This Privacy Policy explains what personal data Schema School collects when you use our service at schemaschool.dev, why we collect it, and how we protect it. We have tried to be specific and honest — if something is unclear, email us at hello@schemaschool.dev.
"We", "us", and "Schema School" refer to the operator of this specific instance of the Schema School service. "You" refers to any visitor or registered user.
1. What We Collect
Account information
When you create an account we store:
- Your email address (used for sign-in and transactional emails).
- A bcrypt-hashed password — we never store or log your plaintext password.
- Your chosen display name.
Learning progress
To power your streak, achievements, and mastery metrics we record:
- Which lessons you have completed and when.
- Every exercise attempt — the SQL you submitted, whether it passed or failed, and the timestamp.
- Your current streak, total XP, and any achievements unlocked.
Feedback
If you submit in-app feedback, we store the message text together with your email address (so we can follow up if needed) and the timestamp.
Visitor analytics
For every page view we record a lightweight analytics event containing the page path, the HTTP referer, your User-Agent string, and your IP address. We assign a persistent pseudonymous visitor ID (ss_vid cookie) so we can count unique visitors without requiring an account. IP addresses are used to derive an approximate country and are not separately retained in the analytics table beyond the visit row.
DBA chat history
The DBA AI assistant stores your conversation sessions (the messages you send and the responses generated) so you can pick up where you left off. These are tied to your account and deleted when you delete your account.
Bring-Your-Own (BYO) database connections
If you choose to save a BYO database connection string, it is stored in your browser's localStorage — it is never sent to or stored on our servers. If you paste a connection string into the DBA tool or Playground without saving it, it is used only for the duration of that request and is never written to our database or logs.
Payment information
If you purchase lifetime access, the payment is processed entirely by Razorpay. We receive confirmation of a successful payment (order ID, payment ID, and amount) but never your card number or banking details. Those remain with Razorpay.
2. Cookies We Use
- Session cookie (NextAuth): an HttpOnly, SameSite=Lax, Secure first-party cookie that keeps you signed in. It expires when you sign out or after 30 days of inactivity.
- ss_vid (visitor ID): a 1-year first-party cookie containing a random UUID. Used only for counting unique visitors in our own analytics — not shared with third parties.
We do not use advertising cookies or third-party tracking pixels.
3. How We Use Your Data
- To authenticate you and keep your account secure.
- To track your learning progress, streak, and achievements, and to grade your exercise submissions.
- To power the DBA AI assistant — your message and the relevant database schema are sent to Groq to generate a SQL suggestion or explanation (see section 4).
- To send transactional emails (registration confirmation, password reset) via Brevo.
- To understand which pages are popular so we can improve the curriculum (aggregate analytics, not individual targeting).
- To process your payment and record your lifetime-access entitlement.
- To respond to feedback or support requests you submit.
We do not sell your data. We do not run ad networks or share data with advertisers.
4. Third-Party Subprocessors
The following third-party services process data on our behalf. Each is bound by its own privacy policy and, where applicable, a data processing agreement.
- Neon — our PostgreSQL database host. Your account data, progress, DBA chat history, analytics events, and feedback are stored on Neon's infrastructure. See neon.tech/privacy.
- Groq — AI inference. When you use the AI assistant (lessons, playground, or DBA tool), your natural-language question and the relevant database schema are sent to Groq to generate SQL. Your submitted SQL and row-level data are not included unless you explicitly paste them into the prompt. See groq.com/privacy-policy.
- Razorpay — payment processing. Card and banking details go directly to Razorpay and are never seen by our servers. See razorpay.com/privacy.
- Brevo (formerly Sendinblue) — transactional email. Your email address and the content of system emails (registration, password reset) pass through Brevo. See brevo.com/legal/privacypolicy.
- Application host — the cloud platform hosting the Next.js application (e.g., Vercel or equivalent). It processes requests and may retain access logs per their standard retention period.
5. Your Rights
- Access: your profile page shows your stored progress, streak, and achievements. You can download a copy of your data by emailing us.
- Update: change your display name and password any time from the Settings page.
- Delete: the "Danger Zone" in /settings permanently deletes your account, progress, attempt history, DBA chat sessions, and feedback. Deletion is irreversible.
- Other rights: depending on where you live you may have additional rights (access, portability, rectification, objection, restriction) under laws such as the GDPR or India's DPDP Act. Email us at hello@schemaschool.dev to exercise any of these rights.
6. Data Retention
- Account and progress data is kept for as long as your account is active. When you delete your account it is removed from primary storage promptly.
- Visitor analytics events are retained for 12 months and then purged.
- Feedback is retained indefinitely unless you ask us to remove it.
- Payment records (order and payment IDs, amounts) are retained for 7 years for accounting and tax compliance.
- Backup copies are rotated out within 30 days of the deletion event.
7. Security
Passwords are stored as bcrypt hashes. All production traffic is served over TLS. We never log passwords, connection strings, or payment credentials. The application is open source, so the security model is auditable.
To report a suspected security issue, email security@schemaschool.dev — please do not open a public GitHub issue for security matters.
8. Children
Schema School is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has created an account, please contact us and we will delete it.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be announced on the Service and the "last updated" date at the top of this page will be revised. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.
10. Contact
Privacy questions: hello@schemaschool.dev. Security disclosures: security@schemaschool.dev.