Skip to content

Privacy Policy

⚠️ DRAFT — PENDING COUNSEL REVIEW. This document is a working draft prepared from the project brief and is not legal advice. Before any version is published or relied upon for compliance with GDPR, CCPA, CPRA, COPPA, PIPEDA, or any other regulation, a qualified attorney (preferably one with experience in international privacy law) must review and finalize it for the jurisdictions where Human Wants to Learn operates. Placeholders (in [brackets]) require completion. Sections flagged with [COUNSEL] involve legal choices, not engineering decisions.

Effective date: 2026-05-11 Last updated: 2026-05-11 Data Controller: Human Wants to Learn (operated by James Jackson Leach, sole proprietor, Austin, TX, pending entity formation) ("HWTL," "we," "us," "our") Privacy contact: privacy@human-wants-to-learn.dev EU Representative (if required): to be appointed by counsel before EEA/UK launch UK Representative (if required): to be appointed by counsel before EEA/UK launch


1. Our approach to privacy

HWTL is designed around a privacy-first principle: the less data we have, the less data we can lose, mishandle, or be compelled to disclose. We have deliberately engineered the product to minimize what we collect.

This Privacy Policy describes what we collect, why we collect it, what we do not collect, and what rights you have. Read it. If anything is unclear, ask us at privacy@human-wants-to-learn.dev.

The most important commitments in this policy are:

2. Who this policy applies to

This policy applies to:

It does not apply to data processing performed entirely on your own device by the open-source adapters when they do not communicate with our servers.

3. Information we collect

3.1 Information you provide

3.2 Information collected automatically

3.3 Information from third parties

4. The adapters and what they do (and don't) send

The OpenClaw plugin, Claude Code hook, and browser extension run on your device and communicate primarily with a local core service on your machine. By default, that local core service:

If you self-host the core service or modify the open-source adapters, those modifications are governed by the MIT License and are outside this policy's scope.

5. The bounded context payload (the most important section)

When you tap a learn-icon and the hosted page opens, the adapter passes a small context payload to the hosted page so that the lesson can be more relevant.

What the payload contains:

What the payload never contains:

Where the payload goes:

Audit access.

Signed-in users can review every context payload that has been sent on their behalf at human-wants-to-learn.dev/me/context-log. The log shows: the timestamp, the concept ID, the payload contents, and the provider (if any) it was sent to. Logs are retained for 90 days to support audit and can be cleared by the user at any time.

This commitment is structural, not aspirational. The schema for the context payload is published in our open-source code and enforced server-side; payloads that exceed the bounded scope are rejected.

6. What we do not collect

We do not collect, and we do not knowingly receive from any source:

7. Cookies and local storage

We use a minimal set of cookies and browser storage mechanisms:

We do not use third-party tracking cookies, advertising cookies, or analytics cookies that share data with third-party advertising networks.

Our ad partner (Carbon Ads) serves contextual ads that do not require behavioral tracking cookies. [COUNSEL] confirm any disclosure required by the partner's actual practice.

8. Advertising

We display contextual ads on free-tier hosted concept pages (v1). Ads are selected based on the topic of the concept page being viewed (for example, an AWS-related ad on a CloudFormation concept page).

We work with Carbon Ads, which (per its own privacy practices) does not use behavioral targeting or cross-site tracking. Carbon Ads may record aggregate ad delivery metrics (impressions, clicks) but does not build a profile of you.

Subscribed users (v2) see no ads.

Direct ad sales, if introduced in the future, will be added to this policy with at least thirty (30) days' notice.

9. Tutoring session recordings

Live tutoring Sessions are recorded by default with explicit consent solicited from both you and the Tutor at the start of the Session. If either party declines, the Session may be cancelled or proceed without recording.

Recordings are:

You may request deletion of your Session recording before the retention period ends.

10. How we use the information we collect

We use the information described above to:

We do not use your data for behavioral advertising. We do not sell your data. We do not share your data with advertisers, except in aggregate, non-identifying form.

11. Children's privacy

The Services are not directed to or intended for children under 13 (or under 16 in the European Economic Area, the United Kingdom, and other jurisdictions with a higher applicable minimum). We do not knowingly collect information from children under those ages. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe we have information about a child, please contact privacy@human-wants-to-learn.dev.

[COUNSEL] confirm COPPA compliance posture and any required parental-consent flows.

12. Your rights

We respect your rights regardless of where you live. Some jurisdictions grant specific rights summarized below; users in other jurisdictions may have similar rights under local law.

12.1 Universal rights

12.2 GDPR rights (European Economic Area, United Kingdom, and Switzerland)

In addition to the universal rights:

To exercise these rights, contact privacy@human-wants-to-learn.dev. We will respond within thirty (30) days. If we require identity verification, we will let you know.

Legal bases for processing (GDPR Art. 6):

12.3 CCPA / CPRA rights (California)

If you are a California resident:

To exercise these rights, contact privacy@human-wants-to-learn.dev or use the in-account self-serve flows. Authorized agents may submit requests on your behalf with written authorization.

We do not engage in financial-incentive programs that involve personal-information collection.

12.4 Other jurisdictions

If you reside in a jurisdiction with privacy laws not specifically named above (Canada, Brazil, Japan, Australia, etc.), [COUNSEL] confirm any specific disclosures required.

13. Data security

We protect your information with industry-standard security practices, including:

No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify you and the relevant authorities within the timeframes required by applicable law.

14. Data retention

Data categoryRetention period
Account dataWhile your account is active; deleted within 30 days of account deletion
Tutoring session recordings90 days from Session date
Service logs (IP, user agent)30 days
Payment records7 years (tax compliance)
Engagement telemetry (aggregated, anonymous)Indefinite; raw signal deleted after 30 days
Context-log entries (Section 5)90 days
Newsletter subscriptionUntil you unsubscribe
Comment threads (via GitHub Discussions)Governed by GitHub's retention; we do not control
Registry contributions (public)Indefinite (part of the open-source historical record)

[COUNSEL] confirm these periods against the legal minimums and maximums in target jurisdictions.

15. International data transfers

Our service infrastructure is hosted with Cloudflare and Supabase. Data may be processed in the United States, the European Union, and other jurisdictions where our service providers operate.

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to other countries, we rely on Standard Contractual Clauses approved by the European Commission and the supplementary measures described in Schrems II guidance.

[COUNSEL] confirm the specific transfer mechanism applicable and add any required Data Processing Addendum (DPA) language.

16. Third-party services

The Services integrate with the third parties listed below. Your data may be processed by these third parties according to their own privacy practices.

We update this list when we add or change providers.

17. Do Not Track signals

We honor the "Global Privacy Control" (GPC) signal as an opt-out of any sale or sharing of personal information for cross-context behavioral advertising — which we already do not engage in by default. We do not respond to browser "Do Not Track" headers separately, as their interpretation is not standardized.

18. Changes to this policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice by email (to account holders) and by a prominent notice on the Site. The "Last updated" date at the top reflects when this policy was last changed.

We will preserve and link to previous versions of this policy at human-wants-to-learn.dev/privacy/history so you can review what has changed over time.

19. Contact us

For privacy questions, requests, or complaints:

For general support, see support@human-wants-to-learn.dev.

For legal notices and process: legal@human-wants-to-learn.dev.


End of Privacy Policy draft. Status: pending counsel review. Do not publish in current form.