Privacy Policy

Personal Information

We collect information you provide directly to us, such as:

• Name and contact information
• Job title and department
• Organization details
• Account credentials
• Profile information and preferences
• Employee ID (when provided by your organization)
• Manager and team information

Learning Platform Integration Data

When your organization integrates third-party learning platforms:

• xAPI statements from Udemy, Coursera, LinkedIn Learning
• Course enrollment and completion data
• External certifications and badges
• Learning activity timestamps and duration

Usage Information

We automatically collect certain information about your use of our platform:

• Learning progress and completion data
• Assessment results and performance metrics
• Platform usage patterns and preferences
• Device and browser information
• IP address and location data

With Your Organization

Your organization's administrators may have access to your learning progress, assessment results, and other performance data for training and development purposes.

Service Providers

We use carefully selected sub-processors to help deliver our services:

• Supabase (Database hosting and authentication) - United States
• Vercel (Application hosting and edge functions) - Global CDN
• Cloudflare (DNS, CDN, and DDoS protection) - Global
• Resend (Transactional email services) - United States
• Sentry (Error monitoring and performance tracking) - United States
• Hugging Face (AI inference for quiz generation, optional) - United States
• OpenRouter (AI API routing, optional) - United States

All sub-processors are bound by data processing agreements and appropriate safeguards.

Legal Requirements

We may disclose information if required by law or to protect our rights, property, or safety, or that of our users or the public.

Encryption and Data Protection

• AES-256-GCM encryption for sensitive credentials (API keys, integration secrets) using PBKDF2/scrypt key derivation
• TLS encryption for all data in transit (provided by Vercel and Cloudflare)
• Database encryption at rest provided by Supabase (PostgreSQL transparent data encryption)
• Encryption keys stored in environment variables with mandatory configuration enforcement

Access Controls and Authentication

• Multi-factor authentication (MFA) available via email one-time passwords
• Role-based access control (RBAC) with four roles: Owner, Admin, Manager, Learner
• JWT-based session management with configurable expiration
• Organization-scoped access enforcement via middleware
• Password hashing using bcrypt with appropriate cost factors

Infrastructure Security

• Cloudflare DDoS protection and DNS security
• Rate limiting on API endpoints to prevent abuse
• Vercel serverless deployment with automatic security patching
• Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
• Automated dependency vulnerability scanning via npm audit

Multi-Tenant Security Architecture

• Complete tenant data separation using UUID-based organization isolation
• Row-level security (RLS) policies enforced at the database level to prevent cross-tenant access
• Subdomain-based tenant isolation with middleware enforcement
• Organization-scoped API queries validated on every request

Monitoring and Incident Response

• Sentry error monitoring and performance tracking for application issues
• Vercel deployment logs and analytics for infrastructure monitoring
• Supabase database monitoring and automated backups
• Incident response procedures for data breach notification (see Section 10)

How We Use AI

• AI-powered quiz generation based on course titles, descriptions, and curriculum data
• Learning content recommendations based on enrollment history and progress
• Analytics insights derived from aggregated learning activity data

What Data Is Sent to AI Providers

• Course titles, descriptions, and curriculum structure (for quiz generation)
• No personally identifiable information (names, emails, employee IDs) is sent to AI providers
• AI requests are made over HTTPS encrypted connections
• AI providers (Hugging Face, OpenRouter) have their own privacy policies governing data handling

AI Providers and Data Protection

• Hugging Face Inference API - used for AI text generation (free tier)
• OpenRouter - used as an AI API routing service for model access
• AI providers are selected based on their data handling policies and terms of service
• We do not use AI providers that train on customer input data

Your Rights Regarding AI

• AI-generated quizzes are reviewed and editable by administrators before assignment
• Learning recommendations are suggestions only and do not restrict access to content
• You may contact us to inquire about how AI features affect your learning experience

GDPR Rights (European Economic Area)

• Access: Request a copy of your personal information
• Rectification: Request correction of inaccurate information
• Erasure: Request deletion (subject to legal retention requirements)
• Portability: Receive your data in a machine-readable format
• Restriction: Request limitation of processing
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent where processing is consent-based
• Automated Decision-Making: Right not to be subject to automated decisions
• Lodge a Complaint: File a complaint with your supervisory authority

CCPA Rights (California Residents)

• Right to Know: Request disclosure of personal information collected
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: We do not sell personal information
• Right to Non-Discrimination: Equal service regardless of privacy choices

Categories of Personal Information Collected: Identifiers, professional information, education information, commercial information, internet activity, and inferences.