Privacy Policy

1. Introduction

LearnGood ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose your personal data when you use our website and services. This policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (UK DPA), and the EU General Data Protection Regulation (GDPR).

2. Data Controller

For the purposes of applicable data protection legislation, the data controller is LearnGood. You may contact us regarding data protection matters at [email protected].

3. Data We Collect

We collect and process the following categories of personal data:

• Account Information: Your email address, name (if provided), and hashed password credentials, collected during account registration and managed by our authentication provider (Supabase Auth).
• User Content: Documents (PDFs, DOCX, TXT, and other files) that you voluntarily upload to the Platform for processing. These files are stored in Supabase Storage.
• Generated Learning Data: Knowledge graphs, quiz results, notebook entries, and progress data generated from your interactions with the Platform, stored in our Supabase PostgreSQL database.
• Payment Information: Billing details processed by Stripe. We do not directly store credit card numbers, CVVs, or full payment credentials on our servers. Stripe acts as an independent data controller for payment data.
• Usage Metadata: Subscription tier, compute credit consumption, and feature usage patterns for service analytics and billing.
• Technical Data: IP address, browser type, and device information collected automatically during access for security and rate-limiting purposes.

4. How We Use Your Data

We process your personal data on the following lawful bases:

• Contract Performance (Art. 6(1)(b) GDPR): To provide the Services you subscribed to, including generating personalised learning materials from your uploaded content.
• Legitimate Interest (Art. 6(1)(f) GDPR): To maintain platform security (rate limiting, fraud prevention), analyse usage patterns for service improvement, and provide customer support.
• Consent (Art. 6(1)(a) GDPR): For optional cookies and communications. You may withdraw consent at any time.
• Legal Obligation (Art. 6(1)(c) GDPR): To comply with tax, billing, and regulatory requirements.

5. AI Processing and Third-Party Data Transfers

Your uploaded documents and learning interactions are processed by Google Cloud Vertex AI (Gemini models) hosted on Google Cloud Platform infrastructure. This means your User Content is transmitted to Google Cloud servers for the purpose of generating learning materials.

• Google Cloud processes this data as a data processor under our instructions and is bound by Google Cloud's Data Processing Addendum.
• Google does not use your data submitted via the Vertex AI API to train its foundation models.
• Data may be processed in data centers located in the United States and the European Economic Area, subject to appropriate safeguards (Standard Contractual Clauses).

6. Third-Party Service Providers

We share data with the following categories of processors:

7. Data Retention

• Account Data: Retained for the duration of your active account. Upon account deletion, your personal data is erased within 30 days.
• Uploaded Documents: Stored in Supabase Storage while your account is active. Deleted within 30 days of account closure or upon your explicit request.
• Generated Learning Content: Knowledge graphs, quiz results, and notebook data are deleted alongside your account.
• Billing Records: Retained for up to 7 years as required by applicable tax law.
• Server Logs: IP addresses and rate-limiting data are retained in-memory only and are not persisted to disk.

8. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights with respect to your personal data:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of any inaccurate personal data.
• Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
• Right to Object (Art. 21): Object to the processing of your data based on legitimate interests.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please email [email protected]. We will respond within one calendar month of receiving your request.

9. Cookies

We use the following categories of cookies and local storage:

• Strictly Necessary: Supabase session cookies for authentication. These are essential for the Service to function and cannot be disabled.
• Functional: UI preferences (e.g., dark mode, layout mode) stored in localStorage via NanoStores. These do not track users across websites.

We do not use third-party advertising or analytics tracking cookies. For details, see our cookie consent banner.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption in transit, row-level security policies on our database, IP-based rate limiting on API endpoints, and secure authentication via Supabase Auth with bcrypt password hashing.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Platform at least 30 days before they take effect.