Privacy Policy

Effective Date: January 1, 2025

Last Updated: January 14, 2025

At Learnless, we are committed to protecting your privacy and ensuring transparency about how we collect, use, and safeguard your personal information. This Privacy Policy explains our data practices in compliance with applicable privacy laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other regional privacy regulations.

1. Information We Collect

1.1 Personal Information

  • Account Information: Name, email address, profile picture, and authentication data from Google, Twitter, or other supported OAuth providers
  • Profile Data: Username, bio, learning preferences, timezone, and public profile settings
  • Contact Information: Email address for communications, support, and notifications

1.2 Learning Content and Activity

  • User-Generated Content: Lessons, flashcards, notes, comments, wall posts, and other content you create or upload
  • Learning Progress: Study sessions, quiz results, spaced repetition data, gamification metrics (XP, levels, achievements), and learning analytics
  • Social Interactions: Wall posts, comments, reactions, and social connections within the platform

1.3 Technical and Usage Data

  • Device Information: Browser type, operating system, device identifiers, and screen resolution
  • Usage Analytics: Pages visited, features used, session duration, click patterns, and performance metrics
  • Log Data: IP address, access times, error logs, and security events
  • Cookies and Tracking: Session cookies, preference cookies, and analytics cookies (see Cookie Policy)

1.4 Communication Data

  • Push Notification Subscriptions: Device tokens and notification preferences
  • Email Communications: Email engagement data and communication preferences
  • Customer Support: Support tickets, chat logs, and correspondence

2. Legal Basis for Processing

We process your personal information based on the following legal grounds:

  • Contract Performance: To provide our learning platform services as outlined in our Terms of Service
  • Legitimate Interest: To improve our services, ensure platform security, and conduct analytics
  • Consent: For marketing communications, optional features, and certain data processing activities
  • Legal Obligation: To comply with applicable laws and regulations

3. How We Use Your Information

  • Service Provision: To operate and maintain the learning platform, process your learning content, and provide personalized experiences
  • Gamification and Progress Tracking: To calculate XP, levels, achievements, streaks, and provide learning analytics
  • Social Features: To enable wall posts, comments, public profiles, and community interactions
  • Communication: To send notifications, updates, educational content, and respond to support requests
  • Platform Improvement: To analyze usage patterns, optimize performance, and develop new features
  • Security and Fraud Prevention: To protect against unauthorized access, spam, and malicious activities
  • Legal Compliance: To comply with legal obligations and enforce our terms

4. Data Sharing and Third Parties

4.1 Service Providers

  • Supabase: Database hosting and backend services (Data Processing Agreement in place)
  • Netlify: Web hosting and content delivery
  • PostHog: Analytics and user behavior tracking (anonymized data)
  • Sentry: Error monitoring and performance tracking
  • Authentication Providers: Google and Twitter for OAuth authentication
  • Push Notification Services: Web Push API for browser notifications

4.2 Data Sharing Practices

We do not sell, rent, or trade your personal information. We may share data in the following circumstances:

  • Legal Requirements: When required by law, court order, or government request
  • Business Transfers: In connection with mergers, acquisitions, or asset sales (with notice)
  • Consent: When you explicitly consent to sharing with third parties
  • Public Content: Content you designate as public (wall posts, public profiles) may be visible to other users

5. Data Storage and Security

5.1 Data Storage

  • Location: Data is primarily stored in secure cloud infrastructure provided by Supabase
  • Retention: We retain data as long as your account is active or as needed to provide services
  • Backup: Regular automated backups are maintained for data recovery purposes

5.2 Security Measures

  • Encryption: Data in transit and at rest is encrypted using industry-standard protocols
  • Access Controls: Role-based access controls and Row Level Security (RLS) policies
  • Authentication: Secure OAuth authentication and session management
  • Monitoring: Continuous security monitoring and incident response procedures
  • Compliance: SOC 2 Type II compliant infrastructure through our service providers

6. Your Privacy Rights

6.1 Universal Rights

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and associated data
  • Data Portability: Receive your data in a structured, machine-readable format

6.2 GDPR Rights (EU/UK Users)

  • Objection: Object to processing based on legitimate interests
  • Restriction: Request restriction of processing under certain circumstances
  • Withdraw Consent: Withdraw consent for consent-based processing
  • Supervisory Authority: Right to file complaints with data protection authorities

6.3 CCPA Rights (California Users)

  • Know: Right to know what personal information is collected, used, shared, or sold
  • Delete: Right to request deletion of personal information
  • Opt-Out: Right to opt out of the sale of personal information (we do not sell data)
  • Non-Discrimination: Right to non-discriminatory treatment for exercising privacy rights

To exercise your rights, contact us at privacy@learn-less.com. We will respond within 30 days of receiving your request.

7. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential Cookies: Authentication, security, and core functionality
  • Analytics Cookies: Usage analytics and performance monitoring (PostHog)
  • Preference Cookies: Remember your settings and preferences

You can control cookies through your browser settings. Disabling certain cookies may limit platform functionality.

8. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Adequacy decisions where applicable
  • Service provider certifications and compliance programs

9. Children's Privacy

Our service is not intended for children under 13 years old. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us immediately.

10. Data Breach Notification

In the event of a data breach that may compromise your personal information, we will notify affected users within 72 hours of discovery and report to relevant supervisory authorities as required by law.

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes through email or platform notifications at least 30 days before the changes take effect. Continued use of our service after changes constitutes acceptance of the updated policy.

12. Contact Information