Privacy Policy

Sheelon ("we," "us," or "our") operates the interactive learning platform at sheelon.me. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. Please read this policy carefully. By using Sheelon, you consent to the practices described herein.

Sheelon is operated by Sheelon Inc. We are the data controller responsible for your personal information. For data protection inquiries or to exercise your privacy rights, contact us at: [email protected]

Account Information

• Name and display name
• Email address
• Password (stored as a secure hash; we never store plaintext passwords)
• Profile information you choose to provide (school name, subjects, grade levels)

OAuth Data

If you sign in via Google or Microsoft, we receive your name, email, and profile picture URL from those providers. We do not receive or store your OAuth password.

Platform Usage Data

• Quizzes you create, including question content and settings
• Game session data (game mode, player count, scores, answer responses)
• Player nicknames entered during game sessions (no account required for players)
• Analytics and reporting data derived from game sessions

Technical Data

• IP address (hashed for rate limiting; we do not store raw IP addresses)
• Browser type and version
• Device type and operating system
• Pages visited and features used

AI Quiz Generation Data

If you use the AI-powered quiz generation feature, we collect the topic, audience description, difficulty level, and language you provide. This information is sent to a third-party AI service (Ollama Cloud or OpenRouter) to generate quiz questions. The generated quiz content is stored in your account.

Payment Information

If you subscribe to a paid plan, we collect billing information through our payment processor, Lemon Squeezy (a merchant of record). We do not store your full credit card number; Lemon Squeezy handles all payment processing, tax collection, and compliance. We receive only limited payment information such as transaction status and subscription details.

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data under the following legal bases as defined in the General Data Protection Regulation (GDPR):

• Contract Performance (Article 6(1)(b)): Account data, quiz content, game session data, and payment information are processed to provide the Sheelon service you signed up for.
• Legitimate Interest (Article 6(1)(f)): Technical data and analytics are processed to improve our platform, prevent abuse, ensure security, and optimize performance. We have assessed that these interests do not override your fundamental rights and freedoms.
• Consent (Article 6(1)(a)): Marketing emails and analytics cookies are processed only with your explicit consent, which you may withdraw at any time.
• Legal Obligation (Article 6(1)(c)): We process data as necessary to comply with legal obligations, such as tax reporting and responding to lawful requests from authorities.

• To create and manage your account
• To deliver the Sheelon service, including hosting games and generating analytics
• To process payments and manage subscriptions
• To send transactional emails (account verification, password resets, billing notices)
• To send optional onboarding and feature announcement emails (with consent)
• To improve and optimize the platform
• To prevent abuse and enforce our Terms of Service
• To respond to support requests

We do not sell your personal information. We do not use your data for advertising purposes. We do not share student data with third parties for marketing. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

Sheelon uses cookies and similar technologies to provide and improve our service. Below is a description of the cookies we use:

Essential Cookies (Always Active)

• Session Cookie (authjs.session-token): Required for authentication and account security. This cookie expires when you close your browser or after 30 days.
• CSRF Token (authjs.csrf-token): Protects against cross-site request forgery attacks.
• Language Preference (NEXT_LOCALE): Remembers your language selection.

Analytics Cookies (With Consent)

• Google Analytics (_ga, _ga_*): Used to understand how visitors use our platform, analyze traffic patterns, and improve user experience. These cookies are loaded only with your consent. They expire after 2 years of inactivity.

Cookie Consent Preference

• Consent preference (localStorage): Your accept/reject choice from our cookie consent banner is stored locally in your browser using localStorage (not as a cookie). This preference persists until you clear your browser data.

We do not use advertising or marketing cookies. You can manage your cookie preferences through your browser settings or by using our cookie consent banner. Note that disabling essential cookies may affect your ability to use certain features of Sheelon.

We use the following third-party services to operate Sheelon. Each service processes data as described below and is governed by its own privacy policy, which we encourage you to review.

Authentication

• Google OAuth and Microsoft Entra ID -- optional single sign-on. We receive your name, email, and profile picture. We do not receive your password from these providers.

Payments

• Lemon Squeezy -- acts as our merchant of record, handling payment processing, tax collection, and compliance. We receive only limited information (transaction status, subscription details). See Lemon Squeezy's Privacy Policy.

Analytics

• Google Analytics 4 (GA4) -- collects page views, user interactions, browser type, device type, and approximate location (country/region level). GA4 scripts are loaded only after you accept analytics cookies via our cookie consent banner. Data is retained for 14 months per Google's default retention settings. See Google's Privacy Policy.

Error Monitoring

• Sentry -- captures application errors, stack traces, browser type, operating system, and the URL where an error occurred. Sentry may also capture anonymized session replays when errors occur (sampled at 10%) to help us reproduce and fix bugs. No personally identifiable information (such as names, emails, or passwords) is intentionally sent to Sentry. Error data is retained for 90 days. See Sentry's Privacy Policy.

Email

• Resend -- delivers transactional emails (verification, password reset, onboarding). Resend processes your email address and may collect delivery metadata (open/click tracking for onboarding emails). See Resend's Privacy Policy.

Infrastructure

• Railway -- hosts our application, database (PostgreSQL), and cache (Redis). All data stored in our application resides on Railway infrastructure in the United States.
• Cloudflare -- provides CDN, DNS routing, and DDoS protection. Cloudflare processes IP addresses and HTTP request metadata (headers, URL paths) to route and protect traffic. See Cloudflare's Privacy Policy.

AI Quiz Generation

• Ollama Cloud and OpenRouter -- when you use AI-powered quiz generation, the topic, audience description, difficulty level, and language you provide are sent to a third-party AI service to generate quiz questions. No personal account information (name, email, or payment data) is included in AI requests. Generated content is stored in your account. See Ollama's Privacy Policy and OpenRouter's Privacy Policy.

