Legal · updated May 17, 2026
Privacy
This is the policy we follow for every Think ASL user — school students who launch via LTI, independent learners and interpreters who sign up with a magic link. Plain English first; the contract terms follow.
The short version
- Camera frames never leave your device. Recognition runs in your browser. Only the recognized letter or digit reaches our server, and only when you submit an answer.
- We don't record audio. The curriculum is silent video. There is no microphone in the product.
- We don't run third-party trackers. No Google Analytics, no Hotjar, no Pendo, no Mixpanel. First-party event counts only.
- We don't sell or share data for advertising. Ever. We honor Global Privacy Control.
- We don't auto-caption ASL. Captions are hand-authored English transcripts of the voice-over.
- You can delete your data. See section 7. School students: ask your school admin; SLA is 14 days. Independent learners: email us; SLA is 30 days.
1. What we collect from LTI launches
When a school student launches Think ASL from their LMS, the platform sends an OIDC id_token containing standard LTI 1.3 claims. We use and store: the platform issuer (iss), the LMS subject ID (sub), the user's name, the user's email if the platform releases it, the LTI role (mapped to school-admin / school-teacher / school-student), the context (course ID and title), the resource link (which lesson or quiz was launched), and the deployment ID. We do not request or store address, phone, date of birth, parent contact, IEP/504 flags, demographic categories, behavioural records, or free-text fields beyond name and email. We do not consume the profile picture or locale claims in v1.
2. What we collect beyond the launch
Quiz attempts. Each attempt's question, your answer (as letter tokens or typed text), the score, the timestamp, and the time taken. Retained for one year, then archived with name and email redacted for the audit record.
Lesson progress. Status (not-started / watched / passed / mastered), best score, attempt count. For school students this is permanent (it's the school's gradebook record). For independent learners this is deletable on request.
Calibration data. Per-user handshape baselines, about 2KB, computed at first camera use. Stored against your account; deletable on request.
Session cookie. A JWT good for 30 days, stored as an HTTP-only cookie. The server-side nonce cache holds the cookie's signature for 5 minutes during auth handshakes.
Payments. If you pay us, Stripe holds the cardholder data (we never see it). We store your email, the last 4 digits of the card, and the subscription metadata for 7 years for tax purposes.
CEU certificates. Issued certificates are permanent — the PDF lives in our object storage, and the certificate record (name, credit value, date, ID) lives in the control sheet. Certificates can be revoked, but the record is not deleted.
3. What we never collect
Camera frames. The recognizer runs in your browser via TensorFlow.js. Frames are processed locally; only the recognized letter ever reaches our server, and only when you submit an answer for grading. No path in this product uploads video.
Audio. The curriculum is silent video. There is no microphone capture, no voice recording, no transcription of anything you say.
Screen contents. No screen-share, no screen recording, no proctoring overlay.
Behavioural or affective signals. We do not score attention, emotion, engagement, or anything of the kind.
4. Where data lives
The system of record is a Google Sheet (control sheet) plus one per-school sub-sheet for each school under contract. School student PII lives only in the per-school sub-sheet; the control sheet keeps opaque (school_id, user_id) pairs and nothing else. Cloudflare Workers KV holds sessions, nonces, and the tool keypair. Cloudflare R2 holds issued CEU PDFs. Stripe holds payment instruments. Vimeo holds the lecture and quiz videos under private-embed restrictions.
5. Subprocessors
- Cloudflare, Inc. — Workers compute, KV, R2, DNS. Sessions, opaque sub, certificate PDFs.
- Google LLC (Workspace) — Sheets, Apps Script, Gmail relay for magic-link mail. Names, emails, quiz attempts, certificates, audit log.
- Stripe, Inc. — Payment processing. Cardholder name, email, last 4, subscription metadata.
- Vimeo, Inc. — Private-embed lecture and quiz videos. Vimeo sees the viewer's IP and user agent at playback time.
We do not use a third-party analytics SDK that fingerprints learners. If we add a subprocessor we update this list before the change goes live.
6. Regulatory posture
FERPA (US). Think ASL acts as a school official under FERPA when used by a US K–12 or post-secondary institution under contract. The school owns the educational record; we are the custodian. Data is not used for any purpose beyond delivering the educational service to that school. On contract termination, the school's sub-sheet is exported in full to the school and deleted from our infrastructure within 30 days unless the school requests an extension in writing.
COPPA (US, under 13). Think ASL is marketed for grades 6 and up. We do not knowingly collect data on children under 13 outside a school-launched LTI session, where the school is responsible for parental consent under the COPPA school-authorisation pathway.
GDPR (EU/UK). For EU/UK schools, we act as a processor to the school's controller role. We sign a Data Processing Addendum on request. Lawful basis is contractual necessity. For direct sign-ups, we are the controller; lawful basis is consent plus contractual necessity for paid plans.
State privacy laws (US). We do not sell or share data for cross-context behavioural advertising. We honor Global Privacy Control. Subject-rights requests are handled per section 7.
7. Deletion
School students (LTI-provisioned). Your school admin emails us with your name and the school's ID. We redact your name and email in the per-school sub-sheet, hash the user ID in your quiz attempts, and preserve the score aggregates for the school's gradebook. Any CEU certificate is revoked rather than deleted (the PDF is a legal record; the public verification surface flips to REVOKED). SLA: 14 calendar days from the school's request.
Independent learners. Email thinkasl@madeby1891.com from the email on file. SLA: 30 calendar days for full deletion, or 14 days for the "redact PII but keep aggregate" path.
Interpreters. Same as independent learners. Unrevoked CEU certificates keep their cert ID and credit value but the recipient name is hashed on the verification surface ("name redacted on request"). This keeps the cert auditable for the sponsoring body without exposing you.
Full data export. Available on request. CSV of every row keyed to your user ID, plus all certificate PDFs zipped. Delivered via signed download link valid for 7 days.
8. Breach notification
If we detect or are informed of unauthorised access to school student PII, we notify the school's admin contact within 72 hours of confirmed detection, with scope, timeline, and remediation. This matches the GDPR 72-hour clock and is the strictest applicable standard.
9. Children's content guardrails
The original 2011 textbook was authored for an adult higher-ed and ITP audience. Fallon Brizendine's revision pass flags any content unsuitable for a school audience and the build script blocks deploy until each flag is signed off. We do not ship a school version that contains content the editor flagged for removal.
10. Contact and questions
Email thinkasl@madeby1891.com or use the contact form. For school district privacy review, ask for the data-handling narrative — it is more detailed than this public page and includes the 1EdTech submission addenda.
This page is the public summary. The full operational policy lives in the project documentation at docs/lti-certification/PRIVACY-NARRATIVE.md and is the version shared with district counsel under NDA.