Potato Class Privacy Policy

Effective Date: May 12, 2026 · Last reviewed: May 12, 2026

Potato Class is operated by Growing Standard LLC (“we,” “our,” or “us”). We are committed to protecting the privacy of children and all users of our educational math and reading application. This policy describes what information we collect, how we use it, and the choices available to parents, guardians, and school administrators.

Information We Collect

Account Information

Users may sign in with Google, Apple, or Clever SSO to enable cloud sync and classroom features. When signed in, we receive only the name and email address (or Clever user ID + district ID + school ID) provided by the sign-in service. Users may also use the app anonymously without signing in — in anonymous mode, all data is stored locally in the browser and is not transmitted to any server.

Educational Progress Data

We collect information about a student’s learning activity, including grade level, math skills practiced, questions answered, accuracy rates, stars earned, and assessment results. Math assessment data includes per-domain proficiency across four grade-appropriate math domains, math placement level (grade equivalent), per-domain grade-level placement, assessment response times (for rush detection), testing window history, and reliability metrics. Reading assessment data includes reading level (across Fountas & Pinnell, Lexile, DRA, and Grade Equivalent systems), per-skill reading proficiency across 16 skill areas, assessment response times, and testing window history. For signed-in users, this data is synced to our cloud database (Google Firebase Firestore) to enable cross-device access and classroom features. For anonymous users, this data is stored only in browser localStorage.

Reading Activity Data

We collect information about a student’s reading activity, including current book selection, library browsing history, and reading tool annotations (highlights and notes). For signed-in users, this data is synced to the cloud. For anonymous users, it remains in browser localStorage only.

Profile Customization

Users create a display name (max 20 characters), select a US state, and customize a potato character. Multiple profiles can be created under a single sign-in for family use, each with their own progress and character. Optional 4-digit PINs (stored as SHA-256 hashes) protect individual profiles. For signed-in users, this data is synced to the cloud. For anonymous users, it remains in browser localStorage only.

Language Preference

Users may select from 11 supported languages (English, Spanish, Chinese, Arabic, Vietnamese, Ukrainian, Portuguese, French, Hindi, Korean, Japanese). This preference is stored per profile to personalize the interface and voice-assistant language.

Information We Do NOT Collect

We do not collect precise geolocation, photos, contacts, browsing history, device identifiers for advertising, or biometric information. We do not use cookies or tracking pixels. We do not allow third-party advertising. Text input fields include automatic on-device filtering to prevent entry of email addresses, phone numbers, and other personally identifiable information.

How We Use Information

Reading Assessment Data

Reading assessment data is collected up to three times per school year during designated testing windows (Fall, Winter, Spring). This data includes:

Teachers in classrooms can view their students’ reading assessment results, including rush detection indicators, and may initiate retakes of specific skill areas where rushing was detected. Reading tool annotations (highlights, notes) are stored per-profile and per-book, and are not shared externally.

Math Assessment Data

Math assessment data is collected up to three times per school year during designated testing windows (Fall, Winter, Spring). This data includes:

Teachers in classrooms can view their students’ math assessment results, including per-domain proficiency levels and rush detection indicators.

Anonymized Assessment Analytics

When a student completes a math or reading assessment, an anonymized data record is stored in our database for the purpose of building empirical percentile norms. This record contains enrolled grade level, assessed level, per-domain scores, whether rushing was detected, and per-item correctness with pre-calibrated difficulty estimates.

This data contains no student names, email addresses, account identifiers, or any personally identifiable information. It cannot be linked back to any individual student. It is used solely to improve the accuracy of percentile rankings and assessment quality over time. The Firestore security rule on this collection permits authenticated writes only and denies all client reads — no student, teacher, or unauthenticated visitor can retrieve raw records.

Payment Information

Potato Class is free for students and families. The student-facing application has no in-app purchases, no consumer subscriptions, and no advertising. No payment information of any kind (credit card, bank account, Apple Pay, Google Pay) is ever collected, processed, or accessible to us from a student device. We do not use Stripe, Apple In-App Purchase, or any other payment processor at runtime. All runtime payment-processor integrations and API secrets have been removed from the application, the backend Worker, and the hosting infrastructure’s secret store.

Schools and districts that choose to unlock premium classroom features (teacher dashboards, the digital library, teacher-led lessons, the Grow adaptive assessment, multiplayer games) purchase per-student annual licenses from Growing Standard LLC. These institutional purchases are arranged entirely out-of-app via purchase order or ACH bank transfer through direct invoicing — never through the student application. No card data is collected, processed, or stored by Growing Standard in connection with these licenses.

AI and Generative Services

Potato Class does not use runtime LLM or generative-AI services to produce student content. All math questions, reading passages, hints, explanations, and AiPa dialogue are human-authored or produced by deterministic in-code generators that ship with the app bundle.

Voice narration (AiPa). The “AiPa” assistant character can speak its pre-authored lines using either the device’s built-in text-to-speech engine (Web Speech API on web, AVSpeechSynthesizer on iOS) or, for higher-quality narration, OpenAI’s text-to-speech API. When the OpenAI path is used, only the pre-scripted instructional phrase (e.g. “Which number is greater, 5 or 3?”) is sent for audio synthesis — never a student’s name, answer, performance data, or any free-form input. Synthesized audio is cached server-side on Cloudflare R2 by content hash, so most phrases are served from cache rather than re-synthesized.

Third-Party Services

Google Firebase (Authentication + Firestore)

We use Firebase Authentication for sign-in (Google, Apple, and Clever) and Firestore for cloud data storage. Firebase is certified under SOC 1, SOC 2, and SOC 3. All student data is stored in Firestore’s United States multi-region (us-central1); no data leaves the United States. Data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM with Google-managed keys).

Cloudflare (Workers + DNS)

We use Cloudflare Workers as a secure proxy for SSO token exchange. The Worker rejects any non-HTTPS request. Cloudflare does not store request content beyond immediate processing.

Clever (Optional SSO + Rostering)

For districts that use Clever, we accept Clever SSO sign-in and receive only the Clever user ID, district ID, and school ID. Clever is used as an authentication provider only.

Vercel

The web app is hosted on Vercel for static file serving and CDN. Vercel serves application files and performs no user data processing. No analytics, tracking, or advertising services are used on either platform.

Sentry (Error Monitoring)

We use Sentry to capture browser-side error reports so we can fix bugs that affect students. Sentry is hosted in the United States (Sentry’s US region). Before any error event leaves a student’s device, an on-device privacy filter strips email addresses, phone numbers, Social Security numbers, street addresses, and other personally identifiable strings from the payload. We additionally remove user identity (email, username, IP address), request cookies, and authorization headers before transmission. We do not enable Sentry Session Replay or Session Tracking. Sentry receives only sanitized stack traces, browser/OS metadata, and the URL path of the page where the error occurred — never student responses, names, or assessment data.
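The on-device filtering described for text input fields (under “Information We Do NOT Collect”) and for Sentry error events follows one pattern: match identifying strings on the device and replace or reject them before anything is transmitted. The JavaScript below is an added illustration of that pattern and is not Growing Standard’s own filter. The regular expressions, function names and sample event are constructed for the example (street-address matching, which the policy also mentions, is not attempted here); the `beforeSend` hook has the shape of the Sentry browser SDK’s `beforeSend` option, which receives an event and returns the event to send or `null` to drop it.

```javascript
// Added illustration, not Growing Standard's code: a client-side PII filter
// that serves both as an input-field check and as a Sentry beforeSend hook.
// The patterns are constructed for this example and are not exhaustive.
// SSN is listed before phone so an SSN is never partially consumed as a phone number.
const PII_PATTERNS = [
  { name: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { name: "ssn",   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: "phone", re: /\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/g },
];

// Returns the names of the PII kinds found in a string (empty array if clean).
function detectPii(text) {
  const found = [];
  for (const { name, re } of PII_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between test() calls
    if (re.test(String(text))) found.push(name);
  }
  return found;
}

// Replaces each match with a marker naming the kind of PII removed.
function scrubString(text) {
  let out = String(text);
  for (const { name, re } of PII_PATTERNS) {
    out = out.replace(re, `[redacted:${name}]`);
  }
  return out;
}

// Recursively scrubs every string in a JSON-like payload (objects, arrays,
// primitives). Returns a new value; the input is not mutated.
function scrubPayload(value) {
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map(scrubPayload);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubPayload(v);
    return out;
  }
  return value;
}

// Input-field guard for a display name: reject text containing PII rather
// than silently rewriting what the child typed.
function validateDisplayName(text) {
  const reasons = detectPii(text);
  return { ok: reasons.length === 0, reasons };
}

// beforeSend hook: drop user identity, cookies and auth headers, then scrub
// every remaining string. Register with Sentry.init({ beforeSend }).
function beforeSend(event) {
  const copy = scrubPayload(event);
  delete copy.user; // email, username, ip_address
  if (copy.request) {
    delete copy.request.cookies;
    if (copy.request.headers) {
      for (const h of Object.keys(copy.request.headers)) {
        const lower = h.toLowerCase();
        if (lower === "authorization" || lower === "cookie") delete copy.request.headers[h];
      }
    }
  }
  return copy;
}

// Constructed sample event (hypothetical values) to exercise the hook offline.
const SAMPLE_EVENT = {
  message: "Sync failed for parent jane.doe@example.com",
  user: { email: "jane.doe@example.com", ip_address: "203.0.113.7" },
  request: {
    url: "https://potatoclass.example/settings",
    cookies: "session=abc",
    headers: { Authorization: "Bearer example-token", "User-Agent": "Mozilla/5.0" },
  },
  extra: { note: "call 555-123-4567, SSN 123-45-6789" },
};

// Runs the filter over the sample and returns the sanitized event.
function demo() {
  return beforeSend(SAMPLE_EVENT);
}
```

The sanitized event keeps the stack-trace-relevant fields (message text with identifiers replaced, browser metadata, URL path) and loses identity, cookies and authorization headers, which is the split the policy describes. A practical check is to run the hook in a unit test against a payload seeded with known identifiers and assert that none survive, since a filter that is only exercised in production is easy to break unnoticed.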

We do not sell, rent, or share personal information with any third party for marketing, advertising, or profiling purposes.

Children’s Privacy (COPPA Compliance)

Potato Class is designed for children in grades K through high school. We comply with the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. §§6501–6506 and 16 C.F.R. Part 312). This section is our Online Notice under 16 C.F.R. §312.4(d) and supplements the Direct Notice we deliver to a parent at the time we ask for consent (see “Parental Consent for Children Under 13” below).

Operator identity

The operator collecting and maintaining information from children through Potato Class is Growing Standard LLC. The single point of contact for all COPPA-related questions, consent revocation, and requests to review or delete a child’s information is privacy@potatoclass.com.

Information we collect from children

The categories of personal information we collect from a child are limited to what is necessary to deliver the educational service. They are: the child’s first name or chosen display name; US state of residence; grade level; preferred language; educational progress data (math and reading skills practiced, questions answered, accuracy, stars earned, assessment results, response times); profile customization choices (potato character appearance, starter item); and reading activity data (book selections, highlights, notes). We do not collect precise geolocation, photos, contacts, audio recordings of the child’s voice, device identifiers used for advertising, or biometric information from children.

How information from children is used and disclosed

Information collected from a child is used only to provide the educational service: to personalize the experience, track learning progress aligned with state standards, compute placement and growth metrics, sync progress across devices the child’s parent has authorized, and surface progress reports to the parent or to teachers in a school context. We do not use information collected from children for behavioral advertising or profiling, we do not allow third-party advertising in the application, we do not sell or rent information about children, and we do not use information collected from children to train AI models. The full list of third-party service providers that process child information on our behalf (limited to authentication, encrypted cloud storage, and error monitoring with PII stripping) is in the “Third-Party Services” section above.

Parental consent for children under 13

Children under 13 cannot sign in to Potato Class directly. Apple Family Sharing and Google Family Link both block third-party-app sign-in for child accounts, and COPPA prohibits us from collecting information from a child under 13 without verifiable parental consent regardless of the platform. To use Potato Class at home, a parent or legal guardian creates a personal Potato Class account, then creates a child profile inside that account. Before any information is collected from the child, we present the parent with a Direct Notice (16 C.F.R. §312.4(c)) describing what we collect, how we use it, and the parent’s rights, and we obtain the parent’s express affirmative consent. The Direct Notice is presented in-app during the “Add child” flow.

Method of verifiable parental consent. We rely on a combination of (a) the parent’s verified online contact information obtained at sign-in through an OAuth provider (Apple, Google, or email), and (b) an in-app affirmative-attestation step in which the parent reviews the Direct Notice, confirms their relationship to the child as parent or legal guardian, and affirms consent. The attestation is recorded to an append-only audit log that captures the parent’s account email, the version of the notice shown, a timestamp, the device’s browser or platform information, and a salted hash of the IP address. This combined method is consistent with the “email plus” method described in 16 C.F.R. §312.5(b)(2)(ii). A parent who later believes the consent was provided by someone other than the actual parent or legal guardian can contact us at privacy@potatoclass.com and we will delete the affected child profile and all associated information.

School consent (in lieu of parental consent)

Where a child uses Potato Class through their school under an active school or district license, the school may consent on behalf of the parent for the educational purposes described above, as permitted under COPPA and the FTC’s school-authorization guidance. The school remains responsible for notifying parents of the use of Potato Class. We will enter into a Student Data Privacy Agreement with the school or district upon request.

Parental rights to review, refuse, and delete

A parent who has consented to the collection of information from their child may at any time:

We do not condition a child’s participation in the educational service on disclosure of more information than is reasonably necessary for that activity.

Other COPPA-aligned safeguards

Family Mode and Multiple Profiles Under One Account

Potato Class supports two account modes: school mode, in which a student signs in through Clever, ClassLink, or a school-domain Google account and is associated with a teacher’s classroom; and family mode, in which a parent signs in with a personal Apple, Google, or email account and manages one or more child profiles inside their account.

Profile limits. A school-mode student account holds exactly one profile (the student’s) and a school-mode teacher account holds exactly one profile (the teacher’s). A family-mode parent account holds up to eight child profiles by default, with a hard limit of twelve enforced server-side; parents who need additional profiles for legitimate reasons (e.g., a guardian for several children) can contact us at privacy@potatoclass.com.

Co-parents in a family. A second adult — a co-parent, spouse, or legal guardian with their own personal Apple, Google, or email account — may join a family using the family’s five-character join code. Co-parents have the same read and write access as the family owner to the roster, assignments, and progress data for the children in the family, and each co-parent signs their own COPPA consent for each child in the family at the time they join. Only the family owner (the parent who originally created the family) may remove a co-parent, transfer ownership of the family, or delete the family entirely. A co-parent may leave the family at any time without affecting the rest of the family’s data.

Data scope of each profile. Each profile’s data is associated with that profile only. A parent who has consented for one child has not thereby consented for any other child — the consent record we keep names the specific child profile. When a profile is deleted, the data associated with that profile is deleted on the timelines described in “Data Retention and Deletion” below; other profiles in the same family are unaffected.

Data Security

Breach Notification

In the event of a confirmed unauthorized access to student data:

We maintain an incident-response runbook and log relevant access events in an append-only audit collection. Security researchers may report vulnerabilities at potatoclass.com/security or via security@growingstandard.com.

Accessibility

Potato Class targets WCAG 2.1 Level AA conformance and ships teacher-togglable accommodations: reduced answer choices, mandated read-aloud, simplified language, font scaling (1.0–1.5×), and break reminders. Accommodation preferences are set by the teacher per student; Potato Class does not import or store a student’s IEP or 504 status. Adaptive assessments are untimed to match iReady and NWEA MAP Growth standards. A Voluntary Product Accessibility Template (VPAT 2.4) is available on request for district procurement review. Full accessibility statement: growingstandard.com/accessibility. Accessibility feedback: partnerships@growingstandard.com with subject “Accessibility:”.

Compliance & Certifications

Potato Class is built to meet the data privacy standards required by schools, districts, and families. We comply with or align to the following regulations and frameworks:

For data privacy agreements, compliance documentation, or district onboarding, contact privacy@potatoclass.com.

Data Retention and Deletion

Self-service deletion: Users can delete all their progress data directly from the app at any time via Settings → Data → “Delete All Progress Data.” This removes all progress, stars, accessories, and assessment data from the active account on both the device and cloud storage (if signed in). Deleted data is retained in a recovery state for 30 days, during which users can restore their progress via Settings → Data → “Restore Progress.” After 30 days, the data is permanently and irreversibly deleted from all systems.

Retention windows. Our retention posture is designed to match the baseline schools expect from peer screening tools (iReady, MAP Growth, Star, DIBELS):

A full collection-by-collection table is maintained in our internal Data Retention Policy and is available to districts on request as part of the DPA process. Retention sweeps run monthly and produce an auditable per-collection report.

Backups and deletion requests. We operate three independent backup lanes for disaster recovery: Firestore Point-in-Time Recovery (7-day window), Firebase-managed daily snapshots (14-day retention), and a project-isolated daily export to a separately-owned Google Cloud Storage destination (30-day retention with a bucket-level retention lock). When a parent or school requests deletion of a student’s data, we remove the data from production within the timelines above. Backups taken before the deletion request retain a snapshot of the data for the duration of each lane’s retention window — up to 30 days — and then age out automatically. Backups taken after the deletion request reflect the post-deletion state. We do not restore deleted data from a backup absent a specific written request. The 30-day retention lock on the project-isolated lane is a load-bearing security control: it prevents an attacker who gains administrative credentials from destroying our recovery surface, but it also means we cannot expedite removal from that lane below 30 days. All backup copies of deleted data are gone within 30 days of the deletion request.

Parent data access (self-serve). When a student has an active school or district license, a signed-in parent or guardian can visit Settings → Data in the app to (a) review the categories of data we store for each of their children’s profiles, (b) queue a machine-readable export request, or (c) queue a deletion request. Verified requests are fulfilled within 30 days and the fulfillment is logged. Parents without an active school or district license can make the same requests by contacting privacy@potatoclass.com.

Signed-in users: Educational progress data (math progress, math assessment history, reading levels, reading assessment history, and reading tool annotations) is retained under the windows above while the account is active. Users or parents may also request deletion of all personal data by contacting us directly. Verified deletion requests are fulfilled within 30 days. Schools may request bulk deletion when students leave the district or when use of Potato Class ends.

School-managed accounts: Students whose accounts are provisioned through a school or district roster (e.g., via Clever) cannot self-delete their data while their school enrollment is active. Data deletion for these students is managed by the school administrator or teacher. This ensures district data integrity and compliance with school data-governance policies. After the school enrollment ends, standard self-service deletion is available.

Anonymous web users: All data is stored locally in the browser and can be cleared by the user at any time by clearing browser data or using the in-app delete option. No server-side data exists to delete for anonymous users.

Access Logging (FERPA Audit Trail)

Every read of an identifiable student record by a teacher, school administrator, district administrator, parent, or platform administrator is recorded to an append-only audit collection (accessLog) with the reader’s role, the category of data viewed, the affected student ID, and a timestamp. These logs are retained for 3 years and are readable only by platform administrators. They are intended to make the data-access history auditable in line with FERPA §99.32 recordkeeping expectations. Access logs contain no assessment scores, response data, or free-text fields.

Parental Rights (FERPA Compliance)

For students using Potato Class through a school, the school acts as the parent’s agent for consenting to data collection under COPPA. Parents retain all FERPA rights: to inspect and review educational records, request corrections, and request deletion. Contact your child’s school or contact us directly to exercise these rights.

Changes to This Policy

We may update this policy from time to time. Changes will be posted in the app and at potatoclass.com/privacy. Material changes to how we handle children’s data will include prominent notice and any required consent.

Contact Us

If you have questions about this policy or wish to exercise your data rights, contact:

Growing Standard LLC
Email: privacy@potatoclass.com
Website: potatoclass.com