Trust is part of the product.
Generation STEM is built for families, so account safety, student privacy, payment protection, and responsible admin access are core product requirements.
Product safeguards
Security designed around families.
The platform protects the surfaces families actually use: parent accounts, student profiles, billing, progress tracking, and learning workspaces.
Least-privilege access
Parent, student, and admin areas are separated so each user sees the information and tools intended for their role.
Secure account sessions
Authenticated areas use protected sessions, server-side validation, scoped API access, and rate-limited password reset and OTP flows.
Payment isolation
Payments are handled through Stripe. Generation STEM does not store raw credit card numbers.
Learning data controls
Student progress, enrollments, submissions, and achievements are tied to household records and protected through access checks.
Safe technical environments
Courses are designed around guided, browser-native workspaces and isolated execution so students practice safely without installing tools on family devices.
Responsible admin tooling
Administrative actions use server-validated admin sessions and audit logs, including support access into parent or student views.
Data protection
What we protect.
Generation STEM collects only what is needed to operate family accounts, deliver courses, show progress, support billing, and improve the learning experience.
Family account information
Parent names, emails, household structure, plan information, and account settings.
Student learning records
Student profiles, course enrollments, progress, achievements, activity status, and certificates.
Project and workspace activity
Course-specific code submissions, outputs, and learning interactions needed to support progress and feedback.
Billing status
Subscription tier and payment status, with sensitive payment details managed by Stripe.
Support tooling should increase trust, not weaken it.
Administrative access is used to operate the platform, support families, and troubleshoot issues. Admin routes require the protected admin session cookie, legacy admin-new entrypoints are disabled, and support access is logged when it starts and ends.
Protected admin sessions
Admin routes are guarded by server-side session checks backed by persisted session tokens.
Hijack start and end logs
Support access records target type, target id, household context, and the admin who initiated the action.
Clear return controls
Admin support sessions include a clear way back to the admin portal and clear temporary user cookies when ended.
Password reset and OTP
Password reset links use random expiring tokens that are hashed before storage, verification codes are hashed before storage, email auth requests are rate-limited, and reset requests use a neutral response so account existence is not exposed.
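A minimal sketch of the reset-token handling described above, added here as an illustration and not Generation STEM's own code. The class name, the 30-minute lifetime, the in-memory dict standing in for a database table, and the reply wording are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime; the page gives no figure
NEUTRAL_REPLY = "If that email has an account, a reset link is on its way."


class ResetService:
    """Hypothetical service: stores only token digests, never raw tokens."""

    def __init__(self, known_emails, clock=time.time):
        self.known_emails = set(known_emails)
        self.clock = clock
        self.rows = {}    # sha256(token) hex -> (email, expires_at); stand-in for a DB table
        self.outbox = []  # (email, raw_token); stand-in for the mailer

    @staticmethod
    def _digest(raw_token):
        return hashlib.sha256(raw_token.encode()).hexdigest()

    def request_reset(self, email):
        # Same reply for known and unknown addresses, so the response
        # cannot be used to test whether an account exists.
        if email in self.known_emails:
            raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            expires_at = self.clock() + TOKEN_TTL_SECONDS
            self.rows[self._digest(raw)] = (email, expires_at)
            self.outbox.append((email, raw))  # raw token exists only in the email
        return NEUTRAL_REPLY

    def redeem(self, raw_token):
        """Return the account email for a valid token, else None."""
        row = self.rows.pop(self._digest(raw_token), None)  # pop: single use
        if row is None:
            return None
        email, expires_at = row
        if self.clock() > expires_at:
            return None  # expired tokens are rejected and already deleted
        return email
```

A plain SHA-256 digest is enough here only because the token is long and random; short numeric verification codes can be enumerated, so their stored hashes rely on a server-side key and attempt limits for protection.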
Log and analytics hygiene
Application logs should not expose student PII, reset links, OTP codes, or full transactional email bodies. Marketing analytics are kept to public pages and excluded from private dashboards, course-player, checkout, and account-auth routes.
Family best practices
Use a strong, unique password for the parent account.
Keep parent login details separate from student access.
Review student progress and activity from the parent dashboard.
Use supported, up-to-date browsers on shared family devices.
Contact support if you see unfamiliar account activity.