Privacy Policy

1. Introduction

Welcome to Scratch Robots. This Privacy Policy explains how Scratch Robots LLC ("Scratch Robots," "we," "us," or "our") collects, uses, shares, and protects information when you visit our website at scratchrobots.com, use our subscription service, purchase robotics kits, participate in our community forum, or otherwise interact with our products and services (collectively, the "Service").

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

The Service is intended for users aged 13 and older. If you are between 13 and 17, a parent or legal guardian must be the account holder and be responsible for any payment. We do not knowingly collect personal information from children under 13. See Section 8 for details.

2. Information We Collect

2.1 Information You Provide to Us

When you create an account, make a purchase, or interact with the Service, you may provide us with:

• Account information: name, email address, password (stored as a salted hash, never in plain text), profile photo (optional).
• Age information: confirmation that you are 13 or older. For users under 18, the contracting parent or guardian's name and email.
• Billing and shipping information: mailing address, phone number (optional), shipping country, ZIP/postal code. We do not store your full payment card information. Card details are handled directly by our payment processor (Stripe) and never touch our servers; we receive only a token, the last four digits of your card, and the card brand.
• Subscription and order history: the subscription plan you selected, kit shipments, individual project purchases, and order status.
• Promo code and referral activity: any promo codes you redeem, codes you generate as a referrer, and credits you earn or redeem.
• Beta program application data: if you apply to our beta program, we collect the student's first name, age, grade, prior robotics experience, parent/guardian name and email, shipping address, and your responses to consent questions.
• Replacement and support requests: the project, kit, and parts your request relates to; photos you upload as evidence; the text of messages you send to our support team.
• Forum content: discussion threads, replies, votes, bookmarks, and any content (including text, links, and images) you post in the community forum. Forum content is public and visible to other Service users.
• Communications with us: the content of emails, support tickets, and other messages you send us.
• Survey, waitlist, and marketing-form responses: information you provide if you complete a waitlist form, customer survey, or sign up for marketing communications.

2.2 Information We Collect Automatically

When you visit or use the Service, we (and our service providers) may automatically collect:

• Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, language preferences, and time zone.
• Usage information: pages and screens you view, features you use, links you click, search queries, time spent on pages, and the date/time of your visits.
• Authentication and session information: session tokens (so you stay logged in), security event logs (such as failed login attempts), and the date/time of password changes.
• Learning progress: lessons you have started or completed, video position, quiz answers and scores, and project enrollment status.
• Tracking and analytics identifiers: cookies, web beacons, and similar technologies used to understand how the Service is used and to improve it. See Section 5.
• Marketing attribution: if you arrive via a referral link or marketing campaign, we may capture UTM parameters (utm_source, utm_medium, utm_campaign, etc.) and your referrer URL.
• Email engagement: whether you opened our emails or clicked links inside them (when measurable through our email service provider).
• Error and performance data: when the Service encounters an error, we may collect diagnostic information including the error message, stack trace, browser context, and the URL where the error occurred.

2.3 Information We Receive from Third Parties

• Payment processor (Stripe): transaction status, billing address verification results, fraud-prevention signals, dispute and chargeback information.
• Authentication providers: if you sign in with a third-party identity provider (such as Google), we may receive your name, email, profile picture, and the unique account identifier from that provider.
• Shipping carriers: tracking events such as "package shipped," "in transit," or "delivered" related to your kit deliveries.

3. How We Use Your Information

We use the information we collect to:

• Provide and operate the Service — create and maintain your account; deliver subscription kits and individual purchases; provide access to lessons, videos, and learning materials; process payments and refunds; manage your subscription lifecycle (renewals, pauses, cancellations).
• Communicate with you — send transactional emails (account confirmation, order receipts, shipping notifications, billing reminders, password resets, replacement-request status updates, support replies); respond to your questions; notify you of changes to the Service or this Policy.
• Personalize your experience — track your learning progress; surface project recommendations; show you the right next lesson and kit.
• Process replacement requests and support tickets — review damaged or missing parts, including any photos you upload; route requests to our fulfillment and support teams; maintain a record of resolution for your request.
• Operate and moderate the community forum — display your posts, replies, and votes; allow other users to interact with your content; enforce community guidelines.
• Run our beta and ambassador programs — review applications, generate promotional codes, track referral activity, calculate and credit referral rewards.
• Improve and develop the Service — analyze how the Service is used; troubleshoot bugs; measure the performance and effectiveness of features; conduct research and analytics.
• Prevent fraud, abuse, and security incidents — detect and respond to suspicious account activity, abusive behavior, payment fraud, and policy violations; maintain audit logs of administrative actions.
• Comply with legal obligations — respond to lawful requests from regulators or law enforcement; meet tax, accounting, and reporting requirements; enforce our Terms of Service.
• Marketing (with your consent where required) — send newsletters, product announcements, and other marketing communications. You can unsubscribe at any time using the link in any marketing email or by contacting us.

