PRIVACY POLICY

Scholars Beacon LLC, doing business as Crackd

Last updated: April 27, 2026

This privacy notice for Scholars Beacon LLC, doing business as Crackd ("we," "us," or "our"), describes how and why we collect, store, use, and/or share your information when you use our services ("Services"), including when you visit our website at https://crackd.it, use our SAT preparation platform, interact with our AI tutoring features, or engage with us in other related ways.

If you have questions or concerns about this privacy notice, please contact us at getcrackd@gmail.com.

1. WHAT INFORMATION DO WE COLLECT?

Personal Information You Provide.

We collect personal information that you voluntarily provide when you register on the Services, use our platform features, or contact us. This may include:

• Names and email addresses
• Account credentials and authentication data
• Billing addresses and payment information (processed and stored by Stripe)
• Contact preferences

Student Data.

When you use our SAT preparation features, we collect educational data including:

• Practice test responses, scores, and performance metrics
• AI tutor conversation history (interactions with Prof. Coco)
• Audio recordings from voice tutoring sessions, retained as part of the conversation history
• Mastery rankings, progress data, and learning analytics
• Score report screenshots submitted for verification
• Study preferences and adaptive learning algorithm data

Information Automatically Collected.

When you visit or use the Services, we automatically collect certain technical information including your IP address, browser and device characteristics, operating system, referring URLs, and usage data such as pages viewed and features used. This information is used to maintain the security and operation of the Services and for internal analytics.

2. HOW DO WE USE YOUR INFORMATION?

We process your personal information for the following purposes:

• To provide and deliver the SAT preparation services you requested, including AI-powered tutoring, adaptive practice, and performance analytics
• To create and manage your account
• To personalize your learning experience using our adaptive algorithms and mastery ranking system
• To respond to your inquiries and provide customer support
• To send you service-related communications (not marketing)
• To maintain the security, integrity, and performance of the Services
• To comply with legal obligations

What we do NOT do with your information:

• We do not sell your personal information or student data to any third party
• We do not use student data for targeted advertising
• We do not build commercial or non-educational profiles of students
• We do not disclose student information except as described in this policy or as required by law

3. AI-POWERED FEATURES AND THIRD-PARTY AI PROVIDERS

Crackd uses artificial intelligence to power its tutoring, practice problem generation, and adaptive learning features. This section explains how AI is used and how your data is handled in that context.

How AI Is Used in Our Services.

Our AI tutor (Prof. Coco) uses large language models to provide personalized SAT preparation assistance, generate practice problems, explain solutions, and adapt to your learning needs. When you interact with the AI tutor, your messages, practice responses, and relevant context are sent to our AI providers for processing.

Third-Party AI Providers.

We use AI models from the following third-party providers to deliver our Services:

• Anthropic (Claude API)
• OpenAI (GPT API)
• Google (Gemini API, paid tier)

Data Handling by AI Providers.

All three providers are accessed exclusively under their commercial API terms, which contractually prohibit the use of customer data for model training. Specifically:

• Anthropic does not use API data for training and retains API logs for no more than 7 days by default under commercial terms.
• OpenAI does not train on API inputs or outputs by default under their business and API terms.
• Google Gemini API on the paid tier does not use customer data for model training and handles it under a data processing addendum.

Data Minimization.

We minimize the personal information sent to AI providers. Where possible, we use opaque user identifiers rather than real names or email addresses when processing AI requests.

Feedback and Improvement.

We may collect your feedback signals (such as thumbs up/down ratings) on AI-generated content to improve the quality of our Services. This feedback is used internally by Crackd to refine our prompts and service delivery; it is not shared with AI providers for their model training purposes.

4. STUDENT DATA PRIVACY AND EDUCATIONAL RECORDS

Crackd is designed and marketed for educational purposes, specifically SAT preparation for high school students. We are committed to protecting student data and complying with applicable student privacy laws.

Children Under 13.

We do not knowingly collect personal information from children under the age of 13. The Services require users to be at least 13 years of age. If a parent or guardian believes their child under 13 has provided us with personal information, please contact us at getcrackd@gmail.com and we will delete it.

When Crackd Is Used Under a School District Contract.

