Privacy Policy

Last updated: April 1, 2026 · ~12 min read

We don't sell your data. We don't run ads.

Your learning data is used only to generate your personalized lessons. It is never used to train AI models.

What we collect	Why	Who processes it
Email and password	Account creation and authentication	Our authentication provider
Billing information	Payment processing	Stripe
Onboarding answers and learning goals	Personalizing your learning paths	Droplet Learn, our AI content provider
Learning interactions (views, saves, skips, completions)	Generating relevant content and tracking progress	Droplet Learn
Reflections and experiment notes	Personalizing lessons and enabling your journaling	Droplet Learn, our AI content provider
User preferences	Customizing your experience	Droplet Learn
Device and usage data	Maintaining security and improving the service	Our hosting and infrastructure providers

In plain language: We collect only what we need to run Droplet Learn. We don't sell your data. We don't run ads. Your learning data is sent to an AI provider (Anthropic) to generate your personalized lessons, but it is never used to train AI models.

1. Who we are

Droplet Learn is operated by Maple Spark Labs Inc., a limited liability company registered in Ontario, Canada, with its principal place of business in Toronto, Ontario, Canada. Full mailing address is available upon request for formal legal correspondence.

For privacy matters, you can reach our designated Privacy Officer at:

Email: info@maplesparklabs.com

Throughout this policy, "Droplet Learn," "we," "us," and "our" refer to Maple Spark Labs Inc. "You" and "your" refer to you, the individual using our service.

2. Information we collect

We collect personal information in three ways: directly from you, automatically when you use the service, and from third-party service providers.

2a. Information you provide

When you create an account and use Droplet Learn, you voluntarily provide:

Account information: Your email address, password (securely hashed — we never see or store your raw password), and display preferences.
Onboarding interview responses: Your answers to our onboarding questions about your learning goals, experience level, preferred topics, and learning style. These answers shape your personalized curriculum.
Learning paths and goals: The topics you select, the learning paths you create, and the goals you set within the platform.
Reflections and experiment notes: The text you write in response to lessons, including personal reflections, takeaway checklists you complete, and experiment notes you record. This is your most personal data, and we treat it with the highest level of care.
Billing information: When you subscribe to the Pro tier, your payment details (credit card number, billing address) are collected and processed directly by Stripe. We do not store your full credit card number. We receive only a partial card number, expiration date, and billing country from Stripe for record-keeping.
Support communications: Any emails or messages you send to our support team.

2b. Information collected automatically

When you use Droplet Learn, we automatically collect:

Interaction data: Which lessons ("Drops") you view, save, skip, or complete; when you interact with them; your completion rates; and your engagement patterns. This data drives our personalization engine.
Device and browser information: Your IP address, browser type, operating system, device type, and screen resolution.
Usage data: Pages visited, features used, time spent on the platform, referring URLs, and general navigation patterns.
Log data: Server logs that include your IP address, access times, and pages viewed. These are maintained by our hosting provider.

2c. Information from third parties

Authentication provider: Authentication tokens and session data when you sign in.
Stripe: Transaction confirmations, subscription status, and payment failure notifications.

We do not purchase data about you from data brokers or other third-party sources.

3. How we use your information

We use your personal information for the following specific purposes:

To provide and personalize the service

Processing your onboarding answers and learning goals to generate personalized curricula via our AI system
Sending your learning context (goals, preferences, progress data) to our AI content provider to generate your daily Drops
Tracking your interactions to adapt content difficulty, pacing, and topic selection
Displaying your saved favorites, completed lessons, and learning progress

To operate your account and process payments

Creating and maintaining your account via our authentication provider
Processing subscription payments and managing billing through Stripe
Sending transactional emails (account verification, password resets, billing receipts, subscription reminders)

To maintain and improve the service

Analyzing aggregate, de-identified usage patterns to improve content quality and platform features
Monitoring for technical errors, security threats, and service disruptions
Conducting internal research on learning effectiveness (using anonymized, aggregated data only)

To communicate with you

Sending service-related notifications (required for the service to function)
Sending product updates and feature announcements (only with your consent, per CASL requirements)

To comply with legal obligations

Maintaining records as required by tax and financial regulations
Responding to lawful requests from authorities
Fulfilling our obligations under PIPEDA and other applicable privacy laws

In plain language: We use your data to make Droplet Learn work for you — to create your personalized lessons, track your progress, and handle payments. We analyze anonymized patterns to improve the product. We never use your personal data for advertising or sell it to anyone.

