Privacy Policy — Personal Knowledge Library

Effective Date: April 22, 2026 · Last Updated: April 22, 2026

This Privacy Policy explains how ThinkPKL, Inc. (doing business as "PKL," "we," "us," or "our") collects, uses, shares, and protects personal information when you use the PKL platform at thinkpkl.com and any associated applications or services (the "Services"). It also explains the rights and choices you have with respect to your personal information.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. Your use of the Services is also subject to PKL's Terms and Conditions of Service, available at thinkpkl.com/terms, which are incorporated by reference.

If you are accessing the Services on behalf of a school, school district, or other educational institution (a "School"), this Privacy Policy supplements — and is subject to — the applicable School Subscription Agreement between PKL and your School. In the event of any conflict between this Privacy Policy and a School Subscription Agreement regarding student data, the School Subscription Agreement controls.

Questions or concerns about this Privacy Policy may be directed to: privacy@thinkpkl.com

SECTION 1. SCOPE OF THIS PRIVACY POLICY

1.1 Who This Policy Covers

This Privacy Policy applies to:

Individual users who register directly for PKL accounts ("Direct Users"), including adult teachers, tutors, and individuals aged 13 and older who subscribe directly to the Services; and
Student and teacher users who access the Services through a School account, subject to the additional provisions in Section 9 (School Accounts, FERPA, and Student Privacy).

1.2 Who This Policy Does Not Cover

This Privacy Policy does not govern:

Personal information collected through third-party websites or services that are linked from the Services. PKL is not responsible for the privacy practices of any third-party site or service, and we encourage you to review their privacy policies before providing your information.
Information processed by PKL solely as a data processor on behalf of a School under a School Subscription Agreement, to the extent that agreement provides different or additional terms for student data. In that context, the School is the data controller and PKL acts as a service provider.

1.3 Children Under 13

PKL does not knowingly collect personal information directly from children under the age of 13 through Direct User registration. Children under 13 may only access the Services through a School account where the School has entered into a School Subscription Agreement and has complied with the Children's Online Privacy Protection Act ("COPPA") on behalf of its students. See Section 8 for details.

SECTION 2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

When you create an account or use the Services, we collect information you provide to us, including:

Account registration information: your name, email address, username, and password (or, for single sign-on accounts, the account credentials you authorize from a third-party provider);
Role information: whether you are registering as a Student User, Teacher User, or school administrator;
School affiliation: if you are a Teacher User or School administrator, the name of your school or institution;
Payment information: if you subscribe to a paid plan, billing name, billing address, and payment card information. Payment card data is processed directly by PKL's third-party payment processor and is not stored by PKL on its own servers;
User Content: essays, written responses, think-again exchanges, annotations, and other content you submit through the Services (see Section 5 for how we handle User Content); and
Communications: information you provide when you contact PKL for support, submit feedback, or otherwise communicate with us.

2.2 Information Collected Automatically

When you access or use the Services, we automatically collect certain technical and usage information, including:

Log data: IP address, browser type, operating system, referring URLs, pages visited within the Services, and the date and time of access;
Device information: device type, device identifiers, and screen resolution;
Usage data: features accessed, assignments completed, time spent in the Services, and interactions with the Essay Workshop and Think Again Feature; and
Cookies and similar technologies: as described in Section 6.

2.3 Information from Third Parties

If you register or log in using a third-party single sign-on service (such as Google), we receive information from that service as authorized by you, which may include your name, email address, and profile picture. We use this information only for account creation and authentication purposes.

If you access the Services through a School account, we may receive information about you from your School, including your name, grade level, class assignments, and school-assigned identifiers.

2.4 Information We Do Not Collect

PKL does not collect:

Social media profiles or social network activity;
Biometric data;
Precise geolocation data (we collect only IP-level location);
Behavioral data for the purpose of targeted advertising; or
Sensitive personal information such as government identification numbers, financial account numbers, or health information, except as strictly necessary for payment processing (handled by our payment processor).

