Privacy Policy

Version 2.0.0-draft · Last updated 2026-06-02

DRAFT — Not yet legally reviewed. The text below names the canonical operator (Inspiration Dance LLC) but has not yet been counsel-reviewed. Use for orientation only; districts evaluating procurement should request a counsel-vetted copy.

Last updated: June 2, 2026

[DRAFT — Not yet legally reviewed] This document is the Phase 2 drafter's working text for AA-280. It has not been reviewed by counsel. Do not rely on this text. The Operator's counsel is the certifying authority; PUI-16 closure flips this flag.

1. Introduction

Avatar Animator is an educational creative-coding platform operated by Inspiration Dance LLC ("Operator," "we," "us," or "our") at https://codecandance.com (the "Service" or "Platform"). This Privacy Policy explains what information we collect, how we use and share it, how long we keep it, and the choices you have. It applies to everyone who uses the Service:

district account (their "Customer").

a Customer account; and individual adult sign-ups on the Free or Paid tier.

the account (for Customer accounts, the Customer; for individual sign-ups, the person who created the account).

The Service is designed for students in grades 6–12. We take particular care to comply with the children's-privacy and student-data-privacy laws that apply to that audience, including the federal Children's Online Privacy Protection Act ("COPPA," 16 CFR Part 312), the Family Educational Rights and Privacy Act ("FERPA," 20 USC §1232g; 34 CFR Part 99), California's SOPIPA (Cal. Bus. & Prof. Code §22584) and AB 1584 (Cal. Educ. Code §49073.1), Connecticut Public Act 16-189 (Conn. Gen. Stat. §10-234aa et seq.), and Illinois SOPPA (105 ILCS 85).

A separate Data Processing Addendum governs the Operator's processing of Customer Data on behalf of school and district Customers; a separate Sub-Processors registry lists every third-party service the Operator engages.

2. Information We Collect

We collect only what we need to run the Service. The categories below are the source-of-truth for our data practices; the registry at /sub-processors names every vendor that touches each category.

a. Account identity. Email address (used as login), display name, role (Student User / Authorized User / Account Owner), and a Cognito-managed account identifier. Passwords are stored only as a one-way bcrypt hash; we never see or store the plain-text password.

b. Authentication and SSO secrets. When a Customer uses Single Sign-On through Google, Clever, ClassLink, or LTI 1.3, we store the OAuth or LTI credentials and signing keys needed to honor those federated sessions. These secrets are encrypted at rest with AES-256-GCM.

c. Project content. Block-based code workspaces ("Blockly projects"), project metadata (name, thumbnail, character configuration, wearable configuration), and saved generated assets.

d. Educational Records. For Student Users enrolled in a curriculum or assigned work by a teacher, we record assignment status (started, submitted, scored), completion scores, time on lesson, hints requested, code-run counts, teacher feedback, and grade-override events. Educational Records are processed on behalf of the Customer; they belong to the educational agency, not to the Operator.

e. AI prompts and outputs. The prompts you type into our AI features (background image generation, music generation, lyrics, face filter, the Sam tutor chatbot, conversational AI) and the assets those prompts produce (images, audio, video, generated text). Section 12 (AI Features) describes exactly what is and is not transmitted to the AI providers.

f. Usage analytics. Pages visited within the Service, features used (such as which blocks were placed and how many times code was run), session duration, device type, browser user-agent, and screen dimensions. Used to operate the Service and to understand how the Platform is used; not used for advertising and not sold.

g. Audit log. A compliance ledger of security-relevant and FERPA-relevant events (SSO configured, FERPA deletions, roster uploads, assignment events, grade overrides, LMS pushes, DPA acceptances, license threshold crossings, billing webhooks). The audit log is append-only.

h. Billing information. For Account Owners who purchase a paid subscription, cardholder name, email, and billing address. Students never transact; payment data is collected only from adult subscribers. Card numbers themselves are handled by Stripe; we receive only a reference identifier (see Section 13).

i. Roster data. When a Customer onboards through OneRoster CSV upload or through a roster-sync integration (Clever, ClassLink, Google Classroom), we ingest the Customer-provided roster: student name, school, grade, and email. Roster data is Customer Data; the upstream roster provider remains the controller of its own records.

j. DPA acceptance records. When a Customer signs the Data Processing Addendum, we record the signer's name, email, IP at acceptance, the accepted DPA version, and the timestamp. These records form a compliance ledger and are retained accordingly.

k. Hardware-pairing data (LED Cap / Vest). When you pair a connected LED Cap or Vest device, we collect a session-scoped device-pairing token, the BLE device identifier, and operational telemetry events. This data is processed by iLumaCap, the Operator's own internal hardware backend — it is Operator infrastructure, not a third-party vendor (see Section 15).

l. Sales-lead information. If you submit a quote-request or contact form as an adult prospect, we collect your name, email, organization, and your message. This category applies only to adult prospects and never contains student data.

