Privacy Policy
⚠️ DRAFT — PENDING COUNSEL REVIEW. This document is a working draft prepared from the project brief and is not legal advice. Before any version is published or relied upon for compliance with GDPR, CCPA, CPRA, COPPA, PIPEDA, or any other regulation, a qualified attorney (preferably one with experience in international privacy law) must review and finalize it for the jurisdictions where Human Wants to Learn operates. Placeholders (in
[brackets]) require completion. Sections flagged with[COUNSEL]involve legal choices, not engineering decisions.
Effective date: 2026-05-11 Last updated: 2026-05-11 Data Controller: Human Wants to Learn (operated by James Jackson Leach, sole proprietor, Austin, TX, pending entity formation) ("HWTL," "we," "us," "our") Privacy contact: privacy@human-wants-to-learn.dev EU Representative (if required): to be appointed by counsel before EEA/UK launch UK Representative (if required): to be appointed by counsel before EEA/UK launch
1. Our approach to privacy
HWTL is designed around a privacy-first principle: the less data we have, the less data we can lose, mishandle, or be compelled to disclose. We have deliberately engineered the product to minimize what we collect.
This Privacy Policy describes what we collect, why we collect it, what we do not collect, and what rights you have. Read it. If anything is unclear, ask us at privacy@human-wants-to-learn.dev.
The most important commitments in this policy are:
- Local-first adapters. The OpenClaw plugin, Claude Code hook, and browser extension run on your device and the local core service binds to loopback (
127.0.0.1) by default. They do not send your conversation history to our servers. (See Section 4.) - Bounded context payload. When you tap a learn-icon, only the immediately surrounding agent message paragraph is sent to our hosted page — never your full conversation, never your codebase, never your project metadata. (See Section 5 — this is the most important section.)
- No behavioral tracking. We do not track you across the web. We do not use behavioral advertising, retargeting, or fingerprinting. Ads on our hosted page are contextual — selected based on the topic of the page you are viewing, not based on you.
- Opt-in telemetry. Engagement telemetry on the hosted learn page is anonymous, aggregated, and off by default. You can disable it any time.
- Transparent audit. Logged-in users can review exactly what context was sent to our servers and when, at
human-wants-to-learn.dev/me/context-log.
2. Who this policy applies to
This policy applies to:
- Visitors to
human-wants-to-learn.devand any of its subdomains; - Users of any HWTL adapter (OpenClaw plugin, Claude Code hook, browser extension) to the extent the adapter communicates with our hosted services;
- HWTL account holders (free and paid);
- Subscribers to our paid Subscription tier (v2);
- Booking Users and Tutors using the live tutoring marketplace;
- Newsletter subscribers;
- Contributors to the open-source registry via web form (PRs via GitHub are governed by GitHub's privacy policy in addition to this one).
It does not apply to data processing performed entirely on your own device by the open-source adapters when they do not communicate with our servers.
3. Information we collect
3.1 Information you provide
- Account information. Email address, display name, password (hashed by our auth provider Supabase), preferred audience level (
non-engineer/junior-engineer/any), language preference, and any other preferences you set in your account settings. - Payment information. When you make a paid purchase (tutoring session or subscription), payment details are handled directly by Stripe, Inc. We receive only the metadata necessary to associate the payment with your account (e.g., a Stripe customer ID, transaction status, last four digits of card for receipt purposes). We do not store your full payment card details.
- Tutor application information. If you apply to be a Tutor, we collect your name, GitHub or professional handle, areas of expertise, a sample explainer video URL, rate preference, and any other information you submit through the application form.
- Tutoring session content. Session video, audio, and chat are mediated by our video provider (Daily.co). Recordings (with consent of both parties) are stored for ninety (90) days; see Section 9.
- Registry contributions. If you submit a concept entry via the web form or via a GitHub PR, your submission and your GitHub username (if linked) become part of the open-source registry.
- Comments and discussions. Comments on concept pages are handled by GitHub Discussions via Giscus; your GitHub identity and comment content are governed by GitHub's terms in addition to ours.
- Newsletter subscription. If you opt in, your email address (and a subscription preferences object) is shared with our newsletter provider Beehiiv.
- Feedback and support requests. Any information you provide when contacting us.
