DreamPath legal

Privacy Policy

Last updated: May 23, 2026
Version 2.2 — This version adds a full data inventory, GDPR lawful basis disclosures, specific retention periods, and expanded user rights in compliance with GDPR, CCPA/CPRA, and COPPA. Minimum signup grade raised to 8th (age 13+). Analytics now run automatically for eligible users; opt-out options remain available.

DreamPath (“DreamPath”, “we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, how we protect it, and the rights you have regarding your data. DreamPath is designed for students and young adults to explore career pathways in a safe and educational environment.

By using DreamPath, you agree to the data practices described in this Privacy Policy.

Privacy Contact / Operator
DreamPath
Email: Support@dreampathcareer.com

If you are a parent, guardian, school, or eligible student and need to review, correct, or delete personal information, contact us at the email above.

1. Every Data Point We Collect

We list below every specific piece of information DreamPath collects, what it is, and where it is stored.

A. Account and Profile Data (stored in Firebase Firestore)
• First name — the name you enter at signup; used to personalize your experience and display within the App.
• Last name — collected at signup; used to identify your account internally.
• Display name — a combined or chosen name shown within the App.
• Email address — collected at signup and used for account verification, login, and support communications.
• Grade level — the grade or education stage you select (e.g., 8th, 9th, college); used to personalize content.
• School code — an optional code entered at signup to link your account to a school or district; used only if your school participates in DreamPath.
• Account type — whether your account is a student explorer or counselor; used to determine which features and portal you access.
• Account creation timestamp — the date and time your account was created; retained for legal and compliance records.

B. Consent and Legal Records (stored in Firebase Firestore)
• Terms and privacy consent timestamp — the date and time you agreed to the Terms of Use and Privacy Policy; retained as a legal compliance record.
• Terms version accepted — which version of the Terms you agreed to; retained as a legal compliance record.

C. In-App Activity Data (stored in Firebase Firestore)
• Onboarding quiz responses — your answers to career-exploration questions during onboarding; used to generate personalized career recommendations.
• Onboarding results — the career category recommendations generated from your quiz responses; used to populate your home screen and recommendations.
• Favorited careers — careers you mark as favorites within the App; used to power your saved list.
• Career category selections — career fields you explore or engage with; used to tailor recommendations.
• Career views — careers you have viewed; used to improve recommendation quality.
• Game and station progress — your progress through career games and interactive stations; used to track completion and award achievements.
• Stars and planets earned — in-app achievement counts; used for the gamification and streak features.
• Daily login streak — a count of consecutive days you have used the App; used to display your streak and motivate continued use.
• Notification and preference settings — in-app settings you choose, such as streak reminders; used to deliver the features you have enabled.

D. Analytics Data (processed by Google LLC via Google Analytics 4)
The following analytics data may be collected:
• Pages and screens visited — which sections of the App you navigate to; used to understand usage patterns and improve the App.
• In-app events — specific interactions such as starting a game, favoriting a career, or completing onboarding; used to understand which features are used most.
• Session duration — how long you spend in the App per visit; used for aggregate product analysis.
• Device type, operating system, and browser — the hardware and software you use to access the App; used to ensure compatibility and fix technical issues.
• Approximate geographic location — city or region level only, derived from an anonymized IP address; used for aggregate reporting. Street-level or GPS location is never collected.
• Analytics session identifier — a randomly assigned, pseudonymous ID that is not linked to your name, email, or Firebase account; used to distinguish sessions within Google’s systems.

E. Security and Infrastructure Data
• IP address — collected temporarily by our rate-limiting system (Upstash Redis) when you submit forms such as login or password reset; used solely to prevent abuse. Stored in memory only, not in a persistent database.
• Authentication tokens — short-lived cryptographic tokens issued by Firebase when you log in; used to verify your identity during a session. Not stored permanently.
• Session cookie — a server-side session token stored in your browser after login; used to maintain your authenticated session. Expires when you log out or after a short period of inactivity.
• Crash logs and error reports — technical error data collected by Firebase if the App crashes or encounters an error; used to identify and fix bugs. This data may include device type and error stack traces, but not your name or personal content.

F. Data We Do NOT Collect
DreamPath does not collect or store:
• Precise GPS or street-level location
• Contacts, photos, or messages from your device
• Financial or payment information
• Health or biometric data
• Advertising identifiers (IDFA, GAID) used for cross-app behavioral tracking
• Social media profiles or public posts
• Social Security numbers or government ID numbers

2. Why We Collect Each Type of Data (Purpose and Lawful Basis)

For each category of data we collect, the table below explains the purpose and — for users in the EU, UK, or EEA — the lawful basis under the General Data Protection Regulation (GDPR). For U.S. users, this section also satisfies CCPA/CPRA business purpose disclosure requirements.

