The short version. You can use the canvas anonymously and we collect almost nothing. If you sign in with Google, we store your email, name and profile picture so we can sync your projects. If you use AI features, your prompts and attached files are sent to Anthropic so they can generate a response. If you subscribe to Pro, Dodo Payments handles the card — we never see it. We run our own first-party, cookie-free pageview counter so we can see how many people visit each page (details in §2.6) — we do not use Google Analytics or any other third-party tracker. We don't sell your data, and we don't train AI models on your content.
On this page
- Who this policy is from
- Data we collect
- How we use your data
- Legal basis (DPDP / GDPR)
- Third-party services we share data with
- How AI features handle your data
- Cookies & local storage
- Data retention
- Security
- International data transfers
- Your rights
- Children
- Changes to this policy
- Contact & data requests
1. Who this policy is from
This Privacy Policy explains how TeachBoard (an Indian sole-proprietorship, the "Data Fiduciary" / "Controller", referred to here as "we", "us") handles personal data when you use teachboard.app and related services (the "Service"). It applies to all users worldwide.
For the purposes of the EU/UK GDPR we are the controller of your personal data. For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDP Act") we are the Data Fiduciary.
2. Data we collect
2.1 If you use the canvas anonymously
You can open teachboard.app and use the drawing canvas without an account. In that mode:
- We do not create a server-side record of you.
- Your canvas is stored in your browser's local storage on your machine — we never see it.
- Standard server logs (covered in §2.5) still apply.
2.2 If you sign in with Google
When you sign in via Google OAuth, Google sends us — and we store — the following from your Google profile:
- your Google account email address;
- your display name;
- your profile picture URL;
- your Google subject ID (a stable identifier we use to associate your data with you).
We do not receive your Google password and we do not request access to your Drive, Gmail, contacts, calendar or any other Google scope.
2.3 Content you create or upload
When you use the cloud features of TeachBoard (signed in), we store the projects you save:
- your canvases: strokes, shapes, text, tables, charts, diagrams, embedded media (images, sprites, videos, PDFs you imported);
- AI Chat history within a project (prompts and AI responses);
- Manim render history within a project (prompts and rendered MP4/PNG files);
- saved assets in your StoreBox (the thumbnails and element data you've explicitly saved).
2.4 Subscription & billing data
If you subscribe to TeachBoard Pro, Dodo Payments processes the payment. We receive only:
- your subscription status (active / cancelled / past-due);
- the plan you chose;
- the next billing date;
- a Dodo customer/subscription identifier so we can look you up.
We never see or store your full card number, CVV, UPI ID or bank credentials. Those live with Dodo Payments.
2.5 Technical & log data
Like any web service, our servers (and our infrastructure providers — see §5) automatically log:
- your IP address (used for rate-limiting, abuse prevention and approximate region detection);
- the date / time / URL of your request;
- HTTP status, user-agent and referrer (for debugging);
- error stack traces and request IDs when something goes wrong.
2.6 First-party site analytics
So we can see which pages are visited and roughly how the Service is used, every page on teachboard.app includes a small first-party script (/track.js) that sends a single request per pageview to our own servers. For each pageview we record:
- the page path you visited (e.g. /features);
- the referring host, if any (e.g. google.com — query parameters are stripped);
- your browser language, time-zone and a coarse screen-width bucket (xs/sm/md/lg/xl);
- a derived device / browser / OS family from your User-Agent (e.g. "mobile / Chrome / Android");
- a synthetic visitor id: SHA-256(secret salt || today's UTC date || your IP || your User-Agent), truncated to 16 hex characters. The same visitor on the same day always hashes to the same id (so we can count unique daily visitors), but because the hash is salted with the day, the same visitor on a different day gets a different id — we cannot follow you across days.
We do not store your raw IP address, raw User-Agent, cookies, or any other cross-session identifier as part of this analytics. We do not share this data with any third party — it is collected by, stored on, and read from our own AWS infrastructure only. The script respects the browser's Do Not Track signal and does not run if you have it enabled.
2.7 What we don't collect
- We do not run third-party advertising or marketing trackers.
- We do not run third-party web-analytics (no Google Analytics, no Facebook pixel, no Hotjar, etc.). Our pageview counter is the first-party one described in §2.6.
- We do not access your microphone, camera or location.
- We do not sell, rent or trade your personal data.
3. How we use your data
We use the data described in §2 to:
- provide the Service to you — letting you sign in, sync projects across devices, run AI and Manim jobs, and access your subscription;
- process payments and manage subscriptions (via Dodo Payments);
- communicate with you about your account — receipts, billing problems, security issues, important service changes;
- protect the Service from abuse, fraud and security incidents (rate-limiting, anomaly detection);
- debug, monitor and improve the Service;
- comply with our legal obligations (e.g. tax records, responding to lawful requests).
4. Legal basis (DPDP / GDPR)
For users in jurisdictions that require it (e.g. India under the DPDP Act, the EU/UK under the GDPR), we rely on the following grounds:
- Performance of a contract — to deliver the features you've signed up for.
- Consent — for AI features that send your prompts to Anthropic, for storing your Google profile, and for any optional features you explicitly opt into. You can withdraw consent at any time by deleting your account.
- Legitimate interests — to keep the Service secure, detect abuse, and operate the business. We balance these interests against your rights and freedoms.
- Legal obligation — to comply with applicable laws (tax, accounting, lawful disclosure requests).
5. Third-party services we share data with
We rely on the following sub-processors / providers. Each has its own privacy policy; we only share the minimum data needed for the feature to work.
5.1 Google (sign-in)
Used for OAuth sign-in. We receive your email, name, profile picture and a stable Google ID. We do not request additional scopes.