SECTION 3. HOW WE USE YOUR INFORMATION

3.1 To Provide and Operate the Services

We use information we collect to:

Create and manage your account;
Deliver the features and functionality of the Services, including the Essay Workshop, Think Again Feature, and Librarian Feature;
Allow Teacher Users to view and provide feedback on Student User submissions within assigned classes;
Process payments for paid Subscriptions; and
Respond to your support requests and communications.

3.2 To Power AI Features

We use User Content to generate AI Output through the Essay Workshop and Think Again Feature. Before transmitting User Content to any AI Sub-Processor (see Section 5), we strip personally identifiable information including your legal name and email address. See Section 5 for a full description of our AI data handling practices.

3.3 To Improve and Develop the Services

We may use de-identified and aggregated data — from which all personally identifiable information has been removed — to:

Analyze usage patterns and improve platform functionality;
Develop and refine PKL's AI algorithms and educational features;
Conduct internal research and analytics; and
Generate aggregate statistics about platform use.

We do not use individually identifiable User Content from Student Users for product improvement without first de-identifying it. We do not use Student User data to build individual profiles for non-educational purposes.

3.4 To Communicate with You

We use your contact information to:

Send transactional communications, such as account confirmations, password resets, subscription receipts, and service notifications;
Send product updates, policy change notices, and legally required disclosures;
Send marketing communications about PKL features and offerings — but only to adult Direct Users who have not opted out, and never to Student Users. You may opt out of marketing communications at any time by following the unsubscribe link in any marketing email or by contacting us at privacy@thinkpkl.com.

3.5 To Comply with Legal Obligations

We may use and retain information as necessary to comply with applicable law, regulation, legal process, or governmental request; to enforce our Terms and Conditions; to investigate suspected violations; to protect the safety or rights of PKL, its users, or the public; and to cooperate with law enforcement.

3.6 What We Do Not Do

PKL does not:

Sell, rent, or trade your personal information to third parties for their own marketing purposes;
Use Student User data for targeted advertising, whether on the PKL platform or on third-party platforms;
Use Student User data to build behavioral profiles for non-educational purposes;
Allow AI Sub-Processors to train their models on your User Content; or
Use personal information for purposes materially different from those described in this Privacy Policy without obtaining your consent.

SECTION 4. HOW WE SHARE YOUR INFORMATION

4.1 With Your Teacher User and School

When a Student User submits User Content through a class or assignment associated with a Teacher User's account, that Teacher User can view the submission within the Services for educational purposes. School administrators with access to a School account may access aggregate usage data. Individual student submissions are accessible to school administrators only where authorized by the applicable School Subscription Agreement.

4.2 With Sub-Processors

PKL shares User Content with the following categories of Sub-Processors solely to provide the Services:

AI inference providers: PKL transmits anonymized User Content to OpenAI to generate AI Output through the Essay Workshop and Think Again Feature. User Content is anonymized (legal name and email stripped) before transmission, and PKL's agreement with OpenAI prohibits OpenAI from using PKL user data to train its models.
Data storage and infrastructure: PKL uses Supabase for database hosting and storage. Supabase processes personal information as a data processor on PKL's behalf, subject to Supabase's data processing terms.
Payment processing: Payment card information is transmitted to PKL's payment processor(s) for Subscription billing. PKL does not store raw payment card data.
Communication services: PKL may use third-party email service providers to send transactional and notification emails.

All Sub-Processors are contractually prohibited from using personal information for any purpose other than providing services to PKL and from retaining personal information beyond the time necessary to deliver those services. PKL maintains an up-to-date list of Sub-Processors, available at thinkpkl.com/subprocessors upon request.

4.3 For Legal Compliance and Safety

We may disclose personal information if we believe in good faith that such disclosure is necessary to:

Comply with a valid legal obligation, court order, subpoena, or governmental request;
Enforce our Terms and Conditions or investigate suspected violations;
Detect, prevent, or respond to fraud, security threats, or technical issues; or
Protect the safety, rights, or property of PKL, its users, or the public.