3.2 Information collected automatically
- Service logs. Standard server logs (timestamp, IP address, user agent, requested URL, response status) are retained for 30 days for security and debugging. IP addresses are not used for behavioral profiling.
- Engagement telemetry (opt-in, anonymous, aggregated). With your explicit opt-in, we may record which concept pages are viewed, watch-through rates of embedded clips, and which related concepts are clicked. This data is aggregated and not linked to individual user identity. You may opt out at any time.
- Cookies and local storage. See Section 7.
3.3 Information from third parties
- OAuth providers. If you sign in via Google or GitHub, we receive your name, email, and provider user ID, subject to the scopes you approve at sign-in.
- Payment provider. Stripe sends us payment status updates and minimal metadata (Section 3.1).
- Tutor referrals. If you were referred by an existing Tutor, we may receive the referrer's identifier.
4. The adapters and what they do (and don't) send
The OpenClaw plugin, Claude Code hook, and browser extension run on your device and communicate primarily with a local core service on your machine. By default, that local core service:
- Does not send your conversation content to our servers. Concept matching happens entirely on your device against a local copy of the registry.
- Does not phone home. No periodic check-ins, no anonymous usage pings, no "did this user use the product today" beacons.
- Sends data to our servers only when you tap a learn-icon. At that moment, the adapter passes the bounded context payload (Section 5) to the hosted page when it opens. No icon tap = no data to us.
If you self-host the core service or modify the open-source adapters, those modifications are governed by the MIT License and are outside this policy's scope.
5. The bounded context payload (the most important section)
When you tap a learn-icon and the hosted page opens, the adapter passes a small context payload to the hosted page so that the lesson can be more relevant.
What the payload contains:
- The immediately surrounding paragraph from the agent message that contained the term you tapped — typically 1–3 sentences, capped at ~2,000 characters total.
- The concept identifier (e.g.,
cloudformation-nested-stacks). - Optional metadata (your chosen audience level, the surface you tapped from for UX tuning).
What the payload never contains:
- Your full conversation history with the AI agent.
- Any other messages from your conversation outside the immediate paragraph.
- File paths, file contents, or any code from your project.
- Project metadata, environment variables, secrets, API keys, or credentials.
- Your name, IP address, or other identifying information beyond what is associated with your HWTL account (if signed in).
- Any data the adapter has not been explicitly configured to send.
Where the payload goes:
- For free users (v1): The static lesson loads with no LLM personalization. The payload may be received but is not processed by an LLM; it is discarded after the request completes. (
[COUNSEL]confirm whether this minimal retention is acceptable as "not processed.") - For paid Subscription users (v2): The payload is passed to a Haiku-class LLM via Anthropic to generate the personalized 2-paragraph summary. The payload and the generated summary are processed and dropped — not retained beyond the page render. The model provider may briefly retain the payload per their own policy (see their privacy policies, linked below).
- For BYO-key users (v2 alternative): The payload is processed in your browser using your own LLM API key. It never reaches our servers.
Audit access.
Signed-in users can review every context payload that has been sent on their behalf at human-wants-to-learn.dev/me/context-log. The log shows: the timestamp, the concept ID, the payload contents, and the provider (if any) it was sent to. Logs are retained for 90 days to support audit and can be cleared by the user at any time.
This commitment is structural, not aspirational. The schema for the context payload is published in our open-source code and enforced server-side; payloads that exceed the bounded scope are rejected.
6. What we do not collect
We do not collect, and we do not knowingly receive from any source:
- Your conversation history with AI agents beyond the bounded payload (Section 5).
- The contents of your code repositories, files, or environment.
- Behavioral data across third-party websites (no cross-site tracking).
- Device fingerprints.
- Precise geolocation.
- Sensitive personal data (race, ethnicity, religion, sexual orientation, biometric data, health information, etc.) unless you voluntarily submit it (for example, in a support request or as a Tutor's biography), in which case we treat it with elevated care.
- Information about minors under 13 (or under 16 in jurisdictions where that is the minimum). See Section 11.
7. Cookies and local storage
We use a minimal set of cookies and browser storage mechanisms:
- Strictly necessary — session cookies for authentication, CSRF protection, and to remember whether you have accepted this policy.
- Functional — local storage for your preferences (audience level, theme, layout) and, for BYO-key users in v2, your encrypted LLM API key.
