Privacy Policy
CyberScale — cyberscale.bxar.io | Operated by BXAR Inc.
Effective Date: March 31, 2026 | Last Updated: March 31, 2026
1. Introduction and Scope
1.1 About This Policy
This Privacy Policy ("Policy") describes the information practices of BXAR Inc. ("BXAR," "Company," "we," "us," or "our"), a federally incorporated Canadian corporation with its principal office in Montreal, Quebec, Canada, in connection with the CyberScale platform ("Platform"), accessible at cyberscale.bxar.io and through associated applications.
This Policy applies to all users of the Platform, including parents and guardians ("Parent Users"), educators ("Educator Users"), institutional administrators ("Admin Users"), and individuals who access the Platform through classroom codes without creating an account ("Anonymous Users"). Parent Users, Educator Users, and Admin Users are collectively referred to as "Account Holders." All individuals who interact with the Platform in any capacity are collectively referred to as "Users."
1.2 About the Platform
CyberScale is a free cybersecurity awareness education platform designed for young people ages 8–17. The Platform provides interactive lessons, quizzes, and activities organized into three age-appropriate tracks: Explorer (ages 8–10), Defender (ages 11–13), and Operative (ages 14–17). The Platform is intended for use by individuals, families, schools, and educational institutions.
1.3 Our Core Privacy Commitments
- (a) We do not collect personal information from children or teenagers under 18 years of age. All accounts are held by adults.
- (b) We collect the minimum information necessary to operate the Platform from adult Account Holders.
- (c) We do not sell, rent, lease, or trade personal information to third parties for their commercial or marketing purposes.
- (d) We do not serve advertisements of any kind on the Platform.
- (e) We do not use personal information for behavioral profiling, targeted advertising, or cross-site tracking.
- (f) We provide all Account Holders with the ability to access and delete their data.
2. Information We Collect
2.1 Information Collected from Parent Users (Age 18+)
When a Parent User creates an account, we collect:
- (a) Email address — used for account authentication, password recovery, essential Platform notifications, and communication regarding the Parent User's account or their children's use of the Platform.
- (b) Password — stored exclusively as a salted cryptographic hash using the Argon2id algorithm. We do not store, view, or have the ability to retrieve the plaintext password.
- (c) Display name — a name chosen by the Parent User for display within the Platform. This is not required to be the Parent User's legal name.
- (d) Account activity metadata — login timestamps, last active date, IP address at login (retained for 30 days for security purposes), browser type and version (for compatibility purposes), and session identifiers.
- (e) Family group configurations — when a Parent User creates a family group, a unique join code (e.g., CYBER-XXXX) is generated. Children join by entering this code and choosing their own nickname, avatar, and optional PIN. We store the child-chosen nickname, a selected avatar identifier, an optional PIN hash, and an age tier designation (Explorer, Defender, or Operative). These do not constitute personal information of the child, as they contain no information identifiable to the child. Users may access educational content at their assigned tier and all tiers below. Content above the user's assigned tier is restricted. Parents may change a child's age tier at any time from their dashboard.
2.2 Information Collected from Educator and Admin Users (Age 18+)
We collect the same categories of information described for Parent Users in Section 2.1(a) through (d), plus:
- (a) Professional affiliation — the name of the school, district, or organization the Educator or Admin User is associated with, if voluntarily provided.
- (b) Classroom configurations — classroom names, enrollment codes, and age tier defaults, which are created and controlled by the Educator User.
2.3 Information Collected from Anonymous Users (Class Code Access)
When an individual accesses the Platform via a classroom enrollment code, we collect:
- (a) A self-chosen anonymous nickname — selected by the individual at the time of access. This nickname is not verified, is not required to be the individual's real name, and is not linked to any personal identifier.
- (b) A selected avatar identifier.
- (c) A session token — a randomly generated, hashed identifier stored in the browser for the duration of the session. This token enables continuity of the learning session and is not linked to any personal information.
- (d) Learning progress data — lessons completed, quiz responses (correct/incorrect, not free-text content), XP earned, and time spent, associated with the anonymous nickname under the Educator User's classroom.
We do not collect email addresses, names, dates of birth, device identifiers, IP addresses, or any other personal information from Anonymous Users.
2.4 Information We Do NOT Collect
Regardless of user type, we do not collect, request, store, or process:
- (a) Personal information from children or teenagers under 18 years of age.
- (b) Social Security Numbers, national identification numbers, or government-issued identifiers from any user.
- (c) Precise geolocation data (GPS coordinates) from any user.