Account and Profile Data
Purpose: To create and maintain your account, verify your identity, personalize your experience, and provide access to App features.
GDPR lawful basis: Performance of a contract (Article 6(1)(b)) — this data is necessary to provide the service you signed up for.
CCPA business purpose: Providing the service; security and fraud prevention; internal research and quality improvement.

Grade Level
Purpose: To personalize career content to your education stage.
GDPR lawful basis: Performance of a contract (Article 6(1)(b)).
CCPA business purpose: Providing the service; internal research and quality improvement.

Consent and Legal Records
Purpose: To maintain a permanent record that you agreed to our Terms of Use and Privacy Policy.
GDPR lawful basis: Compliance with a legal obligation (Article 6(1)(c)).
CCPA business purpose: Compliance with legal obligations; auditing.

In-App Activity Data (quiz answers, favorites, progress, streaks)
Purpose: To generate career recommendations, save your progress, power saved lists, display your achievements, and deliver the core features of the App.
GDPR lawful basis: Performance of a contract (Article 6(1)(b)).
CCPA business purpose: Providing the service; internal research and quality improvement.

Google Analytics Data
Purpose: To understand how users interact with the App in aggregate, identify which features are working well, and improve the product over time. This data is pseudonymous and cannot identify you by name.
GDPR lawful basis: Legitimate interests (Article 6(1)(f)) — we have a legitimate interest in understanding aggregate usage to maintain and improve an educational product. You may opt out at any time (see Section 13).
CCPA business purpose: Auditing; internal research; product improvement. This may constitute "sharing" under California law — see Section 13.

IP Address (rate limiting)
Purpose: To detect and prevent abuse such as automated login attempts, spam signups, or brute-force attacks. The IP address is used only for this security function and is never stored in your permanent user record.
GDPR lawful basis: Legitimate interests (Article 6(1)(f)) — we have a legitimate interest in securing the App and protecting all users from abuse.
CCPA business purpose: Security; fraud prevention; debugging.

Session Cookies and Authentication Tokens
Purpose: To maintain your authenticated session so you do not have to log in on every page. These are technically necessary to operate a logged-in web application.
GDPR lawful basis: Performance of a contract (Article 6(1)(b)); strictly necessary for service delivery.
CCPA business purpose: Providing the service; security.

Crash Logs and Error Reports
Purpose: To detect and resolve technical errors that could affect App stability or security. This data is used only for debugging.
GDPR lawful basis: Legitimate interests (Article 6(1)(f)) — we have a legitimate interest in maintaining a stable, secure App.
CCPA business purpose: Security; debugging; quality assurance.

We do not sell personal information for monetary compensation. We use Google Analytics 4, which transfers pseudonymous usage data to Google LLC. Under California law, this may be considered "sharing" for cross-context behavioral advertising purposes. California residents have the right to opt out — see Section 14 (California Privacy Rights).

3. Sharing of Information

We may share limited data only in the following cases:

A. Anonymous, Aggregated Data
We may share fully anonymous usage trends or aggregated statistics with educators, schools, partners, or service providers. This data cannot identify any individual user.

B. Service Providers
We use the following third-party service providers:
• Google Analytics 4 (Google LLC) — We use Google Analytics 4 to understand how users interact with the App. GA4 collects pseudonymous usage data including page views, session duration, device type, approximate location, and events. IP addresses are automatically anonymized by GA4 before storage. We have disabled Google Signals to limit cross-product data use. Data is processed by Google in accordance with Google's Privacy Policy (https://policies.google.com/privacy). You may opt out using the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout.
• Firebase (Google LLC) — We use Firebase for user authentication, database storage, and crash reporting. Firebase may collect device identifiers and crash data necessary to operate the App securely.

These service providers are prohibited from using personal information for their own advertising or marketing purposes beyond what is described above.

C. Legal Compliance
We may disclose information if required by law, subpoena, or legal request.

We do NOT share:
• personally identifiable student data with advertisers
• personal information with third parties for marketing
• data with data brokers, ad networks, or external profiling services

4. Use by Schools (FERPA Alignment)

Schools that distribute a DreamPath school code to students are covered by our School Data Processing Agreement (DPA), which is available at Settings › School Data Processing Agreement. The DPA governs how DreamPath processes student data on behalf of the school in its role as a school official under FERPA.