Sheelon is operated from the United States. If you are located in the European Economic Area (EEA), United Kingdom, Switzerland, or other regions with data protection laws, your personal information may be transferred to and processed in the United States and other countries where our service providers operate.

These countries may not have the same data protection laws as your jurisdiction. When we transfer your data internationally, we rely on approved safeguards including:

• Standard Contractual Clauses approved by the European Commission (for transfers to service providers)
• Data Processing Agreements that meet GDPR requirements with all third-party processors
• Services certified under the EU-U.S. Data Privacy Framework where applicable (e.g., Google, Microsoft)

We retain different categories of data for different periods based on their purpose:

Retention Periods

• Account data (name, email, profile): retained for as long as your account is active.
• Quizzes and game session data (questions, scores, player responses): retained until you delete them or until your account is deleted.
• Analytics data (Google Analytics): retained for 14 months per Google's default data retention settings, then automatically deleted.
• Error logs (Sentry): retained for 90 days, then automatically deleted.
• Transactional email records (Resend): retained per Resend's data retention policy.
• Payment records (Lemon Squeezy): retained as required for tax and legal compliance (typically 7 years for financial records).
• Player nicknames (game participants without accounts): retained as part of game session data. These are temporary, user-chosen display names and are not linked to any real identity.

Account Deletion

You may request deletion of your account and associated data at any time by contacting us at [email protected]. Upon account deletion:

• Your account and profile information will be permanently removed
• Quizzes you created will be deleted
• Game session data associated with your account will be anonymized or deleted
• This process may take up to 30 days to complete across all systems

We may retain certain information as required by law (e.g., financial records for tax purposes) or for legitimate business interests (e.g., anonymized analytics data that cannot be linked back to you).

Sheelon is designed for use by educators. Teachers create and host quizzes; students participate as players. Players joining a game are not required to create an account and only provide a temporary nickname. We do not knowingly collect personal information from children under 13 beyond these temporary nicknames provided during gameplay.

Educator responsibility: Sheelon is designed for educators. When used in educational settings, educators and schools are responsible for compliance with the Children's Online Privacy Protection Act (COPPA) and for obtaining any necessary parental consent before allowing students under 13 to participate. When a school uses Sheelon in a classroom setting, the school acts as the agent of the parent for the purposes of COPPA consent.

What we collect from players: Players who join a game only provide a temporary, self-chosen nickname. We do not require or collect names, email addresses, phone numbers, or any other personal identifiers from game participants. Player nicknames are subject to profanity filtering and are stored as part of game session data.

If you believe we have collected personal information from a child under 13 without proper consent, please contact us immediately at [email protected] and we will promptly investigate and delete any such data.

We implement reasonable technical and organizational security measures to protect your data, including:

• Encryption in transit (HTTPS/TLS for all connections)
• Passwords hashed using bcrypt with per-user salts
• IP addresses hashed with SHA-256 before storage in rate limiting systems
• Database access restricted to application servers only
• Regular security reviews and dependency updates

No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Depending on your jurisdiction, you have specific rights regarding your personal data. We are committed to honoring these rights promptly and transparently.

For EEA, UK, and Swiss Residents (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

• Right of Access (Article 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure / "Right to Be Forgotten" (Article 17): Request deletion of your personal data when it is no longer necessary for the purposes for which it was collected.
• Right to Restriction (Article 18): Request that we restrict processing of your data in certain circumstances.
• Right to Data Portability (Article 20): Request a machine-readable copy of the data you provided to us, so you can transfer it to another service.
• Right to Object (Article 21): Object to processing of your data based on legitimate interests, including profiling.
• Right to Withdraw Consent (Article 7): Where processing is based on consent (e.g., analytics cookies, marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Right to Lodge a Complaint: If you believe we have not complied with data protection laws, you have the right to lodge a complaint with your local data protection supervisory authority.

For All Users

Regardless of your location, you may exercise the following rights:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and data
• Opt out of marketing emails (via the unsubscribe link in any email or by contacting us)
• Withdraw analytics cookie consent (via your browser settings or by rejecting cookies in our consent banner)

How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected]. We will verify your identity and respond to your request within 30 days (or 45 days for CCPA requests, as described below). If we need additional time, we will notify you of the extension and the reason.

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

Categories of Personal Information We Collect

• Identifiers: Name, email address, IP address (hashed), device identifiers
• Commercial Information: Subscription plan, payment history
• Internet Activity: Pages visited, features used, interaction data
• Professional Information: School name, subjects taught, grade levels (optional)

Sources of Personal Information

We collect personal information directly from you (account registration, quiz creation, game participation), automatically from your device (technical data, analytics with consent), and from third-party providers (Google/Microsoft OAuth profile data).

Your CCPA/CPRA Rights

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months, including the sources, purposes, and third parties with whom it was shared.
• Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions.
• Right to Correct: You may request correction of inaccurate personal information we hold about you.
• Right to Opt-Out of Sale or Sharing: We do not sell or share (as defined by the CCPA/CPRA) your personal information. We have not sold or shared personal information in the past 12 months.
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the Sheelon service.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your CCPA/CPRA rights, contact us at [email protected]. We will verify your identity before processing your request and respond within 45 days. If we need additional time, we will notify you and may extend the response period by up to 45 additional days. You may designate an authorized agent to make a request on your behalf by providing written authorization.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we may also send you an email notification if you have an active account. Your continued use of Sheelon after changes are posted constitutes acceptance of the updated policy.

If you have questions or concerns about this Privacy Policy or wish to exercise your privacy rights, please contact us at:

Email: [email protected]

General inquiries: [email protected]