Privacy Policy
Last updated: March 2026
1. Overview
This Privacy Policy explains how TeacherForge (“we”, “us”, “our”), operated at teacherforge.io, collects, uses, stores, and protects your personal information when you use our AI-powered exam generation service (“Service”).
We are committed to protecting your privacy and handling your data transparently. We collect only what is necessary to provide the Service and do not sell your personal information.
2. What We Collect
Information you provide
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account creation, login, verification, transactional emails | Until account deletion |
| Display name | Personalisation (optional; defaults to email prefix) | Until account deletion |
| Password | Authentication (stored as a salted PBKDF2-SHA256 hash — we never store or see your plaintext password) | Until account deletion |
Content you upload
| Data | Purpose | Retention |
|---|---|---|
| Uploaded PDF exams | Converted to images for AI analysis; used to generate new exam content | Deleted after generation completes |
| Generated exams (JSON, PDF, DOCX) | Stored so you can preview and re-download your exams | Until you delete them or your account |
Information collected automatically
| Data | Purpose | Retention |
|---|---|---|
| IP address | Anti-abuse protection (limiting signups per IP to prevent farming) | In-memory only; not persisted to disk; cleared on server restart |
| Device cookie | Anti-abuse protection (prevents repeated signups from the same browser) | 1 year (browser cookie) |
Information we do NOT collect
- We do not use analytics or tracking cookies (no Google Analytics, no Facebook Pixel, no similar services).
- We do not collect usage telemetry beyond what is described above.
- We do not build advertising profiles or share data with advertisers.
3. How We Use Your Data
We use your information to:
- Create and manage your account.
- Verify your email address.
- Process your uploaded exams through our AI pipeline and deliver generated content.
- Process payments (via Lemon Squeezy).
- Send transactional emails (verification codes, receipts).
- Prevent abuse and enforce usage limits.
- Respond to support requests.
- Comply with legal obligations.
We do not use your data for advertising, profiling, or any purpose unrelated to providing the Service.
4. Lawful Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation, email verification, exam generation | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Anti-abuse measures (IP tracking, device cookie) | Legitimate interest (Art. 6(1)(f)) — preventing fraud and abuse |
| Transactional emails | Performance of contract (Art. 6(1)(b)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
5. Third-Party Services
We share data with the following third-party service providers, solely to operate the Service:
AI Model Providers
What we send: Content from your uploaded PDF (converted to
images) and generated exam data (question text, answer keys).
Purpose: AI-powered exam generation, quality checking, and
content validation.
Note: We use third-party AI model providers based in the
United States. We select providers that offer commercial data processing
terms and do not use your data to train their models. Providers may change
as we improve the Service.
Lemon Squeezy
What they receive: Your email address and payment information
(entered directly on their checkout page — we never see or store your
card number).
Purpose: Payment processing, billing, tax/VAT collection as
Merchant of Record.
Privacy policy:
lemonsqueezy.com/privacy
Resend
What they receive: Your email address and email content.
Purpose: Delivering transactional emails (verification codes,
receipts).
Privacy policy:
resend.com/legal/privacy-policy
We do not sell, rent, or trade your personal information to any third party. Data is shared with the above providers only as necessary to deliver the Service.
6. Cookies and Local Storage
We use only functional cookies and browser storage. We do not use advertising, analytics, or tracking cookies.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| tf_device | HTTP cookie (httponly) | Anti-abuse — prevents repeated account creation from the same browser | 1 year |
| tf_token | localStorage | Authentication — stores your login session token (JWT) | 24 hours (token expiry) |
| tf_email, tf_name | localStorage | UI personalisation — shows your name in the navigation | Until you log out |
Because we use only strictly necessary/functional cookies, no cookie consent banner is required under GDPR. However, you can clear cookies and local storage at any time through your browser settings.
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Passwords are hashed using PBKDF2-SHA256 with 100,000 iterations and a random salt. We never store plaintext passwords.
- All data in transit is encrypted via HTTPS/TLS.
- Uploaded PDFs are deleted after processing completes.
- Authentication tokens expire after 24 hours.
- Access to production systems is restricted to authorised personnel.
No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security of your data.
8. Your Rights
For all users
Regardless of your location, you can:
- Request a copy of the personal data we hold about you.
- Request correction of inaccurate information.
- Request deletion of your account and associated data.
- Delete individual generated exams from your account.
Additional rights under GDPR (EEA and UK residents)
Under the General Data Protection Regulation, you also have the right to:
- Access (Art. 15) — obtain a copy of your personal data and information about how it is processed.
- Rectification (Art. 16) — correct inaccurate or incomplete personal data.
- Erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
- Restriction (Art. 18) — request that we limit processing of your data in certain circumstances.
- Portability (Art. 20) — receive your personal data in a structured, machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interests.
To exercise any of these rights, email us at . We will respond within 30 days.
Additional rights under CCPA (California residents)
Under the California Consumer Privacy Act, California residents have the right to:
- Know what personal information we collect, use, and disclose.
- Delete personal information we hold about you.
- Opt-out of sale — we do not sell your personal information, so this right is satisfied by default.
- Non-discrimination — we will not discriminate against you for exercising your privacy rights.
9. Data Retention
| Data type | Retention period |
|---|---|
| Account information (email, name, password hash) | Until you delete your account |
| Uploaded PDF files | Deleted immediately after generation completes |
| Generated exam files (JSON, PDF, DOCX) | Until you delete them or your account |
| IP addresses (anti-abuse) | In-memory only; not written to disk; cleared on server restart |
| Device cookie | 1 year (stored in your browser) |
| Payment records | Held by Lemon Squeezy per their retention policy |
When you delete your account, we remove your personal data and generated exams within 30 days, except where retention is required by law (for example, financial records for tax purposes).
10. International Data Transfers
Your data may be processed by our third-party AI providers (Anthropic and xAI), which operate in the United States. If you are located outside the United States, your data will be transferred internationally.
For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards provided by our service providers to ensure adequate protection of your personal data.
11. Children’s Privacy
TeacherForge is designed for adult educators. The Service is not directed at children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at .
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users by email without undue delay and, where required by law (such as GDPR Art. 33), notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the Service and updating the “Last updated” date at the top of this page. We encourage you to review this Policy periodically.
14. Contact
For any privacy-related questions, data requests, or concerns:
If you are in the EEA and are unsatisfied with how we handle your data, you have the right to lodge a complaint with your local data protection supervisory authority.