Last updated: February 8, 2026
This page describes the security practices, infrastructure, and compliance measures in place for the Learnmeld platform. We believe in transparency about how we protect your data and operate our service.
Overview
Learnmeld is an early-stage AI tutoring platform. We take security seriously and implement industry-standard practices to protect your data. This page documents what we have in place today.
We do not currently hold formal certifications (such as SOC 2 or ISO 27001). As our platform grows, we will evaluate and pursue certifications appropriate to our scale and user base.
Data security
Encryption in transit
All traffic to and from Learnmeld is encrypted using TLS (HTTPS). TLS terminates at Cloudflare's edge, and traffic between the edge and our origin travels over Cloudflare Tunnel, an encrypted connection that our server opens outbound to Cloudflare, so data in transit stays encrypted between your browser and our infrastructure.
Encryption at rest
Our database uses standard filesystem storage provided by our hosting provider. We do not currently implement application-level encryption at rest beyond what the hosting infrastructure provides.
Security headers
Our web server enforces the following security headers on all responses:
- X-Frame-Options: SAMEORIGIN (prevents clickjacking by refusing to be framed by other origins)
- X-Content-Type-Options: nosniff (prevents MIME type sniffing)
- X-XSS-Protection: 1; mode=block (legacy header for the browser XSS auditor; current browsers have removed the auditor and ignore this header, so it adds no protection on its own)
- Referrer-Policy: no-referrer-when-downgrade (sends the referrer on HTTPS-to-HTTPS requests and omits it on HTTPS-to-HTTP requests)
CORS policy
Browser requests to the API are restricted to our application origin (https://app.learnmeld.com) via CORS policy: responses are not made readable to scripts running on other origins. CORS is enforced by the browser, not the server, so it does not by itself stop non-browser clients; authentication and rate limiting apply to every request regardless of origin.
Rate limiting
We implement rate limiting at both the web server and application levels to protect against abuse:
- Authentication endpoints (login, register, password reset): 3–5 requests per minute
- General API endpoints: 10 requests per second with burst allowance
- Additional per-endpoint limits for sensitive operations
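The token-bucket model below shows how a sustained rate plus a burst allowance behaves for the two tiers listed above. It is an added illustration, not Learnmeld's code; the bucket sizes (5 for auth, 20 for the API), the client addresses and the injected clock are assumptions, since the page gives only the headline limits.

```python
"""Token-bucket rate limiter modelling the two tiers described above.

Added illustration, not Learnmeld's code. The bucket capacities and the
reading of "burst allowance" as capacity above the sustained rate are
assumptions; the page states only the headline limits.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    rate: float  # sustained refill, tokens per second
    burst: int   # bucket capacity: how many requests may arrive at once


# Assumed parameters: auth endpoints get 5/minute with no extra burst,
# the general API gets 10/s sustained with a burst of 20.
POLICIES = {
    "auth": Policy(rate=5 / 60, burst=5),
    "api": Policy(rate=10.0, burst=20),
}


class RateLimiter:
    """One bucket per (tier, client). The clock is injected so the demo is
    deterministic; in production pass time.monotonic."""

    def __init__(self, policies, clock):
        self.policies = policies
        self.clock = clock
        self._buckets = {}  # (tier, client) -> (tokens, last_refill_time)

    def allow(self, tier: str, client: str) -> bool:
        policy = self.policies[tier]
        now = self.clock()
        key = (tier, client)
        tokens, last = self._buckets.get(key, (float(policy.burst), now))
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = min(float(policy.burst), tokens + (now - last) * policy.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        # Denied: store the refill time so the partial token is not lost.
        self._buckets[key] = (tokens, now)
        return False


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Drive the limiter with a constructed request pattern and return the
    outcomes so they can be checked rather than only printed."""
    clock = FakeClock()
    limiter = RateLimiter(POLICIES, clock)
    attacker = "203.0.113.7"  # constructed client address (TEST-NET-3)

    # Six login attempts back to back: five pass, the sixth is throttled.
    login_burst = [limiter.allow("auth", attacker) for _ in range(6)]
    # After 13 s the auth bucket has refilled just over one token.
    clock.advance(13)
    login_after_wait = limiter.allow("auth", attacker)
    # A different client has its own bucket and is unaffected.
    other_client = limiter.allow("auth", "198.51.100.9")

    # General API: the whole burst of 20 passes, the 21st is throttled,
    # and 0.2 s later two tokens have refilled.
    api_burst = [limiter.allow("api", attacker) for _ in range(21)]
    clock.advance(0.2)
    api_after_wait = limiter.allow("api", attacker)

    return {
        "login_burst": login_burst,
        "login_after_wait": login_after_wait,
        "other_client": other_client,
        "api_burst": api_burst,
        "api_after_wait": api_after_wait,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Keying buckets per client and per tier is what keeps a brute-force attempt against one account from consuming the budget of other users, and why the auth bucket is sized to its own limit rather than sharing the API bucket.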
Authentication and access control
Password security
- Passwords are hashed using bcrypt at the library's default work factor before storage; bcrypt generates a random per-password salt and stores it inside the hash, so identical passwords do not produce identical hashes. We never store plaintext passwords.
- Minimum password length: 8 characters.
Email verification
Email verification is required before you can log in. Verification tokens are cryptographically random (32 bytes) and expire after 24 hours. A 60-second cooldown prevents abuse of the resend function.
Session management
- Sessions are managed using JSON Web Tokens (JWT) signed with HMAC-SHA256.
- Tokens expire after 7 days and must be renewed by logging in again.
- Tokens are stored in browser local storage rather than in cookies. Because the browser does not attach them automatically, cross-site request forgery does not apply, but any script running on our origin can read them, so the session depends on the cross-site scripting defences described above.
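To make the session mechanism concrete, the following added example issues and verifies an HS256 JWT with the 7-day lifetime described above, pinning the algorithm, comparing signatures in constant time and enforcing expiry. It is illustration only, not Learnmeld's code; the claim names, the secret, the user identifier and the timestamps are constructed for the demo.

```python
"""Minimal HS256 JWT issue/verify for 7-day sessions as described above.

Added example, not Learnmeld's code. The claim set {sub, iat, exp}, the
demo secret and the constructed timestamps are assumptions.
"""
import base64
import hashlib
import hmac
import json

SEVEN_DAYS = 7 * 24 * 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(secret: bytes, user_id: str, now: int, ttl: int = SEVEN_DAYS) -> str:
    """Sign {sub, iat, exp} with HMAC-SHA256 over 'header.payload'."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment({"sub": user_id, "iat": now, "exp": now + ttl})
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class TokenError(Exception):
    pass


def verify_token(secret: bytes, token: str, now: int) -> dict:
    """Return the payload if the token is well-formed, HS256-signed with
    `secret` and not expired; raise TokenError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed") from exc
    # Pin the algorithm server-side. Honouring header["alg"] would accept
    # alg=none tokens and, with asymmetric keys, key-confusion attacks.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal matching prefixes.
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired")
    return payload


def token_status(secret: bytes, token: str, now: int) -> str:
    """Return 'ok:<sub>' for an accepted token, else the rejection reason."""
    try:
        return "ok:" + verify_token(secret, token, now)["sub"]
    except TokenError as exc:
        return str(exc)


def demo() -> dict:
    secret = b"constructed-demo-secret-not-for-production"
    issued_at = 1_700_000_000  # constructed timestamp
    token = issue_token(secret, "user-42", issued_at)
    h_b64, _p_b64, s_b64 = token.split(".")

    # Attacker keeps the valid signature but swaps in a privileged payload.
    forged_payload = _segment({"sub": "admin", "iat": issued_at, "exp": issued_at + SEVEN_DAYS})
    tampered = f"{h_b64}.{forged_payload}.{s_b64}"
    # Classic alg=none forgery with an empty signature segment.
    none_header = _segment({"alg": "none"})
    none_token = f"{none_header}.{forged_payload}."

    return {
        "fresh": token_status(secret, token, issued_at + 60),
        "last_second": token_status(secret, token, issued_at + SEVEN_DAYS - 1),
        "expired": token_status(secret, token, issued_at + SEVEN_DAYS),
        "tampered": token_status(secret, tampered, issued_at + 60),
        "alg_none": token_status(secret, none_token, issued_at + 60),
        "wrong_key": token_status(b"other-secret", token, issued_at + 60),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Verification here is stateless: anything carrying a valid signature is accepted until exp passes, which is why the signing secret must stay out of code and environment variables and why a leaked token remains usable for the rest of its 7-day window.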
Data isolation
All database queries are scoped to the authenticated user's ID, which is taken from the verified session token rather than from request parameters. User data is isolated at the application level: the public API exposes no operation that returns another user's records.
Administrative access
Internal administrative endpoints are protected by a separate API key and are not accessible through the public API. Administrative actions are limited to operations required for service delivery (e.g., token validation for inter-service communication).
Infrastructure
Hosting
Learnmeld is hosted on Hetzner Cloud, a European cloud provider with data centers in Germany and Finland. Our primary server is located in Germany.
Architecture
- Services run as Docker containers orchestrated by Docker Swarm.
- All services (database, API, application) run on an internal overlay network — only the reverse proxy and Cloudflare Tunnel are exposed.
- Credentials and API keys are stored as Docker Secrets, not in environment variables or code.
Logging and monitoring
- Application logs are collected using Promtail and aggregated in Loki.
- Logs are rotated automatically (10 MB max per file, 3 files retained).
- Log retention: 7 days.
- Monitoring dashboards are available via Grafana (internal access only).
Data processing and sub-processors
We use the following third-party services to operate Learnmeld. Each service processes some portion of user data as described below.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Hetzner | Server hosting | All data (database, logs, application) | Germany (EU) |
| Cloudflare | CDN, DDoS protection, TLS termination | Web traffic, IP addresses | Global (nearest edge) |
| Stripe | Payment processing | Email, payment details, billing history | US (Stripe infrastructure) |
| RunPod | AI model inference | Chat messages sent for AI responses | US (RunPod infrastructure) |
| SendGrid | Transactional email delivery | Email addresses, email content | US (Twilio infrastructure) |
| Zoho Mail | Business email | Support correspondence | EU (Zoho EU data centers) |
| PostHog | Product analytics | Page views, feature usage, session duration (cookieless, no IP) | EU (PostHog EU cloud) |
| GitHub | Source code hosting, CI/CD, container registry | Application code, Docker images (no user data) | US (GitHub infrastructure) |
GDPR compliance
As a service available to users in the European Union, we are committed to complying with the General Data Protection Regulation (GDPR). Here is what we currently have in place:
What we provide
- Right to access: You can view your account information, learning history, and preferences from your account settings.
- Right to rectification: You can update your email, username, display name, and preferences at any time.
- Right to deletion: You can delete your account from your account settings. Account deletion synchronously removes all your data across all modules (learning history, chat sessions, reviews, quizzes, badges, streaks, graphs, and subscription). Active Stripe subscriptions are cancelled automatically before deletion. See our Privacy Policy for details on data retention.
- Data minimization: We only collect data necessary to provide the Service (account credentials, learning activity, payment information via Stripe).
- Lawful basis: We process data based on contractual necessity (providing the service you signed up for), legitimate interest (security, fraud prevention), and consent (optional email notifications). See the Notice to European users in our Privacy Policy for the full legal basis table.
- Data portability: You can export all your personal data in JSON format directly from your account settings. The export includes your profile, subscription, preferences, consent records, teachers, chat sessions, learning data, and engagement data (Art. 20).
- Consent records: We maintain an append-only audit log of consent changes, recording the consent type, granted/revoked status, IP address, and timestamp (Art. 7). Consent history is included in the data export.
What we are working on
- Cookie consent banner: We are implementing a cookie consent mechanism. See our Cookie Policy for current details.
- Formal DPA: We do not currently offer a formal Data Processing Agreement. If you require one, please contact us.
Data location
Our primary database is hosted in Germany (Hetzner Cloud, EU). Some data is processed by US-based sub-processors (Stripe, RunPod, SendGrid) as listed in the sub-processors table above. These providers maintain their own GDPR compliance programs and data protection measures.
Data backup and recovery
- Database backups are created automatically before each deployment, so the most recent backup reflects the database as it was at the last deployment rather than at a fixed interval.
- Backups are compressed and stored on the same server as the database. The last 7 backups are retained.
- We do not currently offer off-site or geographically redundant backups, so loss of the server would also lose its backups. Off-site backups are planned as the platform scales.
Reporting a vulnerability
If you discover a security vulnerability in Learnmeld, please report it responsibly by contacting us at [email protected]. Please include a description of the vulnerability and steps to reproduce it.
We do not currently operate a formal bug bounty program. We appreciate responsible disclosure and will acknowledge your report.