- Engagement (opt-in only) — a single first-party cookie that records whether you opted into anonymous, aggregated engagement telemetry. Defaults to off.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that share data with third-party advertising networks.
Our ad partner (Carbon Ads) serves contextual ads that do not require behavioral tracking cookies. [COUNSEL] confirm any disclosure required by the partner's actual practice.
8. Advertising
We display contextual ads on free-tier hosted concept pages (v1). Ads are selected based on the topic of the concept page being viewed (for example, an AWS-related ad on a CloudFormation concept page).
We work with Carbon Ads, which (per its own privacy practices) does not use behavioral targeting or cross-site tracking. Carbon Ads may record aggregate ad delivery metrics (impressions, clicks) but does not build a profile of you.
Subscribed users (v2) see no ads.
Direct ad sales, if introduced in the future, will be added to this policy with at least thirty (30) days' notice.
9. Tutoring session recordings
Live tutoring Sessions are recorded by default with explicit consent solicited from both you and the Tutor at the start of the Session. If either party declines, the Session may be cancelled or proceed without recording.
Recordings are:
- Stored encrypted at rest with our video provider Daily.co;
- Retained for ninety (90) days from the date of the Session;
- Used only for dispute resolution and safety review;
- Shared with the Booking User upon request for their own reference;
- Deleted automatically at the end of the retention period.
You may request deletion of your Session recording before the retention period ends.
10. How we use the information we collect
We use the information described above to:
- Provide and operate the Services;
- Process payments and pay Tutors;
- Send transactional emails (account confirmations, receipts, dispute notices);
- Send our newsletter, if you have opted in;
- Calibrate registry curation based on aggregated engagement (which clips are working, which are being skipped) — never based on individual user identity;
- Respond to support requests;
- Investigate and prevent abuse, fraud, security incidents, and Terms of Service violations;
- Meet legal obligations.
We do not use your data for behavioral advertising. We do not sell your data. We do not share your data with advertisers, except in aggregate, non-identifying form.
11. Children's privacy
The Services are not directed to or intended for children under 13 (or under 16 in the European Economic Area, the United Kingdom, and other jurisdictions with a higher applicable minimum). We do not knowingly collect information from children under those ages. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe we have information about a child, please contact privacy@human-wants-to-learn.dev.
[COUNSEL] confirm COPPA compliance posture and any required parental-consent flows.
12. Your rights
We respect your rights regardless of where you live. Some jurisdictions grant specific rights summarized below; users in other jurisdictions may have similar rights under local law.
12.1 Universal rights
- Access. You can view and download most of your personal data from your account settings.
- Correction. You can update your profile information at any time.
- Deletion. You can delete your account from settings; deletion completes within thirty (30) days. Some data may be retained for limited legal or security purposes (see Section 14).
- Opt-out of newsletter. Every newsletter email includes a one-click unsubscribe.
- Opt-out of engagement telemetry. Toggle in account settings.
12.2 GDPR rights (European Economic Area, United Kingdom, and Switzerland)
In addition to the universal rights:
- Right of access. Request a copy of the personal data we hold about you.
- Right to rectification. Request correction of inaccurate data.
- Right to erasure ("right to be forgotten"). Request deletion of your data.
- Right to restriction. Request that we limit how we process your data.
- Right to data portability. Request a machine-readable copy of your data.
- Right to object. Object to processing based on legitimate interests.
- Right to withdraw consent. Where processing is based on consent, you can withdraw it at any time.
- Right to lodge a complaint with your local data protection authority.
To exercise these rights, contact privacy@human-wants-to-learn.dev. We will respond within thirty (30) days. If we require identity verification, we will let you know.
Legal bases for processing (GDPR Art. 6):
- Performance of a contract (Account management, paid Services).
- Legitimate interests (security, abuse prevention, service improvement).
- Consent (newsletter, optional telemetry, marketing communications, BYO-key storage).
- Legal obligations (tax records, compliance with valid legal process).
12.3 CCPA / CPRA rights (California)
If you are a California resident:
- Right to know what personal information we collect, use, disclose, and (if applicable) sell.
- Right to delete your personal information, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising; this right is honored by default.
- Right to non-discrimination for exercising your rights.
