Security & Student Data Privacy | Lemonade Stand Business Plan
Trust, Safety & Student Data

A Safe, Modern Place for Future-Ready Learning

The Lemonade Stand Business Plan is a K-12 entrepreneurship and career-readiness platform built with student safety, privacy, and responsible AI at the core. This page summarizes how we keep student data protected, what schools and parents can expect, and how the platform is designed to support — not replace — great classroom teaching.

Last updated: February 5, 2026

We never sell student data — full stop.

We do not use student data to train AI models.

We minimize what we collect — only what's needed.

We sign district Data Privacy Agreements at no cost.

Platform Security Overview

The Lemonade Stand Business Plan is a cloud-hosted web platform built with modern security practices throughout. We design the platform with the assumption that it will be used in K-12 classrooms — meaning student safety, predictable behavior, and data minimization come before everything else.

  • HTTPS / TLS 1.2+ on every connection between the student's device and our servers.
  • HSTS enforcement so browsers refuse to downgrade to insecure HTTP.
  • Standard browser hardening headers: clickjacking protection, MIME-sniffing protection, restrictive referrer policy, and limited browser-feature permissions.
  • U.S.-based hosting on managed Kubernetes (Emergent Cloud) with managed MongoDB (Atlas).
  • Rate-limiting on authentication and AI endpoints to prevent abuse.
  • Error monitoring (Sentry) with personally identifiable information automatically redacted at the source.

Student Data Protection

We follow a data minimization approach — we collect only what is required to deliver lessons and show progress, nothing more.

  • What we collect: name, email, role, lesson responses, optional pitch recordings the student chooses to make, and aggregated usage counts.
  • What we don't collect: government IDs, financial data, precise location, biometric data, or advertising profiles.
  • How long we keep it: while the account is active; on deletion request, we remove records within 30 days and rotate backups within 90.
  • Who can see it: the student, their assigned educator (if any), their parent (via parent share link), and the school under FERPA "school official" terms.
  • What we never do: sell student data, share it for advertising, or use it to train external AI models.

See the full Privacy Policy for line-by-line detail.

COPPA Positioning

The federal Children's Online Privacy Protection Act (COPPA) applies to children under 13. We approach COPPA with a strict, school-first model:

  • Our public Elementary preview ("Lemonade Leaders Jr." — grades 2–5) is designed to require no account and no data transmission. All progress is stored locally in the child's own browser.
  • Any future student accounts under 13 will only be created with verifiable consent from a parent, legal guardian, or school acting under the FERPA "school official" exception.
  • We do not target advertising at children or anyone else.
  • Parents and schools may request access, correction, or deletion of a child's data at any time.

FERPA Readiness

When a school or district uses the platform, we operate as a "school official" under FERPA (34 CFR § 99.31(a)(1)). That means:

  • Student education records remain under the school's direction and control.
  • We use student data only to deliver the service the school requested.
  • We do not redisclose student data without school authorization.
  • Schools can request export (CSV, PDF) and deletion at any time.
  • We will sign your district's Student Data Privacy Agreement — including SDPC/NDPA standard contracts — at no cost. Email privacy@thewementality.com to start.

Authentication & Encryption Practices

  • Passwords are hashed using bcrypt — never stored in plain text.
  • Sessions use signed JWT tokens with rotation and short expirations.
  • Login endpoints are protected by per-IP and per-user rate-limiting against brute-force attempts.
  • Admin and educator routes are role-gated server-side, not just hidden in the UI.
  • All in-transit data uses HTTPS / TLS 1.2 or higher.
  • At-rest data lives in managed MongoDB Atlas (U.S. region) with provider-level encryption.
  • Internal team access is restricted, audited, and reviewed.

Responsible AI Statement

AI assists learning — it does not replace student thinking.

  • Coach, not ghostwriter. Our AI helper ("LemonBot") is designed to ask Socratic questions and prompt reflection. It does not write a student's business plan, pitch, or reflection answers for them.
  • Human creativity and entrepreneurship remain central. Every Mini Business Plan, every pitch, and every problem-solving moment belongs to the student.
  • Student safety and privacy are prioritized. LemonBot conversations run under OpenAI's enterprise API terms — student chats are not used to train any AI model.
  • Outputs are guided. Prompts and safety filters are reviewed by our team; daily per-student quotas keep usage focused on learning, not entertainment.
  • Educator control. Teachers and admins can disable LemonBot for any class with one click.

Account & Deletion Rights

  • Any account holder can permanently delete their account and associated learning data at /delete-account.
  • Parents and guardians may request deletion on behalf of their child by emailing privacy@thewementality.com.
  • Schools may request bulk deletion at the end of a course, school year, or pilot period.
  • Deletions complete within 30 days; backups rotate within 90.
  • You can download your own work (PDF) before deleting.

Vendor & Subprocessor Transparency

We use a small, carefully selected set of service providers to run the platform. The full, current list — including what data each handles and where it sits — lives on our Subprocessors page. Notable highlights:

  • Hosting: Emergent Cloud (U.S. Kubernetes).
  • Database: MongoDB Atlas (U.S. region).
  • AI: OpenAI Enterprise API (no model training on customer data).
  • Email: SendGrid (transactional only).
  • Analytics: Privacy-respecting (PostHog + GA4) — no advertising profiles.
  • Error tracking: Sentry with PII redaction.

Digital Citizenship & Safe Technology Use

Entrepreneurship education is also an opportunity to build healthy digital habits. Our lessons and activities are designed to support — not undermine — classroom digital-citizenship work:

  • Modeling responsible AI use. LemonBot demonstrates that AI is a tool for thinking, not a shortcut around thinking.
  • Healthy creator mindset. Students are guided to build products and ideas that respect customers and communities.
  • Safe sharing. Public share links (Mini Business Plans, certificates) use opaque tokens — no personally identifiable URLs.
  • Respectful communication. Our Terms of Service prohibit harassment, hate, and harmful content; abuse reports are reviewed quickly.
  • Cybersecurity awareness. Students learn how their information is stored, what HTTPS means, and why strong passwords matter — through the lens of running their own business.

Nevada Technology & Digital Citizenship Alignment

The platform is designed to support Nevada classrooms working toward future-ready learning. We use the phrasing "aligned with" and "designed to support" intentionally — we are not a state-certified solution, but we have built the experience to fit the priorities Nevada educators tell us matter:

  • Built to support the Nevada Computer Science & Integrated Technology Standards — students plan, problem-solve, and use technology purposefully throughout the journey.
  • Aligned with widely accepted digital citizenship expectations — safe sharing, respectful communication, and balanced technology use.
  • Designed with cybersecurity awareness in mind — students see, in context, how their data is collected, stored, and protected.
  • Supports responsible, AI-assisted learning — our LemonBot model emphasizes student voice and original thinking.
  • Aligned with Nevada's future-ready learning emphasis — career readiness, entrepreneurship, real-world problem solving, and adaptive technology fluency.
  • Supports schools and districts pursuing CTE / Perkins V reporting through our CTE-metrics export tools (available to educators).

Note: alignment statements describe how the platform was designed and how educators may apply it. They are not formal state endorsements or certifications.

Contact & Inquiries

The WE Mentality
Las Vegas, Nevada, USA