Privacy Policy

Version 2026-06-12. This policy explains what The Norudit Academy (“Norudit”, “we”) collects, why, how long we keep it, and the controls you have. It is written to be readable by students, including younger ones — because you should actually understand it.

Who we are

[PLACEHOLDER: legal entity name, registered address, company number]. We are the data controller for the personal data described here. Contact: [PLACEHOLDER: privacy@norudit.com]. If we are required to appoint a Data Protection Officer or EU/UK representative, their contact details will appear here.

What we collect, and why

| Data | What it is | Why (purpose & lawful basis) | Kept for |
|---|---|---|---|
| Account | Name, email, password (hashed) or Google/Microsoft sign-in, country, education level, interests you add | Operating your account; personalising examples to your interests (contract) | Until you delete your account |
| Your study materials | Documents you upload (textbooks, notes, timetables) and the content generated from them | The core service: building your classes, retrieval, generation (contract) | Until you delete the class or account |
| Learning records | Review history (FSRS), per-concept mastery estimates and observations (BKT), phase attempts, grades, exam results | Scheduling reviews and tracking mastery — the product's purpose (contract) | Until you delete the class or account |
| Learner memory | Inferred learning state: weak/strong concepts, misconceptions, study patterns, a learner profile. Never textbook content or answers | Longitudinal personalisation (legitimate interest — you can see, edit, and delete every fact in Settings → Memory) | Until you edit/delete it or delete your account; superseded facts pruned after 90 days |
| Schedule | Commitments and exam dates you enter or import; whether you did/skipped planned blocks | Composing your study plan (contract). Raw done/skipped marks are a rolling ~14-day window, then deleted — only consolidated patterns (visible and deletable in Memory) persist. