Legal
Privacy Policy
What data POLYPRO collects, why we collect it, who we share it with, and the rights you have.
Last updated: 2026-05-22We aim for transparency — if anything is unclear, contact privacy@polypro-academy.com.
1. Data we collect
- Account data: name, email, password (hashed), country, phone (optional), CEFR level, preferred language.
- Learning data: lesson progress, exercise attempts, quiz scores, AI conversation history, placement-test answers.
- Payment data: handled by Stripe; we store only the payment intent ID and a snapshot of the transaction.
- Technical data: IP address, browser/user-agent, page paths visited (for audit logging).
2. Why we collect it
- Deliver the learning experience (track progress, unlock content, grade exercises).
- Provide AI tutoring (conversation history is needed for the model to remember context).
- Process payments (Stripe legal requirement).
- Detect abuse and protect the platform (audit logs).
- Send transactional emails: account verification, password reset, payment receipts.
3. Legal basis (GDPR)
- Performance of contract — for account, learning, and payment data.
- Legitimate interest — for audit logs and abuse prevention.
- Consent — for marketing emails (opt-in only; you can opt out anytime).
4. Data sharing
- We do not sell your data.
- Sub-processors we use: Stripe (payments), Resend (transactional email), Google Gemini & ElevenLabs & Azure (AI providers — anonymized prompts where possible).
- We may disclose data if compelled by law or to protect platform safety.
5. Data retention
- Account data is retained while your account is active and for 12 months after deletion (for legal/tax reasons).
- Payment receipts are retained for 10 years (tax compliance).
- AI conversation history is retained for 90 days unless required for ongoing learning context.
- Audit logs are retained for 24 months.
6. Your rights
- Access — request a copy of your data (Settings → Export data).
- Rectification — edit your profile anytime.
- Erasure — delete your account (Settings → Delete account). Some data is retained as noted above.
- Portability — receive your data in a machine-readable format.
- Objection — withdraw consent for marketing or AI processing.
7. Cookies
- We use strictly-necessary cookies for authentication (JWT tokens) and affiliate tracking (30-day first-touch attribution).
- We do not use third-party analytics cookies by default.
- See our Cookie Policy for details.
8. Security
- Passwords are hashed with Argon2id.
- JWT tokens are signed with HS256 and rotated.
- Data in transit is encrypted with TLS 1.3.
- Database backups are encrypted at rest.
9. Contact
- For privacy questions, write to privacy@polypro-academy.com.
- EU users can lodge a complaint with their local Data Protection Authority.
Questions? Email privacy@polypro-academy.com. We respond within 30 days as required by GDPR.
