Last updated: March 30, 2026
Privacy Policy
CourseCove ("we," "us," or "our") operates the coursecove.io platform (the "Service"), a scheduling, client management, and payment platform for independent educators including tutors, music teachers, and coaches. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our Service.
We are committed to transparency and plain language. If anything in this policy is unclear, contact us at privacy@coursecove.io.
1. Information We Collect
1.1 Information You Provide
- Account information: Name, email address, and password when you create an educator account.
- Client and student information: Educators may enter client names, contact details, scheduling preferences, and lesson notes. Where clients are minors, this may include a parent or guardian's contact information.
- Payment information: Billing details necessary to process payments. CourseCove does not store credit card numbers or full payment credentials directly. All payment processing is handled by Stripe Connect (see Section 7).
- Communications: Messages you send through the platform, support requests, and feedback.
1.2 Information Collected Automatically
- Usage data: Pages visited, features used, timestamps, and general interaction patterns, collected via PostHog analytics (accessible to CourseCove administrators only).
- Device and connection data: Browser type, operating system, IP address, and referring URL.
- Error and performance data: Crash reports and performance metrics collected via Sentry for the purpose of maintaining service reliability.
1.3 Information We Do Not Collect
- We do not use tracking cookies on the student-facing portal.
- We do not collect biometric identifiers.
- We do not purchase personal information from third-party data brokers.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service, including scheduling, client management, and payment processing.
- Authenticate users and secure accounts.
- Process payments through Stripe Connect on behalf of educators.
- Send transactional communications such as appointment confirmations, payment receipts, and account notifications.
- Send marketing communications where you have opted in (you may unsubscribe at any time; see Section 9).
- Power AI-assisted features such as lesson note suggestions, using Anthropic Claude with privacy safeguards (see Section 6).
- Monitor for abuse, enforce our terms, and comply with legal obligations.
- Perform rate limiting via Upstash Redis to protect platform integrity.
We do not sell your personal information. We have never sold personal information and have no plans to do so.
3. Data Encryption and Security
We take the security of your data seriously and implement multiple layers of protection:
- Encryption at rest: Personally identifiable information (PII) is encrypted using AES-256-GCM envelope encryption. Each record uses a unique data encryption key, which is itself encrypted by a master key.
- Searchable encrypted fields: Where we need to search encrypted data (for example, to look up a client by name), we use HMAC-based blind indexes. These indexes allow lookups without decrypting the underlying data.
- Encryption in transit: All data transmitted between your browser and our servers uses TLS (HTTPS).
- Database security: Our database infrastructure is hosted on Supabase with row-level security policies, ensuring users can only access their own data.
- Access controls: Internal access to production data is restricted to authorized personnel on a need-to-know basis.
4. Data Retention and Deletion
- Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
- Account deletion: When you request account deletion, we initiate a 30-day soft-delete grace period. During this window, your account is deactivated and your data is inaccessible, but it can be recovered if you change your mind. After the 30-day period, all personal data is permanently and irreversibly purged from our systems (hard delete).
- Legal retention: We may retain certain data beyond the deletion period where required by law (for example, financial transaction records for tax compliance).
- Backup systems: Deleted data may persist in encrypted backups for a limited period consistent with our backup rotation schedule, after which it is permanently removed.
5. Cookies and Similar Technologies
CourseCove uses a minimal cookie approach:
- Authentication session cookies: We use session cookies provided by Supabase to keep you logged in. These are strictly necessary for the Service to function and cannot be disabled.
- No tracking cookies on the student portal: The student-facing portal does not use any analytics or tracking cookies.
- Analytics (educator dashboard only): PostHog analytics is used on the educator dashboard for internal product improvement. The analytics data is accessible to CourseCove administrators only and is not used for advertising.
We do not use third-party advertising cookies or participate in cross-site tracking networks.
6. Artificial Intelligence Features
CourseCove uses AI-powered features to help educators with tasks like drafting lesson notes and generating scheduling suggestions. These features are powered by Anthropic Claude. Here is how we protect your data when using AI:
- PII stripping: Before any data is sent to Anthropic's Claude API, personally identifiable information is stripped from the request. Names, email addresses, phone numbers, and other identifying details are removed or replaced with anonymous placeholders.
- Human review requirement: AI-generated output is always reviewed by the educator before it becomes visible to students or clients. No AI-generated content is shown to students without explicit educator approval.
- No model training: Data sent to Anthropic Claude through our API integration is not used by Anthropic to train their models. We use Anthropic's commercial API, which is governed by their commercial terms that prohibit training on customer data.
