Privacy Policy

Briveli is an adaptive math practice platform for students in grades K through 8. The service is operated by Briveli ("we," "us," or "our"). Our contact email is privacy@briveli.com.

The Children's Online Privacy Protection Act (COPPA) applies to online services directed at children under 13. We've designed Briveli from the ground up to comply with COPPA:

• Parent accounts only. Only parents or legal guardians may create accounts. Children do not have usernames, passwords, or email addresses in our system.
• Minimal child data.For each child profile, we store only the child's first name and grade level. We do not collect a child's last name, email address, home address, phone number, photo, or any other personally identifiable information.
• No child-directed advertising. We do not display advertising to children and we do not use child data for any marketing purpose.
• Parental controls. Parents can view, edit, or delete any child profile and its associated data from the dashboard at any time.

Briveli is sold directly to parents and guardians, not to schools or districts. We do not act as a "school official" under the Family Educational Rights and Privacy Act (FERPA). When a parent or guardian creates a Briveli account, they are the consumer of record and they own the resulting account and child profiles outright.

If a school, district, or teacher recommends Briveli to families and a parent chooses to sign up, no education records covered by FERPA are transferred to Briveli. We collect only the data described in Section 4 below, and only from the parent. We do not receive student rosters, school IDs, classroom rosters, IEPs, grades, or any other education records from a school. If a school eventually wants to license Briveli on behalf of students, we would do so under a written data-processing agreement that addresses FERPA and applicable state student-privacy laws (including California's SOPIPA and similar) before any education records change hands.

From parents (account holders)

• Email address (for account login and service communications)
• Payment information (processed by Stripe; we never see raw card numbers)
• Subscription status and billing history

From child profiles

• First name (entered by the parent)
• Grade level (Kindergarten through 8th grade, entered by the parent)
• Optional age-appropriate interests (for example, "animals," "space," or "sports") used to personalize math word problems. Parents choose these from a fixed allowlist, can pick up to three, and can clear or change them at any time from the dashboard.
• Practice data: answers submitted, time taken per problem, skill mastery estimates
• Session history: date, number of problems, accuracy rate

Automatically collected

• IP address and browser type (for security and fraud prevention; not linked to child profiles)
• Session tokens stored in browser cookies (for keeping you logged in)

We use the information we collect to:

• Provide and improve the Briveli service
• Run the adaptive learning engine (BKT) to personalize practice sessions
• Show parents progress reports and insights about their child's learning
• Process payments and manage subscriptions
• Send parents transactional emails (receipts, password resets)
• Detect and prevent fraud or abuse

We do not use your data to serve targeted advertising, build advertising profiles, or sell data to third parties.

We share data only with the following categories of service providers:

• Vercel (hosting and edge network): serves the application. Vercel processes request logs that may include IP addresses.
• Supabase (database and authentication, US-East-1): stores all account and practice data. Supabase is SOC 2 Type II certified.
• Stripe (payment processing): processes credit card transactions. Stripe is PCI DSS Level 1 compliant and handles all PCI compliance on our behalf. We never receive or store raw card numbers.
• Resend (transactional and bounce-handling email): delivers receipts, password resets, and other service emails to parents. Resend processes only the parent email address and the message body we send.
• Sentry (error monitoring): captures uncaught exceptions and performance traces so we can fix bugs quickly. We scrub child first names, parent emails, and other PII from URLs and breadcrumbs before they leave the browser (via a Sentry beforeSend hook), so error reports do not contain identifiable child information.
• Anthropic Claude API (AI hint and word-problem generation): when an AI feature runs, only the math problem context is sent to Anthropic — no child PII (no name, no profile metadata) is included in the prompt. You can turn this feature off in settings.
• Cloudflare (DNS, WAF, and email routing for briveli.com): provides DNS resolution, edge security, and forwards inbound mail for our domain. Cloudflare may process IP addresses and request metadata for security purposes.

We may disclose information if required by law or to protect the safety of users.

We retain your account data for as long as your account is active. Practice data for child profiles is retained to power the adaptive engine and progress history.

When you delete a child profile, all associated practice data is permanently deleted within 30 days. When you delete your parent account, all data (parent and child) is permanently deleted within 30 days.

You have the right to:

• Access the data we hold about you and your child profiles
• Correctinaccurate data (e.g., update a child's grade level)
• Delete a child profile or your entire account at any time from Settings → Privacy in your dashboard. Deletion is immediate and removes all family data; any active subscription is cancelled with Stripe.
• Exportyour data at any time from Settings → Privacy in your dashboard. You'll receive a JSON file containing every row we store about you and your children.
• Opt out of AI word problem generation in account settings

If you can't access your dashboard, or to exercise any other right, email privacy@briveli.com. California residents have additional rights under CCPA — the same dashboard tools and email address apply.

We use industry-standard security measures: all data is encrypted in transit (TLS 1.3) and at rest. Our database uses Row-Level Security policies so that each parent can only access their own family's data, even in the event of an application bug. Passwords are never stored; authentication is handled by Supabase Auth using bcrypt hashing.

No security system is perfect. If you believe you've discovered a security issue, please email security@briveli.com.

We use a single session cookie to keep you logged in. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. If you block all cookies, you won't be able to stay logged in.

If we make material changes to this policy, we'll notify you by email at least 30 days before the changes take effect. Continued use of Briveli after that date constitutes acceptance of the updated policy.

Questions, concerns, or data requests? Email us at privacy@briveli.com. We respond to all privacy inquiries within 5 business days.