Privacy Policy

Overview

ExitFlow ("we," "us," or "our") is a teacher-first formative assessment tool operated by Free Teacher Tools. We are committed to protecting the privacy of teachers and students who use ExitFlow. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

If you have questions about this policy, contact us at privacy@exitflow.app.

What we collect

Teacher accounts

When you sign up for ExitFlow, we collect your name, email address, and the password you choose. Your password is hashed using a secure one-way algorithm and is never stored in plaintext. We also store optional profile information you may add: timezone, locale preference, grade band, subject area, and school name.

Class and check data

We store the classes you create, the students you add to those classes, and the checks (questions and settings) you author. This data belongs to you.

Session and response data

When you run a session, we store which students joined, what they submitted, and the timing of their responses. Student participation data is associated with a session and a class — not with any persistent external identity.

Student participation

Students do not create accounts in ExitFlow. They join sessions using a code or link and may optionally provide their name. We do not collect device identifiers, IP addresses beyond basic session logging, or any other personal information beyond what they voluntarily submit.

How we use your data

• To create and manage your account and sessions
• To deliver responses and results to you in real time
• To send you account-related emails (verification, password reset)
• To maintain the security and integrity of the service
• To improve ExitFlow based on aggregate usage patterns

We do not sell your email address, student data, class data, or any other personal information to anyone. Ever.

Cookies and sessions

ExitFlow uses cookies to maintain your authenticated session when you are logged in. These cookies are HTTP-only, secure, and have a limited lifetime. We do not use tracking cookies or advertising pixels.

Data retention

You may delete your account and all associated data at any time by contacting us at support@exitflow.app. We will remove your account, classes, students, checks, and session data from our active systems within 30 days of your request.

Some anonymized, aggregated data (e.g., total number of checks created platform-wide) may be retained for operational and improvement purposes but can never be linked back to individual users.

Third-party services

ExitFlow uses a limited number of third-party services to operate: a hosting provider (servers), an email delivery service (for transactional emails like verification and password reset), and a payment processor (for donations). Each service is chosen for its privacy practices, and your data is shared only to the extent necessary to provide the service.

Children's privacy

ExitFlow is used by teachers with students of all ages. We do not knowingly collect personal information directly from students under 13 without teacher/campus authorization. All participation is initiated by the teacher through session codes. Any student data is associated with the teacher's account and is under the teacher's control.

Security

ExitFlow implements the following security measures: secure password hashing, rate limiting on all auth endpoints, one-time use verification and reset codes that expire, session invalidation after password changes, and same-origin request validation on all authenticated API routes. While no internet service is completely immune to risk, we take reasonable technical measures to protect your data.

Changes to this policy

If we update this Privacy Policy, we will change the "Last updated" date above and post the revised policy on this page. For significant changes, we will notify you via email to the address associated with your account.

Contact

Questions about this Privacy Policy? Email us at privacy@exitflow.app.