BAP AI Tutor Privacy Policy

1. Who this policy covers

This policy explains how BAP, Inc., a Delaware corporation ("BAP," "we," "us," "our"), collects, uses, shares, and protects information about people who use the BAP service. It applies to:

• The BAP web application at https://bap.best and any subdomains we operate.
• The BAP iOS application.
• Communications you send us by email or other support channels.

The BAP AI Tutor — Smart Importer Chrome extension is governed by a separate, narrower policy at bap.best/privacy-extension. Where the extension transfers content into your BAP account, this policy then applies to that content.

BAP is operated from the United States. Our service is intended for college and university students aged 18 and older. See Section 10 for how we handle younger users.

2. Information we collect

We collect only what we need to operate the service, satisfy our legal obligations, and protect users. The categories below describe what we collect, where it comes from, and why.

2.1 Account and identity information

• Email address — required to create your account, sign in, and receive transactional emails.
• Display name — required so peers and instructors can identify you in study groups.
• Profile photo URL — optional, taken from your Google profile if you sign in with Google.
• Password — handled by Firebase Authentication; we never see or store your password ourselves.
• Date of birth — optional unless you sign up as a minor (see Section 10). We store a one-way hash of your date of birth for age-verification recordkeeping; we do not store the raw date of birth.
• Google account identifier — if you sign in with Google, we receive your Google account ID, email, and basic profile fields. We do not request access to your Gmail, Drive, or Calendar.

2.2 Coursework and content you provide

• Files you upload — PDFs, slides, images, and documents you bring into your BAP workspace.
• Imported LMS content — course names, assignment names, due dates, file names, file URLs, file contents, item IDs, and discussion-topic information you choose to import from your learning-management system through the BAP extension.
• AI tutor conversations — your messages to the BAP tutor and the tutor's responses.
• Study artifacts — notes, flashcards, practice-exam responses, study plans, concept explanations, custom questions, annotations, and "teach-back" explanations you create in BAP.
• Study-group activity — posts, threads, messages, shared files, comments, and reactions inside groups you join.
• Course derivatives — embeddings (numeric representations) we compute from your course materials so the tutor can retrieve relevant passages when answering you.

2.3 Service-provider authentication tokens

• LMS session tokens — when you connect a learning-management system through the BAP extension, the extension may capture session cookies or authentication tokens that the LMS already sets in your browser. Those tokens are encrypted with AES before storage and are used only to fetch the materials you asked us to import.
• Firebase ID tokens — short-lived session tokens we use to verify that requests come from your signed-in account.

2.4 Usage and device information

• Application logs — request method, path, status code, response time, and a server-generated request identifier. We do not log full request or response bodies in normal operation.
• IP address — used transiently for security, abuse detection, and rate limiting; not joined to your profile for marketing.
• Browser and device information — user-agent string, browser language, time zone, and approximate device type, gathered from request headers and used for compatibility and security.
• In-product analytics events — counts of feature usage (for example, number of practice exams generated this month) used to enforce plan limits and improve the product. These events are tied to your account; they are not shared with any third-party analytics service.
• Audit log — for FERPA-aligned recordkeeping, we maintain an immutable audit trail of significant events such as sign-in, sign-out, role changes, file access, AI-retrieval events, instructor-visibility consent changes, and disclosures.

2.5 Billing information

• Subscription status — your active plan, billing status, current period end, country, and currency.
• Stripe customer identifier — issued by Stripe when you start a paid plan; we use it to look up your subscription. We do not see or store your full credit-card number, CVV, or bank-account number. Stripe collects, stores, and processes that information directly under Stripe's privacy policy.
• Invoice metadata — invoice IDs, amounts, and payment status received from Stripe webhooks for accounting and tax purposes.

2.6 Communications and support

• Emails you send to us at [email protected] or [email protected], including the message, attachments, and basic header information.
• In-product feedback, bug reports, and support requests you submit.

2.7 Information we do not collect

• We do not collect precise geolocation, GPS coordinates, or nearby-device data.
• We do not collect biometric identifiers (faceprints, voiceprints, fingerprints, gait, or retina scans).
• We do not collect Social Security numbers, passport numbers, driver's-license numbers, or other government-issued identifiers.
• We do not collect health, medical, or insurance information.
• We do not collect race, ethnicity, religion, union membership, sexual orientation, citizenship, or immigration status.
• We do not collect general web-browsing history outside the BAP service and the LMS sites the extension is configured for.