4. How We Share Your Information

We do not sell your personal information to third parties. We share information only as described below:

4.1 Service Providers (Sub-processors)

We rely on trusted third-party service providers to operate the Service. They process information on our behalf, under contract, only to provide their service to us. Our key sub-processors include:

We require all sub-processors to maintain appropriate security and confidentiality standards.

4.2 Other Disclosures

We may disclose information:

• In response to legal process — to comply with a subpoena, court order, or other lawful request from government authorities, including for national security or law enforcement purposes.
• To enforce our rights — to investigate, prevent, or take action regarding illegal activities, fraud, security incidents, or violations of our Terms of Service.
• To protect safety — to protect the rights, property, or safety of Scratch Robots, our users, or the public.
• In a business transfer — if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will notify you (for example, via email and/or a prominent notice on the Service) before your personal information becomes subject to a different privacy policy.
• With your consent — for any other purpose disclosed at the time of collection or with your explicit consent.

4.3 Aggregated and De-identified Information

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you (for example, the total number of users completing a project, or fulfillment metrics by region) for any business purpose.

4.4 Public Forum Content

Information you post in the public discussion forum (including your display name, profile photo, and the content of your posts) is visible to all Service users and may be indexed by search engines. Do not post information you wish to keep private.

5. Cookies and Tracking

We and our service providers use cookies, pixels, web beacons, local storage, and similar technologies (collectively, "Cookies") to operate the Service, remember your preferences, understand usage, and (where applicable) measure marketing campaigns.

Categories of Cookies We Use

• Strictly necessary cookies — required for the Service to function: authentication, session management, shopping cart state, security tokens. These cannot be disabled.
• Functional cookies — remember your preferences (such as your "remember me" email or dismissed announcement banner).
• Analytics cookies — used by Google Analytics to measure how the Service is used so we can improve it.
• Marketing cookies — set by us or our partners to measure the effectiveness of marketing campaigns and (with your consent, where required) to enable personalized advertising.

Your Choices

You can manage Cookies through:

• The cookie consent banner displayed on your first visit (and accessible at any time via the cookie settings link in our footer).
• Your browser settings (most browsers let you block or delete Cookies). Note: blocking strictly necessary cookies will prevent the Service from working.
• The Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout.
• "Do Not Track" signals: some browsers send a "Do Not Track" signal. The Service does not currently respond to Do Not Track signals because no industry consensus exists on what such signals require.

6. Data Retention

We retain your information for as long as we need it to provide the Service and meet legal, accounting, and reporting obligations.

After the applicable retention period, we delete or anonymize the data, except where longer retention is required by law.

If you close your account, we will delete or anonymize your personal information within a reasonable period, except for information we are required to retain (such as financial records).

7. Your Rights and Choices

7.1 General Rights

Regardless of where you live, you can:

• Access and update your account information by signing in to your profile.
• Request a copy of your personal information that we hold by emailing us at privacy@scratchrobots.com.
• Request deletion of your account and personal information by emailing us at privacy@scratchrobots.com. We will delete your information within 30 days, subject to the retention exceptions in Section 6.
• Unsubscribe from marketing emails at any time using the link at the bottom of any marketing email. Note: you cannot opt out of transactional emails (order confirmations, billing notices, security alerts) while you have an active account.

