Mistake Master
Home/ IT and Privacy Review

For school IT, network, and content-filter review

IT and Privacy Review

This page exists to help school technology staff approve Mistake Master quickly. It states exactly what the site is, what data it does and does not handle, what runs in the browser, and every external domain the site loads so you can allow them on your filter.

Last updated: June 23, 2026

Mistake Master is a free, browser-based AP Physics 1 and AP Physics C diagnostic and remediation tool. It runs in two modes. In open practice, the default, students do not create accounts, no student names or emails are collected, and progress is saved locally in the student's own browser. In class mode, an optional teacher-led setup, a teacher signs in by email to create a class, and students join with a short code or nickname the teacher assigns. Students are never asked for their real name. The teacher keeps the code-to-student mapping on their own side; it is never sent to Mistake Master, so the platform stores no student names, emails, or IDs in either mode. The site requires no installs, no browser extensions, and no special device permissions.

What the tool does and does not do

ItemStatus and detail
Purpose AP Physics 1 diagnostic, practice, and adaptive remediation aimed at common misconceptions.
Student accounts None   No student sign-in, registration, password, or login wall. To join a class, a student enters a short code or nickname their teacher assigns; this is not an account and stores no real name.
Teacher accounts Email magic link   Teachers sign in by clicking a one-time link emailed to them, with no password. The teacher's email address is stored so the app can authenticate them and link them to the classes they create. No student emails are involved.
Student names or emails Not collected   The app never asks for or transmits a student's real name, email, or student ID. In class mode, a student enters only the teacher-assigned code or nickname (for example a roster number or initials). If an entry looks like a real full name, the app warns the student to use their code instead.
Progress storage In open practice, progress is saved on the device using the browser's localStorage, under keys prefixed mm- (for example mm-diag-..., mm-drill-...), and never leaves the browser. An anonymous content-session token (sb-...-auth-token) is stored alongside it so the app can read questions; it holds no name, email, or password. In class mode, a student's skill-check results are also saved to Supabase under their class, keyed to the teacher-assigned roster code (never a name), so the teacher can see class progress. Clearing site data resets the local copy.
Installs or extensions None   Runs entirely in a standard web browser.
Device permissions None   No camera, microphone, location, notifications, or file access requested.
Uploads or sharing None   Students cannot upload files or post content. There is no chat, no messaging, and no user-to-user content.
Advertising None   No ad networks, no advertising scripts, no sponsored content, no ad cookies.
Analytics Server-side   Aggregate traffic (such as pages viewed, referrers, and approximate region) is measured by the host from server logs. No analytics script runs in the browser, no cookies are set, and no advertising products or ad networks are used. No student names, emails, or IDs are collected.
Cookies None   The site sets no cookies: no advertising cookies, no cross-site tracking cookies, and no analytics cookies. The anonymous content session is kept in localStorage, which is not a cookie and stays on the device.
Hosting Static files served by Netlify over HTTPS. Supabase serves question content and, in class mode, stores class data: the teacher's email, the class roster of teacher-assigned codes, and skill-check results keyed to those codes (see domains below).
Student education records The app collects no student names, emails, accounts, or IDs, so the data it stores is not directly identifying. In class mode, a student's results are keyed to a teacher-assigned code, and the code-to-student mapping stays with the teacher and is never sent to Mistake Master. A teacher can see how the codes in their own class are doing; Mistake Master cannot connect any code to a specific student.
Contact info@mistakemaster.com

Domains to allow on your filter

Every external domain the site contacts is listed below. Allowing these lets all pages, math rendering, interactive applets, and practice content load correctly.

DomainWhy it is neededOwner
mistakemaster.com The site itself: pages, styles, images, the interactive applets, and the React runtime they use (all served from this domain). Netlify hosting
fonts.googleapis.com Web font stylesheets. Google Fonts
fonts.gstatic.com Web font files. Google Fonts
cdnjs.cloudflare.com KaTeX library for rendering math notation. Cloudflare
cdn.jsdelivr.net Loads the Supabase client library that fetches practice content. jsDelivr (Cloudflare / Fastly)
qnlqqsinrslenrjsalaz.supabase.co Delivers question and practice content at page load. The app signs in anonymously (no name, email, or password) to read content under row-level security. No personally identifiable information is collected or stored. Supabase

All connections use HTTPS. If your filter supports wildcards, allowing *.supabase.co covers any regional endpoint variants.

Suitability for school networks

Data privacy agreements

The only personal information the platform stores is the email address of a teacher who chooses to sign in, which is that teacher's own professional contact. No student names, emails, or IDs are collected, and student results are keyed to teacher-assigned codes rather than identities, so the app does not hold student personal information of the kind a data privacy agreement governs. If your district still requires a signed agreement (for example an SDPC or NDPA exhibit) before approving the site, reach out and it can be reviewed. As Mistake Master grows to store identifiable student data, district data privacy agreements will be offered before that goes live.