We do not knowingly collect from students: government identifiers (SSN, driver's license), biometric identifiers, location data more precise than a country/region inferred from IP, browsing history outside the Service, contacts, or photos/media from your device beyond what you intentionally upload to the Service.

3. How We Use Information

We use the information we collect to:

output before they reach you or your classmates).

We do not:

activity, and we do not amass a profile of a student user except as needed to provide the educational service the student is using.

These commitments mirror our direct obligations under California SOPIPA (Cal. Bus. & Prof. Code §22584(b)) and Connecticut §10-234cc, and the parallel contract requirements of California AB 1584 (Cal. Educ. Code §49073.1) and Illinois SOPPA (105 ILCS 85). They also mirror our contractual posture as a "Service Provider" under the California Consumer Privacy Act ("CCPA"; Cal. Civ. Code §1798.140(ag)).

4. How We Share Information

We share information only with the categories of third parties listed in our Sub-Processors registry. The registry is the authoritative, vendor-by-vendor list; the categories below summarize it for readability.

Platform and store its data.

process sign-in and roster data on Customer instruction.

email.

and DeepMotion process AI prompts and return generated outputs (see Section 12 for the exclusions that apply to district Customers).

response to your search queries.

(described in Section 11 and Section 14).

a quote-request form is submitted; HubSpot never receives student data.

Section 15).

We also disclose information when required by law, in response to a valid legal process, to protect the rights, safety, or property of the Operator, our users, or the public, or in connection with a merger, acquisition, or sale of assets — in which case the acquirer must agree to honor this Privacy Policy and the applicable student-data-privacy commitments.

Notice of new Sub-Processors and right to object. When we add a new Sub-Processor that will process Customer Data, we give every Customer at least thirty (30) days' advance notice. Customers may object on data-protection grounds within ten (10) business days of the notice; if no commercially reasonable alternative is available within thirty (30) days, the Customer may terminate the affected services without penalty and we will delete or return the affected Customer Data per Section 9.

5. Children's Privacy (COPPA)

The Service is designed for grades 6–12, which includes children under 13 years of age. We comply with the federal Children's Online Privacy Protection Rule (16 CFR Part 312) for any Student User under 13.

School-authorization model. For Student Users whose accounts are created through a Customer (school or district), the Customer acts as the parents' agent to provide COPPA-required consent on the parents' behalf, consistent with 16 CFR §312.5(a)–(b) and the Federal Trade Commission's guidance in COPPA FAQ M.5 ("Schools and the Children's Online Privacy Protection Rule," available at https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions). Under this model, the Customer authorizes our collection and use of personal information from those students solely for the educational purposes described in this Privacy Policy and in the underlying contract with the Customer. We do not use that personal information for any commercial purpose unrelated to providing the Service to the Customer.

Free-tier individual sign-up. When a child under 13 attempts to create a Free-tier account outside a school-authorized roster, we obtain verifiable parental consent before collecting personal information, or we do not create the account. Parents may also act on their child's behalf at any time to access, correct, or delete the child's information (see Section 10).

Data minimization. We collect from children only what is reasonably necessary to provide the Service, and we do not condition a child's participation on disclosing more information than is reasonably necessary.

Parental access and deletion. Parents may review their child's information, request its deletion, or revoke consent by contacting darryl@inspirationdancecompany.ai. We will verify the parental relationship before completing the request.

6. Educational Records (FERPA)

For Student Users accessing the Service through a Customer, the Customer is the educational agency that controls the Educational Record under FERPA. The Operator processes Educational Records on the Customer's behalf as a "school official" with a "legitimate educational interest" under 34 CFR §99.31(a)(1)(i)(B), subject to the Customer's direct control over use and maintenance of the records.

Customer has authorized.

instructs or as 34 CFR §99.31 and §99.33 permit, and we maintain internal access logs to support the Customer's recordkeeping.

treat any data item as public unless the Customer instructs us to.

Customer; we support the Customer in responding.

For B2C / Free individual accounts that are not provisioned through a Customer, FERPA does not apply because no educational agency has designated us a school official for that user. Those users are protected by this Privacy Policy and by COPPA where applicable.

7. State-Specific Disclosures

California. When the Service is provided to a California local educational agency, we are bound by California AB 1584 (Cal. Educ. Code §49073.1) as a contractor. Pupil records remain the property of and under the control of the local educational agency; we do not retain pupil records after the contract ends except as the contract permits. We are also subject directly to California SOPIPA (Cal. Bus. & Prof. Code §22584): no targeted advertising, no profile-building on a pupil except for K-12 educational purposes, no sale of pupil information, and disclosure only for K-12 purposes / legal compliance / judicial process / safety / compliant service providers under contractual restrictions. For California consumers generally, we operate as a "Service Provider" under the CCPA / CPRA (Cal. Civ. Code §1798.140(ag)); we do not "sell" or "share" Personal Information as those terms are defined in §1798.140. Pupils may export their pupil-generated content as a portable file (see Section 10) and re-import it into a separate personal account; we do not currently provide an in-app one-click transfer mechanism.

Connecticut. When the Service is provided to a Connecticut local or regional board of education, we are a "contractor" under Conn. Gen. Stat. §10-234aa and an "operator" under §10-234cc. Student information, student records, and student-generated content are not the property of, and are not under the control of, the Operator. We notify the board of education of any unauthorized release within the timeframes set out at §10-234dd (thirty days for student information; sixty days for directory information, student records, and student-generated content), and our operational target is to notify within seventy-two hours. We do not retain student data after contract expiration except as permitted by state or federal law or by the disaster-recovery exception.

Illinois. When the Service is provided to an Illinois school district, we comply with the Illinois Student Online Personal Protection Act (105 ILCS 85), including its direct operator obligations (no targeted advertising, no profile-building on students, no sale of student data, no disclosure outside school purposes / legal compliance / judicial process / safety / compliant service providers) and the contract requirements between the Operator and the school district.

8. Data Security

We protect your information with industry-standard administrative, technical, and physical safeguards, including TLS 1.2+ in transit, AWS-KMS-backed AES-256 at rest for the database, SSE-S3 (AES-256) at rest for object storage, AES-256-GCM application-level encryption for SSO client secrets, bcrypt one-way hashing for passwords, scoped IAM and least-privilege application accounts, and append-only audit logging of security-relevant events. Our technical posture and operational practices are described in our Security documentation, which is the source of truth and which we update separately from this Privacy Policy. No system is completely secure; if you believe your account has been compromised, contact us immediately.

9. Data Retention

We retain data only as long as we need it. The table below states the retention window by the triggering event; the AI cache and analytics windows are independent of account-level retention.

| Trigger | Retention window |
|---|---|
| Individual account deletion (user closes own account, or parent / Customer IT admin requests deletion of one user) | 30 days from request to full purge |
| Customer contract termination (DPA expires or is terminated; ALL Customer Data) | 45 days from the termination effective date |
| SOPIPA non-mandatory data of a disenrolled K-12 pupil (pupil leaves the school but the Customer contract remains) | 60 days from disenrollment |
| AI cache (per category) | 24 hours for conversational AI and curriculum chat; 7 days (168 hours) for navigation chat; no expiry for image, music, and wearable-design caches — per our server configuration at server/lib/ai-cache.ts:67-75 |
| Identified usage analytics (any row carrying a user identifier or pseudonymous user ID linkable to an account) | 24 months maximum, after which the rows are deleted or de-identified |
| De-identified, aggregated usage analytics (e.g., total daily active users, feature-engagement counts) | Indefinite; such aggregates are not Personal Information as defined under CCPA §1798.140(v) or COPPA §312.2 |
| Audit log and DPA acceptance ledger | Indefinite (compliance ledger); user identifiers in audit-log rows are redacted on a FERPA deletion |

Our de-identification standard for aggregate analytics is: removal of all direct identifiers (email, display name, Cognito subject ID, IP, browser fingerprint), removal of all indirect identifiers reasonably linkable to a person, and aggregation to a minimum k-anonymity threshold of k=5 for any user-attributable count.

AI-generated content that you have explicitly published into a shared library may persist after your account is deleted, but it will no longer be associated with your account.

10. Your Rights and Choices

You have the right to:

feature.

