Privacy Policy
This Privacy Policy describes how Question Base AI Inc., a Delaware corporation operating the nopad service ("nopad," "we," "us," or "our"), collects, uses, and shares information when you use nopad.
nopad is a homeschool coaching service for parents. Children do not interact with nopad directly — the service is parent-facing. Parents enroll on the website, communicate with our AI coach via SMS, and provide information about their children so we can generate appropriate learning materials.
1. Information we collect
From you, the parent
- Account info: your phone number, name, time zone, and the Cognito user identifier created when you sign up.
- Payment info: when you subscribe, we collect payment information via our processor (Stripe). We do not see or store your full card number — Stripe holds that.
- SMS content: every message you send to and receive from S.O.F.I. is stored on our servers so our AI coach has conversational context. The content is associated with your account.
- Consent records: when you opt in to SMS during onboarding, we record the verbatim consent text you saw, the timestamp, the phone number, and the version of the consent copy. This satisfies A2P 10DLC audit requirements.
- Usage data: when you open exercise links or scroll through materials, we collect basic analytics (page views, click events) to understand engagement.
About your child
- Name, birthdate, and (optionally) gender, which you provide during onboarding.
- Free-text observations you provide about the child (interests, struggles, preferences). These seed and grow our AI's memory about the child.
- Engagement signals: when scheduled exercises are opened, how often, and whether they are completed.
Children do not provide information directly to nopad. We do not knowingly collect information from children. See the Children's Privacy section below.
2. How we use this information
- To provide the Service. Your phone number routes SMS; your child's information lets our AI generate exercises tuned to them; your subscription state determines your access.
- To improve nopad. Aggregate usage patterns (e.g., "how often parents complete onboarding") inform product decisions. We do not use the contents of individual messages to train third-party AI models.
- To communicate with you. Operational messages (account, payment, opt-in confirmations) via email or SMS.
- To comply with the law. We respond to lawful requests from authorities. We also retain A2P consent records to demonstrate opt-in compliance.
3. SMS messaging in detail
nopad uses SMS as its primary delivery channel. When you opt in:
- We send your messages through Twilio, our SMS provider. Twilio relays the messages to your mobile carrier, which delivers them to your phone.
- Twilio and your carrier necessarily see message content and routing metadata (sender number, recipient number, timestamp). Their handling of that data is governed by their own privacy policies.
- Message frequency is approximately one to four messages per day per child.
- Message and data rates may apply from your mobile carrier.
- You can opt out at any time by replying STOP. Reply HELP for help. Opting out stops all nopad messages within minutes.
- We do not share your phone number or SMS content with any third party for marketing purposes. SMS opt-in data is not sold.
We retain SMS content for as long as your account is active so our AI coach has continuity across conversations. On account deletion, SMS content is removed within 30 days from active systems.
4. Third parties that receive your data
We share data only with vendors who help us run the Service. We require each to use the data only to provide their service to us:
| Vendor | What they see | Why |
|---|---|---|
| Twilio | Phone numbers, SMS content, opt-out status | Send and receive SMS; A2P 10DLC compliance |
| Stripe | Payment information, email (if provided), billing history | Process subscriptions; handle invoicing |
| Amazon Web Services | All data we store (hosted in us-east-1) | Hosting, databases, file storage, authentication |
| Anthropic (via AWS Bedrock) | SMS content, child observations, exercise prompts | Generate AI coach responses and exercise materials |
| OpenAI | Image generation prompts (no personal info; child name is not sent) | Generate illustrations for reading exercises |
How we work with AI providers
nopad uses third-party AI models — currently Anthropic (accessed through AWS Bedrock) for coach responses and learning materials, and OpenAI for illustrations — to do the core work of the Service. We disclose this plainly because it matters to parents. Under our agreements with these providers:
- They process the data only to return a result to nopad for the specific request (a coach response, an exercise, an image).
- They do not train their models on your data or your child's data.
- They do not retain the data beyond what is needed to handle the request, and do not use it for any purpose of their own.
Wherever practical we minimize what is sent. Image-generation prompts sent to OpenAI never include your child's name or other identifiers.
We do not sell or rent personal information to anyone. We may disclose information when legally required (subpoena, court order, regulatory request) or in connection with a corporate transaction such as a merger, acquisition, or sale of assets — in which case your information remains subject to this policy or a successor policy that is at least as protective.
5. Children's privacy (COPPA)
How we handle children's data. nopad is designed so that only the parent (or legal guardian) interacts with the Service. Children do not have accounts, do not log in, and do not message S.O.F.I. directly.
All information about a child is provided by the parent who is the verified account holder for that child.
Because parents may provide information about children under the age of 13, we operate the Service in compliance with the U.S. Children's Online Privacy Protection Act (COPPA). The parent's opt-in during onboarding, together with the payment they make to subscribe, constitutes verifiable parental consent for the limited information collected about their child. We collect only what is reasonably necessary to generate learning materials, and we do not condition a child's participation on disclosing more than is needed.
We deliberately do not collect certain categories of information about your child, including biometric identifiers, religious affiliation, political affiliation, and voting history. We have no use for them and never ask for them.