7.2 California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the CPRA):

• Right to know — what personal information we collect, use, disclose, and sell or share about you in the past 12 months.
• Right to delete — request deletion of personal information we have collected from you.
• Right to correct — request correction of inaccurate personal information.
• Right to opt out of "sale" or "sharing" — we do not sell your personal information, and we do not share it for cross-context behavioral advertising. There is therefore nothing to opt out of, but you can submit an opt-out preference signal and we will honor it.
• Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that require limitation rights under the CPRA.
• Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, email us at privacy@scratchrobots.com from the email address associated with your account, or contact us using the methods in Section 13. We will verify your request before responding. You may also designate an authorized agent to act on your behalf; we will require written authorization.

7.3 EU, UK, and EEA Residents (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent laws:

• Right of access — obtain confirmation of whether we process your personal data and a copy of that data.
• Right to rectification — correct inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten") — request deletion of your personal data in certain circumstances.
• Right to restriction of processing — limit how we process your personal data.
• Right to data portability — receive your personal data in a structured, commonly-used, machine-readable format.
• Right to object — object to our processing of your personal data based on legitimate interests, and to direct marketing.
• Right to withdraw consent — where we rely on your consent (for example, marketing emails or non-essential cookies), you can withdraw it at any time.
• Right to lodge a complaint — with your local data protection supervisory authority.

Legal bases for processing. We process personal data on the following bases under Article 6 GDPR:

• Performance of a contract — to provide the Service you have signed up for.
• Legitimate interests — to operate, secure, and improve the Service; to communicate with you about your account; to prevent fraud and abuse.
• Legal obligation — to comply with tax, accounting, and other legal requirements.
• Consent — for marketing emails, non-essential cookies, and any other processing where we ask for your consent.

To exercise your GDPR rights, email us at privacy@scratchrobots.com. We will respond within one month.

8. Children's Privacy

The Service is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us at privacy@scratchrobots.com. We will promptly delete the information and terminate the account.

For users between 13 and 17, the Service requires that a parent or legal guardian:

1. Be the account holder of record on the Terms of Service;
2. Be the responsible party for any payment;
3. Provide consent for the minor's use of the Service, including the collection of learning progress, forum participation, and any photos uploaded for replacement requests.

We collect the minor amount of personal information necessary for users aged 13–17 to use the Service. We do not knowingly use the personal information of minors for marketing purposes, behavioral advertising, or sale to third parties.

9. International Data Transfers

We are based in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

Where we transfer personal data of EU/UK/EEA residents to the United States or other third countries, we rely on appropriate safeguards including the Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner's Office, and supplementary measures where required.

10. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These include:

• Encryption of data in transit (TLS/HTTPS for all connections).
• Encryption of stored payment information by our payment processor.
• Salted password hashing — we never store passwords in plain text.
• Row-level security policies on our database to enforce that users can only access their own data.
• Multi-factor authentication for administrative accounts.
• Regular security reviews, dependency updates, and audit logging of administrative actions.
• Access to personal information limited to authorized personnel on a need-to-know basis.

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If we become aware of a security breach affecting your personal information, we will notify you and applicable authorities as required by law.

11. Third-Party Links and Integrations

The Service may contain links to third-party websites and services that are not operated by us. This Policy does not apply to those websites and services. We encourage you to review the privacy policies of any third-party sites you visit.

When you click a tracking link in an email or visit a page that loads third-party content (for example, an embedded YouTube video), the third-party provider may collect information about you according to their own privacy policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will:

• Update the "Last Updated" date at the top of this Policy.
• For material changes, notify you by email (to the address associated with your account) and/or by posting a prominent notice on the Service at least 30 days before the change takes effect.

Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the updated terms. If you do not agree, you should stop using the Service and may delete your account.

13. Contact Us

If you have questions about this Privacy Policy, want to exercise any of your privacy rights, or believe we have not adhered to this Policy, please contact us:

Scratch Robots LLC — Privacy Team Email: privacy@scratchrobots.com

Scratch Robots LLC is based in Texas, United States.

For California residents exercising CCPA rights, please indicate "California Privacy Rights Request" in your message.

For EU/UK/EEA residents exercising GDPR rights, please indicate "GDPR Request" in your message.

If you are not satisfied with our response, EU/UK/EEA residents may lodge a complaint with their local data protection supervisory authority.

Last template revision: 2026-04-19. Replace before publishing.