3. How we use information

We use the information described above only for the purposes listed below. Where our basis under EU or UK GDPR matters, we identify it.

What we do not do. We do not use your account information, your coursework, your AI-tutor conversations, or your study-group content for advertising. We do not use your information to assess your creditworthiness, eligibility for lending, or eligibility for insurance. We do not make consequential decisions about you using AI: BAP does not assign grades, make admissions decisions, allocate scholarships, or make employment decisions.

4. AI tutoring and how your content is processed

When you ask the BAP tutor a question or generate a study artifact, BAP sends the content needed to answer the request to one or more AI service providers. As of the date of this policy, those providers are:

• Anthropic, PBC — Claude family models, used for chat, explanations, and exam generation. Anthropic's privacy policy.
• Google LLC — Gemini family models and Vertex AI, used for chat, embeddings, and content extraction. Google's privacy policy.

No model training on your content. BAP accesses these providers through their commercial APIs under terms that prohibit them from using your content to train their general-purpose foundation models. We do not opt in to any "improve the model" or "share for training" setting on these APIs. If we ever change which providers we use or expand the list, we will update this section before the change takes effect.

What gets sent. The provider receives only what is needed to produce the response you asked for: your prompt, the relevant retrieved passages from your course materials, and prior turns in the same conversation. The provider does not receive your account email, your billing information, or your study-group membership.

Limits on automated processing. AI output is not authoritative. The tutor can be wrong. You are responsible for verifying important facts before relying on them, especially for graded assignments and exams. We do not use AI to make consequential decisions about you (see Section 3).

Embeddings and retrieval. We compute numeric "embeddings" of your course materials and store them in our retrieval database (Chroma). Embeddings let the tutor find the right passage to cite when you ask a question. Embeddings are derived from your content and are protected by the same access controls.

If you do not want a particular file to be available to the AI tutor, do not upload it to your BAP workspace. You can also delete a file at any time, which removes it from the AI retrieval index. See Section 7.

5. How we share information and our service providers

We share information only with the categories of recipients below, only for the purposes shown, and only under written agreements that require them to protect your information and use it solely on our instructions.

We do not sell your personal information. Under California, Colorado, Connecticut, Virginia, Texas, Maryland, and other state privacy laws, "sale" means disclosing personal information for monetary or other valuable consideration, and "sharing" means disclosing it for cross-context behavioral advertising. We do neither.

We do not run third-party advertising on the service. We do not embed advertising pixels (including from Meta, Google Ads, TikTok, LinkedIn, Snap, X/Twitter, or any other ad network) on the signed-in BAP product.

6. Cookies and similar technologies

We use a small number of cookies and local storage entries that are strictly necessary to operate the service:

• Authentication. Firebase Authentication tokens to keep you signed in.
• Preferences. Your light/dark theme, calendar view selection, and similar interface preferences.
• Onboarding state. Flags so we don't re-show first-run hints.

We do not use cookies or local storage for advertising, cross-site tracking, retargeting, or analytics-vendor profiling. We do not embed third-party tags such as Google Analytics, Meta Pixel, LinkedIn Insight Tag, or TikTok Pixel on the BAP application.

Global Privacy Control (GPC) and "Do Not Track." Because we do not sell or share your personal information for cross-context behavioral advertising, GPC signals do not change how we process your information; we already do not engage in those practices. We do not respond to legacy "Do Not Track" headers because there is no consensus standard for them.