When a school district or educational institution contracts with us to provide Crackd to their students, additional protections apply to the student data collected under that contract:

• Student data collected under a district contract is not owned by Crackd. Student-generated content (including AI tutor conversations, voice recordings, practice responses, and other work product) is the property of the student or their parent/legal guardian.
• We will not use student data collected under a district contract for any purpose other than providing and improving the contracted educational services.
• We will delete student data upon request by the student, parent/guardian, or the contracting educational institution, in accordance with applicable law and the terms of the contract.
• We will notify the contracting educational institution of any data breach involving student records without unreasonable delay, and in no event later than sixty (60) days after discovery, or sooner if required by applicable state law.
• We will not use student data collected under district contracts to train or improve AI models, whether our own or those of third parties.

Compliance with Student Privacy Laws.

We are committed to complying with applicable student data privacy laws, including:

• Family Educational Rights and Privacy Act (FERPA)
• Connecticut Student Data Privacy Act (§§ 10-234aa through 10-234dd)
• California Student Online Personal Information Protection Act (SOPIPA)
• Other applicable state student data privacy laws

Where a district-specific Data Processing Agreement (DPA) or Student Data Privacy Addendum is executed between Crackd and an educational institution, the terms of that agreement will govern the handling of student data and will take precedence over this general privacy policy to the extent of any conflict.

5. WHEN AND WITH WHOM DO WE SHARE YOUR INFORMATION?

We share data with third-party service providers ("subprocessors") who perform services on our behalf, including AI model providers, database and cloud infrastructure providers, payment processing, video hosting, and email delivery. A complete and current list of our subprocessors, including their purpose, data categories, and links to their privacy terms, is maintained at crackd.it/subprocessors. We will notify contracting educational institutions at least 30 days before adding or changing any subprocessor that handles student data.

Analytics and Marketing Services.

We use analytics and conversion-tracking services (such as Google Analytics 4, Google Ads, Meta Pixel, and Reddit Pixel) on our public marketing pages and checkout confirmation page only. These services are not loaded on authenticated student application pages and do not receive student educational data, including practice responses, AI tutor conversations, or progress records. Google Analytics is configured with Google Signals, Ads Personalization, and account-level data sharing disabled, and event retention set to two months. Student data under district contracts is excluded from analytics and marketing services entirely.

Business Transfers.

We may share or transfer your information in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business. In the event of such a transaction involving student data, we will ensure that the acquiring entity is bound by obligations no less protective than those in this policy and any applicable district contracts.

Legal Requirements.

We may disclose your information where required by law, subpoena, court order, or governmental regulation, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. HOW LONG DO WE KEEP YOUR INFORMATION?

We retain your personal information only for as long as necessary to fulfill the purposes described in this privacy notice, unless a longer retention period is required by law.

General Users (Direct Signup).

Account data and associated educational data are retained while your account is active and for up to twelve (12) months after account termination. After this period, data is deleted or anonymized.

District-Contracted Students.

Student data collected under a district contract is retained for the duration of the contract. Upon contract termination or expiration, or upon request by the district, student, or parent/guardian, we will delete or return all student data within a reasonable timeframe as specified in the applicable Data Processing Agreement, and in no event later than sixty (60) days after the request or contract end date.

AI Provider Retention.

Data sent to our AI providers for processing is subject to their respective retention policies under their commercial API terms. As of the date of this policy, Anthropic retains API logs for up to 7 days, OpenAI retains for up to 30 days, and Google Gemini (paid tier) handles data under its data processing addendum. These providers do not use Crackd’s data for model training.

Backups.

Data may persist in encrypted backup systems for a limited period after deletion from active databases. Backups are encrypted at rest and access is restricted. Backup data is automatically purged according to our retention schedule.

7. HOW DO WE KEEP YOUR INFORMATION SAFE?

We implement appropriate technical and organizational security measures designed to protect the security of your personal information. These measures include:

Encryption in Transit.

All data transmitted between your browser and our servers, between our servers and our database, and between our servers and third-party AI providers is encrypted using TLS 1.2 or higher. Our TLS configuration is regularly tested against industry standards.

Encryption at Rest.

