2. Data We Collect: We collect personal data when you create an account, visit our site, or interact with our services and social media.

Account data: name, email, profile image URL, and user ID from Clerk (we do not store passwords).

Uploads: PDF, DOCX, PPTX, XLSX, TXT, JPG, PNG, GIF, WEBP. Uploads are stored temporarily for processing, then deleted immediately after usage.

AI processing: To provide AI features, we send prompts and necessary excerpts of your materials to OpenAI as our processor. We configure our use so OpenAI does not use your data to train their models. OpenAI may retain limited logs for a short period for safety/abuse prevention. See: https://openai.com/enterprise-privacy.

3. How We Use Your Data:

• To provide and maintain our services (including AI features)
• To ensure security and prevent abuse
• To comply with legal obligations

4. Legal Basis for Processing (GDPR):

• Performance of a contract (account, subscriptions, providing requested features, including AI processing)
• Compliance with legal obligations (billing/tax)
• Our legitimate interests (e.g., security, preventing fraud, service integrity)
• Your consent (e.g., analytics/marketing cookies via our consent tool)

5. Sharing Your Information:

• Stripe – for payment processing
• OpenAI – for AI-powered features
• Clerk – for authentication and account management
• Vercel & Neon.tech – hosting and database (Neon DB in AWS Europe (Frankfurt))
• AWS S3 – temporary file storage for uploads (auto-cleanup)
• Google & Facebook – optional login and integrations
• Other service providers under data processing agreements, bound by confidentiality and security obligations

6. International Transfers: Some providers may process data outside the EEA (e.g., OpenAI, Stripe, Clerk). Where required, we rely on Standard Contractual Clauses (SCCs) and appropriate safeguards.

7. Data Deletion & Retention:

• Account deletion: When your Clerk account is deleted, our webhook deletes your Profile and associated records (e.g., subscriptions, usage limits, courses, materials, notes, summaries, key terms, mock exams, scores, uploads) via cascades.
• Backups: Deleted data may persist in encrypted backups for 30–90 days before being overwritten.
• Uploads: We delete uploaded source files after processing; our AWS S3 bucket auto-cleans any residual uploads within 7 days.
• Outputs: Generated outputs (e.g., summaries, flashcards) remain in your account until you delete them.
• Payments: Stripe may retain its own records to meet legal obligations.

8. Security: We implement industry-standard measures to protect your personal data from unauthorized access, alteration, or disclosure, including encryption in transit and at rest where applicable, least-privilege access, and monitoring.

9. Your Rights: You may request access, rectification, erasure, restriction, portability, or object to processing. You may withdraw consent at any time (e.g., for cookies). To exercise rights, email kontakt@studieven.dk. You can also complain to Datatilsynet.