Privacy policy

Part 1 — Who we are

About The Money Lab

The Money Lab (theMoneyLab.online) is a browser-based financial literacy simulation platform designed for classroom use at middle school, high school, and university level. It is operated by Matthew Clement, a Canadian citizen resident in Seoul, Republic of Korea.

For any privacy-related matter, contact: [email protected].

Part 2 — Student data

What we collect from students

What students enter

To join a class session, a student enters:

• A chosen first name or alias (their real name is not required and is never validated)
• A class code issued by their teacher

This information is used only to identify the student’s tile on the teacher’s live dashboard during that session. It is never transmitted to, stored on, or processed by our servers.

What we never collect from students

• Full name or surname
• Email address
• Date of birth or age
• Student ID or school ID number
• Home or school address
• IP address or device identifier
• Browser fingerprint or device type
• Geographic location
• Cookies, local storage persistent data, or tracking pixels
• Analytics or behavioural telemetry
• Photo, voice, or video
• Biometric data of any kind

How the simulation works technically

The Money Lab simulation is delivered as a single self-contained HTML file. After the initial page load, the simulation runs entirely within the student’s browser tab with no ongoing network communication. All student decisions, simulation state, and progress exist only in the browser’s in-memory JavaScript environment for the duration of that tab session. Closing or refreshing the tab destroys all session data permanently. Nothing is written to disk, cookies, local storage, or any server.

Part 3 — Teacher and school data

What we collect from teachers and administrators

Account registration

Teachers and school administrators register using:

• First and last name
• Work or personal email address
• School name and country (optional at registration)

This data is stored in a Supabase-managed Postgres database hosted on Vercel infrastructure, protected by industry-standard encryption at rest and in transit.

How we use this data

• To authenticate account access
• To send transactional emails (account confirmation, password reset, licence renewal reminders)
• To associate a licence with the correct school
• To contact account holders regarding service updates or changes to these terms

Retention

Teacher account data is retained for the duration of the active licence plus 12 months following licence expiry or account cancellation, after which it is deleted. Where a teacher requests earlier deletion, we will action that request within 30 days. To request deletion, email [email protected].

Your rights

Teachers and administrators may request access to, correction of, or deletion of their personal data at any time by contacting [email protected]. Requests will be responded to within 30 calendar days.

Part 4 — Paid plan billing

Billing data

Schools on paid plans (Starter and School tiers) are billed annually. Payment processing is handled entirely by Stripe, a PCI DSS-compliant payment processor. We never see, transmit, or store credit card numbers, bank account details, or any other payment card data. The only billing data retained by The Money Lab is:

• Invoice records (amount, date, plan tier)
• The Stripe customer ID associated with the school account

The Money Lab acts as the data controller for teacher account information and as a data processor in relation to student data processed on behalf of the school. Because no student personal data is collected or processed, the data processor role is limited to the technical infrastructure supporting the teacher dashboard.

Part 5 — COPPA

Children’s Online Privacy Protection Act (COPPA)

COPPA (applicable to US users) prohibits the online collection of personal information from children under 13 without verifiable parental consent. Because The Money Lab collects no personal information from any student of any age, the COPPA collection trigger is never reached.

Nonetheless, we have designed the platform to exceed COPPA requirements for under-13 use:

• No student account creation — students do not register or log in
• No persistent identifiers — no cookies, device IDs, or session tokens tied to a student
• No behavioural profiling — the platform does not observe, record, or transmit student behaviour
• No targeted advertising — the platform contains no advertising of any kind
• No third-party data sharing from the student-facing interface

Schools deploying The Money Lab with students under 13 may do so with confidence that no parental consent mechanism is required on our part, because no data collection occurs.

Part 6 — FERPA

Family Educational Rights and Privacy Act (FERPA)

FERPA (applicable to US educational institutions) governs the privacy of student education records. The Money Lab does not create, maintain, or transmit education records as defined by FERPA. No student performance data, grades, participation records, or identifiable academic information is stored by The Money Lab’s systems.

If a teacher chooses to use simulation outcomes (for example, a student’s end-of-simulation net worth) as part of a formal grade, that grading decision and any resulting records are managed entirely within the school’s own systems, not ours.

Part 7 — Korean law (PIPA)

Personal Information Protection Act — Republic of Korea

The Money Lab is operated from the Republic of Korea. The Personal Information Protection Act (개인정보 보호법, PIPA) is our primary jurisdictional framework. We comply with PIPA’s requirements in the following ways:

Lawful basis for collection

Personal information collected from teachers (name, email) is collected with the explicit consent of the individual at the point of account registration. Collection is limited to the minimum necessary for service delivery.