- Right to limit use of sensitive personal information to the purposes for which it was collected.
To exercise these rights, contact privacy@human-wants-to-learn.dev or use the in-account self-serve flows. Authorized agents may submit requests on your behalf with written authorization.
We do not engage in financial-incentive programs that involve personal-information collection.
12.4 Other jurisdictions
If you reside in a jurisdiction with privacy laws not specifically named above (Canada, Brazil, Japan, Australia, etc.), [COUNSEL] confirm any specific disclosures required.
13. Data security
We protect your information with industry-standard security practices, including:
- TLS encryption in transit;
- Encryption at rest for sensitive data (passwords, session recordings, payment metadata);
- Role-based access controls;
- Minimum-privilege principles for employee and contractor access;
- Regular security review and dependency monitoring;
- Incident response procedures.
No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify you and the relevant authorities within the timeframes required by applicable law.
14. Data retention
| Data category | Retention period |
|---|---|
| Account data | While your account is active; deleted within 30 days of account deletion |
| Tutoring session recordings | 90 days from Session date |
| Service logs (IP, user agent) | 30 days |
| Payment records | 7 years (tax compliance) |
| Engagement telemetry (aggregated, anonymous) | Indefinite; raw signal deleted after 30 days |
| Context-log entries (Section 5) | 90 days |
| Newsletter subscription | Until you unsubscribe |
| Comment threads (via GitHub Discussions) | Governed by GitHub's retention; we do not control |
| Registry contributions (public) | Indefinite (part of the open-source historical record) |
[COUNSEL] confirm these periods against the legal minimums and maximums in target jurisdictions.
15. International data transfers
Our service infrastructure is hosted with Cloudflare and Supabase. Data may be processed in the United States, the European Union, and other jurisdictions where our service providers operate.
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to other countries, we rely on Standard Contractual Clauses approved by the European Commission and the supplementary measures described in Schrems II guidance.
[COUNSEL] confirm the specific transfer mechanism applicable and add any required Data Processing Addendum (DPA) language.
16. Third-party services
The Services integrate with the third parties listed below. Your data may be processed by these third parties according to their own privacy practices.
- Supabase (authentication, database) — https://supabase.com/privacy
- Cloudflare (hosting, CDN, DNS) — https://www.cloudflare.com/privacypolicy/
- Stripe (payments) — https://stripe.com/privacy
- Daily.co (video for tutoring) — https://www.daily.co/legal/privacy
- Cal.com (booking) — https://cal.com/privacy
- Carbon Ads (advertising, primary) — https://www.carbonads.net/privacy
- EthicalAds (advertising, fallback) — https://www.ethicalads.io/privacy-policy/
- YouTube (embedded video content) — https://policies.google.com/privacy
- GitHub / Giscus (comments, registry hosting) — https://docs.github.com/site-policy/privacy-policies/github-general-privacy-statement
- Beehiiv (newsletter) — https://www.beehiiv.com/privacy
- Anthropic (LLM for v2 personalization and ETI pipeline) — https://www.anthropic.com/legal/privacy
- Google Fonts (typography) — note: served via CSS only, no font tracking
We update this list when we add or change providers.
17. Do Not Track signals
We honor the "Global Privacy Control" (GPC) signal as an opt-out of any sale or sharing of personal information for cross-context behavioral advertising — which we already do not engage in by default. We do not respond to browser "Do Not Track" headers separately, as their interpretation is not standardized.
18. Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice by email (to account holders) and by a prominent notice on the Site. The "Last updated" date at the top reflects when this policy was last changed.
We will preserve and link to previous versions of this policy at human-wants-to-learn.dev/privacy/history so you can review what has changed over time.
19. Contact us
For privacy questions, requests, or complaints:
- Email: privacy@human-wants-to-learn.dev
- Postal mail: James Jackson Leach, c/o HWTL Legal, Austin, Texas, USA — exact postal address available on request via the privacy contact
- EU Representative (if you are an EEA resident): to be appointed by counsel before EEA/UK launch
- UK Representative (if you are a UK resident): to be appointed by counsel before EEA/UK launch
For general support, see support@human-wants-to-learn.dev.
For legal notices and process: legal@human-wants-to-learn.dev.
End of Privacy Policy draft. Status: pending counsel review. Do not publish in current form.