Privacy Policy

CPS HSAT Prep is a local-first Progressive Web App. We do not run a backend that stores your data. We do not have user accounts, logins, or passwords. We do not run analytics or tracking pixels in your browser. No JavaScript on this site sends data about you to any third party. We do not sell or share data with third parties — there is no data to sell.

Everything you do in the app — your name (or nickname), practice attempts, mock scores, vocabulary review schedules, achievements, bookmarks, highlights — lives only on your device, in your browser's IndexedDB and localStorage.

Nothing on a server about your in-app activity. The app runs entirely in your browser after the initial page load. No telemetry, no analytics calls, no third-party scripts.

Server access logs (timestamp, requested path, one-way hashed IP, user agent, country code) are emitted by our hosting provider (Railway). We review these in aggregate to understand traffic volume, detect abuse, and identify popular content. The IP address is hashed before being written to logs, so we cannot recover the original IP from the hash. No personal information beyond what every HTTP server collects is processed. Logs are retained for approximately 30 days.

We never associate your in-app activity (your practice attempts, scores, etc.) with these access logs. Your in-app activity stays on your device only.

The following are stored on your device only:

• Profile name (nickname you choose)
• Practice and mock attempt records
• Vocabulary review schedules (SM-2 spaced repetition state)
• Reading-speed and mental-math sprint history
• Error log entries with categorization
• Highlights and notes on reading passages
• Bookmarks, achievements, streaks, study plan settings
• Preferences (language, dyslexia font, accommodations)

You can export all of this as JSON from Settings, or delete a profile (which removes all of its data permanently).

The app is designed for 8th-grade students (~13-14 years old). Because we collect no personally identifiable information and run no backend, we do not trigger COPPA, FERPA, or Illinois SOPPA disclosure requirements.

That said, the responsibility for whether a student uses the app rests with the parent or guardian. We recommend a parent set up the device profile with a nickname (not a full real name) to avoid any data lingering.

• Railway (hosting) — serves the app static assets and Next.js routes.
• Service Worker (Workbox) — caches the app for offline use, runs entirely in your browser.
• Web Speech API — for the optional “Read aloud” feature; runs on-device, nothing leaves your browser.
• Web Share API — when you tap “Share summary” in Parent Dashboard, your operating system handles the share — we do not see what you shared or where.

If we ever add a backend or any tracking, we will update this page with the date of the change and require explicit opt-in for the new processing.