2.1 — Account Registration

When you create a Parent/Guardian Account, we collect:

• Full name (first and last name)
• Email address
• Password (stored in hashed form via Firebase Authentication — we never store plaintext passwords)
• Account type (parent/guardian)
• Location (city and state, voluntarily provided)

2.2 — Learner Account Information

When a parent or guardian creates a Learner Account for a minor, they provide:

• Display name or username (parents choose)
• Age or grade level (optional, for personalization)
• Avatar selection (system-generated, no photo upload required)
• Learner Access settings (which Platform sections the learner can access)

Important: Learner Accounts are created and managed exclusively by the associated parent or guardian. We do not collect personal information directly from children. All Learner Account data is provided and controlled by the parent. See Section 8 (Children's Privacy) for full COPPA compliance details.

2.3 — Profile Information

You may optionally provide additional profile information, including:

• Bio/description
• Profile avatar or photo
• Interests and subjects (e.g., "Math," "Science," "Arts")
• Homeschool approach (e.g., "Classical," "Montessori," "Unschooling")
• Social links (optional)
• Location (city, state — used for local event discovery and community matching)

2.4 — User-Generated Content

When you use the Platform's features, you may provide:

• Resource Library: Uploaded files, resource titles, descriptions, categories, tags, ratings, and comments
• Event Calendar: Event titles, descriptions, locations (including street addresses for in-person events), dates, times, virtual meeting links, capacity settings, and RSVP information
• Study Groups: Group names, descriptions, icons, colors, privacy settings, posts, comments, chat messages, and shared resources
• Marketplace: Product listings (titles, descriptions, images, pricing, shipping dimensions/weight, condition, category), purchase history, shipping addresses, and seller profile information
• Messaging: Messages sent through the Platform's notification and messaging system
• Reviews and Ratings: Star ratings and written reviews for resources and marketplace products

2.5 — Payment Information

When you subscribe to Premium or make Marketplace purchases, payment information is collected:

• Credit/debit card details — Processed and stored exclusively by Stripe, our PCI-DSS compliant payment processor. We never receive, process, or store your full card number, CVV, or expiration date.
• Billing address — Stored by Stripe for payment verification
• Transaction history — We store records of transactions (amounts, dates, product IDs, order status) in our database for order management and customer support
• Stripe Connect information (sellers only) — Sellers connect their Stripe accounts for payouts. Stripe collects additional identity and banking information directly under their own privacy policy.

2.6 — Shipping Information

When purchasing physical products through the Marketplace:

• Shipping address (street address, city, state, ZIP code)
• Recipient name
• Phone number (optional, for carrier delivery notifications)

This information is shared with the seller for order fulfillment and with Shippo for shipping label generation and tracking.

2.7 — Automatically Collected Information

When you access or use the Platform, we automatically collect:

• Device and browser information: Device type, OS, browser type/version, screen resolution, language
• Usage data: Pages visited, features accessed, time spent, click patterns, search queries, error logs
• Log data: IP address, access times, HTTP request details, user agent string

2.8 — Cookies and Local Storage

We use cookies and browser local storage for:

• Authentication tokens — To keep you logged in across sessions (managed by Firebase Authentication)
• Session management — To maintain your session state
• Theme preferences — To remember your display preferences (e.g., light/dark mode)
• Onboarding state — To track whether you've completed the onboarding flow

We do not use third-party advertising cookies or tracking pixels. We do not sell ad space on the Platform. We do not use cookies for behavioral advertising or cross-site tracking.

2.9 — Information from Third-Party Services

Firebase Authentication (Google Sign-In): If you sign in with Google, we receive your Google account display name, email address, profile photo URL, and unique identifier. We do not receive your Google account password.

Stripe: When you complete a payment, Stripe may share transaction confirmation (success/failure), last four digits of your payment method, Stripe customer ID, payout status (sellers), and dispute/chargeback notifications.

