TOSS THE CHALK PRIVACY AND DATA AGREEMENT

Effective Date: February 14, 2026

This Privacy and Data Agreement explains how Toss the Chalk (“we,” “us”) collects, uses, and shares information when you create an account or use Toss the Chalk (the “Service”). We are based in Maryland.

1) What We Collect

We collect information you provide, information generated through your use of the Service, and limited technical information needed to operate the Service securely.

A. Account and Profile Data
- Email address
- First name and last name
- Phone number (if provided)
- Password hash (we do not store plain-text passwords)
- Account role (student/admin)
- Email verification and account status fields

B. Session and Security Data
- Session identifiers stored in secure, HTTP-only cookies
- Login/session state (for authenticated access)
- Basic request metadata needed to operate and secure the Service (for example, authentication events and security logs)

C. Tutoring and Scheduling Data
- Lesson requests, lesson dates/times, duration, topic, notes, and status
- Tutor/admin availability and scheduling updates
- Cancellation and rescheduling requests

D. Academic Performance Data
- Practice question responses and correctness
- Question category/type and timestamps
- Session-level performance summaries and coaching-related metrics

E. Live Lesson Data
- Live lesson participation data (session IDs, join tokens, timing, annotations)
- Student answer submissions and tutor notes during live sessions
If we later introduce a recording feature (audio, video, or screen), we will disclose what is recorded and how it is stored before recording begins.

F. Billing and Payment Data
- Lesson billing records, invoice records, amounts, due dates, and statuses
- Payment processor reference IDs (for example, customer/invoice IDs and checkout session references)
We do not store full payment card numbers; payment details are handled by our payment processor.

G. Communications Data
- Email verification and password-reset messages
- Invoice/payment communications
- Messages you send to support (if applicable)

H. Device, Usage, and Log Data
When you access the Service, we (and our service providers) may automatically collect:
- IP address
- Device/browser type and operating system
- Timestamps, pages/screens viewed, and actions taken within the Service
- Diagnostic logs (for example, error logs) and security logs (for example, login attempts)

I. Cookies and Similar Technologies
We use cookies and similar technologies to:
- Keep you signed in and maintain sessions
- Help protect the Service (fraud prevention/abuse detection)
- Remember certain preferences (where applicable)

2) How We Use Data

We use information to:
- Create and manage accounts
- Authenticate users and protect account access
- Schedule and deliver tutoring sessions
- Provide practice, scoring, progress, and coaching features
- Generate invoices and process payments
- Send essential service emails (verification, reset, billing)
- Operate admin features and respond to support requests
- Maintain, secure, and improve the Service (including debugging and reliability)

3) AI and Automated Processing

The Service includes AI-assisted features for question generation and tutoring support.

What is sent: Free-text notes and student answers may be sent, by or on behalf of a tutor/admin, to configured AI providers only to generate outputs (for example, coaching suggestions or question content).

PII minimization: We do not send personal data or PII (such as names, email addresses, phone numbers, or account identifiers) to AI providers. We instruct tutors/admins not to include PII in AI prompts, and we design AI workflows to pass tutoring context without direct identifiers.

No training: We configure AI providers so that submitted content is not used to train their models.

AI outputs may be incorrect and should be reviewed by a tutor/admin before being relied on.
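The PII-minimization design described in Section 3, shown as an added example that is not Toss the Chalk's own code: the payload for the AI provider is built from an allow-list of fields (so names, email, phone and account identifiers never enter it), and the free text that does go is scrubbed for identifiers the Service already knows (the student's name) and for identifier-shaped strings (email, phone, internal reference IDs). The record layout, field names, the identifier prefixes in ID_RE, and the sample record are assumptions made for this example.

```python
"""Added example (not Toss the Chalk's code): build the request sent to an AI
provider from an internal lesson record with a field allow-list, then scrub the
free text that remains for direct identifiers before it leaves the Service.

Assumptions, not taken from the agreement: the record layout, the field names,
the identifier prefixes matched by ID_RE, and the sample record are illustrative.
"""
import re

# Only these fields may reach the AI provider. Names, email, phone and
# account/session identifiers never enter the payload because they are not listed.
AI_ALLOWED_FIELDS = ("topic", "question_category", "student_answer", "tutor_notes")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Assumed internal identifier formats (user, session, invoice, customer references).
ID_RE = re.compile(r"\b(?:usr|sess|inv|cus)_[A-Za-z0-9]{6,}\b")


def scrub_free_text(text, known_terms=()):
    """Replace identifier-looking substrings with placeholders.

    known_terms are identifiers the Service already knows for this record (the
    student's name); a regex cannot find arbitrary names, so those are removed
    explicitly. Returns (scrubbed_text, number_of_replacements).
    """
    hits = 0
    for term in known_terms:
        text, n = re.subn(r"\b" + re.escape(term) + r"\b", "[student]", text, flags=re.IGNORECASE)
        hits += n
    for pattern, placeholder in ((EMAIL_RE, "[email]"), (PHONE_RE, "[phone]"), (ID_RE, "[id]")):
        text, n = pattern.subn(placeholder, text)
        hits += n
    return text, hits


def build_ai_payload(record):
    """Return (payload, flagged_fields).

    payload holds only allow-listed fields with free text scrubbed;
    flagged_fields names the fields in which an identifier was found, for the
    admin-side review log (the list itself is not sent to the provider).
    """
    student = record.get("student", {})
    known = [student.get(k) for k in ("first_name", "last_name") if student.get(k)]
    payload, flagged = {}, []
    for field in AI_ALLOWED_FIELDS:
        value = record.get(field)
        if value is None:
            continue
        if isinstance(value, str):
            value, hits = scrub_free_text(value, known)
            if hits:
                flagged.append(field)
        payload[field] = value
    return payload, flagged


# Constructed sample record; not real student data.
SAMPLE_RECORD = {
    "lesson_id": "lesson_000123",
    "user_id": "usr_9f3k2m1q",
    "student": {"first_name": "Avery", "last_name": "Nguyen", "email": "avery@example.com"},
    "topic": "Quadratic equations",
    "question_category": "algebra",
    "student_answer": "x = 3 or x = -2",
    "tutor_notes": ("Avery keeps dropping the sign. Parent asked for an update at "
                    "parent@example.com or 410-555-0134; ref usr_9f3k2m1q."),
}

if __name__ == "__main__":
    payload, flagged = build_ai_payload(SAMPLE_RECORD)
    print(payload)
    print("fields needing tutor review:", flagged)
```

The allow-list does the real work: nothing outside it can leak by accident when a new field is added to the record. The regex scrub only catches identifier-shaped text and the names already on the record, which is why the agreement still instructs tutors/admins not to put PII in prompts; flagged fields are the ones a tutor should look at before the request is sent.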
4) Who Can Access Data

Students can access their own account and student data. Admin users can access the student data needed to provide tutoring, scheduling, analytics, and billing. Access controls are enforced in application routes and session checks.

Link and token access: Token-based live lesson or monitor links grant access to that session to whoever holds the link. Treat these links as private credentials and do not share them.

5) Third-Party Processors

We use third-party services to operate parts of the Service:
- Stripe (payments and invoicing)
- Azure Communication Services Email (verification, reset, and service email)
- Google services (admin integrations, when enabled)
- Google Gemini API (AI-assisted generation and coaching features)
These providers process data under their own terms and privacy policies. We share only what is necessary to provide the relevant functionality.

6) Data Sharing and Sale

We do not sell personal information. We share data only with service providers needed to run the Service, with admins/tutors for educational operations, or when required by law.

7) Security Measures

We use reasonable safeguards appropriate to the Service and its current implementation, including:
- Password hashing
- Role-based access controls and authenticated route checks
- Secure session cookie settings (HttpOnly and SameSite; Secure in production)
- Security and anti-caching response headers for authenticated pages and data
- Limited-access database credentials and separation of duties where feasible

Database: We store Service data in MongoDB. We restrict database access to authorized systems and administrators and use authenticated connections. Where our hosting configuration supports it, data is protected in transit (for example, with TLS) and may be encrypted at rest.

No system can be guaranteed to be 100 percent secure; the safeguards above are reasonable for our current implementation.
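The cookie and header safeguards listed in Section 7, turned into the check a reviewer would run against an authenticated response. This is an added example, not Toss the Chalk's own code: it parses a Set-Cookie header and flags a session cookie that lacks HttpOnly, a SameSite value of Lax or Strict, or (in production) Secure, and flags authenticated responses that lack Cache-Control: no-store or common security headers. Which headers count as "security headers" (nosniff, framing protection, HSTS), the cookie name, and the two sample responses are assumptions made for this example.

```python
"""Added example (not Toss the Chalk's code): audit the session cookie and the
response headers of an authenticated response against the safeguards listed in
Section 7, as a reviewer would check them on the live Service.

Assumptions, not taken from the agreement: the header set treated as "security
headers" (nosniff, framing protection, HSTS), the cookie name, and the two
sample responses are constructed for this example.
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(set_cookie, production=True):
    """Return findings for a session cookie missing HttpOnly, SameSite or Secure."""
    name, _value, attrs = parse_set_cookie(set_cookie)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (session ID readable by page scripts)")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax or Strict (cookie sent on cross-site requests)")
    if production and "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie would be sent over plain HTTP)")
    return findings


def audit_authenticated_headers(headers, production=True):
    """Return findings for anti-caching and security headers; keys are lower-cased names."""
    findings = []
    cache = {d.strip().lower() for d in headers.get("cache-control", "").split(",") if d.strip()}
    if "no-store" not in cache:
        findings.append("Cache-Control lacks no-store (authenticated data may be cached)")
    if "public" in cache:
        findings.append("Cache-Control allows shared caches (public)")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "frame-ancestors" not in headers.get("content-security-policy", "") and not headers.get("x-frame-options"):
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    if production and not headers.get("strict-transport-security"):
        findings.append("missing Strict-Transport-Security (production)")
    return findings


def audit_response(response, production=True):
    """response: {"set_cookie": str, "headers": {lower-case header name: value}}."""
    return (audit_session_cookie(response["set_cookie"], production)
            + audit_authenticated_headers(response["headers"], production))


# Constructed responses for an authenticated page; values are not from the Service.
WEAK_RESPONSE = {
    "set_cookie": "session=abc123; Path=/",
    "headers": {"cache-control": "public, max-age=3600", "content-type": "text/html"},
}
HARDENED_RESPONSE = {
    "set_cookie": "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "headers": {
        "cache-control": "no-store",
        "x-content-type-options": "nosniff",
        "x-frame-options": "DENY",
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "content-type": "text/html",
    },
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "OK")
```

The production flag mirrors the agreement's "Secure in production": a local development server without TLS cannot set Secure, so the check is relaxed only there. A further hardening not enforced by this check is the __Host- cookie-name prefix, which a browser accepts only when the cookie carries Secure, Path=/ and no Domain attribute, so the safe attributes cannot be dropped silently.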
Security Incidents: If we experience a security breach involving personal information, we will provide notices as required by applicable law.

8) Data Retention

We retain data as long as needed for tutoring operations, billing records, account continuity, dispute handling, and legal/compliance obligations. When an account is deleted, associated records may be removed from active systems, subject to backup retention and legal/accounting requirements.

9) User Rights and Choices

Subject to applicable law, users may request to:
- Access or update account/profile data
- Reset their password
- Delete their account
- Ask questions about stored tutoring or billing records
Some records (for example, billing/invoice records) may need to be retained for legal or accounting reasons.

Maryland Privacy Rights: If you are a Maryland resident, you may have additional rights under Maryland law, which may include rights to access, correct, delete, and obtain a copy of certain personal data, and to opt out of certain types of processing in some circumstances. To exercise these rights, contact us using the information in Section 13.

10) Minors

The Service may be used by students under 13 only with parental or legal guardian consent. We will take reasonable steps to obtain and maintain appropriate consent where required by law.

11) International Transfers

Service providers may process data in different jurisdictions. By using the Service, you understand that data may be processed wherever our providers operate.

12) Changes to This Agreement

We may update this agreement from time to time. Updated versions become effective when posted, with a revised Effective Date.