Privacy Policy

effective date: April 28, 2026

Introduction

1600Lab (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what data we collect, how we collect it, why we collect it, who we share it with, and your rights as a user. We wrote this in plain English on purpose — no legal jargon.

What Data We Collect

We collect the following categories of personal information:

  • Identifiers: your email address, name, and account ID provided when you create an account via Clerk.
  • Self-reported age: a numeric age you provide during the age verification step at account creation. We do not independently verify this age with documents.
  • Internet or other electronic network activity: your practice history — which questions you answered, whether each was correct, which subtopics you practiced, and when.
  • AI coach messages: if you use the AI coach feature, the text messages you send in that conversation are processed in real time to generate a response. See the “Who We Share It With” section for details on how these messages are handled.
  • Commercial information: subscription status and billing records (processed by our payment provider; we do not store card numbers).
  • Referral data: if you generate a referral code, we store your account ID and email address linked to that code. If you redeem a referral code, we permanently record the association between your account and the referrer's account. This record cannot be deleted because it is the basis for the access benefit granted.
  • Leaderboard data: your chosen display name, total XP, and streak count are published on the public leaderboard, which is readable by anyone — including unauthenticated visitors — without signing in. Do not use your real name as your display name if you prefer not to appear publicly.
  • Inferences drawn from personal information: your XP, streaks, accuracy rates, level, and performance trends derived from your practice activity.

We do not collect sensitive personal information such as Social Security numbers, financial account credentials, precise geolocation, health data, or biometric data.

How We Collect It

We collect data through two primary systems:

  • Clerk — handles authentication (sign-in, sign-up) and stores your email, name, and age verification status securely on their infrastructure.
  • Supabase — our database provider, where your practice history, progress data, referral records, and leaderboard entry are stored. Supabase operates servers primarily in the United States.

Why We Collect It

The legal basis for processing your data is performance of a contract (providing the service you signed up for) and legitimate interests (improving question quality). We use your data to:

  • Run the app and display your personal progress
  • Personalize practice sessions based on your performance history
  • Track your streaks, XP, and accuracy over time
  • Display your ranking on the public leaderboard (display name, XP, streak)
  • Operate the referral program and grant access benefits
  • Improve overall question quality based on aggregate (not individual) performance patterns
  • Send important service communications (account changes, policy updates)

Who We Share It With

We share limited data with these service providers solely to operate the platform. None of them receive your personal data for advertising, and we do not share your data with data brokers.

  • Clerk — authentication provider. Receives your email, name, and age to manage your account. Clerk Privacy Policy
  • Supabase — database provider. Stores your practice history, progress data, referral records, and leaderboard entry in the United States. Supabase Privacy Policy
  • Vercel — hosting infrastructure. Processes all web traffic and retains standard server logs (IP address, request metadata) per their policy. Does not receive your practice data. Vercel Privacy Policy
  • Anthropic — AI provider used to generate reading/writing practice questions and to power the AI coach. For question generation, we send only practice parameters (subtopic, difficulty level). For the AI coach, the text messages you type in the coach chat are sent to Anthropic to generate a response. Do not include sensitive personal information in coach messages. Anthropic Privacy Policy
  • OpenAI — AI provider used to generate math practice questions. We send only practice parameters — no personal data is sent to OpenAI. OpenAI Privacy Policy
  • Lemon Squeezy — our payment processor for Elite subscriptions. Lemon Squeezy collects your payment information (card details, billing address) directly. We do not receive or store your card number. Lemon Squeezy Privacy Policy
  • Wolfram Alpha — used to verify math answer correctness. We send only the mathematical expression being checked — no personal data is transmitted. Wolfram Alpha Privacy Policy
  • Desmos — graphing calculator embedded within certain math questions. The Desmos JavaScript library runs in your browser. Desmos may receive technical usage data per their own policy. We do not send your personal data to Desmos. Desmos Privacy Policy

We do not sell your personal data to any third party. We do not share personal information with data brokers. We never have and we never will.

Leaderboard and Public Data

The leaderboard is publicly visible without login. Your display name, total XP, and streak are shown to all visitors. This data is not linked to your email address on the leaderboard view, but choosing a display name that identifies you (such as your real name or a username you use elsewhere) may allow others to associate the entry with you.

To remove yourself from the leaderboard or change your display name, contact us at 1600lab@gmail.com. We will process your request within 30 days.

How Long We Keep It

We retain your data for as long as your account is active. If you delete your account, we will delete all associated personal data within 30 days, with the following exception: referral redemption records that form the basis of an access benefit already granted may be retained in anonymized or pseudonymized form for program integrity purposes.

Aggregate, anonymized data (not linked to your identity) may be retained indefinitely for product improvement purposes.

Data Breach Notification

In the event of a security breach that compromises personal data, we will:

  • Notify affected users via the email address associated with their account without undue delay, and no later than 72 hours after becoming aware of the breach where feasible
  • Notify the relevant supervisory authority (including Brazil's ANPD and EU supervisory authorities where applicable) within the timeframes required by applicable law
  • Describe in the notification the nature of the breach, the data affected, the likely consequences, and the measures we are taking to address it

If you believe your account has been compromised, contact us immediately at 1600lab@gmail.com.

Your Rights

  • Right to access: you can request a copy of the personal data we hold about you
  • Right to delete: you can request deletion of your account and all associated personal data at any time
  • Right to correct: you can request correction of inaccurate personal data we hold about you
  • Right to data portability: you can request your practice data in a machine-readable format
  • Right to opt out of sale or sharing: we do not sell or share your data. There is nothing to opt out of, but you may submit a request to confirm this at any time.

