— Legal
This page is maintained by the StudyPod team to answer common security questions about the platform. It reflects current, in-product practices — not a certification.
All traffic to and from StudyPod is encrypted with TLS 1.2 or higher. Uploaded files and derived content are stored encrypted at rest with AES-256 on our managed database and object storage.
StudyPod supports email + password (with strong hashing) and Google sign-in. Sessions use short-lived access tokens with rotating refresh tokens. We block credential-stuffing patterns and rate-limit sign-in attempts per IP and per account.
Only your account can read your StudyPods. On the school and district plan, teachers see only their assigned classes, and district admins see aggregated mastery — not individual chat transcripts — unless explicitly authorized. Internally, engineer access to production data is restricted to a small on-call rotation and audited.
StudyPod runs on serverless infrastructure hosted in US regions. Backups are taken daily and retained for 30 days. We can restore to any point in that window.
We route AI requests through the Lovable AI Gateway. Prompts and completions are used only to serve your request — not to train foundation models. We keep audit logs of AI calls tied to your account for 90 days for abuse investigation.
If you believe you've found a security issue, please report it to security@studypod.app (PGP key available on request). We'll acknowledge within one business day and keep you updated as we investigate. We commit not to pursue legal action against researchers who make a good-faith effort to follow this policy.
StudyPod is built on top of managed cloud infrastructure. Some security controls are ours (application code, access policies, audit logs). Others are our vendors' (physical data-center security, hypervisor isolation). We list our sub-processors on the Trust page.