If a school or district uses DreamPath as part of its curriculum:
• The school may authorize student use on behalf of parents or guardians when permitted by law
• Student information created through the App may be considered an education record when DreamPath is used by or on behalf of a school
• We provide student-level information back to the school only where permitted by the school’s agreement, applicable law, and a valid FERPA exception or consent
• We share aggregated or anonymous insights unless the school has authorized a more specific educational use

DreamPath does not disclose personally identifiable student information to third parties except as directed by the school or required by law. Sponsors do not receive access to student educational records or any personally identifiable student information under FERPA.

5. State Student Privacy Laws (SOPIPA and Equivalents)

In addition to FERPA and COPPA, many U.S. states have enacted their own student online privacy laws. DreamPath is designed to comply with these laws and the principles they protect.

A. California — SOPIPA (Student Online Personal Information Protection Act, Cal. Bus. & Prof. Code § 22584)
DreamPath complies with California’s SOPIPA, which applies to operators of websites, online services, and mobile apps used primarily for K–12 school purposes. Under SOPIPA, DreamPath:
• Does not use student data to engage in targeted advertising to students
• Does not use student data to build a profile of a student for non-educational purposes
• Does not sell or rent student personal information
• Does not knowingly retain student data after the educational purpose has ended, beyond what is necessary
• Does not use persistent identifiers to track students across third-party websites or services for advertising purposes

The contextual sponsored content displayed within DreamPath (based solely on the career topic being viewed, not on any student profile) is consistent with SOPIPA’s permitted uses.

B. New York — Education Law § 2-d
DreamPath supports schools’ compliance with New York’s Education Law Section 2-d, which imposes obligations on third-party contractors that receive student data from New York schools or districts. When a New York school or district uses a DreamPath school code:
• DreamPath acts as a third-party contractor subject to Section 2-d obligations
• Student data is used only for the educational purpose for which it was provided
• DreamPath implements reasonable data security protections
• DreamPath will cooperate with schools to fulfill their obligations under Section 2-d, including responding to data breach notifications within required timeframes

Schools subject to Section 2-d should ensure that their use of DreamPath is reflected in their data privacy officer’s approved vendor list and that the School Data Processing Agreement (available at Settings › School Data Processing Agreement) is on file.

C. Other State Laws
Several additional states have enacted student data privacy laws with similar requirements, including:
• Colorado — Student Data Transparency and Security Act (C.R.S. § 22-16-101 et seq.)
• Washington — Student Privacy Act (RCW Chapter 28A.604)
• Texas — Texas Student Privacy Act and Texas Education Code Chapter 32
• Illinois — Student Online Personal Protection Act (105 ILCS 85/)
• Nevada — NRS Chapter 388A (Student Privacy)

DreamPath’s core data practices — no behavioral advertising, no sale of student data, no profiling for non-educational purposes, data minimization, and school-controlled access via school codes — are designed to satisfy the common requirements across these and similar laws.

D. How DreamPath Satisfies These Laws
The following practices apply to all student accounts and are consistent with SOPIPA and its state equivalents:
• Student data is used only to provide the DreamPath career-exploration service
• No student data is used for targeted or behavioral advertising
• Sponsored content is contextual only — based on the career topic being viewed, not on any student profile or browsing history
• Student data is not sold, rented, or shared with advertisers
• Students cannot be tracked across third-party websites using DreamPath identifiers
• Data is retained only as long as the account is active and deleted within 30 days of an account deletion request
• Schools can request deletion of all student data associated with their school code at any time

If your state has specific student privacy requirements not addressed here, please contact us at Support@dreampathcareer.com and we will work with you to meet those requirements.

6. Children’s Privacy (COPPA Compliance)

DreamPath is designed for users aged 13 and older. The minimum grade available at signup is 8th grade (typically age 13 or older). DreamPath does not knowingly collect personal information from children under 13. If we learn that a child under 13 has created an account, we will delete that account and all associated data promptly. If you are a parent or guardian and believe your child under 13 has a DreamPath account, please contact us at Support@dreampathcareer.com.

A. School Use
If DreamPath is deployed in a school setting where students under 13 may access the App, DreamPath will work with the school to comply with COPPA.
In that context:
• The school acts as the parent’s agent and provides authorization for student use
• DreamPath collects only the information reasonably necessary for the educational purpose authorized by the school
• Student information collected under school authorization is used only for that educational purpose — never for sponsored content, advertising, or unrelated commercial purposes
• Sponsors do not receive access to any student educational records or personally identifiable student information

B. All Student Accounts
For all student accounts, DreamPath:
• Collects only information reasonably necessary to operate the App
• Does not use student data for targeted or behavioral advertising
• Does not sell student personal information
• Does not allow students to publicly post personal information
• Does not permit Sponsors to collect data through the App

C. Parental and Guardian Rights
Parents and guardians may at any time:
• Request review of personal information collected about their child
• Request deletion of their child’s account and data
• Contact us to ask questions about our data practices

Contact: Support@dreampathcareer.com. We will verify your identity before fulfilling any data request.