To exercise any of these rights, email us at 1600lab@gmail.com. We will respond within 30 days. We do not charge a fee for handling these requests.

California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know: you may request disclosure of the specific pieces and categories of personal information we have collected about you, including the categories of sources, purposes for collection, and categories of third parties with whom we share it
  • Right to delete: you may request deletion of personal information we hold about you, subject to certain legal exceptions
  • Right to correct: you may request correction of inaccurate personal information
  • Right to opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of, but we state this explicitly as required by California law.
  • Right to limit use of sensitive personal information: we do not collect sensitive personal information as defined by the CPRA.
  • Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.

The categories of personal information we have collected in the past 12 months are: Identifiers, Internet or other electronic network activity information, and inferences drawn from personal information. We have not sold or shared any personal information in the past 12 months.

To submit a California privacy request, email 1600lab@gmail.com with the subject line “California Privacy Request.” We will respond within 45 days as required by law.

International Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following applies to you under the General Data Protection Regulation (GDPR) or applicable data protection laws:

  • Legal basis for processing: we process your data based on contractual necessity (to provide the service), legitimate interests (improving question quality), and your consent where applicable
  • Right of access (Art. 15 GDPR): you may request a copy of your personal data
  • Right to rectification (Art. 16 GDPR): you may request correction of inaccurate data
  • Right to erasure (Art. 17 GDPR): you may request deletion of your personal data
  • Right to restrict processing (Art. 18 GDPR): you may request that we limit how we process your data
  • Right to data portability (Art. 20 GDPR): you may request your data in a portable format
  • Right to object (Art. 21 GDPR): you may object to processing based on legitimate interests

Data may be transferred to and processed in the United States, which may not offer the same level of data protection as your home country. We rely on standard contractual clauses and the privacy practices of our sub-processors (listed above) to safeguard international transfers. To exercise your GDPR rights, email 1600lab@gmail.com.

Brazilian Users (LGPD)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD — Law 13,709/2018) applies to the processing of your personal data. The following provisions apply to you in addition to the rights described elsewhere in this policy.

Legal bases for processing (Art. 7 LGPD): we process your personal data under the following legal bases:

  • Execution of a contract or preliminary procedures (Art. 7, V) — to provide you the service you signed up for
  • Legitimate interests of the controller (Art. 7, IX) — to improve question quality based on aggregate performance data, provided such interests do not override your fundamental rights
  • Consent (Art. 7, I) — where indicated at the time of collection for optional features

Your rights under LGPD (Art. 18):

  • Confirmation of processing: you may confirm whether we process your personal data
  • Access: you may request access to your personal data
  • Correction: you may request correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion: you may request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
  • Portability: you may request portability of your data to another service provider
  • Deletion of consent-based data: you may request deletion of data processed on the basis of your consent
  • Information about sharing: you may request information about which public and private entities we share your data with
  • Information about the possibility of not consenting: you may request information about the consequences of not providing consent
  • Revocation of consent: you may revoke previously given consent at any time, free of charge

International data transfer: your data is stored and processed in the United States by our sub-processors (Clerk, Supabase, Vercel). These transfers are made to countries and providers that offer an adequate level of protection or are governed by contractual guarantees consistent with LGPD Art. 33.

Data Protection Officer (Encarregado): for LGPD matters, our designated contact is reachable at 1600lab@gmail.com with the subject line “LGPD — Proteção de Dados.” We will respond within 15 days. You also have the right to file a complaint with Brazil's national supervisory authority, the Autoridade Nacional de Proteção de Dados (ANPD), at www.gov.br/anpd.

Children's Privacy

1600Lab is designed for students aged 13 and older. We collect your self-reported age at account creation. We do not independently verify this age with identity documents. If the age you provide indicates you are under 13, your account and all associated data are deleted immediately per our COPPA obligations.

If you believe a child under 13 has provided us personal information, contact us at 1600lab@gmail.com and we will delete it promptly.

Cookies & Tracking

We use only functional cookies — cookies that are strictly necessary to operate the service. Specifically:

  • Authentication session cookies — set by Clerk to keep you signed in. These expire when you sign out or after a defined session period.
  • Preference storage — we store your color mode preference (dark/light) in localStorage, not cookies. This data never leaves your device.

We do not use advertising cookies, tracking pixels, analytics cookies, or any third-party behavioral tracking. We do not use Google Analytics, Meta Pixel, or any similar tracking technology. No cookie syncing or cross-site tracking occurs on 1600Lab.

Do Not Track

Some browsers send a “Do Not Track” (DNT) signal. Because we do not engage in behavioral tracking or cross-site data collection, our practices are consistent with DNT preferences regardless of whether your browser sends this signal. No action on your part is needed.

Data Security

We implement industry-standard safeguards to protect your data:

  • All data in transit is encrypted via TLS (HTTPS)
  • Database access is restricted by row-level security policies — your data is only accessible to you and authorized service operations
  • API keys and credentials are stored as environment secrets, never in client-side code
  • Rate limiting is applied to all write endpoints to prevent abuse

No system is 100% secure. See the “Data Breach Notification” section above for how we handle security incidents.

Changes to This Policy

We may update this policy as the service evolves. We will notify users of significant changes via email at least 14 days before they take effect. Continued use of the app after changes constitutes acceptance of the updated policy. The effective date at the top of this page will always reflect the most recent version.

Contact Us

Questions about this policy or your data? Email us at 1600lab@gmail.com.