Privacy
Privacy policy
QC+AI Studio stores only the learner, security, support, and operational data needed to run the public study experience. The tables below describe the app-controlled data classes, their lifetimes, and the exact first-party cookies currently used on the public deployment.
What the app stores
The public deployment stores only the data needed to run lessons, notes, quizzes, builder activity, project work, support intake, first-party local-account security, and browser performance telemetry for the public site. That can include an email address and password hash for local accounts, guest-linked learner activity, support-request details submitted by the user, and non-advertising browser metrics such as LCP or CLS.
Retention schedule
| Data class | What is stored | Retention | Removal trigger |
|---|---|---|---|
| Guest continuity cookies | Random guest identifier and CSRF token only. | 365 days from issuance or refresh. | Expires automatically or is replaced when the guest session is reset. |
| Guest-linked study activity | Notes, quiz attempts, builder runs, project drafts, progress, and analytics tied to a guest ID. | Up to 365 days. | Automatic retention cleanup removes stale guest records older than one year. |
| Local account sessions | Session token hash, CSRF token, and expiry metadata. | 30 days maximum or until logout. | Logout, session expiry, or startup cleanup for expired sessions. |
| Local account and learner records | Email, password hash, notes, quiz history, builder activity, projects, peer reviews, and learner profile data. | Until the user deletes the account or requests removal. | Delete-account flow removes the local account and the linked learner records in the live app. |
| Public web-vitals telemetry | Page path, metric name, metric value, connection type, and browser user-agent string. | 30 days. | Automatic retention cleanup removes older browser-performance samples. |
| Support requests | Name, email address, organization, message, page URL, request type, and user-agent string. | 540 days. | Automatic retention cleanup removes older support records after the review/support window closes. |
Provider-managed infrastructure logs may exist outside the app database. Those hosting-layer controls are not individually configured from this public web app surface, so the table above focuses only on app-controlled retention.
Cookie inventory
| Cookie | Purpose | Lifetime | Category | When it is set |
|---|---|---|---|---|
| qcai_guest_id | Keeps a guest learner on the same study path across lessons, builder, dashboard, and project surfaces. | 365 days | Strictly necessary | Set when a visitor opens a guest-supported study surface that needs continuity. |
| qcai_guest_csrf | Protects guest-side mutations against cross-site request forgery. | 365 days | Strictly necessary | Set alongside the guest continuity cookie when guest mutation protection is needed. |
| qcai_session_token | Maintains a first-party local account session after sign-in. | 30 days maximum | Strictly necessary | Set only after a successful local-account registration or login. |
| qcai_auth_csrf | Protects authenticated account mutations such as logout and delete-account. | 30 days maximum | Strictly necessary | Set alongside the local-account session cookie after sign-in. |
Current deployment status: the public site uses strictly necessary first-party cookies only.
How data is used
Stored learner activity is used to deliver progress tracking, adaptive-path recommendations, project review flows, builder/community surfaces, support follow-up, operational debugging, and abuse prevention. Browser telemetry is used to monitor page quality rather than to target ads or build cross-site marketing profiles.
Deletion and rights requests
Local-account deletion is available directly from the account page. That live flow removes the local account record, active sessions, and linked learner records stored under that account. Privacy or correction requests can also be sent through the support page or to na27@hood.edu.
Infrastructure and subprocessors
The public deployment runs on Google Cloud infrastructure for hosting, storage, and managed data services. Optional integrations may include Auth0 for federated sign-in and OpenAI or Pinecone for grounded AI features when those integrations are explicitly configured. Those services are not required for every public page view.
Lawful basis and rights where applicable
Where privacy laws require a lawful-basis explanation, the platform relies on the processing needed to provide the requested learning service, maintain platform security, respond to user-initiated support requests, and monitor public site quality. Depending on the applicable jurisdiction, learners may have rights to request access, correction, deletion, or additional information.
Education and minors
QC+AI Studio is written for advanced learners and is not designed as a children's entertainment service. It is best suited to higher-education, graduate, professional, or supervised advanced-secondary settings. Learners who are minors should use the platform only with appropriate school, institution, or guardian oversight.
Implementation notes
- The current public deployment does not rely on advertising cookies or third-party marketing trackers to deliver lessons.
- If a future deployment enables optional federated identity or AI integrations, those providers may set their own provider-managed cookies only during the user-initiated flow that needs them.
- Provider-managed infrastructure logs are controlled at the hosting layer and are not individually configurable from this public web app surface.
Contact
Privacy questions, rights requests, or data-handling concerns can be directed to na27@hood.edu. The public support and disclosure surfaces are also available on the support page, status page, and accessibility page.