- Data minimization: We send only the minimum context necessary for the AI feature to function. Full client records are never sent to the AI provider.
You may choose not to use AI-powered features. Opting out of AI features does not affect your ability to use the core scheduling, client management, and payment features of the Service.
7. Third-Party Services
We use the following third-party service providers to operate CourseCove. Each provider receives only the data necessary for them to perform their function:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting and authentication | Account credentials (hashed), encrypted application data |
| Stripe Connect | Payment processing | Billing name, payment method details, transaction amounts (Stripe is PCI DSS Level 1 certified; see Section 8) |
| Resend | Transactional and marketing email delivery | Email address, name, email content |
| PostHog | Product analytics (admin only) | Anonymized usage events, page views (educator dashboard only; not used on student portal) |
| Sentry | Error tracking and performance monitoring | Error context, stack traces, browser/device metadata |
| Anthropic Claude | AI-assisted features | De-identified text snippets only (PII stripped before transmission) |
| Upstash Redis | Rate limiting | Hashed identifiers, request counts, timestamps |
We require all third-party providers to maintain appropriate security measures and to process data only as instructed by us, consistent with this policy and applicable data protection laws.
8. Payment Security (PCI DSS)
CourseCove integrates with Stripe Connect to process payments between clients and educators. This means:
- CourseCove does not store, process, or transmit credit card numbers. Card details are entered directly into Stripe's secure payment forms (Stripe Elements), which are embedded in our interface but hosted by Stripe.
- Stripe is certified as a PCI DSS Level 1 Service Provider, the most rigorous level of certification in the payments industry. Stripe's PCI compliance covers the collection, storage, and processing of cardholder data.
- We use Stripe's tokenization system, meaning CourseCove only receives a token reference for each payment method, never the actual card number.
- Educators who receive payments through Stripe Connect onboard directly with Stripe, and their identity verification is handled by Stripe in accordance with Stripe's own privacy policy.
For more information, see Stripe's Privacy Policy and Stripe's Security Documentation.
9. Email Communications (CAN-SPAM and CASL Compliance)
9.1 Transactional Emails
We send transactional emails that are necessary for the operation of the Service, including appointment confirmations, payment receipts, schedule changes, and account security notifications. These messages do not require opt-in consent because they relate directly to your use of the Service.
9.2 Marketing Emails
We may send marketing communications about new features, tips, or promotions. These emails are sent only with your explicit consent and comply with the following requirements:
- Clear identification of CourseCove as the sender with a valid physical postal address.
- Honest, non-deceptive subject lines that reflect the email's content.
- A prominent, functional unsubscribe link in every marketing email.
- All opt-out requests are honored within 10 business days as required by the CAN-SPAM Act.
9.3 Canadian Users (CASL)
For users in Canada, we comply with Canada's Anti-Spam Legislation (CASL). We obtain express consent before sending commercial electronic messages, clearly identify ourselves as the sender, and provide a working unsubscribe mechanism in every message. Unsubscribe requests are processed promptly.
10. Children's Privacy (COPPA Compliance)
CourseCove is designed for use by educators (adults), not by children directly. However, because our platform serves educators who teach minors, we take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA), including the amended COPPA Rule effective April 22, 2026.
10.1 How Children's Data Enters CourseCove
Children do not create accounts on CourseCove. Educators (adults) enter information about their students, which may include minors under 13. This information is entered and managed by the educator, not the child.
10.2 Data Minimization for Minors
We encourage educators to collect and enter only the minimum information necessary to manage their teaching relationships. We do not require or request detailed personal profiles for minor students beyond what is needed for scheduling and communication.
10.3 Parental Consent and Access
- Where the student-facing portal may be accessed by a child under 13, verifiable parental consent is obtained before any personal information is collected from the child directly.
- Parents or guardians may request to review, correct, or delete their child's personal information by contacting us at privacy@coursecove.io or by contacting their educator directly.
- We do not condition a child's participation in any activity on the disclosure of more personal information than is reasonably necessary.
10.4 No Third-Party Disclosure for Advertising
We do not disclose children's personal information to third parties for advertising or marketing purposes. In accordance with the amended COPPA Rule, we obtain separate verifiable parental consent before any disclosure of a child's personal information to third parties for purposes that are not integral to the Service. [NEEDS LEGAL REVIEW: Confirm specific verifiable parental consent methods meet the amended COPPA Rule requirements effective April 22, 2026, including knowledge-based authentication and text-plus methods.]