4. How AI features process your data

This section explains exactly how your data interacts with artificial intelligence. We believe you deserve full transparency about this process.

What happens when AI generates your lessons

Droplet Learn uses the Anthropic Claude API to generate personalized educational content. Here is precisely what occurs:

What we send to the AI: When generating your Drops, we transmit your learning goals, topic preferences, experience level, and relevant interaction history (such as which topics you've covered and your progress) to Anthropic's Claude API. We design our prompts to minimize personally identifiable information — we do not send your email address, name, or billing details to the AI.
What the AI returns: Anthropic's system processes this context and generates educational content (lesson text, checklists, discussion prompts) which we then deliver to you as your personalized Drops.
Where processing occurs: Anthropic's servers are located in the United States. Your learning context data crosses the Canadian border for AI processing.

Your data is not used to train AI models

Under our commercial API agreement with Anthropic, your data submitted through Droplet Learn is never used to train Anthropic's AI models. Anthropic's Commercial Terms of Service explicitly state: "Anthropic may not train models on Customer Content from Services." This is a firm contractual commitment, not a policy that can be quietly changed.

How long our AI provider retains your data

Our AI provider retains processing logs for a limited period as required for safety and abuse prevention, after which they are deleted. Their current retention practices are described in their published privacy documentation.

Reflections and experiment notes

When you write reflections or experiment notes, this text is stored in our database. If your reflections are used as context for generating future lessons, they follow the same AI processing pipeline described above. You can delete your reflections at any time.

In plain language: Your learning goals and progress get sent to our AI provider to create your lessons. They keep this data briefly for safety checks, then delete it. They never use it to train their AI. We never send your email, name, or payment info to the AI.

5. How we share your information

We do not sell your personal information. We do not share it with advertisers. We do not engage in data brokering. We share your information only with the following service providers, who process data on our behalf under contractual obligations to protect it:

Service provider	Data shared	Purpose
Cloud hosting and database provider	Email, hashed password, session tokens, all application data	Database hosting, authentication, data storage
Stripe	Billing details, transaction records	Payment processing
Anthropic	Learning context, goals, preferences, interaction history	AI content generation
PostHog	Usage events, page views, feature interactions, IP address	Product analytics and user behavior analysis
Sentry	Error logs, stack traces, user context at time of error	Error monitoring and debugging
Application hosting provider	IP address, device info, usage logs	Application hosting and delivery

Our service providers are primarily located in the United States. See Section 6 for details on international data transfers. A detailed list of specific service providers is available upon request.

Each provider is contractually required to:

Use your data only for the purposes we specify
Maintain appropriate security safeguards
Not sell or share your data with other parties
Delete data upon our instruction or contract termination

Other circumstances where we may disclose your information

Legal requirements: If required by law, regulation, legal process, or governmental request
Safety: If we believe disclosure is necessary to prevent harm, fraud, or illegal activity
Business transfers: In connection with a merger, acquisition, or sale of assets (you would be notified in advance)
With your consent: If you explicitly ask us to share information with a third party

6. International data transfers

Droplet Learn is operated from Canada, but several of our service providers are based in the United States. This means your personal information is transferred to, stored in, and processed in the United States.