"sale" or "sharing" of Personal Information as those terms are defined in §1798.140; we do not "sell" or "share" today.

How to request deletion. To request deletion of your account and the data associated with it, contact us at darryl@inspirationdancecompany.ai. For Student Users whose accounts were created through a Customer (school or district), deletion requests may also be initiated by the Customer's IT administrator through the Customer's admin interface; in either path, the Operator will complete the deletion within thirty (30) days per Section 9. For parents acting on behalf of a child under 13 under COPPA, the same contact path applies; we will verify the parental relationship before completing the deletion. We do not today offer a self-service "delete my account" button in the Free-tier or Authorized-User interface; when we do, this policy will be updated to describe that path.

Parental rights. Parents and guardians of Student Users under 13 may exercise these rights on behalf of their child under 16 CFR §312.6 (parental access, deletion, and refusal of further collection).

11. Cookies and Similar Technologies

We do not use third-party tracking cookies, advertising cookies, or marketing-analytics cookies (such as Google Analytics, Meta Pixel, or ad-network re-targeting cookies). We use only first-party functional cookies necessary for authentication and session management.

Our error-monitoring sub-processor, Sentry, operates via JavaScript-SDK instrumentation; it associates errors with a pseudonymous session-scoped or user-scoped identifier transmitted in request bodies, not via cookies. Sentry's identifier is the Operator's pseudonymous user ID when an authenticated session exists, or a session-scoped random ID for Anonymous sessions; it is not used for any purpose other than error correlation and is subject to the scrubbing rules described in Section 14 and at server/lib/sentry.ts + client/src/lib/sentry.ts.

12. AI Features

The Service offers several AI-powered features: background image generation, music generation, lyric generation, face filters, the Sam tutor chatbot, and conversational AI. Each AI feature routes a prompt to an AI Sub-Processor named in our Sub-Processors registry and returns a generated output. The following commitments apply to every AI feature.

No Personal Information in prompts. When you invoke an AI feature, we transmit only the prompt text you provided (together with standard request metadata required by the AI provider) to the AI Sub-Processor. We do not transmit your username, email address, account identifier, display name, or any other Personal Information in the prompt body. The server-side AI request handler at server/routes.ts (for example, the /api/ai/converse, /api/generate-background, /api/generate-lyrics, /api/generate-music, and /api/socratic-chat endpoints) passes only the user's typed prompt and feature-specific parameters (such as style or voice selection) to the provider. Workspace state passed to the Sam tutor describes block types, counts, and assignment progress; it does not include the student's name, email, or any account identifier.

Content safety. Every AI prompt and every generated output is passed through a two-layer content-safety screen (a word filter plus the OpenAI moderation API) before being delivered. The filter is a screening layer, not a guarantee.

No training on Customer Data. The Operator does not opt into any AI Sub-Processor's foundational-model training program for Customer Data, even where the provider's default terms would permit it. OpenAI API, RunwayML, MusicGPT, TwelveLabs, Perplexity Enterprise/API, and DeepMotion are operated on their no-training-by-default or opt-out-of-training configurations; per-vendor commitments are documented in the Sub-Processors registry §AI Generation.

AI cache. To reduce cost and latency, AI outputs may be cached on the Operator's infrastructure per the retention windows in Section 9 (AI cache row).

Accuracy disclaimer. AI outputs may reflect biases or inaccuracies inherent in the AI Sub-Processor's training data. The Operator does not certify the accuracy, educational appropriateness, or fitness-for-purpose of any AI output.

Exclusions for district Customers. Under our Data Processing Addendum, we do not use the following Sub-Processor categories for Customer Data processing under district or school contracts: AI music-generation vendors lacking a published Data Processing Addendum or operating without an identifiable counterparty under US or EU jurisdiction; motion-capture or video-understanding vendors operating from jurisdictions without a US-equivalent data-protection framework or lacking a published DPA framework; unofficial content-marketplace APIs and scrapers without an identifiable counterparty; and embedded third-party content frames that rely on the embedded service's first-party cookies and tracking pixels with no Operator-side scoping. See the DPA and Sub-Processors registry for the operative list.

13. Billing (Account Owners Only)

If you are an Account Owner who pays for the Service, billing data is collected and processed through Stripe. We never see your card number; we hold only a Stripe customer reference. Students never transact on the Service.

