Privacy Policy
Effective Date: February 21, 2026
Last Updated: February 21, 2026
penblox, operated by Pragcraft (pragcraft.com) (“we,” “us,” “our”), is committed to protecting your privacy, especially the privacy of children who use our Service. This Privacy Policy explains how we collect, use, store, and protect your personal information.
1. Who We Are
penblox is a digital math workspace designed for children with dysgraphia and other learning differences, operated by Pragcraft (pragcraft.com). We act as the data controller for personal information collected through the Service.
- Contact Email: legal@penblox.io
- Data Protection Contact: privacy@penblox.io
2. Information We Collect
2.1 Information You Provide
- Account Information — Name, email address, and role (student, parent, educator) when you register for an account.
- Profile Information — Optional display name or preferences you configure.
- User Content — Documents, math blocks, and other materials you create within the Service.
2.2 Information Collected Automatically
- Usage Data — Pages visited, features used, session duration, and interaction patterns (collected via analytics tools such as Google Analytics).
- Device Information — Browser type, operating system, screen resolution, and device type.
- Log Data — IP address, access timestamps, and referring URLs.
2.3 Information from Third Parties
- Authentication Providers — If you sign in through a third-party service (e.g., Google), we receive basic profile information (name, email) as authorized by you.
- Google Classroom (future) — If you connect Google Classroom, we will access class roster and assignment data as needed to provide integration features.
3. How We Use Your Information
We use your information only for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Service | Performance of contract (Art. 6(1)(b)) |
| Create and manage your account | Performance of contract (Art. 6(1)(b)) |
| Store and display your Content | Performance of contract (Art. 6(1)(b)) |
| Improve and optimize the Service | Legitimate interest (Art. 6(1)(f)) |
| Analyze usage patterns and trends | Legitimate interest (Art. 6(1)(f)) |
| Communicate updates and changes | Legitimate interest (Art. 6(1)(f)) |
| Ensure security and prevent abuse | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Send marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
We do not:
- Sell your personal information to third parties.
- Use your Content for advertising or profiling.
- Use children's data for marketing purposes.
4. Children's Privacy
We take children's privacy seriously. Our approach complies with the General Data Protection Regulation (GDPR), the UK Age Appropriate Design Code, and the Children's Online Privacy Protection Act (COPPA) where applicable.
4.1 Age Verification and Consent
- Users under the age of 16 (or the applicable age of digital consent in their jurisdiction) require parental or guardian consent to create an account.
- Educators may create accounts on behalf of students with appropriate authorization from the school or district.
4.2 Data Minimization for Children
- We collect only the minimum information necessary to provide the Service to child users.
- We do not require children to provide more information than is reasonably necessary.
- We do not serve behavioral advertising to children.
- We do not create profiles of children for marketing purposes.
4.3 Parental Rights
Parents and guardians may at any time:
- Review the personal information we hold about their child.
- Request correction or deletion of their child's personal information.
- Withdraw consent for further collection or use of their child's data.
- Request a copy of their child's data in a portable format.
To exercise these rights, contact us at privacy@penblox.io.
5. Cookies and Tracking Technologies
5.1 Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, security, session management | Session |
| Analytics | Usage patterns, feature adoption (e.g., Google Analytics) | Up to 2 years |
| Preferences | User settings (e.g., grid visibility, theme) | Persistent |
5.2 Your Cookie Choices
- Essential cookies cannot be disabled as they are required for the Service to function.
- Analytics cookies are enabled only with your consent (via a cookie consent banner).
- You can manage cookies through your browser settings at any time.
- We honor Do Not Track (DNT) browser signals.
6. Data Sharing and Third Parties
We share your information only in the following circumstances:
- Service Providers — Trusted third parties who help us operate the Service (e.g., hosting, analytics). These providers are contractually bound to process data only on our instructions and in accordance with this Privacy Policy.
- Legal Requirements — When required by law, regulation, legal process, or governmental request.
- Safety — When necessary to protect the safety, rights, or property of our users, ourselves, or the public.
- Business Transfers — In connection with a merger, acquisition, or sale of assets, with notice to affected users.
6.1 Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Google Analytics | Usage analytics | Anonymized usage data |
| Amazon Web Services (AWS) | Infrastructure | All data (encrypted at rest) |
| Google Classroom (future) | Classroom integration | Class roster, assignments |
7. International Data Transfers
- Our Service is hosted in the European Union (AWS eu-west-1, Ireland).
- If you access the Service from outside this region, your data may be transferred to and processed in the European Union (AWS eu-west-1, Ireland).
- For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) to ensure appropriate safeguards under GDPR.
8. Data Retention
- Account Data — Retained for as long as your account is active. Deleted within 30 days of account deletion.
- User Content — Retained for as long as your account is active. Deleted within 30 days of account deletion.
- Usage Data — Aggregated and anonymized data may be retained indefinitely for analytics. Identifiable usage data is deleted within 26 months.
- Log Data — Retained for up to 90 days for security and debugging purposes.
When data is no longer needed, it is securely deleted or anonymized.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption in transit (TLS/HTTPS) and at rest.
- Access controls limiting who can access personal data.
- Regular security assessments.
- Incident response procedures for data breaches.
While we take reasonable precautions, no system is completely secure. We cannot guarantee absolute security of your data.
10. Your Rights (GDPR and UK GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your personal data (“right to be forgotten”). |
| Restriction (Art. 18) | Request that we limit how we process your data. |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Objection (Art. 21) | Object to processing based on legitimate interests. |
| Withdraw Consent (Art. 7) | Withdraw consent at any time where processing is based on consent. |
| Automated Decisions (Art. 22) | Not be subject to solely automated decision-making. |
To exercise any of these rights, contact us at privacy@penblox.io. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
10.1 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority:
- EU: Find your authority at edpb.europa.eu
- UK: Information Commissioner's Office (ICO) at ico.org.uk
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to Know — Request details about the personal information we collect and how it is used.
- Right to Delete — Request deletion of your personal information.
- Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights.
We do not sell personal information. To exercise your rights, contact us at privacy@penblox.io.
12. Changes to This Privacy Policy
- We may update this Privacy Policy from time to time. The updated version will be posted with a revised “Last Updated” date.
- For material changes, we will provide notice via email or an in-app notification.
- Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
- Email: legal@penblox.io
- Data Protection Contact: privacy@penblox.io