7. Data Security

We take reasonable organizational and technical measures to safeguard your information. We take additional precautions to protect children’s information in accordance with COPPA, including restricting internal access to children’s accounts. This includes:
• encryption in transit
• secure database storage
• limited internal access
• routine security reviews

While no system is entirely secure, we work to protect your data from unauthorized access, alteration, or disclosure.

8. How Long We Keep Your Data

We keep each type of data only as long as it is needed for the purpose it was collected. Below is the specific retention period for every category of data we hold.

Account and profile data (name, email, grade, school code, account type)
Kept for: As long as your account is active. When you delete your account, this data is permanently removed within 30 days.

In-app activity data (quiz answers, career recommendations, favorites, progress, streaks, achievements)
Kept for: As long as your account is active. Deleted within 30 days of account deletion.

Consent and legal records (terms acceptance timestamp, consent version)
Kept for: 3 years from the date of consent, even after account deletion. This is necessary to demonstrate legal compliance if required.

Google Analytics data (page views, events, session data, device type, approximate location, analytics identifier)
Kept for: Up to 14 months within Google’s systems, which is Google’s standard Analytics data retention setting. After that period, Google automatically deletes the data. DreamPath does not receive or store raw GA4 data separately.

IP addresses (rate limiting only)
Kept for: Up to 1 hour. Rate-limiting records are stored in short-term memory (Upstash Redis) and expire automatically. IP addresses are never written to a permanent database.

Session cookies and authentication tokens
Kept for: The duration of your active session. Session cookies expire when you log out or after a short period of inactivity. Authentication tokens are short-lived and refreshed automatically.

Crash logs and error reports (Firebase)
Kept for: Up to 90 days within Firebase’s systems. These logs are used only to diagnose technical issues and are not linked to your personal identity beyond a device identifier.

Aggregated, anonymized analytics
Kept for: Indefinitely. Once data has been fully anonymized and aggregated so that no individual can be identified, it is no longer personal data and may be retained for historical product analysis.

Account deletion: You may request deletion of your account and all associated personal data at any time by contacting Support@dreampathcareer.com. Deletion will be completed within 30 days. Consent and legal compliance records may be retained for the period stated above even after deletion.

9. Your Privacy Rights

All Users
Regardless of where you live, you have the right to:
• Access — request a copy of the personal data we hold about you.
• Correct — ask us to fix inaccurate or incomplete information.
• Delete — request that we delete your personal data (subject to legal retention obligations described in Section 8).
• Withdraw consent — where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Opt out of analytics — disable Google Analytics for your sessions (see Section 13 for options).

EU, UK, and EEA Users (GDPR)
If you are located in the European Union, United Kingdom, or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR:

Right of access (Article 15): You may request confirmation of whether we process your personal data and, if so, a copy of that data along with information about how and why we use it.

Right to rectification (Article 16): You may request correction of inaccurate personal data or completion of incomplete data.

Right to erasure / "right to be forgotten" (Article 17): You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, or where there is no overriding legitimate interest.

Right to restriction of processing (Article 18): You may request that we limit how we use your data in certain circumstances — for example, while a correction request is being resolved.

Right to data portability (Article 20): Where processing is based on your consent or on a contract, and is carried out by automated means, you may request that we provide your personal data in a structured, machine-readable format so you can transfer it to another service.

Right to object (Article 21): You may object at any time to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You may also object to processing for direct marketing purposes at any time.

Right to withdraw consent (Article 7(3)): Where we rely on consent as a lawful basis, you may withdraw that consent at any time. Withdrawal does not affect the legality of processing that occurred before withdrawal.

Right to lodge a complaint: If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. In the EU, this is typically your country's data protection authority. In the UK, it is the Information Commissioner's Office (ICO) at ico.org.uk.

International Data Transfers: DreamPath uses Firebase and Google Analytics, both provided by Google LLC (United States). By using DreamPath, your data may be transferred to and processed in the United States. Google LLC participates in the EU–U.S. Data Privacy Framework and relies on Standard Contractual Clauses for international transfers where required. For details, see Google's Privacy Policy at https://policies.google.com/privacy.

To exercise any of the above rights, contact us at Support@dreampathcareer.com. We will respond within 30 days (or 45 days if your request is complex). We may need to verify your identity before fulfilling your request.

