Privacy Policy

Last updated: December 30, 2025

GDPR-Compliant Privacy Policy

Important: This Privacy Policy complies with Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and other applicable EU data protection laws. If you are located in the EU, you have specific rights regarding your personal data as outlined below.

1. Data Controller

Data Controller: Gradis AI Tutor
Email: privacy@gradis.ai
Data Protection Officer: dpo@gradis.ai
Address: [Your Company Address]

If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer at the email address above.

2. Information We Collect

2.1 Personal Information

We collect the following personal information:

  • Account Information: Name, email address, password (hashed)
  • Profile Information: Phone number, country, region, bio, career goals, hobbies, preferred examples domain, timezone
  • Usage Data: Lesson progress, chat history, challenge submissions, time spent on platform
  • Technical Data: IP address, browser type, device information, operating system
  • Cookies and Tracking: See our Cookie Policy below

2.2 How We Collect Information

  • Directly from you when you register, update your profile, or use the Service
  • Automatically through your use of the Service (cookies, logs, analytics)
  • From third-party services (if you connect social accounts or use OAuth)

3. How We Use Your Information

We use your personal data for the following purposes:

  • Service Provision: To provide, maintain, and improve the AI tutoring service
  • Personalization: To personalize your learning experience based on your profile and preferences
  • Progress Tracking: To track your learning progress and provide feedback
  • Communication: To send you service-related notifications and updates
  • Support: To respond to your inquiries and provide customer support
  • Security: To protect the security and integrity of the Service
  • Legal Compliance: To comply with legal obligations and enforce our Terms
  • Analytics: To analyze usage patterns and improve our Service

4. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal bases:

  • Consent: When you provide explicit consent (e.g., for marketing communications)
  • Contract Performance: To fulfill our contract with you (providing the Service)
  • Legitimate Interests: For service improvement, security, and fraud prevention
  • Legal Obligation: To comply with applicable laws and regulations

You have the right to withdraw consent at any time where we rely on consent as the legal basis. Withdrawal will not affect the lawfulness of processing before withdrawal.

5. Data Sharing and Transfers

5.1 Third-Party Service Providers

We may share your data with trusted service providers who assist us in operating the Service:

  • Cloud hosting providers (e.g., AWS, Vercel)
  • AI service providers (e.g., Anthropic, OpenAI) for processing your educational interactions
  • Analytics providers (e.g., Google Analytics): anonymized data only
  • Email service providers for sending notifications

5.2 International Data Transfers

Some of our service providers may be located outside the European Economic Area (EEA). When we transfer your data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other appropriate safeguards as required by GDPR

5.3 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of Access: You can request a copy of your personal data we hold
  • Right to Rectification: You can request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data
  • Right to Restrict Processing: You can request we limit how we use your data
  • Right to Data Portability: You can request your data in a structured, machine-readable format
  • Right to Object: You can object to processing based on legitimate interests
  • Right to Withdraw Consent: Where we rely on consent, you can withdraw it at any time
  • Right to Lodge a Complaint: You can file a complaint with your local supervisory authority

To exercise any of these rights, please contact us at privacy@gradis.ai or use the data management features in your account settings.

We will respond to your request within one month. If your request is complex, we may extend this period by up to two additional months, and we will inform you of this extension.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

  • Account Data: Retained while your account is active and for 3 years after account deletion for legal compliance
  • Usage Data: Retained for 2 years for analytics and service improvement
  • Chat History: Retained for 1 year to provide continuity in your learning journey
  • Legal Records: Retained as required by law (typically 7 years for financial records)

After the retention period, we will securely delete or anonymize your personal data, unless we are required to retain it for legal purposes.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit (TLS) and at rest
  • Secure password hashing (bcrypt)
  • Regular security audits and vulnerability assessments
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response procedures

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

  • Maintain your session and authentication
  • Remember your preferences
  • Analyze usage patterns (anonymized)
  • Improve our Service

You can control cookies through your browser settings. However, disabling cookies may affect the functionality of the Service.

We use the following types of cookies:

  • Essential Cookies: Required for the Service to function
  • Analytics Cookies: Help us understand how users interact with the Service
  • Preference Cookies: Remember your settings and preferences

10. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information.

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR)
  • Notify affected users without undue delay if the breach poses a high risk
  • Provide information about the nature of the breach and recommended protective measures

12. Contact Information and Supervisory Authority

For privacy-related inquiries or to exercise your rights, contact us:

Email: privacy@gradis.ai
Data Protection Officer: dpo@gradis.ai
Address: [Your Company Address]

Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, you can find your authority at: https://edpb.europa.eu/about-edpb/board/members_en

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a prominent notice on the Service. The "Last updated" date at the top indicates when this policy was last revised.

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

Your Privacy Matters: We are committed to protecting your personal data and respecting your privacy rights. This policy is designed to be transparent about our data practices and comply with GDPR and other applicable EU regulations.