Privacy Policy
Last updated: March 2026
1. Overview
This Privacy Policy explains how TeacherForge (“we”, “us”, “our”), operated at teacherforge.io, collects, uses, stores, and protects your personal information when you use our AI-powered teaching material generation service (“Service”).
We are committed to protecting your privacy and handling your data transparently. We collect only what is necessary to provide the Service and do not sell your personal information.
2. What We Collect
Information you provide
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account creation, login, verification, transactional emails | Until account deletion |
| Display name | Personalisation (optional; defaults to email prefix) | Until account deletion |
| Password | Authentication (stored as a bcrypt hash with random salt — we never store or see your plaintext password) | Until account deletion |
| Passkey credential (optional) | Passwordless authentication via WebAuthn — we store a credential ID and public key, never biometric data | Until account deletion |
| Google account link (optional) | Google OAuth sign-in — we store your Google user ID and email | Until account deletion |
Content you create
| Data | Purpose | Retention |
|---|---|---|
| Configuration choices (topics, grammar targets, level, etc.) | Sent to AI providers to generate your materials; saved in templates for re-use | Until you delete them or delete your account |
| Generated materials (JSON, PDF, DOCX) | Stored so you can preview and re-download your materials | Until you delete them or delete your account |
Information collected automatically
| Data | Purpose | Retention |
|---|---|---|
| IP address | Anti-abuse protection (limiting signups per IP to prevent farming) | 24 hours (database); pruned automatically |
| Device cookie | Anti-abuse protection (prevents repeated signups from the same browser) | 1 year (browser cookie) |
Information we do NOT collect
- We do not use analytics or tracking cookies (no Google Analytics, no Facebook Pixel, no similar services).
- We do not collect usage telemetry beyond what is described above.
- We do not build advertising profiles or share data with advertisers.
3. How We Use Your Data
We use your information to:
- Create and manage your account.
- Verify your email address.
- Generate teaching materials through our AI pipeline and deliver the results.
- Process payments (via Lemon Squeezy).
- Send transactional emails (verification codes, receipts).
- Prevent abuse and enforce usage limits.
- Respond to support requests.
- Comply with legal obligations.
We do not use your data for advertising, profiling, or any purpose unrelated to providing the Service.
4. Lawful Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Account creation, email verification, material generation | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Anti-abuse measures (IP tracking, device cookie) | Legitimate interest (Art. 6(1)(f)) — preventing fraud and abuse |
| Transactional emails | Performance of contract (Art. 6(1)(b)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
5. Third-Party Services
We share data with the following third-party service providers, solely to operate the Service:
AI Model Providers
What we send: Your configuration choices and generated material data (question text, answer keys).
Purpose: AI-powered content generation, quality checking, and auto-correction.
Note: We use third-party AI model providers based in the United States. We select providers that offer commercial data processing terms and do not use your data to train their models. We may change providers or route requests across multiple providers as we improve the Service.
Lemon Squeezy
What they receive: Your email address and payment information (entered directly on their checkout page — we never see or store your card number).
Purpose: Payment processing, billing, tax/VAT collection as Merchant of Record.
Privacy policy: lemonsqueezy.com/privacy
Resend
What they receive: Your email address and email content.
Purpose: Delivering transactional emails (verification codes, receipts). Resend processes data in the United States.
Privacy policy: resend.com/legal/privacy-policy
Google (optional sign-in)
What they share with us: Your Google email address and display name, if you choose to sign in with Google.
Purpose: Account creation and authentication via Google OAuth.
Privacy policy: policies.google.com/privacy
We do not sell, rent, or trade your personal information to any third party. Data is shared with the above providers only as necessary to deliver the Service.
6. Cookies and Local Storage
We use only functional cookies and browser storage. We do not use advertising, analytics, or tracking cookies.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| tf_device | HTTP cookie (httponly) | Anti-abuse — prevents repeated account creation from the same browser | 1 year |
| tf_session | HTTP cookie (httponly, secure) | Authentication — stores your login session token (JWT) | 7 days (token expiry) |
Because we use only strictly necessary/functional cookies, no cookie consent banner is required under GDPR. However, you can clear cookies and local storage at any time through your browser settings.
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Passwords are hashed using bcrypt with a random salt. We never store plaintext passwords.
- All data in transit is encrypted via HTTPS/TLS.
- Generated files are stored securely and deletable at any time.
- Authentication tokens expire after 7 days.
- Access to production systems is restricted to authorised personnel.
No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security of your data.
8. Your Rights
For all users
Regardless of your location, you can:
- Request a copy of the personal data we hold about you.
- Request correction of inaccurate information.
- Request deletion of your account and associated data.
- Delete individual generated materials from your account.
Additional rights under GDPR (EEA and UK residents)
Under the General Data Protection Regulation, you also have the right to:
- Access (Art. 15) — obtain a copy of your personal data and information about how it is processed.
- Rectification (Art. 16) — correct inaccurate or incomplete personal data.
- Erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
- Restriction (Art. 18) — request that we limit processing of your data in certain circumstances.
- Portability (Art. 20) — receive your personal data in a structured, machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interests.
To exercise any of these rights, email us at . We will respond within 30 days.
Additional rights under CCPA (California residents)
Under the California Consumer Privacy Act, California residents have the right to:
- Know what personal information we collect, use, and disclose.
- Delete personal information we hold about you.
- Opt-out of sale — we do not sell your personal information, so this right is satisfied by default.
- Non-discrimination — we will not discriminate against you for exercising your privacy rights.
9. Data Retention
| Data type | Retention period |
|---|---|
| Account information (email, name, password hash) | Until you delete your account |
| Generated material files (JSON, PDF, DOCX) | Until you delete them or delete your account |
| IP addresses (anti-abuse) | 24 hours (database); pruned automatically |
| Device cookie | 1 year (stored in your browser) |
| Payment records | Held by Lemon Squeezy per their retention policy |
When you delete your account, we remove your personal data and generated materials within 30 days, except where retention is required by law (for example, financial records for tax purposes).
10. International Data Transfers
Your data may be processed by our third-party AI providers, which operate in the United States. If you are located outside the United States, your data will be transferred internationally.
For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards provided by our service providers to ensure adequate protection of your personal data.
11. Children’s Privacy
TeacherForge is designed for adult educators. The Service is not directed at children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at .
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users by email without undue delay and, where required by law (such as GDPR Art. 33), notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the Service and updating the “Last updated” date at the top of this page. We encourage you to review this Policy periodically.
14. Contact
For any privacy-related questions, data requests, or concerns:
If you are in the EEA and are unsatisfied with how we handle your data, you have the right to lodge a complaint with your local data protection supervisory authority.