Where legally permissible, PKL will attempt to notify affected users before complying with such requests.

4.4 In Corporate Transactions

If PKL undergoes a merger, acquisition, sale of all or substantially all of its assets, or other corporate transaction, personal information held by PKL may be transferred to the successor entity. PKL will notify affected users of any such transfer by email or notice within the Services, and the successor will be bound by a privacy policy at least as protective as this one.

4.5 With Your Consent

PKL may share personal information in additional ways if we have your explicit consent to do so.

4.6 What We Do Not Share

PKL does not share personal information with:

Advertisers or advertising networks for the purpose of behavioral targeting or retargeted advertising on third-party platforms;
Data brokers or data aggregators; or
Any third party in exchange for monetary compensation or other consideration.

SECTION 5. AI SUB-PROCESSING AND DATA HANDLING

5.1 How AI Features Process User Content

PKL's Essay Workshop and Think Again Feature are powered in part by OpenAI's API. When you submit User Content to either of these features, the following process occurs:

Your User Content is received by PKL's secure backend server. User Content is never transmitted directly from your client device to OpenAI's API.
Before transmission to OpenAI, PKL's backend removes your legal name, email address, and any school or district identifiers from the content.
The anonymized User Content is transmitted to OpenAI's API for inference (i.e., to generate a response).
The AI Output generated by OpenAI is returned to PKL's backend and then delivered to you within the Services.

5.2 Prohibition on Model Training

PKL's agreement with OpenAI prohibits OpenAI from using User Content submitted through PKL's API integration to train, fine-tune, or otherwise improve OpenAI's models. PKL similarly prohibits all AI Sub-Processors from using User Content for model training.

5.3 PKL's Use of AI Interaction Data

PKL may use de-identified and aggregated AI interaction data — including de-identified essay submissions, think-again exchanges, and feedback patterns — to improve PKL's own platform features, prompt engineering, and educational algorithms. PKL will not use individually identifiable Student User content for this purpose. De-identification involves the removal of all direct and indirect identifiers that would allow a reasonable person to identify the individual student.

5.4 AI Output Is Not Stored Indefinitely

AI Output generated in response to your User Content is stored in your account for as long as your account remains active and is deleted as described in Section 7.3.

SECTION 6. COOKIES AND TRACKING TECHNOLOGIES

6.1 Cookies We Use

PKL uses cookies and similar tracking technologies to operate and improve the Services. The types of cookies we use include:

Strictly necessary cookies: Required for the Services to function, including session authentication and security features. These cannot be disabled.
Functional cookies: Enable features like remembering your preferences, login state, and account settings.
Analytics cookies: Allow PKL to understand how users interact with the Services, including which features are most used. PKL uses first-party analytics only within the Services. We do not use third-party advertising analytics cookies within the Services.

6.2 What We Do Not Do with Cookies

PKL does not use cookies or similar tracking technologies within the Services to:

Target behavioral advertising to users based on their activity within the Services;
Share cookie data with advertising networks or data brokers; or
Track Student Users across third-party websites or platforms.

Note: PKL's marketing website (the public-facing portions of thinkpkl.com accessible without login) may use standard analytics tools to understand visitor traffic. These analytics are separate from the logged-in Services and do not apply to Student User accounts.

6.3 Your Cookie Choices

Most web browsers allow you to control cookies through their settings. You may set your browser to refuse cookies or to alert you when cookies are being set. Note that disabling strictly necessary cookies may affect the functionality of the Services. PKL honors browser-level Do Not Track signals to the extent technically practicable.

SECTION 7. DATA RETENTION

7.1 Account Data

PKL retains your account registration information (name, email, role) for as long as your account is active. After account termination, PKL will retain basic account data for up to two (2) years to comply with legal obligations and to resolve disputes, after which it will be deleted or anonymized.

7.2 User Content

User Content (essays, think-again exchanges, annotations) is retained while your account is active. Upon account termination or deletion, PKL will delete User Content from its active systems within thirty (30) days, subject to:

Legal hold obligations (e.g., if User Content is the subject of a pending legal dispute);
School data retention requirements under an applicable School Subscription Agreement; and
The thirty (30) day export grace period described in the Terms and Conditions.