7. Your choices and account controls

• Sign in or out. You can sign out from any device at any time.
• Edit your profile. You can update your display name, profile photo, and notification preferences in account settings.
• Control study-group sharing. What you post inside a group is visible to other members of that group. You can leave a group at any time; content you posted before leaving may remain visible to remaining members until you delete it.
• Instructor visibility. Where your school uses BAP and you join a course, you can opt in or out of letting your instructor see your individual progress. Instructor visibility is off by default (see Section 11).
• Delete content. You can delete files, notes, flashcards, practice exams, and other artifacts from your workspace. Deleted items are removed from the live database and from the AI retrieval index. Backup copies expire on the schedule in Section 12.
• Delete your account. Email [email protected] from the address associated with your account and ask us to close it and delete your data. We will verify your identity, complete deletion within thirty (30) days, and confirm in writing. We will retain only what we are legally required to keep (for example, billing records for tax purposes).
• Export your data. Email [email protected] and we will provide a portable export of your account information, your uploaded files, and the artifacts you have created.
• Withdraw consent. Where we rely on your consent for a specific processing activity, you can withdraw that consent at any time without affecting the lawfulness of prior processing.
• Stop receiving non-transactional email. If we ever send you product or marketing email, every message will include an unsubscribe link.

8. U.S. state privacy rights

If you live in a U.S. state with a comprehensive consumer-privacy law — including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia — you have the rights summarized here. Some of these laws give residents additional or differently-framed rights; we honor whichever rights apply to you.

• Right to know. Confirm whether we process your personal information and obtain a copy of what we have.
• Right to delete. Request that we delete your personal information, subject to legal exceptions.
• Right to correct. Request that we correct inaccurate personal information about you.
• Right to portability. Receive your personal information in a portable, readily usable format where feasible.
• Right to opt out of "sale" and "sharing." We do not sell or share personal information for cross-context behavioral advertising; this right has nothing to opt out of for BAP.
• Right to opt out of profiling for decisions with legal or similarly significant effects. We do not engage in this kind of profiling.
• Right to limit use of sensitive personal information. We do not use sensitive personal information beyond the limited account, security, and FERPA-recordkeeping purposes described in this policy.
• Right to non-discrimination. We will not deny service, charge a different price, or provide a different quality of service because you exercised a privacy right.
• Right to appeal. If we deny a request, you can appeal by replying to our denial. We will respond within sixty (60) days. If you remain dissatisfied, you can contact your state attorney general.
• Authorized agent. You can designate an agent to make a request for you. We will verify the agent's authority and your identity before responding.

How to exercise these rights. Email [email protected] with the subject line "Privacy request" and tell us which right you are exercising. We will verify your identity by matching your request to the email associated with your BAP account; we may ask additional verification questions for sensitive requests. We respond within forty-five (45) days and may extend by another forty-five (45) days if reasonably necessary, with notice to you.

California-specific notes.

• BAP qualifies for the online-only-business exception in Cal. Civ. Code § 1798.130 and accepts privacy requests by email; we do not maintain a toll-free number.
• "Shine the Light" (Cal. Civ. Code § 1798.83). We do not disclose personal information to third parties for their direct marketing purposes.
• Sensitive personal information. The categories of sensitive personal information we process are: account log-in credentials and the contents of student-uploaded coursework that the user chooses to upload. We use sensitive personal information only to provide the service the user requested and to secure the account.
• We have not sold or shared personal information of any consumer in the preceding twelve (12) months and have no plans to.

Maryland Online Data Privacy Act (effective Oct. 1, 2025). We collect only the personal data reasonably necessary and proportionate to provide the BAP service to you. We do not sell sensitive data. We do not use the personal data of consumers we know to be under 18 for targeted advertising and we do not sell the personal data of those consumers.

Nevada (NRS Chapter 603A). Nevada residents can submit a verified request directing us not to make any future "sale" of their covered information to [email protected]. We do not sell covered information.

9. EU, UK, and Swiss rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, the following rights apply under the EU GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection, as applicable.

• Right of access to your personal data and information about how it is processed (Art. 15).
• Right to rectification of inaccurate or incomplete personal data (Art. 16).
• Right to erasure ("right to be forgotten") in the circumstances listed in Art. 17.
• Right to restriction of processing in the circumstances listed in Art. 18.
• Right to data portability for data you provided that we process by automated means under contract or consent (Art. 20).
• Right to object to processing based on legitimate interests, including profiling, on grounds relating to your particular situation (Art. 21).
• Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you (Art. 22). BAP does not make such decisions.
• Right to withdraw consent at any time where processing is based on consent (Art. 7).
• Right to lodge a complaint with a supervisory authority. For users in the EU, contact your national data-protection authority. For users in the UK, contact the Information Commissioner's Office at ico.org.uk.