- (d) Biometric data (facial geometry, fingerprints, voiceprints) from any user.
- (e) Data from third-party social media accounts, address books, or contact lists.
- (f) Browsing history, search history, or activity on other websites or applications.
- (g) Device advertising identifiers (IDFA, GAID).
- (h) Information obtained through browser fingerprinting techniques.
- (i) Photographs, videos, or audio recordings from any user.
- (j) Dates of birth from any user. Age tiers are set by the Parent User and are not verified.
2.5 Information Collected Automatically
When any User accesses the Platform, our servers automatically log:
- (a) IP address (retained for 30 days, used solely for security monitoring and abuse prevention).
- (b) Browser type and version, operating system (for compatibility and troubleshooting).
- (c) Pages viewed, features used, and timestamps (for aggregate analytics only — not linked to individual profiles for non-Account Holders).
- (d) Referring URL (the address of the page that linked you to our Platform).
We may use privacy-respecting, self-hosted analytics tools (such as Plausible Analytics or Umami) that do not use cookies, do not track users across websites, and do not collect personally identifiable information. These tools provide us with aggregate data only and do not create individual user profiles.
3. How We Use Information
3.1 Purposes of Use
We use the information described in Section 2 for the following purposes only:
- (a) Platform operation — to authenticate users, maintain sessions, track learning progress, calculate XP, and enable core Platform features.
- (b) Account management — to process account creation, password resets, profile changes, and account deletion requests.
- (c) Essential communications — to send transactional emails related to account activity, security alerts, Platform outages, and material changes to this Policy or our Terms of Service. We do not send promotional or marketing emails.
- (d) Security and abuse prevention — to monitor for unauthorized access, brute-force attacks, credential stuffing, account compromise, and other security threats.
- (e) Aggregate analytics — to understand Platform usage in aggregate for the purpose of improving content and features. This analysis uses anonymized, aggregated data and does not involve profiling individual users.
- (f) Legal compliance — to comply with applicable laws, regulations, court orders, and governmental requests.
3.2 Purposes for Which We Do NOT Use Information
We do not use personal information for:
- (a) Advertising of any kind.
- (b) Selling, renting, leasing, or trading to third parties.
- (c) Behavioral profiling, user scoring, or predictive analytics.
- (d) Cross-site or cross-device tracking.
- (e) Training machine learning models on user-provided data, except where anonymized aggregate usage patterns inform Platform improvements.
- (f) Automated decision-making that produces legal or similarly significant effects on users.
4. AI-Powered Features
4.1 AI Mentor
If the Platform includes an AI-powered educational mentor feature:
- (a) Mentor conversations are processed by our AI service provider (currently Anthropic, PBC) under a data processing agreement that contractually prohibits the use of conversation content for model training or any purpose other than generating responses to the user's queries.
- (b) Mentor conversations initiated from child profiles are stored under the Parent User's account.
- (c) For Anonymous Users: AI mentor features are not available unless the anonymous session is linked to a parent-owned child profile.
- (d) The AI mentor is configured with system-level instructions to (i) remain on the topic of cybersecurity education, (ii) never request personal information from users, (iii) never provide professional advice (legal, medical, financial, or psychological), and (iv) recommend the user speak to a trusted adult if the user expresses distress.
- (e) We reserve the right to review AI mentor conversations for safety monitoring purposes.
- (f) Account Holders may request deletion of AI mentor conversation history by contacting service@bxar.io. Deletion is permanent and irreversible.
4.2 AI-Assisted Content
The Platform may use AI tools in the development and improvement of educational content. This occurs at the editorial level and does not involve processing user data.
5. Information Sharing and Disclosure
5.1 Service Providers
We share personal information with third-party service providers solely to the extent necessary:
- (a) Hosting infrastructure — Render Services, Inc.
- (b) Email delivery — transactional email service for account-related emails.
- (c) Payment processing — if applicable.
- (d) AI service provider — Anthropic, PBC.
All service providers are contractually bound to process data only on our instructions, implement appropriate security measures, not use data for their own purposes, assist with data subject rights requests, and delete or return data upon termination.
5.2 Legal Requirements
We may disclose personal information when required by law, to enforce our Terms, to address fraud/security issues, or to protect safety.
5.3 Business Transfers
In the event of a merger/acquisition, personal information may be transferred with notice to Account Holders, and the acquiring entity will be bound by this Policy.
5.4 No Other Sharing
We do not sell personal information. We do not disclose personal information to data brokers or for advertising purposes.