Shippo: Tracking numbers, carrier information, delivery status updates, and rate quotes.

3.1 — Providing and Operating the Platform

• Creating and managing your account
• Authenticating your identity when you sign in
• Displaying your profile to other users (as configured in your privacy settings)
• Enabling you to upload, share, and download resources
• Processing event creation, RSVPs, and Family RSVPs
• Facilitating study group creation, membership, posts, chat, and resource sharing
• Processing Marketplace listings, purchases, payments, shipping, and returns
• Delivering messages and notifications through the Platform
• Providing the Parent Dashboard and learner activity monitoring
• Managing Premium subscriptions and billing

3.2 — Improving the Platform

• Analyzing usage trends and patterns to improve features and user experience
• Identifying and fixing technical issues, bugs, and errors
• Monitoring Platform performance and reliability
• Understanding which features are most valuable to our community

3.3 — Safety, Security, and Content Moderation

• Detecting, preventing, and responding to fraud, abuse, and security incidents
• Enforcing our Terms of Service, Seller Terms, and Community Guidelines
• Moderating user-generated content (text validation and image moderation)
• Investigating reports of prohibited content or conduct
• Protecting the rights, property, and safety of our users and the public

3.4 — Communications

• Sending transactional emails (account verification, password resets, order confirmations, shipping updates) via Postmark
• Sending Platform notifications (RSVP confirmations, group invitations, new messages)
• Responding to your support requests and inquiries
• Notifying you of changes to our Terms, Privacy Policy, or Platform features

3.5 — Legal Compliance

• Complying with applicable laws, regulations, and legal processes
• Responding to lawful requests from government authorities and law enforcement
• Establishing, exercising, or defending legal claims

4.1 — With Other Users

Certain information is visible to other Platform users based on your activity:

• Profile: Display name, avatar, bio, interests, location (city/state), join date — as configured in your privacy settings
• Resource Library: Your display name and avatar appear on resources you upload, and on ratings/comments you leave
• Events: Your display name appears on events you create; RSVP status may be visible to the event organizer
• Study Groups: Your display name and avatar are visible to group members; your posts, comments, and chat messages are visible within the group
• Marketplace: Seller profile information (display name, response time, rating) is visible on listings; buyer names and shipping addresses are shared with sellers to fulfill orders

4.2 — With Service Providers

We share information with third-party service providers who perform services on our behalf:

• Firebase (Google) — Account credentials, user data, uploaded files, database records. Purpose: Authentication, Firestore database, Cloud Storage, Hosting, Cloud Functions
• Stripe — Payment method details, billing address, transaction amounts, seller identity/banking info. Purpose: Payment processing, subscription billing, seller payouts
• Shippo — Shipping addresses, package dimensions, weight, recipient name. Purpose: Shipping rate calculation, label generation, tracking
• Postmark — Email addresses, email content. Purpose: Transactional email delivery (welcome emails, order notifications, support)

Each service provider is contractually obligated to use your data only for the purpose of providing their service:

• Google Privacy Policy
• Stripe Privacy Policy
• Shippo Privacy Policy
• Postmark Privacy Policy

4.3 — For Legal Reasons

We may disclose your information if we believe in good faith that such disclosure is necessary to:

• Comply with a legal obligation, subpoena, court order, or governmental request
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing in connection with the Platform
• Protect the personal safety of users of the Platform or the public
• Protect against legal liability

4.4 — Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar business transaction, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform before your information becomes subject to a different privacy policy.

4.5 — Aggregated or De-identified Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you. For example, we may share statistics about the number of users, resources uploaded, or events created — but this data does not identify any individual.

