Academic pilot documentation
Security & Data Protection
This page summarizes the platform security posture and data protection practices for the academic pilot.
Last updated: May 21, 2026
Authentication and Access Control
The platform uses Firebase Authentication for account login and role-based admin access for privileged areas.
Admin API routes are expected to verify Firebase ID tokens server-side and require an admin custom claim before returning administrative data.
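The check described above, as an added example rather than the pilot's own route code: the handler extracts the bearer token, has it verified server-side, and only then tests for the admin custom claim, returning 401 for an unverifiable token and 403 for a valid but non-admin one. Token verification is injected as a parameter so the example runs offline; in the real route you would pass getAuth().verifyIdToken from 'firebase-admin/auth' (assumption: the Admin SDK is initialised elsewhere with the server-only service-account key). The fake tokens and the admin data loader are constructed for the demo.

```javascript
// Added example (not the pilot's own code): server-side admin gate for a Next.js
// API route. `verifyIdToken` is injected so this file runs offline; in production
// pass getAuth().verifyIdToken from 'firebase-admin/auth' (assumed to be set up
// elsewhere with the server-only service-account key).

function extractBearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const [scheme, token] = header.split(' ');
  if (scheme !== 'Bearer' || !token) return null;
  return token;
}

// Deliberately strict: only the boolean `true` set via setCustomUserClaims counts.
// A missing claim, the string "true" or the number 1 are all rejected.
function isAdminClaim(decoded) {
  return decoded !== null && typeof decoded === 'object' && decoded.admin === true;
}

// Returns { status, body } for an admin-only route. `verifyIdToken` must reject
// (throw) on an invalid, expired or revoked token and resolve to the decoded claims.
async function handleAdminRequest(req, verifyIdToken, loadAdminData) {
  const token = extractBearerToken(req);
  if (!token) return { status: 401, body: { error: 'missing bearer token' } };

  let decoded;
  try {
    // Second argument checkRevoked=true makes a revoked session fail closed
    // (one extra lookup against Firebase per request).
    decoded = await verifyIdToken(token, true);
  } catch (err) {
    // Do not echo verifier error details to the client.
    return { status: 401, body: { error: 'invalid token' } };
  }

  if (!isAdminClaim(decoded)) {
    // Authenticated but not privileged: 403, and no admin data in the body.
    return { status: 403, body: { error: 'admin claim required' } };
  }

  return { status: 200, body: await loadAdminData(decoded.uid) };
}

// Constructed fake verifier for the offline demo: maps fixed tokens to claims.
const FAKE_TOKENS = {
  'tok-admin': { uid: 'u-admin', admin: true },
  'tok-student': { uid: 'u-student' },
  'tok-spoof': { uid: 'u-spoof', admin: 'true' }, // string, not boolean
};
async function fakeVerifyIdToken(token) {
  if (!(token in FAKE_TOKENS)) throw new Error('auth/argument-error');
  return FAKE_TOKENS[token];
}
async function fakeLoadAdminData(uid) {
  return { requestedBy: uid, enrolledStudents: 42 }; // constructed payload
}

// Builds a request carrying `token` (or none) and runs it through the gate.
async function demo(token) {
  const req = { headers: token ? { authorization: `Bearer ${token}` } : {} };
  return handleAdminRequest(req, fakeVerifyIdToken, fakeLoadAdminData);
}

demo('tok-student').then((r) => console.log('student ->', r.status));
```

In a pages/api handler the result maps directly onto the response: res.status(result.status).json(result.body). Keeping the claim check as its own function makes it easy to unit-test the spoof cases (string "true", missing claim) without an emulator.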
Firestore and Storage Rules
Firestore security rules are used to separate student-owned records, admin-only data, course content, chat history, feedback, and public lecturer onboarding submissions.
Firebase Storage rules restrict uploaded course materials and pro uploads based on authentication, admin status, and course ownership or access where configured.
Server-Side Secrets
AI API keys and Firebase Admin private keys must be server-only and must not be exposed to browser code.
NEXT_PUBLIC environment variables should be limited to public Firebase client configuration and public analytics configuration.
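A check for the two rules above, as an added example that is not part of the pilot's tooling: Next.js inlines every NEXT_PUBLIC_ variable into the browser bundle, so the script parses a .env file and flags any NEXT_PUBLIC_ name that looks like an AI key or Firebase Admin credential (block), and any NEXT_PUBLIC_ name outside an allowlist of public Firebase client and analytics configuration (review). The variable names in the allowlist, the secret-name patterns and the sample .env contents are assumptions constructed for the demo.

```javascript
// Added example (not the pilot's own code): audit .env variable names so that
// server-only secrets never ship under the NEXT_PUBLIC_ prefix. The allowlist
// and patterns below are assumptions for this pilot; adjust them to the project.

// Public Firebase web config and analytics IDs are expected to be exposed.
const ALLOWED_PUBLIC = new Set([
  'NEXT_PUBLIC_FIREBASE_API_KEY',
  'NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN',
  'NEXT_PUBLIC_FIREBASE_PROJECT_ID',
  'NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET',
  'NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID',
  'NEXT_PUBLIC_FIREBASE_APP_ID',
  'NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID',
  'NEXT_PUBLIC_GA_MEASUREMENT_ID',
]);

// Names that indicate server-only material (Admin SDK credentials, AI keys).
const SECRET_NAME_PATTERNS = [
  /PRIVATE_KEY/i, /CLIENT_EMAIL/i, /SERVICE_ACCOUNT/i,
  /OPENAI|ANTHROPIC|GEMINI|AI_API_KEY/i,
  /SECRET/i, /TOKEN/i, /PASSWORD/i,
];
// Values that are secrets regardless of how the variable is named.
const SECRET_VALUE_PATTERN = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;

// Minimal .env parser: KEY=value lines, '#' comments, optional surrounding quotes.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = (value.startsWith('"') && value.endsWith('"')) ||
                   (value.startsWith("'") && value.endsWith("'"));
    if (quoted) value = value.slice(1, -1);
    env[name] = value;
  }
  return env;
}

// Returns findings for every NEXT_PUBLIC_ variable that is not explicitly allowed.
function auditEnv(env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith('NEXT_PUBLIC_')) continue; // server-only by default
    if (ALLOWED_PUBLIC.has(name)) continue;
    const secretLike = SECRET_NAME_PATTERNS.some((re) => re.test(name)) ||
                       SECRET_VALUE_PATTERN.test(value);
    findings.push({
      name,
      severity: secretLike ? 'block' : 'review',
      reason: secretLike
        ? 'secret-like variable would be inlined into the browser bundle'
        : 'public variable not in the allowlist; confirm it is non-sensitive',
    });
  }
  return findings;
}

// Constructed sample .env.local: one correct server-only key, one leaked AI key,
// one unreviewed public variable. The "\n" inside the key is literal, as in a real file.
const SAMPLE_ENV = `
# constructed sample for the demo
NEXT_PUBLIC_FIREBASE_API_KEY=AIza-example-public
NEXT_PUBLIC_FIREBASE_PROJECT_ID=pilot-demo
NEXT_PUBLIC_GA_MEASUREMENT_ID=G-EXAMPLE
FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\\nexample\\n-----END PRIVATE KEY-----\\n"
NEXT_PUBLIC_OPENAI_API_KEY=sk-example-leak
NEXT_PUBLIC_FEATURE_FLAGS=chat,uploads
`;

function runDemo() {
  return auditEnv(parseDotenv(SAMPLE_ENV));
}

for (const f of runDemo()) console.log(`${f.severity.toUpperCase()} ${f.name}: ${f.reason}`);
```

Run it against each .env file in CI and fail the build on any 'block' finding; 'review' findings are a prompt to either add the name to the allowlist or move the value server-side.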
Responsible Use of Chat and Uploads
Users should avoid submitting sensitive personal data, third-party confidential information, or unauthorized copyrighted materials.
Academic AI responses may contain inaccuracies and should not replace official course instructions.
Incident Contact
Report suspected security issues, unauthorized access, exposed data, or misuse to liamesika2121@gmail.com with relevant details and timestamps where possible.