Privacy Policy

Effective date: 2026-06-20

Stroke Dojos ("we", "us", "our") is an educational product for teaching Traditional Chinese handwriting. We respect your privacy and are committed to protecting personal information collected through our website and services.

Information We Collect

How We Use Information

We use data to provide and improve our services, respond to support requests, secure admin features, and perform analytics. We do not sell personal data. Specifically, learning signals and access-code usage are aggregated to:

Analytics, Time-Series & Logging

Our analytics pipeline is documented in docs/analytics/ANALYTICS_PLAN.md. In summary:

Dashboards (admin panel)

Aggregate the events above into the following tiles at /admin/analytics:

  1. Adoption funnel — codes issued → validated → joined → activity.
  2. Daily active devices — unique deviceHash per day, split across worksheets, courses, and lesson joins.
  3. Score distribution histogram (0–100) with drill-down per lesson.
  4. Time-on-task p50/p90 per activity type.
  5. Course completion rate (activityCount / lessonCount).
  6. Practice heatmap (hour-of-day × weekday).
  7. Quota burn per organization vs allocation.
  8. Failure log — top error messages in the last 24 hours.
  9. Per-student follow-up: attempts, accuracy, time-on-task, score timeline.

GDPR / One-shot deletion

On request we run the deleteUserData Cloud Function which deletes every raw_events, daily_aggregates, and timeseries_events document that contains the supplied organizationId or deviceHash. Deletion completes within 30 days.

If your organisation requires a verbose-logging toggle, contact us — admins can disable client console.debug output via the appSettings.verboseLogging flag.

Third-Party Services

We may use third-party services for analytics and AI processing. If you or an admin uses an external AI service, API keys should be kept on a secure server — we do not embed provider keys in public client builds. Consult the admin documentation for recommended server-side proxy setup.

Infrastructure providers we use today: Google Cloud Firestore, Cloud Storage, Cloud Functions, and Cloud Logging (Google LLC). Hosting: Cloudflare Pages for the public website and admin panel.

Children's Data

Our platform is education-focused. We do not knowingly collect personally identifiable information from children under 13 without parental consent. What we do collect for children: a salted SHA-256 hash of the device identifier, the activity type, score (0–100), and time-on-task — all linked to an access code, not to a name. What we do not collect: the child's full name (unless an admin explicitly typed it on the access code form), home address, contact details, photos, or audio.

If you believe we have collected a child's data without consent, contact us to request deletion. We will action deletion within 30 days.

Data Retention & Security

We take reasonable measures to protect data, including secure hosting, encryption at rest (Firestore + Cloud Storage default), TLS in transit, and access controls for admin features.

Your Rights

You may request access, correction, or deletion of personal data we hold about you by contacting us (see Contact below). We support a one-shot deletion routine that removes every event document whose key chain contains your organizationId or hashed deviceId.

Changes to this Policy

We will update this page whenever the event catalogue, retention windows, or third-party providers change. The effective date at the top of this page always reflects the latest revision. Material changes will be announced in the admin panel at least 14 days before they take effect.

Contact

For privacy requests or questions, email: flezapphk@gmail.com

This policy may be updated — the effective date at the top shows the latest revision.