5.1 — Where Your Data Is Stored

Your data is stored in the United States using the following infrastructure:

• Firebase Firestore — User accounts, profiles, resources metadata, events, groups, marketplace listings, messages, and all structured data
• Firebase Cloud Storage — Uploaded files (resource attachments, product images, profile avatars, group banners)
• Firebase Authentication — Hashed credentials and authentication tokens
• Stripe — Payment method data, billing information, and transaction records (stored on Stripe's PCI-DSS certified infrastructure)

5.2 — Security Measures

We employ industry-standard security measures to protect your information:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
• Encryption at rest: Data stored in Firebase is encrypted at rest using Google's default encryption
• Authentication security: Passwords are hashed and salted using Firebase Authentication's secure algorithms — we never store or have access to plaintext passwords
• Access controls: Platform data is protected by Firebase Security Rules that enforce role-based access (e.g., parents can only access their own data and their learners' data)
• Payment security: All payment data is handled by Stripe, which is PCI-DSS Level 1 certified — the highest level of payment security certification
• Content validation: User input is validated and sanitized on both client and server to prevent injection attacks, XSS, and other vulnerabilities
• Cloud Functions security: Sensitive operations (payment processing, data modifications, content moderation) are performed server-side in Firebase Cloud Functions, not in client-side code
• Image moderation: Uploaded images are automatically scanned for inappropriate content

5.3 — Security Limitations

While we implement commercially reasonable security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. If you become aware of a security breach or any unauthorized access to your account, please contact us immediately at support@rootsathome.com.

6.1 — Active Accounts

We retain your personal information for as long as your account is active. Specific retention periods:

• Account information: Duration of account existence
• Profile information: Duration of account existence
• User-generated content (resources, posts, comments, reviews): Until deleted by the user or removed by moderation
• Transaction records (orders, payments, subscriptions): 7 years after the transaction date (for tax and legal compliance)
• Messages: Duration of account existence, or until deleted by the user
• Server logs and analytics: 90 days (rolling)
• Content moderation records (reports, actions taken): 3 years after resolution
• Support correspondence: 3 years after the last communication

6.2 — Deleted Accounts

When you delete your account:

• Your profile and account credentials are permanently deleted
• Your personal information is removed from active databases within 30 days
• User-generated content that has been shared with or downloaded by other users may persist in an anonymized or de-identified form
• Transaction records are retained for 7 years as required for tax compliance, but are no longer associated with a personally identifiable account
• Backup copies may persist in our backup systems for up to 90 days before automatic deletion
• Data held by third-party service providers (Stripe, Shippo, Postmark) is subject to their respective retention policies

6.3 — Legal Holds

We may retain information beyond the standard retention periods if required by law, legal proceedings, government investigations, or to enforce our Terms of Service.

7.1 — Access and Portability

You have the right to:

• Access the personal information we hold about you
• Request a copy of your data in a portable, machine-readable format
• Review all data associated with your account through your account settings and Profile page

To request a data export, email support@rootsathome.com with the subject line "Data Access Request."

7.2 — Correction

You have the right to update or correct inaccurate personal information. You can update most information directly through your account settings; for other corrections, contact us at support@rootsathome.com.

7.3 — Deletion

You have the right to delete your account and personal information:

• Self-service deletion: Use the account deletion feature in your account settings
• Assisted deletion: Email support@rootsathome.com with the subject line "Account Deletion Request"

Upon receiving a deletion request, we will:

• Verify your identity
• Delete your account and personal information within 30 days
• Notify you when the deletion is complete

Note: Deletion of your Parent Account will also delete all associated Learner Accounts.

7.4 — Communication Preferences

• Transactional emails (order confirmations, password resets, security alerts) — Cannot be opted out of while your account is active, as they are necessary for Platform operation
• Platform notifications — Managed through your account notification settings
• Marketing emails — We do not currently send marketing emails. If we begin to in the future, you will be able to opt out at any time via an unsubscribe link

7.5 — Cookie Controls

• Block all cookies: Note that this may prevent you from logging in or using certain Platform features
• Delete cookies: You can clear cookies at any time through your browser settings
• Do Not Track: We currently do not respond to Do Not Track ("DNT") signals, as there is no industry-standard technology for recognizing DNT signals in all browsers

8.1 — Our Commitment

We are committed to protecting the privacy of children. The Platform is designed with COPPA (Children's Online Privacy Protection Act) compliance as a foundational principle.

