Privacy Policy
StudyDeck (“we”, “us”) is a study-card application built for teachers and the parents/students they support. We minimise the personal data we collect to what's needed to run the product. Since May 2026 the app is cloud-first: your study content is stored on our servers, tied to your account, so it follows you across devices.
1. Who this policy covers
- Teachers and parents who hold a StudyDeck account (Google sign-in).
- Students whose flashcards, notes and progress are stored in StudyDeck by their teacher / parent.
- Visitors to the public marketing site.
2. What we collect
Account data (server-side)
- Google account email, display name, profile picture URL (only after you click Sign in with Google).
- Org name, tier, and role you choose during onboarding.
- Payment metadata from your chosen payment path (Razorpay or manual bank / UPI transfer): transaction reference, last-4 digits where the gateway provides it, GSTIN if provided. Card numbers and bank account numbers never reach our servers.
- Audit log of admin actions and authentication events (IP address, action, timestamp). Retained 365 days.
Study content (stored on our servers)
- Cards, notes, vocabulary, mind maps, quizzes, worksheets, practice decks and study progress are stored server-side against your account — the app went cloud-only in May 2026, so there is no browser-side copy of your content. It syncs automatically to any device you sign in on.
- Images generated for your cards, vocabulary and mind maps are stored as files in our object storage (Cloudflare R2) and referenced by URL from your content.
- Files you upload for auto-import (PDFs, photos, ZIP archives) are kept on our server only while the import runs and are deleted when the job completes, fails, or is cancelled.
Operational data
- Server logs (request paths, status codes, timing, IP). Used for debugging and abuse detection. Retained 30 days.
- Error reports — server-side errors plus bounded error reports the app itself sends when something breaks (error message, stack trace, page, IP, user agent). Retained 90 days.
- AI call log — for managed-pool AI requests we record the prompt sent and the response received, alongside provider, model, duration and credit cost. Used for support, billing accuracy, abuse review and quality debugging; accessible to the operator only. Bring-your-own-key requests never touch our servers — see §4.
Marketing-site analytics (cookieless, first-party)
Our public marketing pages (home, compare, install) carry a small first-party beacon so we can see the site's reach. It sets no cookie and sends nothing to third parties. Per visit we store: the page path, the referrer hostname (never the full URL), campaign tags from the link you clicked (utm_*), whether a buy / open-app button was clicked, a coarse country code, coarse device / browser / OS buckets, and a visitor token that is a one-way hash of IP + browser + the UTC date + a server secret. The token rotates every day, so it can count “unique visitors today” but cannot follow a person across days. Your IP address and raw user-agent are used transiently to derive these values and are never stored. Search-engine and AI crawlers are detected and counted separately by their public crawler name. The logged-in app, the kid kiosk and the student surfaces carry no analytics at all.
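The daily-rotating visitor token described above, written out as an added example (not StudyDeck's own code): it keys the hash with a server secret so the same visitor collides within a UTC day but not across days, and it strips the referrer to its hostname before anything is stored. HMAC-SHA256, the `|` field separator and the constructed secret are assumptions.

```python
"""Cookieless, daily-rotating visitor token in the style described in the policy.

Added illustration only. Assumptions: HMAC-SHA256 as the one-way hash,
a server-held secret, and a caller that has already bucketed the UA.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Constructed secret for the example; a deployment would load it from a secret store.
SERVER_SECRET = b"example-server-secret-rotate-me"


def visitor_token(ip: str, user_agent: str, utc_day: str, secret: bytes = SERVER_SECRET) -> str:
    """One-way token over IP + browser + UTC date (ISO 'YYYY-MM-DD') + server secret.

    Because the date is inside the keyed input, the same visitor yields a
    different token tomorrow, so tokens cannot be chained across days. Because
    the secret is inside, a stored token cannot be reversed by hashing guessed
    IP/UA pairs without it.
    """
    msg = f"{ip}|{user_agent}|{utc_day}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def referrer_host(referrer: Optional[str]) -> Optional[str]:
    """Keep only the referrer hostname; path and query string (which may
    carry search terms or tokens) are discarded before storage."""
    if not referrer:
        return None
    host = urlsplit(referrer).hostname
    return host.lower() if host else None


def beacon_record(ip: str, user_agent: str, referrer: Optional[str], path: str,
                  now: Optional[datetime] = None) -> dict:
    """The per-visit record that is actually persisted. Raw IP and user agent
    are consumed transiently here and do not appear in the returned record."""
    now = now or datetime.now(timezone.utc)
    return {
        "path": path,
        "referrer_host": referrer_host(referrer),
        "visitor": visitor_token(ip, user_agent, now.date().isoformat()),
    }
```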
What we do not collect
- We do not run advertising or behavioural-tracking pixels.
- We do not sell or rent your data to anyone, ever.
- We do not train AI models on your content.
3. How we use what we collect
- To run the product — render your dashboard, gate paid features by tier, deliver invoices.
- To prevent abuse — detect signup spikes, runaway AI usage, and rate-limit violations; enforce account suspensions.
- To support you — when you write to us via the contact channels below.
- To comply with law — tax invoices (GST), retention obligations, court orders.
4. AI features and providers
AI generation runs in one of two modes, depending on your plan:
- Managed pool (default on most plans) — your request is sent from our server to one of the AI providers we have configured. For text these currently include Anthropic, OpenAI, Google Gemini, Groq and OpenRouter; for images, providers such as OpenAI, Google, Together AI, Recraft, Stability AI, Replicate, Black Forest Labs, Leonardo and Pollinations. The active set can change over time. Each provider's own privacy policy applies to that request. We meter usage in credits and, for managed requests, we log the prompt and response on our server for support, abuse review and quality debugging (see §2).
- Bring-your-own-key (Private Teacher plans) — your browser calls the provider directly with your own API key. The request content never touches our servers, and we don't meter or log it.
By design, every generation prompt instructs the model to use only the source material you pasted or uploaded — never outside knowledge.
Cross-customer caches (no personal data)
- Vocabulary dictionary — the generic definition, example sentence and illustration generated for a word are cached and reused for any customer who asks for the same word. These entries are generic dictionary content; they contain no personal data and none of your own writing.
- Concept dictionary (optional feature, off by default) — we count which abstract concept identifiers (e.g. biology::photosynthesis) are generated across accounts. Your actual card wording is never shared: a shared “canonical” card is only ever created by a fresh machine generation, and only once a concept has appeared independently in 3+ unrelated accounts.
5. Cookies and similar storage
- Session cookie (HttpOnly, Secure, SameSite=Lax) — set after Google sign-in. Required for the product. Cleared on sign-out.
- OAuth state cookie — short-lived (10 min), CSRF protection during sign-in only.
- Browser storage — the app keeps a few transient UI preferences in sessionStorage (e.g. a dismissed banner, a collapsed panel), and the marketing site remembers your colour-theme pick in localStorage. Your study content is not stored in the browser — it lives on our servers against your account (see §2).
- We set no advertising or analytics cookies. Marketing-page analytics are cookieless (see §2).
6. Children (under 13) — COPPA
StudyDeck is designed to be operated by a teacher or parent. Children under 13 must not create their own accounts.
- The kid kiosk at /web requires no account and no login from the child — a parent pushes a study session to it from their own phone, the content lives only in the kiosk's memory for that session, and the page carries no trackers. If the optional progress-sync feature is enabled, the child's Know/Revise taps are stored inside the parent's own account, scoped per student.
- The student portal (Milestone B) uses a class code + PIN issued by the teacher — no email is collected from students under 13.
- If a parent enrols a child, we obtain verifiable parental consent via an email-challenge flow before any data is collected from the child.
- A parent may request access to or deletion of their child's data at any time. Use the child-data deletion form or email hello@theconsultant.chat. We aim to complete such requests within 7 days.
7. Data retention
- Active accounts: data is retained while the subscription is active.
- Cancelled accounts: data is retained for 365 days by default, then archived and purged. We email the account owner 7 days before deletion so you can re-subscribe (we restore from the archive) or extend the window if you need more time. The retention window is configurable per-tier; longer windows can be agreed contractually.
- Audit log: 365 days.
- Server logs: 30 days.
- Backups: encrypted at rest, retained 90 days, in a different region than primary.
8. Your rights
Under India's DPDP Act 2023, EU/UK GDPR, California's CCPA and similar regimes, you have rights to:
- Access — request a copy of your data. Available from /admin/orgs/:id/export for org admins, or by email request.
- Correct — fix inaccurate data via the in-app settings or by writing to us.
- Delete — request account + content deletion from the in-app Settings (or by email). The account enters a 30-day recovery window during which you can cancel the request; it is then purged and we confirm by email.
- Object to processing or withdraw consent — you can stop using the product at any time; we'll honour standing deletion requests.
- Portability — exports are provided as JSON.
9. International transfers
StudyDeck servers are hosted in India. If you're in the EU/UK, data transfers fall under Standard Contractual Clauses; we offer a Data Processing Agreement to organisations that need one. Customers should request the DPA before processing personal data of EU/UK data subjects.
10. Security
- TLS 1.3 in transit.
- AES-256-GCM at rest for encrypted secrets (API keys, payment webhook secrets, storage credentials).
- Per-user and per-IP rate limits on write and AI surfaces; account-level suspension and kill switches for abuse.
- Audit log on every admin action — including any time the operator opens an account “as the user” for support, which is recorded in the audit trail and shown to you with an in-app banner while it is active.
- Backups encrypted at rest in a different region.
If you discover a vulnerability, please report it privately to hello@theconsultant.chat. We'll respond within 5 business days.
11. Changes to this policy
Material changes are announced via an in-app banner with a 30-day notice window before they take effect. Minor clarifications are reflected in the “Last reviewed” date at the top.
12. Contact
Privacy questions: hello@theconsultant.chat
Operator: StudyDeck (sole proprietorship), India.
Grievance officer (DPDP Act): same email; we'll route to a designated officer once one is appointed.