PRIVACY POLICY

LAST UPDATED: APRIL 8, 2026

This Privacy Policy explains how Elumnos collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. DATA CONTROLLER

Elumnos is the data controller responsible for your personal data collected through this Platform. For privacy-related enquiries, please contact:

Elumnos — Data Protection
privacy@elumnos.com

2. DATA WE COLLECT

Account Data: When you register, we collect your name, email address, and a hashed (bcrypt) password. We never store your password in plain text.

Learning Activity Data: We record your progress through lectures, time spent on each lecture, quiz and review session results, notes you create, and AI tutor interaction history (questions you ask, answers you receive).

Technical Data: We collect session tokens (HTTP-only cookies managed by Auth.js) necessary to authenticate your sessions. We do not use third-party analytics, advertising pixels, or tracking SDKs.

AI Interaction Data: When you use AI-powered features (Chat, Guided Lesson, Quick Recall), your messages and the AI's responses are processed by Anthropic, PBC. We transmit only the minimum necessary context (lecture content excerpt, concept name) alongside your query. This data is subject to Anthropic's privacy policy.

Data We Do Not Collect: We do not collect payment card details (handled by payment processors), precise location data, biometric data, or data about your activities outside our Platform.

3. LEGAL BASIS FOR PROCESSING (GDPR ARTICLE 6)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing your account data and learning activity to provide the educational services you have enrolled in
  • Legitimate interests (Art. 6(1)(f)): Improving the Platform, detecting abuse, and ensuring security — balanced against your interests and fundamental rights
  • Legal obligation (Art. 6(1)(c)): Retaining transaction records where required by applicable law
  • Consent (Art. 6(1)(a)): For non-essential cookies, where you have given explicit consent via our cookie banner

4. HOW WE USE YOUR DATA

We use your data to:

  • Authenticate your identity and maintain your session
  • Deliver personalised learning content and track your progress
  • Generate spaced repetition schedules based on your review performance (SM-2 algorithm, processed locally on our servers)
  • Power AI tutor features by sending relevant context to Anthropic's API
  • Send service-related communications (account verification, security alerts)
  • Generate certificates and diplomas based on your completion data
  • Analyse aggregate, anonymised usage patterns to improve the Platform

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

5. DATA SHARING AND THIRD-PARTY PROCESSORS

We share your data only with the following categories of processors, each bound by data processing agreements:

  • Anthropic, PBC (USA): AI model provider for chat and guided lesson features. Data transfers to the USA are covered by standard contractual clauses. Anthropic processes query text and receives no more data than is necessary to generate a response.
  • Hosting provider: Our infrastructure provider stores Platform data within the European Economic Area (EEA).
  • Payment processor: For paid subscriptions, your payment is handled by our payment processor, which operates as an independent data controller for payment data.

We will disclose your data to law enforcement or regulatory authorities only when legally compelled to do so, and will notify you where permitted by law.

6. INTERNATIONAL DATA TRANSFERS

When you use AI-powered features, your query data is transferred to Anthropic in the United States. This transfer is lawful under GDPR Chapter V by virtue of standard contractual clauses (SCCs) adopted by the European Commission.

All other personal data is stored and processed within the EEA.

7. DATA RETENTION

We retain your personal data for as long as your account is active or as needed to provide services. Specific retention periods:

  • Account data: Retained until you delete your account, plus 30 days to allow for recovery
  • Learning activity and progress: Retained for the duration of your account
  • Notes: Retained until you delete them or your account is deleted
  • AI chat logs: Session data is not stored beyond your browser session; server-side logs are retained for 7 days for security purposes and then deleted
  • Authentication logs: Retained for 90 days for security monitoring
  • Transaction records: Retained for 7 years as required by applicable tax law

8. YOUR RIGHTS UNDER GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@elumnos.com:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you
  • Right to rectification (Art. 16): Correct inaccurate or incomplete personal data
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
  • Right to restriction (Art. 18): Request we restrict processing of your data in certain circumstances
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint: You have the right to lodge a complaint with your national data protection authority (in Sweden: Integritetsskyddsmyndigheten, imy.se)

We will respond to your request within 30 days. We may request proof of identity before processing requests.

9. DATA SECURITY

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords hashed using bcrypt (cost factor 12)
  • TLS/HTTPS encryption for all data in transit
  • HTTP-only session cookies with SameSite=Lax attribute
  • Regular security reviews
  • Access controls limiting staff access to personal data on a need-to-know basis

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you directly without undue delay.

10. COOKIES

We use cookies to operate the Platform. For detailed information on the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy.

11. CHILDREN'S PRIVACY

The Platform is not directed at children under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a child under 18, we will delete it promptly. If you believe we have inadvertently collected such data, please contact us at privacy@elumnos.com.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of significant changes by email and will update the "Last Updated" date at the top of this page. Your continued use of the Platform following notification constitutes acceptance of the updated Policy.

13. CONTACT AND COMPLAINTS

For any privacy-related questions, requests, or complaints, contact our Data Protection team at:

privacy@elumnos.com

If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY)
imy.se
Box 8114, 104 20 Stockholm, Sweden