Security & Trust — ClassMinds

Four pillars

How we protect your data.

🔐

Encryption everywhere

All data encrypted in transit (TLS 1.3) and at rest via Google Cloud's default encryption. Uploads go to Firebase Storage with server-side AES-256.

👤

Strict access scoping

Firestore security rules enforce per-user reads and writes. Notes are scoped to your UID; class chats are scoped to enrolled members only.

🧠

Zero-training policy

Your notes are never used to train any AI model — yours, ours, or a third party's. They're only used to answer your own questions.

🗑️

Real deletion

Account deletion removes your notes, uploads, and profile. Group-chat messages are tombstoned so classmates' threads stay intact without exposing you.

Live security status

Real status — not aspirational. Updated with every release.

TLS 1.3

Enforced

At-rest encryption

AES-256

Firestore rules

Per-user scoped

Auth MFA

Apple + Email

App Check

Rolling out

SOC 2

Post-launch

How your data meets the AI

When you ask the AI tutor a question, ClassMinds fetches the most relevant passages from your notes, sends those — and only those — along with your question to the model. The model generates an answer grounded in that context.

Uploads are indexed privately; the index is scoped to your account
Retrieved passages are sent as one-time request context — not stored by the model provider
We use OpenAI's zero-retention API mode: prompts aren't retained for training
You can delete any uploaded file at any time; its index is removed within minutes

Compliance & privacy laws

ClassMinds is built around data-minimization principles from the start.

GDPR: Users can export and delete their data from Settings. We don't sell data. DPAs available for EU institutions.
CCPA: California users have the same export/delete rights. We don't sell personal information.
FERPA: ClassMinds is consumer-facing today, not a covered school official. If your institution wants to deploy ClassMinds as a FERPA-scoped service, we offer a Data Processing Agreement.
COPPA: ClassMinds is 13+. We don't knowingly collect data from children under 13.

Responsible disclosure

Found a security issue? Report it directly — we read every email and respond within 48 hours. We don't offer a bug bounty yet, but we do credit disclosures publicly (with your permission).

Email: [email protected]

PGP key: classminds.app/.well-known/security.txt

Don't: publicly disclose until we've confirmed a fix. Do: include reproduction steps and, if possible, a patch suggestion.

Your notes,
locked down.

How we protect your data.

Live security status

How your data meets the AI

Compliance & privacy laws

Responsible disclosure

Questions about security?

Your notes,locked down.

How we protect your data.

Live security status

How your data meets the AI

Compliance & privacy laws

Responsible disclosure

Questions about security?

Your notes,
locked down.