What this means for you: The United States has different privacy laws than Canada. Under US law, including the USA PATRIOT Act and the Foreign Intelligence Surveillance Act (FISA), US government authorities may access data held by US companies under certain circumstances. While we cannot prevent such access, we take the following steps to protect your data:

We maintain data processing agreements with all US-based service providers requiring them to protect your information to a standard comparable to Canadian law
We limit the data transferred to what is strictly necessary for each provider's function
We use industry-standard encryption in transit for all data transfers between our systems and third-party services
We select providers with strong security practices and industry-recognized security certifications

Under PIPEDA, we remain fully accountable for your personal information even when it is processed by a third party in another country.

In plain language: Your data is stored and processed on servers in the United States by our service providers. US privacy laws differ from Canadian ones. We protect your data through encryption and strict contracts with these providers.

7. Data retention

We retain your personal information only as long as necessary to fulfill the purposes described in this policy or as required by law.

Data type	Retention period	Reason
Account information	Until you delete your account	Required to provide the service
Learning paths, interaction history, reflections	Until you delete your account (or delete individual items)	Required to personalize your experience
Onboarding responses	Until you delete your account	Required for curriculum personalization
Billing records	7 years after the transaction	Canadian tax law (Income Tax Act) requires retention of financial records
Server logs	Limited period, typically no more than 90 days	Security monitoring and debugging
AI processing logs	Limited period per provider's safety requirements	AI provider's trust and safety requirements
Support communications	Reasonable period for quality assurance	Quality assurance and dispute resolution
De-identified, aggregated analytics	Indefinitely	Product improvement (no longer personal information)

When you delete your account: We delete or anonymize your personal information within 30 days of your deletion request, except for data we are legally required to retain (such as billing records for tax purposes). Data held by third-party processors will be deleted according to our agreements with them and their published retention schedules.

8. Data security

We implement technical, organizational, and administrative safeguards to protect your personal information:

Technical measures

All data transmitted between your browser and our servers is protected by industry-standard encryption
Passwords are hashed using industry-standard algorithms — we never store passwords in plain text
Database access requires authentication and is restricted by role-based access controls
Application data is encrypted at rest

Organizational measures

Access to personal information is limited to personnel who need it to perform their duties
We follow the principle of least privilege for all system access
We maintain an incident response plan for potential data breaches

Third-party security

We select service providers who maintain industry-recognized security certifications
Our payment processor (Stripe) is PCI DSS certified
All service providers are contractually required to maintain appropriate security safeguards

No system is perfectly secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please contact us immediately at info@maplesparklabs.com.

9. Your privacy rights

Depending on where you live, you have specific rights regarding your personal information. We honor these rights for all users, regardless of location.

Rights available to all users

Access: You can request a copy of the personal information we hold about you. We will respond within 30 days, or notify you if additional time is needed.
Correction: You can request correction of inaccurate or incomplete personal information. You can also update most information directly through your account settings.
Deletion: You can delete your account and associated personal data at any time through your account settings. We will complete the process within 30 days, subject to legal retention requirements.
Withdrawal of consent: You can withdraw your consent for specific data processing activities at any time. Withdrawal does not affect the lawfulness of processing conducted before withdrawal.
Data export: You can request a copy of your data in a structured, commonly used, machine-readable format (such as JSON or CSV).
Complaint: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca if you believe we have mishandled your personal information.

To exercise any of these rights, contact us at info@maplesparklabs.com. We will verify your identity before processing your request and respond within 30 days, or notify you if additional time is needed.

Additional rights for residents of the European Economic Area (EEA) and United Kingdom

If you are located in the EEA or UK, you also have the right to:

Restrict processing of your personal information in certain circumstances
Object to processing based on legitimate interests
Data portability — receive your data in a machine-readable format and transmit it to another controller
Lodge a complaint with your local data protection authority
Not be subject to automated decision-making that produces legal or similarly significant effects, without human involvement

Legal basis for processing (GDPR): Where GDPR applies, we process your personal information on the following bases:

Performance of a contract: To provide the Droplet Learn service you signed up for (account management, content delivery, payment processing)
Legitimate interests: To improve our service, ensure security, and prevent fraud, where these interests are not overridden by your rights
Consent: For marketing communications and any optional data processing activities
Legal obligation: To comply with applicable laws and regulations

International transfers: Data transferred from the EEA to the United States is protected by our data processing agreements with service providers. Canada has received an adequacy decision from the European Commission for PIPEDA-covered commercial activities, facilitating data transfers between the EU and Canada.