Notification of purpose

The purpose of collection (account authentication, transactional email, licence management) is disclosed at the point of registration and in this policy.

Retention and destruction

Personal information is retained only for the period necessary to fulfil the stated purpose, as described in Part 3 of this policy. At the end of the retention period, data is permanently deleted in accordance with PIPA Article 21.

Rights of data subjects

Under PIPA, data subjects (teachers and administrators) have the right to request access to, correction of, suspension of processing of, or deletion of their personal information. Requests may be submitted to [email protected] and will be processed within 10 business days.

Personal information officer

Matthew Clement serves as the Personal Information Protection Officer (개인정보 보호책임자) for The Money Lab. Contact: [email protected].

Part 8 — GDPR

General Data Protection Regulation (GDPR)

Where teachers or students located in the European Economic Area (EEA) use The Money Lab, the General Data Protection Regulation applies. We are committed to compliance with GDPR requirements.

Lawful basis

We process teacher personal data on the lawful basis of contract performance (Article 6(1)(b)) — specifically, to provide the service the teacher has registered to use. Where we send marketing communications, we rely on legitimate interests (Article 6(1)(f)) and provide an opt-out mechanism in every email.

Data subject rights

Teachers and administrators with accounts have the following rights under GDPR:

• Right of access — to receive a copy of the personal data we hold about you
• Right to rectification — to have inaccurate data corrected
• Right to erasure — to have your data deleted (subject to legitimate retention obligations)
• Right to restriction — to restrict processing of your data
• Right to portability — to receive your data in a structured, machine-readable format
• Right to object — to object to processing based on legitimate interests

To exercise any of these rights, contact [email protected]. We will respond within 30 calendar days.

Data Protection Officer

Given the scale of data processing, The Money Lab is not currently required to appoint a formal DPO. Privacy enquiries are handled directly by Matthew Clement.

Part 9 — Australian users

Australia Privacy Act 1988

For users in Australia, The Money Lab is committed to compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The data handling practices described in this policy are designed to be consistent with APP requirements, including APP 3 (collection of solicited personal information), APP 5 (notification of collection), APP 6 (use or disclosure of personal information), and APP 11 (security of personal information).

Australian users who wish to make a privacy complaint or access their data may contact [email protected]. If a complaint cannot be resolved directly, it may be referred to the Office of the Australian Information Commissioner (OAIC).

Part 10 — Third-party services

Services we use

We work with the following third-party service providers. Each is named, along with its purpose and a link to its own privacy policy.

We do not use Google Analytics, Meta Pixel, or any advertising or behavioural tracking technology on any page of this site or within the simulation.

Part 11 — International data transfers

International data transfers

The Money Lab is operated by a Canadian citizen resident in the Republic of Korea. Our hosting infrastructure (Vercel) and database provider (Supabase) may process data in servers located in the United States, Europe, or other jurisdictions depending on region configuration.

Where personal data belonging to teachers or administrators is transferred outside the Republic of Korea, such transfers are made in accordance with PIPA Chapter V (Cross-border Transfer of Personal Information), including obtaining consent at the point of registration where required. Where data is transferred from the EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms.

The student-facing simulation involves no data transfer whatsoever, as no student data leaves the user’s browser.

Part 12 — Children’s privacy

Children’s privacy

The Money Lab is designed for use in supervised classroom settings with students of middle school age and above. We take the privacy of young people especially seriously.

Because the student-facing simulation collects no personal information of any kind, there is no minimum age requirement to use the simulation. Students of any age may participate in a Money Lab class session without providing any personal information to us.

If you are a parent or guardian and have concerns about your child’s participation in a Money Lab session at school, please contact the teacher or school directly. If you have concerns about our data practices, contact us at [email protected].

Part 13 — Changes to this policy

Changes to this policy

If we make material changes to this Privacy Policy, we will notify account holders by email at least 30 days before the changes take effect. The “Last updated” date at the top of this page will always reflect the most recent revision. Continued use of the platform after a change takes effect constitutes acceptance of the updated policy.

Part 14 — Contact

Privacy requests and contact

For all privacy-related requests — including access requests, data deletion, corrections, or complaints — contact:

Matthew Clement
The Money Lab
Seoul, Republic of Korea
[email protected]

We aim to respond to all privacy requests within 10 business days.