Controller. BAP is the controller for the processing described in this policy. Our contact details are in Section 17. We have not appointed a Data Protection Officer because our processing does not meet the thresholds in Art. 37; for any data-protection question, write to [email protected].

EU/UK representative. BAP does not currently maintain establishment in the EU or UK. If you are an EU/UK user and need an in-region representative, contact us at [email protected]; we will identify a representative if your circumstances require one under Art. 27.

10. Children and minors

BAP is intended for users 18 and older. We do not direct the service to children under 13 and we do not knowingly collect personal information from children under 13 without verifiable parental consent.

The BAP signup flow asks for date of birth. Based on the answer:

• Under 13. We do not create the account. If we later learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. Parents who believe their child has provided personal information to BAP should email [email protected].
• 13 through 17. The account is held in a "pending consent" state. We send a verifiable parental-consent request to a parent's email address, which expires if not acted on within seven (7) days. The account becomes active only after the parent or legal guardian gives consent. We obtain a separate consent for any third-party disclosure of the minor's personal information beyond the disclosures necessary to provide the service.
• 18 and older. The account becomes active immediately.

For minors aged 13 to 17:

• We do not use their personal information for targeted advertising.
• We do not sell or share their personal information.
• We do not profile them for decisions with legal or similarly significant effects.
• Parents and legal guardians can review their child's information, request deletion, and revoke consent at any time by emailing [email protected].

We comply with the Children's Online Privacy Protection Act (COPPA) and the FTC's 2025 amendments to the COPPA Rule, including the requirement of separate verifiable parental consent for third-party disclosures and the data-retention limits in 16 CFR § 312.10.

11. Education records and FERPA

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records held by schools. BAP, as a service offered directly to students, generally does not hold "education records" within FERPA's meaning when a student voluntarily uploads their own coursework. The student is making the disclosure; the school is not.

Where a school contracts with BAP to provide the service to its students, BAP operates as a "school official" under 34 CFR § 99.31(a)(1)(i)(B). In that role:

• BAP performs services the school would otherwise use its own employees for.
• BAP is under the direct control of the school with respect to use and maintenance of education records.
• BAP uses education records solely to provide the contracted service.
• BAP does not re-disclose education records except as authorized by the school or required by law (34 CFR § 99.33(a)).
• BAP supports the school in honoring the rights of parents and eligible students under FERPA.
• BAP returns or destroys education records at the end of the engagement on the school's instruction.

Instructor visibility is opt-in. Even where your school uses BAP, an instructor cannot see your individual progress unless you choose to share it. The default is private. Consent changes are recorded in the audit log.

Aggregate analytics. Where your school uses BAP, instructors may see aggregated, privacy-thresholded analytics about cohort performance. We suppress aggregates that fall below the threshold needed to prevent re-identification of individual students.

NY Education Law § 2-d. Section 2-d applies to NY pre-K–12 educational agencies and their contractors. BAP is offered to higher-education users and is not a § 2-d "third-party contractor" for any K–12 agency unless we sign a contract that brings us within scope, in which case the K–12-specific Parents' Bill of Rights, data security and privacy plan, and 8 NYCRR Part 121 obligations attach.

12. How long we keep information

We retain information only as long as needed to provide the service and to meet our legal, accounting, and security obligations. Specific schedules:

• Account profile. Until you delete your account.
• Files and study artifacts you create. Until you delete them or close your account, then up to thirty (30) days in active backups before they are purged.
• AI tutor conversations. Until you delete them or close your account.
• Embeddings derived from your content. Removed when the underlying content is removed.
• Authentication logs. Twelve (12) months for security and abuse investigation.
• Application logs. Up to ninety (90) days, except where a security incident requires longer retention.
• FERPA-aligned audit log. Five (5) years, consistent with 34 CFR § 99.32.
• Billing records. Seven (7) years from the transaction date, consistent with U.S. federal and New York tax recordkeeping rules.
• Hashed date of birth. Until you delete your account, then immediately purged.
• LMS session tokens captured by the extension. Until they expire or you sign out of the LMS, whichever is sooner.
• Parental-consent records. For the period required by 16 CFR § 312.10.