7.3 De-Identified and Aggregated Data

De-identified, aggregated data derived from User Content may be retained indefinitely for platform improvement and analytical purposes, provided that such data cannot be reasonably used to identify you.

7.4 Payment Records

Payment transaction records are retained for seven (7) years or such longer period as required by applicable law for tax and accounting purposes.

7.5 Log Data

Server log data (IP addresses, access logs) is retained for up to ninety (90) days, unless a longer retention period is required for security investigations or legal purposes.

SECTION 8. CHILDREN'S PRIVACY (COPPA)

8.1 Age Restrictions for Direct Accounts

PKL does not knowingly collect personal information from children under the age of 13 through direct account registration. All users registering for a direct consumer account must be at least 13 years old. If PKL learns that it has inadvertently collected personal information from a child under 13 through a direct registration, PKL will promptly delete that account and all associated data.

8.2 School Operator Exception

COPPA provides that operators of online services may collect personal information from children under 13 where the operator enters into a contract with a school acting on behalf of parents. PKL relies on this school operator exception for Student Users under 13 who access the Services through a School account. In this context:

The School enters into a School Subscription Agreement with PKL, which includes the applicable COPPA-compliant data processing terms;
The School is responsible for providing any required notices to parents and for obtaining any required parental or guardian consent before enrolling students under 13 in the Services;
PKL collects only the personal information of students under 13 that is necessary to provide the educational Services authorized by the School; and
PKL does not use personal information of students under 13 for any purpose beyond providing the Services to the School.

8.3 Parental Access Rights

Parents or guardians of students under 13 who access the Services through a School account may request to review, correct, or delete their child's personal information by contacting their child's school. The school will coordinate with PKL as necessary. PKL will not provide individual student records directly to parents without school authorization, in order to comply with FERPA's school custodianship requirements.

SECTION 9. SCHOOL ACCOUNTS, FERPA, AND STUDENT PRIVACY

9.1 FERPA Compliance

For School accounts, PKL operates as a "School Official" with a "legitimate educational interest" as those terms are used in the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. § 1232g, and its implementing regulations at 34 C.F.R. Part 99. Specifically:

Student education records processed by PKL on behalf of a School remain under the direct control of the School;
PKL accesses and processes student education records only as directed by the School and only for the purpose of providing the Services;
PKL will not disclose student education records to third parties without the School's authorization, except as required by law; and
Schools retain the right to review, audit, and request deletion of their students' records held by PKL at any time.

9.2 California AB 1584 Compliance (California Schools)

For contracts with California Local Educational Agencies ("LEAs"), PKL complies with California Education Code Section 49073.1 (AB 1584). Specifically, PKL agrees that:

Pupil records obtained from a California LEA or its students remain the property of and under the control of the LEA;
PKL will not use pupil records for any purpose other than those set forth in the applicable School Subscription Agreement;
PKL will not sell, disclose, or share pupil records without the LEA's authorization, except as required by law;
In the event of a data breach affecting California pupil records, PKL will notify the LEA within seventy-two (72) hours of confirmation, consistent with applicable breach notification requirements;
Upon termination of the School Subscription Agreement, PKL will return or destroy California pupil records in accordance with the timeline specified in the agreement (default: thirty (30) days from termination date); and
PKL implements commercially reasonable administrative, technical, and physical safeguards to protect the security and confidentiality of California pupil records.

9.3 California SOPIPA Compliance

PKL complies with California's Student Online Personal Information Protection Act ("SOPIPA"). Accordingly, PKL will not:

Use information in Student Users' accounts, including persistent unique identifiers, to engage in targeted advertising to students or their parents;
Use information created or gathered by the Services to amass a profile on a student for a non-educational purpose;
Sell Student User information; or
Disclose covered information about students except as permitted by SOPIPA and the applicable School Subscription Agreement.

