Privacy Policy

StudyDeck (“we”, “us”) is a study-card application built for teachers and the parents/students they support. We minimise the personal data we collect to what's needed to run the product, and we keep most of your work local to your device by design.

1. Who this policy covers

• Teachers and parents who hold a StudyDeck account (Google sign-in or license-key activation).
• Students whose flashcards, notes and progress are stored in StudyDeck by their teacher / parent.
• Visitors to the public marketing site.

2. What we collect

Account data (server-side)

• Google account email, display name, profile picture URL (only after you click Sign in with Google).
• Org name, tier, and role you choose during onboarding.
• Payment metadata from your chosen gateway (Razorpay / Paddle / Lemon Squeezy / manual bank transfer): last-4 digits, transaction reference, GSTIN if provided. Card numbers and bank account numbers never reach our servers.
• Audit log of admin actions and authentication events (IP address, action, timestamp). Retained 365 days.

Study content (mostly local)

• Cards, notes, vocabulary, mind maps, quiz answers and games progress are stored in your browser's localStorage by default.
• If you opt into cloud sync (Phase 7, opt-in toggle), the same data is mirrored to our server in encrypted-at-rest form so a second device can pick up where the first left off.

Operational data

• Server logs (request paths, status codes, timing, IP). Used for debugging and abuse detection. Retained 30 days.
• Error reports (stack trace, anonymised user agent). Retained 90 days.

What we do not collect

• We do not run advertising or behavioural-tracking pixels.
• We do not sell or rent your data to anyone, ever.
• We do not train AI models on your content.

3. How we use what we collect

• To run the product — render your dashboard, gate paid features by tier, deliver invoices.
• To prevent abuse — detect signup spikes, suspended users, and similar threshold rules from §9.4 of our internal spec.
• To support you — when you write to us via the contact channels below.
• To comply with law — tax invoices (GST), retention obligations, court orders.

4. AI providers

StudyDeck supports five AI providers (Anthropic, OpenAI, Groq, OpenRouter, Gemini). When you generate flashcards, notes or quizzes:

• The pasted source text plus a system prompt is sent to your configured provider (you control the keys, or you've chosen our managed pool).
• The provider's privacy policy applies to that request — review it on their site.
• We do not log the content of AI requests on our server. We log that a request happened (for credit metering) but not what was sent.

5. Cookies and similar storage

• Session cookie (HttpOnly, Secure, SameSite=Lax) — set after Google sign-in. Required for the product. Cleared on sign-out.
• OAuth state cookie — short-lived (10 min), CSRF protection during sign-in only.
• localStorage — your study content. Lives only in your browser. We don't access it server-side unless you opt into cloud sync.
• We do not set advertising or analytics cookies.

6. Children (under 13) — COPPA

StudyDeck is designed to be operated by a teacher or parent. Children under 13 must not create their own accounts.

• The student portal (Milestone B) uses a class code + PIN issued by the teacher — no email is collected from students under 13.
• If a parent enrols a child, we obtain verifiable parental consent via an email-challenge flow before any data is collected from the child.
• A parent may request access to or deletion of their child's data at any time via hello@theconsultant.chat.

7. Data retention

• Active accounts: data is retained while the subscription is active.
• Cancelled accounts: data is retained for 365 days by default, then archived and purged. The retention window is configurable per-tier; longer windows can be agreed contractually.
• Audit log: 365 days.
• Server logs: 30 days.
• Backups: encrypted at rest, retained 90 days, in a different region than primary.

8. Your rights

Under India's DPDP Act 2023, EU/UK GDPR, California's CCPA and similar regimes, you have rights to:

• Access — request a copy of your data. Available from /admin/orgs/:id/export for org admins, or by email request.
• Correct — fix inaccurate data via the in-app settings or by writing to us.
• Delete — request account + content deletion. We action within 30 days and confirm by email.
• Object to processing or withdraw consent — you can stop using the product at any time; we'll honour standing deletion requests.
• Portability — exports are provided as JSON.

9. International transfers

StudyDeck servers are hosted in India. If you're in the EU/UK, data transfers fall under Standard Contractual Clauses; we offer a Data Processing Agreement to organisations that need one. Customers should request the DPA before processing personal data of EU/UK data subjects.

10. Security

• TLS 1.3 in transit.
• AES-256-GCM at rest for encrypted secrets (API keys, payment webhook secrets).
• Ed25519 for offline license tokens.
• Audit log on every admin action.
• Backups encrypted at rest in a different region.

If you discover a vulnerability, please report it privately to hello@theconsultant.chat. We'll respond within 5 business days.

11. Changes to this policy

Material changes are announced via an in-app banner with a 30-day notice window before they take effect. Minor clarifications are reflected in the “Last reviewed” date at the top.

12. Contact

Privacy questions: hello@theconsultant.chat
Operator: StudyDeck (sole proprietorship), India.
Grievance officer (DPDP Act): same email; we'll route to a designated officer once one is appointed.