HamCoach AI — Privacy Policy
Last updated: May 17, 2026
This Privacy Policy describes how HamCoach AI ("HamCoach," "we," "us," or "our") collects, uses, shares, and protects personal information when you use the HamCoach AI website, applications, and related services (the "Service").
We've tried to write this in plain English. If anything is unclear, contact us at privacy@hamcoach.ai.
1. Information we collect
We collect the following categories of information:
Account data (from you, via Clerk): email address, display name, and authentication identifiers. If you sign in with a third-party identity provider (e.g., Google), we receive the identifiers that provider passes to us.
Study data (from you, generated by your use): practice sessions, questions viewed, answers submitted, time spent, study preferences, streaks, and notes or feedback you submit.
Inferences and learning analytics (generated by us): mastery levels, readiness scores, predicted exam performance, recommended topics, and similar inferences our adaptive engine draws from your study activity.
Billing data (via Stripe): subscription status, plan, billing cadence, transaction history, and Stripe customer and subscription identifiers. We do not store full payment card numbers; Stripe handles all card data subject to its own terms and PCI-DSS compliance.
Support and communications data: messages, attachments, and contact details you submit through the contact form, plus metadata associated with transactional emails we send (e.g., delivery status, opens, clicks where available).
Technical and usage data (collected automatically): IP address, browser type and version, operating system, device identifiers, referring and exit pages, pages or features viewed, timestamps, error reports, and similar log data collected when you access the Service.
Information we do not intentionally collect. We do not intentionally collect special categories of personal data under GDPR (such as racial or ethnic origin, political opinions, religious beliefs, health information, biometric data, or data concerning a person's sex life or sexual orientation) or sensitive personal information under CPRA. Please do not submit sensitive information in AI tutor chats, support messages, or other free-text fields. If we become aware that you have submitted sensitive information, we may delete or redact it.
2. How we use information
We use personal information for the purposes listed below. For users in the European Union, United Kingdom, and European Economic Area, the table also identifies the legal basis under the GDPR.
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and authenticate your account; provide the core Service | Performance of a contract |
| Personalize study recommendations and track progress | Performance of a contract |
| Process subscription payments and enforce plan entitlements | Performance of a contract |
| Send transactional emails (receipts, account notices, security alerts) | Performance of a contract |
| Respond to support requests and contact form submissions | Performance of a contract; legitimate interests |
| Improve, debug, and develop the Service; analyze aggregated usage | Legitimate interests (improving our product) |
| Detect, prevent, and respond to fraud, abuse, and security threats | Legitimate interests; legal obligation |
| Comply with legal obligations (tax, accounting, lawful requests) | Legal obligation |
| Send marketing emails (only if you opt in) | Consent (you may withdraw at any time) |
What we do not do. We do not sell personal information for money. We do not share personal information for cross-context behavioral advertising or targeted advertising. We do not use student or study data to train foundation AI models. We do not knowingly process personal information of children under 13 (see Section 9).
3. AI features
When you use AI explanations, the AI tutor, or other AI-assisted features, we send relevant context to a third-party AI provider in order to generate a response. That context typically includes the question text, your answer, related study context, and the conversation history within that session.
AI providers. We route AI requests through OpenRouter, which forwards them to one or more upstream model providers (which may include Anthropic, OpenAI, Google, Meta, and others). The current list of upstream providers we use is maintained at https://www.hamcoach.ai/subprocessors.
Training. We have configured our AI integrations, where supported by the provider, so that your inputs and outputs are not used to train foundation models. Some providers retain inputs for a short period (typically 30 days or less) for abuse monitoring; we do not use these retained inputs for model training.
Caching. We may cache AI responses on our own systems to improve performance and reduce cost. Cached responses are associated with the question and study context that produced them and may be reused for other users when the inputs are equivalent. Cached responses are retained for up to 12 months and may be purged earlier.
Limitations. AI-generated content is educational support, not official FCC, NCVEC, or examination authority, and may be inaccurate, incomplete, or fabricated. Do not rely on AI output for regulatory, legal, or safety decisions. Always verify against official sources.
Sensitive information. Do not submit sensitive personal information in AI tutor chats. We may filter or block submissions that appear to contain sensitive personal data.
4. Subprocessors and third-party providers
We rely on the following third-party processors to deliver the Service. Each is bound by contractual data-protection terms and processes personal information only as needed to perform its function.
| Provider | Function | Location | Cross-border transfer mechanism |
|---|---|---|---|
| Clerk | Authentication and account management | United States | Standard Contractual Clauses (SCCs) |
| Stripe | Payment processing and subscription management | United States, Ireland | SCCs / Stripe DPA |
| OpenRouter + upstream AI providers | AI inference | United States (varies by provider) | SCCs |
| Resend | Transactional and contact email delivery | United States | SCCs |
| Vercel | Application hosting and edge delivery | United States | SCCs |
| Neon | Database hosting | United States | SCCs |
| Sentry | Error and performance monitoring | United States | SCCs |
| PostHog | Product analytics and usage insights | United States | SCCs |
We maintain an up-to-date subprocessor list at https://www.hamcoach.ai/subprocessors. When we add a new subprocessor that materially changes how personal data is processed, we will update that page and notify subscribers in advance through email or in-product notice.
5. International data transfers
The Service is operated from the United States, and our subprocessors are primarily located in the United States. If you access the Service from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with cross-border data transfer restrictions, your personal information will be transferred to and processed in the United States.