5.2 Anthropic (AI)
When you use AI Chat, AI charts/diagrams or the Manim generator, your prompt, attached files (if any) and a snapshot of the relevant canvas selection are sent to Anthropic's Claude API to produce a response. Anthropic, by default on the API, does not use API inputs to train their models. See Anthropic's privacy policy.
5.3 Amazon Web Services (AWS)
We host the Service on AWS (S3, CloudFront, Lambda, etc.). Your account data, projects, Manim renders and server logs are stored on AWS. AWS acts as our data processor.
5.4 Dodo Payments (billing)
Dodo Payments processes your subscription as merchant of record. They handle card data, tax calculation, invoicing and recurring billing. See Dodo's privacy policy on their website.
5.5 Freepik (icon search)
When you use the icon-search panel, your search query is sent to Freepik's API. Images shown in the search panel are loaded directly from Freepik's CDN, which may log your IP and request metadata under their privacy policy.
5.6 Pexels (stock video search)
When you use the stock-video search, your search query is sent to Pexels' API. Video previews stream from Pexels' CDN, which may log your IP and request metadata under their privacy policy.
5.7 Other recipients
We may also disclose personal data: (a) to comply with a binding legal request or court order; (b) to enforce our Terms; (c) to protect the rights, property or safety of TeachBoard, our users or the public; or (d) in connection with a business transfer (merger, acquisition, asset sale), in which case we will give notice before personal data becomes subject to a different privacy policy.
6. How AI features handle your data
Because AI features are the most data-sensitive part of the Service, here is exactly what happens:
- You type a prompt (or attach a file) in the AI Chat panel, AI chart dialog or Manim dialog.
- Our backend forwards that prompt — together with the minimum context needed (e.g. a snapshot of the selected canvas elements) — to Anthropic's Claude API.
- Anthropic returns a response; our backend forwards it to your browser and stores it in your project history so you can refer back to it.
- For Manim, the model writes a Python script which is then executed on our server-side Manim + LaTeX renderer (AWS Lambda). The resulting MP4 / PNG is stored on AWS S3 and served back to you. We do not share the script or the output with any third party other than AWS for storage/delivery.
We do not use your prompts, attachments or outputs to train any AI model. We do not give your content to Anthropic for model training; Anthropic's API default policy applies.
7. Cookies & local storage
We use a minimum of storage in your browser:
- An authentication token / session marker that keeps you signed in after a Google OAuth flow.
- localStorage: the in-progress state of your anonymous canvas, your UI preferences (dark/light mode, last-used tool, etc.), recently-used Freepik icons, and similar non-personal app state.
- sessionStorage: a single flag (tb_seen) used by our first-party analytics script (§2.6) to distinguish the first pageview of a session from subsequent ones. It is wiped automatically when you close the tab.
We do not use cookies for advertising, marketing or third-party analytics.
8. Data retention
- Account data (email, name, profile picture, Google ID) — kept while your account is active. Deleted within 30 days of account deletion, except where retention is required by law.
- Your projects, canvases, AI / Manim history, assets — kept while your account is active. Deleted within 30 days of account deletion (or sooner if you delete the project directly).
- Subscription & billing records — retained for the period required by Indian tax and accounting law (typically up to 8 years from the financial year of the transaction). Dodo Payments has its own retention schedule for the underlying transactions.
- First-party site analytics (§2.6) — individual pageview records are automatically deleted after 90 days by a DynamoDB time-to-live policy. After that point only aggregate counts (if any) survive.
- Server logs — retained for up to 90 days for security and debugging, then deleted or aggregated.
- Backups — encrypted backups roll on a 30-day window; after that, deleted data is no longer recoverable.
9. Security
We take security seriously:
- All traffic to and from the Service is encrypted in transit (HTTPS / TLS).
- Data at rest in AWS S3 is encrypted using AWS-managed keys.
- API keys for third-party providers are kept in environment variables, never exposed to the browser.
- Access to production systems is restricted and audited.
No system is 100% secure. If we discover a personal-data breach that is likely to result in significant harm, we will notify affected users and the relevant authorities in accordance with applicable law (including the DPDP Act and, where relevant, the GDPR's 72-hour notification requirement).
10. International data transfers
TeachBoard is operated from India. Our infrastructure providers (notably AWS, Anthropic and Dodo Payments) operate in multiple regions, including the United States and the European Union. This means your personal data may be transferred to, stored in or processed in countries other than your own.
Where we transfer personal data outside your jurisdiction, we rely on the safeguards offered by those providers (such as Standard Contractual Clauses for GDPR transfers) and limit the data shared to what is strictly necessary.
11. Your rights
Depending on where you live, you may have the right to:
- Access a copy of the personal data we hold about you;
- Correct data that is inaccurate or incomplete;
- Erase your account and associated personal data;
- Restrict or object to certain processing;
- Withdraw consent where processing is based on consent;
- Port your data — receive a copy in a structured, machine-readable format;
- Nominate another person to exercise these rights on your behalf in the event of death or incapacity (DPDP Act).
To exercise any of these rights, write to us at xeonaicontact@gmail.com from the email associated with your account. We will respond within 30 days, or sooner where the law requires it.
If you believe we've mishandled your data, you also have the right to complain to your local data-protection authority — for users in India, that's the Data Protection Board of India once constituted under the DPDP Act.
12. Children
The Service is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please email xeonaicontact@gmail.com and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest revision. For material changes, we will give reasonable advance notice — for example by email or via an in-app notice — before they take effect.
14. Contact & data requests
For any privacy question, data-access request, deletion request or grievance under the DPDP Act:
- Email: xeonaicontact@gmail.com
- Subject prefix: [Privacy] — helps us route faster
- Operator: TeachBoard (Indian sole-proprietorship)
- Website: teachboard.app