10.5 Data Retention for Children's Information
Personal information relating to children is retained only as long as reasonably necessary to fulfill the purpose for which it was collected. When an educator deletes a minor student's record, it follows the same 30-day soft-delete and hard purge process described in Section 4.
10.6 Security Program
In accordance with the amended COPPA Rule, we maintain a written information security program appropriate to the sensitivity of children's information. This includes designated security coordination, regular risk assessments, and oversight of service providers who may access children's data.
11. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information. The following rights apply as of January 1, 2026, including the latest CPPA regulatory updates:
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request that we delete personal information we have collected from you. Upon receiving a verified request, we will delete your information and direct our service providers and contractors to do the same, subject to certain legal exceptions (for example, completing a transaction or complying with a legal obligation).
- Right to correct: You may request that we correct inaccurate personal information we maintain about you.
- Right to opt-out of sale or sharing: We do not sell your personal information, nor do we share it for cross-context behavioral advertising. Because we do not engage in these practices, there is no need to submit an opt-out request. If our practices ever change, we will provide a clear "Do Not Sell or Share My Personal Information" link on our website.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to limit use of sensitive personal information: To the extent we process sensitive personal information, we use it only as necessary to provide the Service.
How to Submit a Request
To exercise any of the rights above, contact us at privacy@coursecove.io. We will verify your identity before processing your request and respond within 45 days, as required by law. If we need additional time, we will notify you of the extension and the reason.
Retention Periods
In accordance with CPRA requirements, we disclose that personal information is retained as described in Section 4 (Data Retention and Deletion). Financial transaction records may be retained longer as required by tax and financial regulations.
12. Canadian Privacy Rights (PIPEDA)
If you are located in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). We comply with the following PIPEDA principles:
- Accountability: CourseCove is responsible for personal information under our control. We have designated a privacy officer who can be reached at privacy@coursecove.io.
- Consent: We obtain meaningful consent for the collection, use, and disclosure of your personal information. We use express consent for sensitive information and may rely on implied consent for routine processing that a reasonable person would expect.
- Limiting collection: We collect only the personal information necessary for the purposes we have identified.
- Limiting use, disclosure, and retention: Personal information is used and disclosed only for the purposes for which it was collected, and is retained only as long as necessary to fulfill those purposes.
- Accuracy: We take reasonable steps to ensure personal information is accurate, complete, and up-to-date.
- Safeguards: We protect personal information with security safeguards appropriate to the sensitivity of the information (see Section 3).
- Right to access: You may request access to your personal information held by CourseCove. We will respond to access requests within 30 days.
- Right to challenge compliance: You may challenge our compliance with these principles by contacting our privacy officer. If we cannot resolve your concern, you may file a complaint with the Office of the Privacy Commissioner of Canada.
[NEEDS LEGAL REVIEW: Monitor status of the proposed federal private-sector privacy statute expected in 2026, which may introduce data portability rights and a penalty-based enforcement regime that could affect CourseCove's obligations to Canadian users.]
13. International Data Transfers
CourseCove's servers and third-party service providers are primarily located in the United States. If you access the Service from outside the United States, your personal information may be transferred to, stored, and processed in the United States or other jurisdictions where our service providers operate.
By using the Service, you acknowledge that your information may be transferred internationally. We ensure that such transfers are protected by appropriate safeguards, including encryption in transit and at rest, contractual data processing agreements with our service providers, and the security measures described in this policy.
14. Your Choices and Controls
- Account settings: You can update your profile information, email preferences, and notification settings from your account dashboard at any time.
- Marketing opt-out: You can unsubscribe from marketing emails by clicking the unsubscribe link in any marketing email, or by updating your preferences in your account settings.
- AI features: You may choose not to use AI-powered features. Core platform functionality is not dependent on AI.
- Data export: You may request a copy of your data in a structured, commonly used format by contacting us at privacy@coursecove.io.
- Account deletion: You may delete your account at any time through your account settings or by contacting us. See Section 4 for details on our deletion process.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you by email or through a prominent notice on the Service before the changes take effect.
- Where required by law, obtain your consent to material changes.
We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@coursecove.io
- Privacy Officer: Reachable at the email address above
- Website: coursecove.io
For CCPA/CPRA requests, we will confirm receipt within 10 business days and provide a substantive response within 45 days. For PIPEDA access requests, we will respond within 30 days.
This privacy policy is provided for informational purposes and should be reviewed by qualified legal counsel before relying on it for compliance.