For transfers from the EEA, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss mechanisms, supplemented by additional safeguards where appropriate (encryption in transit and at rest, access controls, contractual restrictions). Copies of our transfer mechanisms are available on request.
6. Cookies and similar technologies
We use cookies and similar technologies that are strictly necessary to authenticate users, maintain sessions, and prevent fraud. We do not currently use cookies for analytics, advertising, or behavioral tracking.
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| __session, __clerk_* | Clerk | Authentication and session management | Session / up to 7 days |
| __stripe_mid, __stripe_sid | Stripe | Fraud prevention at checkout | Up to 1 year / 30 minutes |
Because these cookies are strictly necessary to provide the Service, they do not require consent under the EU ePrivacy Directive or UK PECR. If we add analytics, marketing, or other non-essential cookies in the future, we will update this Policy and, where required, present a cookie consent banner before such cookies are set.
We honor Global Privacy Control (GPC) signals as opt-out-of-sale and opt-out-of-sharing requests, even though we do not sell or share personal information for cross-context behavioral advertising.
7. Data retention
We retain personal information only as long as necessary for the purposes described in this Policy or as required by law. Specific retention practices:
- Account and study data: retained while your account is active. After account deletion, we delete or irreversibly anonymize personal data within 90 days, except as noted below.
- Billing records: retained for 7 years after the last transaction to comply with United States tax and accounting requirements.
- Support communications: retained for up to 24 months after the matter is resolved.
- AI prompts, outputs, and caches: retained for up to 12 months, then purged.
- Security and access logs: retained for 90 days.
- Encrypted backups: deleted data may persist in encrypted backups for up to 30 days before being overwritten.
Where we anonymize data rather than delete it, the result no longer identifies any individual and is not subject to the rights described in Section 8.
8. Your privacy rights
Depending on where you live, you may have specific rights regarding your personal information.
Users in the European Economic Area, United Kingdom, or Switzerland (GDPR / UK GDPR)
You have the right to:
- Access the personal data we hold about you and receive a copy.
- Rectify inaccurate or incomplete personal data.
- Erase ("right to be forgotten") your personal data in certain circumstances.
- Restrict processing in certain circumstances.
- Portability: receive a copy of your data in a structured, commonly used, machine-readable format.
- Object to processing based on legitimate interests, including profiling.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your national supervisory authority (e.g., the ICO in the UK, the CNIL in France, the DPC in Ireland).
Users in California (CCPA / CPRA)
You have the right to:
- Know what categories and specific pieces of personal information we have collected, the sources, the purposes of collection, and the categories of recipients.
- Delete personal information we have collected from you, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising, but we honor opt-out signals (including GPC) anyway.
- Limit the use and disclosure of sensitive personal information. We do not use sensitive personal information for purposes that trigger this right.
- Non-discrimination: we will not deny service, charge different prices, or provide a different level of quality because you exercised your rights.
California residents may also designate an authorized agent to make requests on their behalf. We may require the agent to provide written authorization and may require you to verify your own identity.
Users in other US states
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, Minnesota, New Jersey, Nebraska, New Hampshire, Kentucky, Maryland, Rhode Island, and other states with comprehensive privacy laws have rights similar to those described for California. Contact us to exercise them.
How to exercise your rights
Email privacy@hamcoach.ai with the request and the jurisdiction whose rights you are invoking. We may need to verify your identity before responding, typically by asking you to confirm information associated with your account.
We will respond within the timelines required by applicable law — generally 30 days under GDPR (extendable by 60 days for complex requests) and 45 days under CCPA (extendable by 45 days). If we cannot fulfill a request, we will explain why.
You may also delete your account directly from the Settings page, which triggers the deletion process described in Section 7.
9. Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13.
If you are a parent or guardian and believe we have collected personal information from a child under 13, contact us at privacy@hamcoach.ai and we will investigate and delete the information.
For users known to be between 13 and 17, we do not use their personal information for targeted advertising, profiling for marketing purposes, or sale of personal information, consistent with state laws on minors' privacy.
10. Security
We use reasonable administrative, technical, and physical safeguards to protect personal information, including:
- Encryption in transit (TLS) and at rest (provider-managed encryption)
- Least-privilege access controls and audit logging for administrative actions
- Reputable infrastructure providers with established security practices
- Periodic review of access and security configuration
No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you and any required authorities without undue delay and consistent with applicable law (including the GDPR's 72-hour supervisory authority notification requirement and applicable US state breach notification statutes).
11. Automated decision-making
Our adaptive engine generates recommendations about what topics to study and predicts your exam readiness. These are decision-support outputs, not decisions that produce legal or similarly significant effects under GDPR Article 22. You remain in control of how you use the Service, and a human (you) decides whether and when to take an exam.
If you would like more information about how our adaptive engine works or wish to object to automated processing, contact us at privacy@hamcoach.ai.
12. Changes to this Policy
We may update this Policy from time to time. For material changes — for example, expanded categories of data we collect, new purposes of use, or new categories of recipients — we will provide reasonable advance notice (typically at least 30 days) by email or through the Service. For non-material changes (such as clarifications or contact updates), we will update the "Last updated" date above. Where required by law, we will seek your renewed consent.
13. Contact us
Privacy inquiries and rights requests: privacy@hamcoach.ai
General inquiries: via our contact page
Privacy Lead: Andy Melichar
Mailing address: HamCoach.ai, PO BOX 431, Willis, MI 48191, hello@hamcoach.ai