8.2 — How We Handle Children's Data

• No direct collection from children: We do not knowingly collect personal information directly from children under the age of 13. All Learner Account information is provided by the parent or guardian through their Parent Account.
• Parent-controlled accounts: Learner Accounts are created, managed, and supervised by the associated parent or guardian. Parents determine which Platform sections their learners can access via the Learner Access controls.
• Minimal data collection: Learner Accounts collect only a display name/username (chosen by the parent), an avatar (system-generated), and activity data (visible to the parent via the Parent Dashboard).
• No tracking or advertising for children: We do not display targeted advertising to any users, and we do not track children for advertising purposes.
• No third-party data sharing for children: We do not share Learner Account data with third parties except as necessary to provide the Platform's services (e.g., Firebase for data storage).

8.3 — Parental Rights Under COPPA

Parents and guardians have the following rights regarding their children's information:

• Review: Parents can review all information associated with their child's Learner Account at any time through the Parent Dashboard and account settings
• Edit: Parents can modify their child's display name, avatar, Learner Access settings, and other account information at any time
• Delete: Parents can delete their child's Learner Account at any time, which will permanently remove all associated data
• Revoke consent: Parents can revoke their consent for the collection and use of their child's information by deleting the Learner Account
• Restrict access: Parents can modify Learner Access controls to restrict which Platform sections their child can access

8.4 — Verifiable Parental Consent

• Only authenticated Parent Account holders (verified to be 18+) can create Learner Accounts
• The act of creating a Learner Account constitutes verifiable parental consent under COPPA
• Parents must actively configure Learner Access controls during account setup, demonstrating informed consent

8.5 — Reporting Concerns

If you believe we have inadvertently collected personal information from a child under 13 without verifiable parental consent, please contact us immediately at support@rootsathome.com. We will promptly investigate and delete any such information.

9.1 — California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share your information.
• Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale: We do not sell your personal information. If this practice ever changes, we will provide a "Do Not Sell My Personal Information" link.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your California privacy rights, email support@rootsathome.com with the subject line "CCPA Request." We will verify your identity before processing your request and respond within 45 days.

9.2 — Virginia Residents (VCDPA)

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) provides you with:

• Right to access, correct, and delete your personal data
• Right to data portability
• Right to opt out of targeted advertising, sale of personal data, and profiling
• Right to appeal our decision regarding your data rights request

9.3 — Colorado Residents (CPA)

If you are a Colorado resident, the Colorado Privacy Act (CPA) provides you with similar rights to those described under CCPA and VCDPA, including access, correction, deletion, portability, and opt-out rights.

9.4 — Connecticut Residents (CTDPA)

If you are a Connecticut resident, the Connecticut Data Privacy Act (CTDPA) provides similar protections, including the right to access, correct, delete, and obtain a copy of your personal data.

9.5 — Other States

Privacy laws are evolving across the United States. If your state has enacted a consumer privacy law that grants you specific rights, we will honor those rights to the extent required by applicable law. Contact us at support@rootsathome.com to exercise any state-specific privacy rights.

12.1 — Automated Content Screening

We use automated systems to screen user-generated content for:

• Inappropriate text: Automated text validation checks for profanity, hate speech, harassment, and other prohibited content
• Inappropriate images: Automated image moderation scans uploaded images for adult, violent, or otherwise inappropriate visual content

These automated systems may process your User Content in real-time when you upload, post, or share content. Content flagged by our automated systems may be blocked from posting or flagged for manual review.

12.2 — User Reporting

Other users may report your content or profile if they believe it violates our Terms of Service. Reported content is reviewed by our team. We maintain records of reports and their resolutions.

12.3 — No Automated Decision-Making with Legal Effects

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Content moderation decisions are subject to human review and appeal.