10. Email Communications and CAN-SPAM Compliance

Types of emails we send
DreamPath currently sends only transactional emails — messages that are necessary to operate your account or fulfill a request you have made. These include:
• Account verification emails sent when you create an account
• Password reset emails sent when you request a new password

Transactional emails are not promotional and do not require an unsubscribe link under the CAN-SPAM Act or equivalent laws.

If DreamPath begins sending marketing or promotional emails (such as feature announcements, career spotlights, or newsletters), we will:
• Include a clear and easy-to-use unsubscribe link in every message
• Use honest, non-deceptive subject lines that accurately reflect the content of the email
• Include a valid physical mailing address in the footer of every marketing email, as required by the CAN-SPAM Act
• Honor all unsubscribe requests within 10 business days
• Never send marketing emails to users who have opted out

You may opt out of any future marketing emails at any time by contacting Support@dreampathcareer.com. Opting out of marketing emails will not affect transactional emails necessary to operate your account.

GDPR note for EU/UK users: If you are located in the EU or UK, we will only send you marketing emails with your prior explicit consent. You may withdraw that consent at any time.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in features, regulations, or practices. When updated, the “Last updated” date at the top will be changed. Continued use of DreamPath indicates acceptance of the updated Policy.

12. Sponsored Content and Advertising

DreamPath includes non-personalized sponsored content from colleges, universities, trade schools, certification programs, employers, and other educational organizations (“Sponsors”). We do not use personal information, behavioral data, or individual user activity to select or display sponsored content. Sponsored placements are shown based only on general app context (such as the career category being viewed), not on the user’s identity.

DreamPath does not:
• share personal information with Sponsors
• permit Sponsors to track users or collect data through the App
• sell or rent student information
• allow targeted or behavioral advertising of any kind

Any reporting shared with Sponsors is fully anonymous and aggregated, and cannot identify any specific user.

13. Google Analytics 4 and Cookies

DreamPath uses Google Analytics 4 ("GA4"), a web analytics service provided by Google LLC. GA4 helps us understand how users interact with the App so we can improve the experience.

What Google Analytics Collects
• Page views and in-app events (e.g., games started, careers favorited)
• Session duration and navigation flow
• Device type, operating system, and browser type
• Approximate geographic location (city or region level — not street-level or GPS)
• A randomly assigned analytics identifier (not linked to your name or email)

What Google Analytics Does Not Collect in Our Implementation
• Full IP addresses (GA4 automatically anonymizes them before storage)
• Your name, email address, or other account credentials
• Precise location

How Google Uses This Data
Google processes analytics data on our behalf to provide aggregate, anonymized reports. We have disabled Google Signals to limit cross-product data sharing with Google's advertising products.

Your Opt-Out Options
• Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
• Google Ad and Data Settings: https://adssettings.google.com
• Email us at Support@dreampathcareer.com to request that analytics be disabled for your account

Cookies
Google Analytics uses cookies — small text files stored on your device — to distinguish sessions. GA4 initializes automatically when you log in (except for accounts where we detect the user may be under 13, in which case analytics are suppressed). You may opt out at any time using the options listed above. You may also disable or delete cookies through your browser settings; doing so may affect certain App features.

Google's Privacy Policy: https://policies.google.com/privacy

14. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights over your personal information.

Right to Know
You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.

Right to Delete
You may request deletion of personal information we have collected, subject to certain legal exceptions.

Right to Correct
You may request correction of inaccurate personal information we hold about you.

Right to Opt Out of Sharing for Cross-Context Behavioral Advertising
We use Google Analytics 4, which transfers pseudonymous usage data to Google. Under California law, this may be considered "sharing" personal information for cross-context behavioral advertising. You have the right to opt out:
• Install the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
• Email Support@dreampathcareer.com and we will disable analytics data collection for your account

Right to Non-Discrimination
We will not deny services, charge different prices, or provide a lesser experience because you exercised any of the rights above.

Categories of Personal Information We Collect (California Disclosure)
• Identifiers: email address (if account created), device identifier assigned by Firebase
• Internet or network activity: pages visited, session data, events — collected via Google Analytics 4
• Inferences: career interests derived from in-app quiz answers and activity

We do not collect Social Security numbers, financial account numbers, health information, or precise geolocation. We do not sell personal information for money.

How to Submit a Request
Email Support@dreampathcareer.com with "California Privacy Request" in the subject line. We will respond within 45 days. We may need to verify your identity before fulfilling your request. You may designate an authorized agent to submit requests on your behalf.

15. Contact Us

If you have questions about this Privacy Policy, or would like to request data access or deletion, please contact us:
Email: Support@dreampathcareer.com