Privacy Policy

Personal information we collect

Information you provide

Account information. When you create an account, we collect your email address, username, and a password (stored as a cryptographic hash — we never store your password in plain text). You may also provide a display name.

Learning content. We collect the messages you send during AI tutoring sessions, teacher configurations you create (subjects, teaching styles, personalities), quiz responses, review answers, and error review sessions.

Payment information. When you subscribe to a paid plan, payment information (such as your card number) is collected and processed directly by our payment processor, Stripe. We do not receive or store your full payment card details. We receive only a transaction identifier and subscription status from Stripe.

Communications. If you contact us by email (e.g., at [email protected]), we receive your email address and the contents of your message. These are stored in our email provider (Zoho Mail).

Information collected automatically

Server logs. Our infrastructure (Cloudflare, nginx) automatically logs IP addresses and request metadata for security and operational purposes.

Product analytics. We use PostHog (EU data residency) to understand how users interact with the Service. PostHog collects: pages visited, features used, session duration, and general device information (browser type, screen size). We operate PostHog in cookieless mode — no cookies are set on your device. IP addresses are not stored. We respect the Do Not Track (DNT) browser setting. PostHog data is processed in the European Union.

Token usage. We track the number of AI tokens (input and output) consumed by your account for billing and usage limit enforcement.

Tracking technologies

We use minimal browser storage:

• Authentication token — A JSON Web Token (JWT) stored in your browser's local storage to maintain your logged-in session. This is essential for the Service to function.

Your preferences — theme (light, dark, or system), token usage display format (friendly or detailed), and email notification settings (usage warnings, weekly summaries, review reminders) — are stored server-side in your account, not in browser cookies.

We do not use advertising cookies, third-party tracking pixels, or analytics services that track you across other websites. Our analytics (PostHog) operates in cookieless mode and does not set any cookies on your device.

How we use your personal information

We use the personal information we collect to:

Service delivery

• Create and manage your account and preferences
• Provide personalized AI tutoring based on your teacher configurations
• Generate quizzes and review materials using AI
• Provide error analysis and Socratic hints (Explain My Error)
• Schedule spaced repetition reviews and build knowledge graphs
• Track learning progress, streaks, and badges
• Process payments and manage subscriptions
• Enforce usage limits based on your subscription tier
• Send email notifications (usage warnings, weekly summaries, review reminders)

Service improvement

• Analyze feature usage patterns to improve the learning experience
• Understand onboarding completion rates and identify friction points
• Monitor product performance and error rates

Security and operations

• Monitor server logs for errors, abuse, and security incidents

Legal and compliance

We may also use your personal information when necessary to:

• Comply with applicable laws and legal obligations (e.g., tax record retention)
• Enforce our Terms of Service (e.g., suspend accounts that violate usage rules)
• Protect against fraud or abuse (e.g., detecting circumvention of subscription limits)

Data retention

We retain your personal information for as long as your account is active and as needed to provide the Service. Specifically:

• Account data — Retained while your account exists. Deleted when you delete your account.
• Learning data (chat history, teachers, reviews, quizzes, progress, badges) — Deleted when you delete your account.
• Billing records — Stripe retains payment records in accordance with their retention policy. We retain subscription status data for as long as your account exists.
• Server logs — Retained for 7 days, then automatically deleted.

How we share your personal information

We do not sell your personal information. We share personal information with the following categories of third parties, strictly as needed to operate the Service:

Service providers

Legal requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business transfers

If Learnmeld is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change.

Your choices

Access and update. You can access and update your account information at any time through your account settings.

Email preferences. You can opt out of weekly summary emails from your notification preferences. Transactional emails (verification, password reset, critical account alerts) cannot be opted out of while your account is active.

Delete your account. You can delete your account from your account settings. This will permanently remove your user profile and all associated data across all modules (learning history, chat sessions, reviews, quizzes, badges, streaks, graphs, and subscription). Active Stripe subscriptions are cancelled automatically.

Data export. You can export all your personal data in JSON format directly from your account settings. The export includes your profile, subscription details, preferences, consent records, teachers, chat sessions, learning data, and engagement data. This feature is rate-limited to one export per 24 hours. You may also contact us at [email protected] for assistance.

Consent tracking. We maintain an append-only audit log of your consent changes (e.g., when you enable or disable email notifications). You can view your consent history as part of the data export.

Other sites and services

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party services you visit.

Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encrypted connections (TLS/HTTPS) for all data in transit
• Cryptographic password hashing (bcrypt)
• JWT-based authentication with token expiration
• Database access restricted to application services only
• Infrastructure hosted in European data centers (Hetzner, Germany)

No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

International data transfer

Our primary infrastructure is hosted in the European Union (Hetzner, Germany). Some of our service providers (Stripe, SendGrid, RunPod, Cloudflare) are US-based companies that may process data outside the EU. These providers maintain their own GDPR compliance programs, including Standard Contractual Clauses and data protection frameworks. See each provider's privacy policy for details on their data transfer safeguards.

Children

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please contact us at [email protected] and we will take steps to delete it.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email prior to the change becoming effective. We encourage you to review this page periodically. The "Last updated" date at the top indicates when this policy was last revised.

How to contact us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

• Email: [email protected]

Notice to European users

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional information applies to you.

Legal bases for processing

We process your personal information on the following legal bases under the GDPR:

Your rights under the GDPR

You have the following rights with respect to your personal information:

• Access — Request a copy of the personal information we hold about you.
• Rectification — Request that we correct inaccurate or incomplete personal information.
• Erasure — Request that we delete your personal information. You can also initiate this from your account settings.
• Restriction — Request that we restrict processing of your personal information in certain circumstances.
• Data portability — Request your personal information in a structured, commonly used, and machine-readable format.
• Objection — Object to our processing of your personal information where we rely on legitimate interest as the legal basis.
• Withdraw consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.