Compliance and Security Overview
A practical overview of how TARK Learn approaches student privacy, AI processing, security, and operational compliance.
Effective May 28, 2026
Current Product Boundary
TARK Learn is currently an invite-gated family learning product. Parents create accounts, add learners with minimized student details, invite students with learner codes, and monitor progress. Family access is kept separate from TARK operational support systems.
Children's Privacy Approach
- Parent-led account creation and student invitation.
- Student access through one-time learner code, learner ID, and PIN instead of student email sign-up; school details are parent-provided.
- Student home ZIP is not collected; ZIP is used only as searchable school-directory reference data.
- No behavioral advertising and no sale of student data.
- Parent request path for access, correction, deletion, and refusal of further collection.
- Private storage for uploaded notes and generated study materials.
- Parent progress digest emails stay behind parent preferences, suppression/unsubscribe handling, and an admin sending switch.
FERPA and School Use
TARK Learn is not currently positioned as a school system of record. If a school, district, teacher, or education institution uses TARK Learn with students, that deployment should be covered by a written school data agreement before launch. The agreement should define the education purpose, data ownership, directory information rules if any, parent/student access rights, retention, deletion, and support responsibilities.
AI and Data Controls
- AI generation requests are server-side only; browsers do not receive AWS or model-provider credentials.
- Generated learning artifacts are saved before being displayed or reused.
- Uploaded notes remain private to the student/family account and are not treated as public content.
- Workers validate generated JSON before saving study-pack, harder-practice, flashcard, or parent-summary outputs.
- Parents and students are told not to upload sensitive information that is unnecessary for study.
Security Controls
- Separate family access and operational support boundaries.
- Operational support access uses separate authentication and authorization checks.
- Private S3 storage, scoped IAM roles, Secrets Manager for runtime secrets, and Terraform-managed infrastructure.
- On-demand worker tasks and isolated Java runner execution instead of running untrusted code in the main web process.
- Operational health checks, worker/job status tracking, and CloudWatch logging for production support.
Subprocessors and Infrastructure
TARK Learn uses AWS infrastructure for hosting, authentication, private storage, databases, queues, logs, edge delivery, secrets, and runtime execution. AI generation currently uses configured Bedrock-compatible model access through backend secrets. Subprocessor and model-provider details may change as the product develops, and material changes should be reflected in the Subprocessors and Data Sharing page or the Privacy Policy.
Launch Review Status
These pages are implementation-ready for private beta testing, but broad student rollout should wait for counsel review of parent consent, children's privacy disclosures, retention/deletion operations, AI/subprocessor language, state privacy obligations, and any school or district use case.
Regulatory References
These links are provided for transparency and should be reviewed with counsel before broader student rollout.
Contact
Questions or requests can be sent to privacy@tarklearn.com. Product support can be sent to support@tarklearn.com.