All data stored in our database (MongoDB Atlas) is encrypted at rest using AES-256 encryption. Database backups are also encrypted. Application server storage uses encrypted volumes (AWS EBS with AES-256).

Access Controls.

Access to production systems and student data is restricted to authorized personnel using role-based access controls and multi-factor authentication. Administrative actions are logged.

Secrets Management.

API keys, database credentials, and other sensitive configuration values are stored in encrypted secrets management systems, not in source code or unprotected configuration files.

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.

8. WHAT ARE YOUR PRIVACY RIGHTS?

All Users.

Depending on your location, you may have the following rights regarding your personal information:

• The right to access the personal information we hold about you
• The right to request correction of inaccurate personal information
• The right to request deletion of your personal information
• The right to withdraw consent to processing, where applicable
• The right to opt out of marketing communications
• The right to data portability, where applicable

To exercise any of these rights, please contact us at getcrackd@gmail.com. We will respond to your request in accordance with applicable law.

Parents and Guardians.

Parents and legal guardians of student users have the right to review their child’s personal information, request corrections, and request deletion. These rights may be exercised by contacting us directly or, where applicable, through the student’s school district.

Students in District-Contracted Accounts.

Students whose accounts are provisioned through a school district contract may exercise their rights directly or through their parent/guardian or school district. Student-generated content created through the Services is the property of the student or their parent/guardian.

9. UNITED STATES STATE-SPECIFIC RIGHTS

California Residents.

If you are a California resident, the California Consumer Privacy Act (CCPA/CPRA) provides you with specific rights regarding your personal information, including the right to know, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at getcrackd@gmail.com.

California residents under 18 with a registered account may request removal of publicly posted content by contacting us at the email above.

Connecticut Residents.

If you are a Connecticut resident, the Connecticut Data Privacy Act (CTDPA) provides you with rights including the right to access, correct, delete, and obtain a copy of your personal data, and the right to opt out of targeted advertising and the sale of personal data. We do not sell personal data or engage in targeted advertising. To exercise your rights, contact us at getcrackd@gmail.com.

Other State Privacy Laws.

We are committed to complying with applicable state privacy laws, including those of Virginia (VCDPA), Colorado (CPA), and other states that have enacted consumer data privacy legislation. Residents of these states may exercise their applicable rights by contacting us at getcrackd@gmail.com.

10. DATA BREACH NOTIFICATION

In the event of a data breach involving student records or personal information, we will:

• Notify affected contracting educational institutions without unreasonable delay, and in no event later than sixty (60) days after discovery of the breach, or sooner if required by applicable law
• Notify affected individuals as required by applicable state breach notification laws
• Cooperate with educational institutions and regulatory authorities in investigating and remediating the breach
• Take prompt steps to contain the breach and prevent further unauthorized access

11. DO-NOT-TRACK SIGNALS

Most web browsers include a Do-Not-Track ("DNT") feature. Because no uniform technology standard for recognizing DNT signals has been finalized, we do not currently respond to DNT browser signals. If a standard is adopted that we must follow, we will inform you in a revised version of this privacy notice.

12. UPDATES TO THIS NOTICE

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Last updated" date. If we make material changes, we will notify you by prominently posting a notice on our website or by sending you a direct notification. We will notify contracting educational institutions of material changes to this policy at least thirty (30) days before the changes take effect.

13. SUBPROCESSOR LIST

A current list of third-party subprocessors that may process personal information or student data on our behalf is maintained at crackd.it/subprocessors. This list includes each subprocessor’s name, purpose, data categories, and a link to their privacy terms or data processing agreement. Material changes to the subprocessor list will also be reflected in our Privacy Policy revision history.

14. CONTACT US

If you have questions or comments about this privacy notice, our data practices, or would like to exercise your privacy rights, you may contact us at:

Scholars Beacon LLC

11040 Bollinger Canyon Road, Suite E 917

San Ramon, CA 94582

United States

Email: scholarsbeacon@gmail.com

Phone: (925) 413-1523

If you are a parent, guardian, student, or school administrator with questions about how student data is handled, we encourage you to contact us directly. We are committed to transparency and will work with you to address any concerns.