Privacy Policy.

Effective date: 2026-04-27. We'll update the date at the top of this page when we change anything material.

This policy explains what data GED Hall Pass collects, why, who we share it with, and your rights. We use plain language; see Terms of Service for the legally-binding contract.

1. What we collect

You give us

• Account info: email, display name, password (hashed — never stored in plain text).
• Learner profile: goal test date, experience level, weekly study hours. All optional.
• Practice activity: which questions you attempted, your answers, how long you took, and the correctness flag.
• Essays + tutor conversations: body text and AI feedback, stored so you can review and trend.
• Voice TTS requests: the text we converted to speech, for daily-quota tracking.

Automatically

• Session cookie: a signed JWT we set after sign-in. No third-party tracking cookies.
• Server logs: Cloudflare records the IP, user-agent, and request path of every API call. Retention is 24 hours by default.

2. Why we collect it

• Make the product work — every item above is used directly to render your dashboard, grade your work, or generate AI feedback.
• Bill your subscription — Stripe (our payment processor) gets your email and the plan you chose. We never see your card details.
• Send you a weekly digest if you opted in. You can opt out any time on your account page.
• Fight abuse + debug issues — server logs, scoped to 24h retention.

3. Who we share it with

We use a small set of trusted vendors. Each gets the minimum data needed to do its job.

• Cloudflare — hosting, edge database (D1), file storage (R2). Provides the infrastructure GED Hall Pass runs on.
• AIMLAPI — the AI gateway that powers Professor Hall, lesson generation, essay scoring, and text-to-speech. We send the relevant text payload (your essay, your tutor message, the lesson topic). We do not send your name or email.
• Stripe — billing. Receives your email and plan; returns subscription status via signed webhook.
• MailChannels — outbound email (verifications, password resets, weekly digests, teacher invites). Receives only what's in the email itself.

We do not sell your data. We do not allow advertisers to use it.

4. Your rights

• Access / portability: visit your account page and click Download my data to get a JSON archive of everything we have on you.
• Deletion: on the same page, Delete my account wipes your data permanently within 7 days. (We keep aggregate, anonymized counts for service-health reporting.)
• Correction: email hello@ged-hall-pass.pages.dev with what's wrong; we'll fix it within 7 days.
• Opt out of email: any email we send (besides legally required transactional ones) has an opt-out link.

If you live in the EU/UK (GDPR) or California (CCPA), the rights above are guaranteed by law and we comply. If you live elsewhere, we extend them anyway as a matter of policy.

5. Children

GED Hall Pass is built for adult learners (16+). We don't knowingly collect data from children under 13. If you believe a minor has signed up, contact us and we'll remove the account.

6. Security

Passwords are hashed with PBKDF2-SHA256 (120,000 iterations). Session tokens are HS256-signed JWTs in HttpOnly + Secure + SameSite=Lax cookies. All traffic is over TLS. Internal data sits on Cloudflare D1 / R2 with at-rest encryption.

No system is bulletproof. If we ever suffer a security incident affecting your data, we'll email you within 72 hours of confirming the scope.

7. Contact

Questions, requests, or complaints: hello@ged-hall-pass.pages.dev.