available. We have signed Data Processing Agreements with both Google and OpenRouter. Because all student text is PII-scrubbed before transmission, the data transferred internationally does not include direct personal identifiers.
13. State Privacy Law Compliance
In addition to federal COPPA and FERPA compliance, Launch is designed to comply with state student privacy laws, including but not limited to:
- California (SOPIPA, CalOPPA, CCPA/CPRA) — We do not use student data for non-educational purposes, do not sell personal information, and do not engage in targeted advertising.
- New York (Education Law § 2-d) — We maintain data security protections and do not sell or release student data.
- Colorado, Connecticut, Illinois, Virginia, and other state student privacy laws — Our data minimization architecture is designed to meet or exceed the requirements of all current state student privacy legislation.
School districts requiring state-specific data processing agreements may contact us at privacy@launch.kids.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will:
- Post the updated policy on this page with a new “Last Updated” date.
- Notify teachers via email at least 30 days before the changes take effect.
- If any change would result in the collection of personal information from students, we will obtain verifiable parental consent as required by COPPA before implementing such a change.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@launch.kids
- Phone: (737) 290-0914
- Mailing Address: 601 Westinghouse Rd, Georgetown, TX 78626
We will respond to all privacy-related inquiries within 30 days.