Parental rights
As the parent, you have the right to:
- Review the information we have about your child. Request via email.
- Correct any inaccurate information — contact support and we will update it.
- Delete your child's profile at any time — contact support, and we remove all messages, observations, exercises, and identifiers within 30 days from active systems.
- Refuse further collection by canceling your subscription.
For COPPA-related questions or requests, contact help@questionbase.com or write to:
Question Base AI Inc., Attn: Privacy
1209 Orange Street
Wilmington, DE 19801, USA
6. Student data and educational-privacy commitments
Because nopad exists to support a child's learning at home, the information you provide about your child is "student data" under California's Student Online Personal Information Protection Act (SOPIPA) and similar laws in a growing number of other states. We treat it accordingly. With respect to information about your child, we commit that we will not:
- use it to serve targeted advertising to you or your child — nopad shows no advertising at all;
- build a profile of your child for any purpose other than generating their learning materials;
- sell or rent it, ever;
- disclose it to any third party other than the service providers listed in section 4, and then only to operate the Service for you.
We use student data solely to deliver and improve the educational service you signed up for, and we require our service providers, by contract, to do the same — including the commitment that our AI providers do not train their models on it.
7. Sensitive personal information
The free-text observations you share about your child — for example that a child finds a subject hard, or a note about how they learn best — can reveal information that some privacy laws treat as "sensitive." Parents sometimes also mention health, learning differences, or family circumstances.
We ask you to share only what is needed to tailor the learning materials, and to avoid entering medical diagnoses, health records, or other sensitive details. We use this information only to personalize your child's exercises — never to infer characteristics about your child for any other purpose, and never for advertising. Where the law gives you the right to limit our use of sensitive information, you may exercise it as described in Your privacy rights below; because we already restrict this information to providing the Service, no further limitation is needed for us to comply.
8. Data retention
We keep your account information and your child's information for as long as your subscription is active, because the Service depends on continuity — the AI coach needs the history to keep adapting. We do not keep it indefinitely "in case it is useful later."
When you delete your child's profile or your account, or after 6 months of inactivity, we remove the associated data — messages, observations, exercises, and identifiers — from active systems within 30 days. Encrypted backups are then overwritten on a rolling 35-day schedule.
Two narrow exceptions are kept only as long as the law requires, and contain no conversation content or child observations: A2P 10DLC consent records (to demonstrate SMS opt-in) and basic transaction records (for tax and accounting).
9. Security
We use commercially reasonable safeguards including encryption in transit (TLS) and at rest, scoped access controls (AWS IAM with permission boundaries), row-level security on the database so each parent's data is logically isolated, and audit logging of administrative actions. No system is perfectly secure; we cannot guarantee absolute security but we work to maintain practices appropriate for the kind of data we handle.
10. Your privacy rights and choices
You can access, correct, delete, and obtain a copy of the personal information we hold about you and your child. To make any of these requests, email help@questionbase.com. We will respond within 14 business days.
Depending on where you live, your rights may include:
- Know / access — what personal information we have collected, where it came from, why, and who we share it with.
- Delete — ask us to delete personal information about you or your child.
- Correct — fix inaccurate personal information.
- Portability — receive a copy in a portable, machine-readable format.
- Limit the use of sensitive personal information — though we already use it only to provide the Service.
We will not deny you service, charge you a different price, or give you a lower quality of service for exercising any of these rights.
We do not sell or share your information
nopad does not sell your or your child's personal information, and does not share it for cross-context behavioral advertising, as those terms are defined under California and other state privacy laws. We have not done so in the preceding 12 months. Because we do not sell or share, there is nothing to opt out of — but if you wish to record your preference, emailing us at help@questionbase.com serves as our "Do Not Sell or Share My Personal Information" request channel.
Global Privacy Control
Some browsers and extensions send a Global Privacy Control (GPC) signal to opt out of the sale or sharing of personal information. Our website does not sell or share personal information, and does not use advertising or cross-context tracking, so there is currently nothing for a GPC signal to opt out of. If that ever changes, we will honor GPC signals as a valid opt-out request where the law requires.
California residents
The California Consumer Privacy Act, as amended by the CPRA, gives California residents the rights listed above, including the right to limit the use of sensitive personal information and the right not to be discriminated against for exercising their rights. The categories of personal information we collect, our purposes for collecting it, and the third parties we disclose it to are described in sections 1, 2, and 4 above. We do not sell or share personal information.
Residents of other states
Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others — have similar rights to access, correct, delete, and obtain a copy of their personal information. You may exercise these rights by emailing help@questionbase.com.
11. International users
nopad is operated from the United States and is intended for parents and children located in the United States. If you access the Service from outside the United States, you do so on your own initiative and are responsible for compliance with local laws. By using nopad, you consent to your information being transferred to and processed in the United States.
12. Changes to this policy
We may update this Privacy Policy from time to time. The most current version is always posted on this page, and the "Effective" date shown at the top reflects when it last changed. We encourage you to review it periodically.
13. Contact
Privacy questions: help@questionbase.com
General support: help@questionbase.com