6. Children's and Teen Privacy (Under 18)
6.1 No Minor Accounts
Children and teenagers under 18 do not create accounts on the Platform. There is no registration flow, sign-up form, or account creation mechanism available to individuals under 18. All accounts are held by adults.
6.2 How Minors Access the Platform
Minors access the Platform exclusively through:
- (a) A family join code created by a Parent User. The child enters the code, chooses a nickname, avatar, and optional PIN, and begins learning. No personal information is collected.
- (b) An anonymous classroom enrollment code provided by an Educator User.
6.3 COPPA Compliance
The Platform is designed and operated in compliance with COPPA. We acknowledge that the Platform may be considered "directed to children" under FTC factors. Our compliance strategy is based on the architectural principle that we do not collect personal information from any individual under 18.
6.4 School Use
When minors access through school codes, no personal information is collected. BXAR does not act as a "school official" for FERPA purposes.
6.5 State Laws Applicable to Minors
We are aware of state AADC legislation. Our zero-minor-data architecture provides the strongest compliance posture.
7. Cookies and Tracking Technologies
7.1 Technologies We Use
The Platform uses browser-based storage (such as localStorage and session storage) for authentication tokens, session management, language preferences, and user interface settings. These are strictly necessary for the Platform to operate.
7.2 Technologies We Do NOT Use
- (a) Third-party advertising cookies or tracking scripts.
- (b) Social media tracking pixels.
- (c) Cross-site tracking.
- (d) Browser fingerprinting.
- (e) Device advertising identifiers.
- (f) Any technology to track behavior across websites or build behavioral profiles.
7.3 "Do Not Track" Signals
Because the Platform does not engage in cross-site tracking, its behavior does not change in response to "Do Not Track" (DNT) signals.
8. Data Security
8.1 Technical Measures
- (a) Encryption in transit via TLS 1.3.
- (b) Passwords stored using Argon2id with per-user salts; plaintext passwords are never stored, logged, or transmitted.
- (c) Role-based access controls.
- (d) Infrastructure on dedicated servers with physical access controls and network segmentation.
- (e) Regular software dependency updates and security patching.
- (f) Automated monitoring for unauthorized access attempts.
- (g) Secure development practices including code review and vulnerability assessment.
8.2 Organizational Measures
- (a) Personnel subject to confidentiality obligations.
- (b) Internal security policies for data access, incident response, and data handling.
- (c) Periodic security assessments.
8.3 Incident Response
Notification within 72 hours, regulatory notification as required, description of incident and recommended steps.
8.4 No Guarantee of Security
No system is 100% secure. We implement commercially reasonable measures but cannot guarantee absolute security.
9. Data Retention and Deletion
9.1 Active Accounts
Retained for the duration of the account.
9.2 Account and Profile Deletion
- (a) Parents may delete child profiles from the dashboard.
- (b) Account Holders may delete their account directly from the Platform dashboard, or by contacting service@bxar.io.
- (c) Processed within 30 days.
- (d) Residual backup copies rotated out within 90 days.
9.3 Anonymous Classroom Data
Retained until the educator deletes the classroom.
9.4 Data Retained After Deletion
Anonymized aggregates, legal compliance records, security logs for 30 days.
10. Your Rights
10.1 All Account Holders
Access, correction, deletion, and the ability to withdraw consent. Contact service@bxar.io; response within 30 days.
10.2 Canadian Residents
PIPEDA and Law 25 rights apply.
10.3 EEA Residents
GDPR rights apply. BXAR acts as data controller.
10.4 California Residents
CCPA/CPRA rights apply. We do not sell personal information and do not share it for behavioral advertising.
10.5 Other Jurisdictions
Contact service@bxar.io.
11. International Data Transfers
BXAR is based in Canada. Infrastructure is hosted by Render Services, Inc. Canada is recognized as adequate by the EU Commission for data protection purposes.
12. Third-Party Links
Educational content may reference external sites. No embedded tracking. External sites are governed by their own privacy policies.
13. Changes to This Policy
Account Holders will be notified by email of material changes 30 days before they take effect. The Last Updated date will be revised. Continued use of the Platform after changes take effect constitutes acceptance.
14. Contact Information
BXAR Inc.
Montreal, QC, Canada
For all inquiries: service@bxar.io
Response within 5 business days (acknowledgment), 30 days (substantive).
This Policy is maintained by BXAR Inc. and is governed by the laws of Quebec, Canada, and applicable U.S. federal and state privacy laws including COPPA.