9.4 Data Minimization for School Accounts

For School accounts, PKL collects only the personal information of students that is necessary to provide the educational Services authorized by the School. PKL does not require students to submit personally identifiable information that is not necessary for the educational purposes of the Services.

9.5 School Responsibilities

Schools using the Services are responsible for:

Entering into a School Subscription Agreement with PKL before enrolling students;
Complying with FERPA, COPPA, and applicable state student privacy laws, including providing required notices to parents and obtaining required consents;
Managing teacher and student account access within their school account; and
Notifying PKL promptly of any student who should be removed from the Services.

SECTION 10. SECURITY

10.1 Security Measures

PKL implements commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. Our security practices include:

Encryption of data in transit using TLS (Transport Layer Security);
Encryption of data at rest using AES-256 encryption through our Supabase infrastructure;
Access controls limiting employee and contractor access to personal information to those with a need-to-know for the purpose of providing the Services;
Backend proxy architecture for AI API calls, ensuring that User Content is never transmitted directly from client devices to AI Sub-Processors; and
Regular security reviews and monitoring.

10.2 No Absolute Security

No method of transmission over the internet or electronic storage is completely secure. While PKL uses commercially reasonable security measures, we cannot guarantee the absolute security of personal information. If you believe your account has been compromised, please contact us immediately at privacy@thinkpkl.com.

10.3 Data Breach Notification

In the event of a data breach that is reasonably likely to result in harm to affected individuals, PKL will notify affected users and, for School accounts, the applicable School, as required by applicable law. For California residents, PKL will provide notification consistent with the California Consumer Privacy Act ("CCPA"), CPRA, and California Civil Code Section 1798.82 (California data breach notification law). For School accounts subject to AB 1584, PKL will notify the LEA within seventy-two (72) hours of confirming a breach affecting pupil records.

SECTION 11. YOUR PRIVACY RIGHTS AND CHOICES

11.1 Access and Correction

You have the right to access, review, and correct the personal information PKL holds about you. You may review and update your account information by logging into your account. If you cannot access or update certain information through your account settings, you may contact us at privacy@thinkpkl.com.

11.2 Deletion

You have the right to request deletion of your personal information. To request account deletion, you may [deletion method TBD] or contact us at privacy@thinkpkl.com. Upon deletion, PKL will delete your personal information from its active systems within thirty (30) days, subject to retention obligations described in Section 7. De-identified, aggregated data derived from your account may be retained after deletion.

For Student Users whose accounts are managed by a School, deletion requests should be directed to the School. PKL will process deletion requests from Schools in accordance with the applicable School Subscription Agreement.

11.3 Data Portability

You have the right to receive a copy of the personal information you have provided to PKL in a structured, commonly used, machine-readable format. To request a data export, contact us at privacy@thinkpkl.com. PKL will respond to portability requests within thirty (30) days.

11.4 Opt-Out of Marketing Communications

Direct Users may opt out of receiving marketing emails from PKL at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at privacy@thinkpkl.com. Opting out of marketing communications does not affect your receipt of transactional communications (such as subscription receipts or security notices).

PKL does not send marketing communications to Student Users.

11.5 Cookie Preferences

You may manage your cookie preferences through your browser settings, as described in Section 6.3. Note that disabling strictly necessary cookies may impair the functionality of the Services.

SECTION 12. CALIFORNIA CONSUMER PRIVACY ACT (CCPA/CPRA)

12.1 Applicability

This Section 12 applies to California residents whose personal information is subject to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, "CCPA/CPRA").

12.2 Categories of Personal Information Collected

In the preceding twelve (12) months, PKL has collected the following categories of personal information from California residents, as defined under the CCPA:

Identifiers: name, email address, IP address, device identifiers, and account username.
Commercial information: Subscription tier and payment history (for paid subscribers).
Internet or other electronic network activity information: log data, usage data, and cookies, as described in Sections 2.2 and 6.
Education information: for School accounts, grade level, class assignments, and School-assigned identifiers, as disclosed by the School.
Inferences: de-identified, aggregated inferences drawn from platform usage for product improvement purposes (not linked to any individual).

