Privacy Policy

NextGenCyberEd operates Praxis for classroom and organizational tabletop exercises. For school use, your institution is the data controller for student information; Praxis acts as a service providerprocessing data only to deliver exercises at the school's direction.

Educator accounts

• Email address, display name, and authentication identifiers (via Supabase Auth)
• Terms acceptance record (timestamp, IP address, browser user-agent)
• Organization membership and role

Exercise participants (join code — no staff account)

• Assigned alias (default) or optional display name if facilitator enables it
• Votes, confidence scores, and optional response text
• Technical session data required to run the exercise

We do not knowingly register children under 13 as staff users. Under-13 participants join only via exercise code under teacher direction; schools handle any consent required under their laws.

• Deliver and facilitate tabletop exercises
• Generate after-action SWOT reports for facilitators (with anonymized participant labels)
• Operate, secure, and improve the platform

We do not sell student data or use it for targeted advertising.

SWOT generation may send vote summaries to our AI provider via a gateway. Participant labels in prompts are anonymized (e.g. "Participant 1") — never real names or aliases. See Sub-processors.

• Participant session data (aliases, votes): deleted on the earlier of (a) 7 days after exercise completion, or (b) immediately after SWOT is generated.
• SWOT reports: retained with the exercise for facilitator access.
• Educator accounts: retained while the account is active, then deleted or anonymized per request.
• Terms acceptances: retained as an audit log of which agreement version each educator accepted.

Data in transit is protected with TLS. Data at rest is hosted on encrypted infrastructure operated by our database provider (Supabase). Access is restricted by application role-based controls and database row-level security. We do not separately encrypt individual participant response fields at the application layer. See our Security page.

Districts and schools may request our School Data Processing Addendum. Sub-processors are listed on the Sub-processors page.

• Personal data: Staff users can delete participant history, display name, and terms acceptance from Privacy & data in the app.
• Organization data: Tenant admins can wipe all org scenarios and exercises (keeping team accounts) from Team settings. Each action is logged.
• Audit requests: Schools may request compliance exports (terms acceptances, purge events, deletion requests, access reviews) via legal@nextgencybered.org.