Adult subscribers are subject to Stripe Radar, a Stripe-operated fraud-detection service that uses aggregated transactional data across Stripe's merchant network to identify suspicious transactions. Stripe Radar does not opt the Operator's transactional data into Stripe's foundational-model training. Stripe is the controller for Stripe's own use of this data; see Stripe's Privacy Policy for details.

14. Anonymous Users

Anonymous (no-account) users may access demo features of the Service. The Operator does not persist any account identifier for Anonymous users across sessions. We may collect minimal, ephemeral telemetry from Anonymous sessions consisting of: a session-scoped pseudonymous ID (rotated each session, not linked to any account), page-visit and feature-engagement events scoped to the session, and standard HTTP request metadata (IP, User-Agent) processed by Sentry (see Section 4 — Error Tracking / Telemetry) for error monitoring purposes only. Anonymous-session telemetry is not associated with any natural person and is not retained beyond the Operator's standard error-monitoring retention window. The same Sentry scrubber that strips secrets, passwords, tokens, and parent emails from authenticated-session error reports applies to Anonymous-session error reports.

15. LED Cap / Hardware-Pairing Data

If you use the connected LED Cap or Vest accessory, the Service exchanges device-pairing tokens, BLE device identifiers, and operational telemetry with iLumaCap, the Operator's own internal hardware backend. iLumaCap is Operator infrastructure, not a third-party vendor; it is not listed in the Sub-Processors registry because we do not transfer hardware-pairing data to any third party for processing.

same AWS-KMS-backed AES-256 standard as other Operator infrastructure (subject to the verification noted in /security).

lifetime; they are cleared when you unpair the device or when the session expires per the device-pairing token TTL. BLE device identifiers may be retained as part of your device-association preference until you remove them. Telemetry events follow the 24-month identified-analytics cap described in Section 9.

16. International Users — GDPR Appendix

The Service is operated from the United States and is primarily directed to US K-12 education. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States. The following provisions apply specifically to data subjects in the European Economic Area, the United Kingdom, and Switzerland whose personal data is processed by the Service.

Operator role. For Customer-provisioned Student User and Authorized User accounts, the Operator acts as a processor under Regulation (EU) 2016/679 ("GDPR"), processing personal data on the documented instructions of the Customer (the controller). For Free-tier individual sign-ups not provisioned through a Customer, the Operator may be a controller for that individual account's data; the same processing principles described in this Privacy Policy apply.

Lawful basis. Where the Operator is a processor, the lawful basis for processing is the contract between the Customer and the Operator, together with the Customer's instructions. Where the Operator is a controller for an individual sign-up, the lawful bases are the performance of a contract with the data subject (account creation and service delivery), the Operator's legitimate interests in operating and improving the Service, and consent where required.

Data-subject rights. Data subjects in the EEA / UK / Switzerland may exercise the rights of access, rectification, erasure, restriction, portability, and objection. Requests should be directed through the controller (the Customer, for Customer-provisioned accounts) or to darryl@inspirationdancecompany.ai for accounts the Operator controls directly. The Operator will respond within the timelines required by applicable law.

International transfers. Where personal data is transferred from the EEA / UK / Switzerland to the United States, the transfer is performed under the European Commission's Standard Contractual Clauses or another lawful transfer mechanism as appropriate to the receiving Sub-Processor.

Operational scope. The Operator has not appointed an EU representative under GDPR Article 27 and does not currently maintain EU-residency infrastructure. International Customers requiring EU data residency or an Article 27 representative should contact darryl@inspirationdancecompany.ai before contracting.

Supervisory authority. Data subjects in the EEA / UK / Switzerland have the right to lodge a complaint with a competent supervisory authority.

A separate Data Processing Addendum (Phase 2D / shared/dpa-template.ts) governs the Article 28 controller-processor obligations for Customers that require an Article-28-aligned addendum.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes that affect how we handle Student User data or Customer Data, we will notify Customers and Account Owners through the Platform before the changes take effect and will update the "Last updated" date at the top of this document. Continued use of the Service after a material change takes effect constitutes acceptance of the updated policy.

18. Contact

If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy or compliance concern:

Inspiration Dance LLC
Email: darryl@inspirationdancecompany.ai
Subject line: Avatar Animator Privacy Inquiry

For our public Sub-Processors registry, see https://codecandance.com/sub-processors. For our Security documentation, see https://codecandance.com/security. For the Customer Data Processing Addendum, see https://codecandance.com/dpa.