12.3 Purposes for Collection

PKL collects the above categories of personal information for the business purposes described in Section 3 of this Privacy Policy.

12.4 No Sale of Personal Information

PKL does not sell personal information within the meaning of the CCPA/CPRA, including personal information of minors. PKL does not share personal information with third parties for cross-context behavioral advertising.

12.5 California Consumer Rights

California residents have the following rights under the CCPA/CPRA:

Right to Know: The right to request that PKL disclose the categories and specific pieces of personal information it has collected about you, the categories of sources from which that information was collected, the business purpose for collecting or sharing it, and the categories of third parties to whom it was disclosed.
Right to Delete: The right to request deletion of personal information collected from you, subject to certain exceptions.
Right to Correct: The right to request correction of inaccurate personal information PKL holds about you.
Right to Opt-Out of Sale/Sharing: The right to opt out of the sale or sharing of personal information. PKL does not sell or share personal information, so this right is inherently satisfied.
Right to Limit Use of Sensitive Personal Information: PKL does not process sensitive personal information (as defined under CPRA) for purposes beyond those necessary to provide the Services.
Right to Non-Discrimination: PKL will not discriminate against you for exercising any of your CCPA/CPRA rights.

12.6 Minors 13 to 15 — Opt-In Required for Sharing

Consistent with California Civil Code Section 1798.120(c), PKL does not sell or share the personal information of California consumers between the ages of 13 and 15 for cross-context behavioral advertising without affirmative authorization. Because PKL's standing commitment is to not sell or share any user data for advertising purposes, this protection extends to all users regardless of age.

12.7 How to Submit a CCPA/CPRA Request

To exercise your CCPA/CPRA rights, you may:

Submit a request by email to privacy@thinkpkl.com with the subject line "California Privacy Request";
Include your name, email address associated with your PKL account, and the specific right(s) you wish to exercise.

PKL will verify your identity before processing your request and will respond within forty-five (45) days of receipt. If we need additional time (up to an additional forty-five (45) days), we will notify you of the extension within the initial forty-five (45) day period. PKL will not charge a fee for processing your request unless it is excessive, repetitive, or manifestly unfounded.

12.8 Authorized Agents

California residents may designate an authorized agent to submit a CCPA/CPRA request on their behalf. PKL will require the authorized agent to provide proof of authorization and may require you to verify your identity directly with PKL before processing the request.

SECTION 13. INTERNATIONAL USERS

The Services are operated from the United States and are intended for users in the United States. PKL's servers and Sub-Processors are located in the United States. If you access the Services from outside the United States, please be aware that your personal information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.

PKL does not actively market or target the Services to users in the European Union, United Kingdom, or Switzerland. PKL does not currently maintain EU Standard Contractual Clauses or other GDPR transfer mechanisms. If your jurisdiction requires specific data transfer safeguards that PKL does not currently provide, you should not use the Services.

SECTION 14. CHANGES TO THIS PRIVACY POLICY

PKL may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes to this Privacy Policy, we will:

Update the "Last Updated" date at the top of this Policy;
Post a notice on the Services; and
For material changes, send an email notice to the address associated with your account at least thirty (30) days before the changes take effect.

For School accounts, any changes to this Privacy Policy that materially affect the processing of student personal information will require affirmative re-acceptance by the School administrator before taking effect with respect to the School's student accounts.

Your continued use of the Services after the effective date of any revised Privacy Policy constitutes your acceptance of the changes.

SECTION 15. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or PKL's data practices, please contact us at:

ThinkPKL, Inc. Privacy inquiries: privacy@thinkpkl.com Legal inquiries: legal@thinkpkl.com Website: thinkpkl.com

For California residents exercising CCPA/CPRA rights, please include "California Privacy Request" in the subject line of your email.

For School administrators and FERPA-related inquiries, please reference your School Subscription Agreement account number in your communication.

PKL will acknowledge your inquiry within five (5) business days and provide a substantive response within the timeframe required by applicable law.