If you ask us to delete your account, we complete deletion within thirty (30) days, except for the records above that we are required to retain. Backups are purged on the schedule above; we do not restore deleted accounts from backup except where necessary to investigate a security incident.

13. Security

We use a layered set of administrative, technical, and physical safeguards to protect your information.

• Encryption in transit. All connections between you and BAP, and between BAP and our service providers, use HTTPS/TLS.
• Encryption at rest. Firestore and Cloud Storage encrypt your data at rest with Google-managed keys (AES-256). LMS session tokens captured by the extension are additionally encrypted at the application layer with AES before storage.
• Access controls. Database access is gated by deny-by-default rules; sensitive collections are only writable by our backend service account. Backend access is restricted to a small number of authorized personnel under role-based access.
• Authentication. Firebase Authentication issues short-lived ID tokens that are revocable on demand. Sign-in revocation propagates to API requests within minutes.
• Authorization. Server-side authorization checks run on every API call. Study-group, course, and workspace permissions are enforced both in the database rules and in the application layer.
• Origin and message validation. The BAP extension and web app use origin checks and one-time nonces on authentication messages to prevent token replay and cross-origin attacks.
• Rate limiting and abuse detection. Authentication and AI endpoints are rate limited.
• Content security policy. The web app loads scripts only from a small allowlist of trusted origins.
• Vulnerability management. We monitor our dependencies and patch security advisories.
• Audit logging. Significant security and disclosure events are recorded in an append-only audit log.
• Vendor due diligence. We choose service providers with strong security postures (SOC 2, ISO 27001, or equivalent) and minimum necessary access.

Breach notification. If we determine that a security incident has compromised your personal information, we will notify you and, where applicable, regulators in the time required by law, including New York General Business Law § 899-aa, California Civil Code § 1798.82, and other applicable state and EU/UK breach-notification laws.

No system is perfectly secure. You can help by using a strong, unique password, enabling multi-factor authentication on your Google account if you sign in with Google, and reporting anything suspicious to [email protected].

14. International data transfers

BAP is operated from the United States, and our service providers are predominantly U.S.-based. If you access BAP from outside the United States, your information will be transferred to and processed in the United States.

For users in the European Economic Area, the United Kingdom, or Switzerland, BAP transfers personal data to the United States under the following safeguards:

• Standard Contractual Clauses (SCCs). We have executed the European Commission's 2021 Standard Contractual Clauses (and the UK Addendum where applicable) with our key sub-processors, including Google LLC, Anthropic, PBC, and Stripe, Inc.
• EU-US Data Privacy Framework. Where our sub-processors are self-certified under the EU-US Data Privacy Framework (and the UK extension), we rely on that framework as an additional safeguard.
• Transfer impact. We perform transfer impact assessments and apply supplementary measures (encryption in transit and at rest, contractual restrictions on access) consistent with EDPB guidance.

You can request a copy of the SCCs that apply to your data by emailing [email protected].

15. Third-party sites and integrations

BAP links to and integrates with services we do not operate, including learning-management systems (Gradescope, Canvas/Instructure, Brightspace/D2L, Blackboard, Google Classroom), Google sign-in, Stripe checkout, and Apple App Store distribution. When you interact with those services, their own privacy policies and terms apply. We are not responsible for their practices.

16. Changes to this policy

We may update this policy from time to time. When we make a material change, we will update the "Last updated" date at the top, post the new policy at https://bap.best/privacy, and where required by law notify you by email or in the application before the change takes effect. Continuing to use BAP after the effective date of an update constitutes acceptance of the updated policy.

We maintain a change log of material revisions and can provide a prior version on request.

17. Contact and how to exercise rights

Privacy contact. Email [email protected] for any privacy question or to exercise a right. Use the subject line "Privacy request" for data-subject requests so we can route your message correctly.

Security contact. Email [email protected] to report a security issue. We support coordinated disclosure and will not pursue good-faith security research conducted within the bounds of our security policy.

General support. Email [email protected].

Operator. BAP, Inc., a Delaware corporation. For privacy questions and legal notices, contact [email protected].