Privacy Policy

Last updated: June 15, 2026

This Privacy Policy explains what information Scaffold (“we”, “us”) collects, how we use it, and the choices you have. It applies to the Scaffold website, applications, and AI features.

1. Information we collect

  • Account information: name, email address, a hashed password, and the role assigned to your account (learner or admin).
  • Subscription information: tier, status, and billing identifiers returned to us by Stripe (e.g. customer and subscription IDs, period end). We do not store payment-card numbers.
  • Session data: session identifiers, creation and last-used timestamps, and the IP address associated with login attempts. We also keep an audit log of failed login attempts to detect abuse.
  • Learning data: lessons completed, quiz attempts and scores, certificates issued, notes you write, and your current resume position.
  • AI tutor prompts and responses: the question text you submit to the AI tutor, the response generated by the model, the course and lesson context, the model name, and timestamps. See section 3.
  • Operational logs: standard server logs (request paths, status codes, error messages) used to operate and secure the service.
  • Product analytics & session replay: we use Microsoft Clarity to understand how the product is used. Clarity collects usage data such as pages viewed, clicks, scrolling, mouse movement, device and browser information, and approximate location, and may record a replay of your interactions with the interface. This helps us find usability problems and improve the service. Clarity is loaded only on our production site.

2. How we use information

  • To provide, maintain, and improve the service.
  • To authenticate you, secure your account, detect and prevent abuse (including automated activity, credential stuffing, and AI-tutor misuse), and enforce our Terms.
  • To process payments and manage subscriptions via Stripe, and to send transactional emails (e.g. verification, password reset, billing notices) via SendGrid.
  • To send service updates and, if you opt in, periodic learning digests. You can opt out at any time.

3. AI tutor data — what is logged

When you use the AI tutor we send your question, together with the relevant course material, to a third-party LLM provider. We store the question text, the response, the model used, character counts, and the timestamp in our database, associated with your account. We use this data to:

  • Operate and debug the AI tutor.
  • Detect and investigate abuse and enforce our Terms.
  • Improve safety prompts and refine the experience. We do not sell prompt content, and we do not use your prompts to train third-party models beyond what is necessary to produce a response.

Administrators of the Scaffold platform can review your prompt activity for safety and abuse-monitoring purposes. Do not include sensitive personal information, credentials, or confidential third-party data in your prompts.

4. Sharing

We share information only with the third parties needed to operate the service:

  • Stripe — processes payments and stores card data on our behalf.
  • SendGrid — sends transactional and notification emails.
  • Microsoft Clarity — provides product analytics, heatmaps, and session replay so we can understand usage and improve the service.
  • LLM provider(s) — receives the question text and course context required to generate a response.
  • Cloud infrastructure providers — host the application and database (e.g. compute, object storage, managed database).

We do not sell your personal information. We may disclose information when required by law, to enforce our Terms, or to protect the rights, safety, or property of Scaffold, our users, or others.

5. Retention

We keep account, learning, and AI-tutor data for as long as your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and prevent abuse. Login-attempt records and prompt logs are retained for at least twelve months for security purposes. You can request deletion of your account through the support widget; some data may persist in backups for a limited additional period.

6. Security

We use industry-standard safeguards to protect your information, including TLS in transit, hashed passwords, scoped database credentials, and access controls for administrator tools. No method of transmission or storage is perfectly secure.

7. Your choices and rights

You can update your name and email from your account settings, change your password, and end active sessions. Depending on your location, you may have additional rights (access, correction, deletion, portability, objection). Contact us through the support widget to exercise these rights.

8. Children

Scaffold is not directed to children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it.

9. International users

Your information may be processed in countries other than your own, including the United States. We rely on standard contractual safeguards where required.

10. Changes

We may update this Privacy Policy from time to time. We will post the updated version here and revise the “Last updated” date. Material changes will be communicated in-product or by email.

11. Contact

Questions about this policy can be sent through the in-product support widget or the /support page.

This document is provided as a general template and does not constitute legal advice. You are responsible for ensuring it meets your jurisdiction’s requirements, including GDPR/UK-GDPR, CCPA/CPRA, and any sector-specific rules that apply.