Additional rights for California residents

While Droplet Learn is a Canadian company and may not meet the CCPA/CPRA applicability thresholds, we extend the following rights to California residents as a matter of good practice:

Right to know what personal information we collect, use, and disclose
Right to delete your personal information
Right to correct inaccurate personal information
Right to non-discrimination for exercising your privacy rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. Because we do not sell or share personal information, a "Do Not Sell or Share" opt-out is not applicable.

In the past 12 months, we have collected the following categories of personal information as defined by the CCPA: Identifiers (email, IP address), Commercial information (subscription and transaction records), Internet or electronic network activity (usage data, interaction logs), and Inferences (learning preferences derived from your interactions).

10. Cookies and tracking technologies

Droplet Learn uses a minimal set of cookies and similar technologies:

Strictly necessary cookies

These are required for the platform to function. They include session cookies for authentication and security cookies. These cannot be disabled without breaking the service.

Analytics

We use PostHog for product analytics to understand how users interact with the platform. PostHog collects usage events, page views, and feature interactions. We use Sentry for error monitoring, which collects error logs and user context at the time of an error to help us diagnose and fix issues. Both tools process data in the United States under data processing agreements. If you are located in the EEA/UK, we will obtain your consent before activating non-essential analytics tracking.

What we do not use

No advertising cookies or tracking pixels
No social media tracking widgets
No cross-site tracking
No fingerprinting technologies

For visitors from the EEA/UK: We will obtain your consent before placing any non-essential cookies, in compliance with the ePrivacy Directive. Essential cookies required for the service to function do not require consent.

In plain language: We use only the cookies needed to keep you logged in and the service running, plus PostHog for product analytics and Sentry for error monitoring. No advertising tracking. No social media widgets.

11. Children's privacy

Droplet Learn is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.

If you are a parent or guardian and believe your child has provided personal information to Droplet Learn, please contact us at info@maplesparklabs.com, and we will delete the account and associated data.

In accordance with the Office of the Privacy Commissioner of Canada's guidance, we treat children's personal information as particularly sensitive and requiring heightened protection.

12. Data breach notification

In the event of a data breach involving your personal information that creates a real risk of significant harm, we will:

Notify you as soon as feasible after confirming the breach, describing the circumstances, the data involved, the steps we have taken to reduce harm, and your options
Report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA
Notify any other relevant authorities or organizations that may help reduce the risk of harm

We maintain records of all security incidents for a minimum of 24 months, as required by PIPEDA.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

How we will notify you

For material changes (changes to what data we collect, how we use it, or who we share it with): We will notify you by email at least 30 days before the changes take effect and post a prominent notice on the platform
For minor changes (clarifications, formatting, updates to contact information): We will update the "Last updated" date at the top of this page

Your continued use of Droplet Learn after a change takes effect constitutes your acceptance of the revised policy. If you do not agree with a material change, you may delete your account before the change takes effect.

We will maintain a link to the previous version of this policy for your reference.

14. How to contact us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have a concern about how we handle your data:

Privacy Officer

Maple Spark Labs Inc.
Toronto, Ontario, Canada
Email: info@maplesparklabs.com

Full mailing address available upon request.

Canadian Privacy Regulator

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
www.priv.gc.ca
1-800-282-1376

Start learning what actually matters to you

Your first path is free. 5 minutes from now, you'll have your first drop of knowledge — personalized to your goals.

Get My First Drop — Free

14-day Pro trial included. No credit card required.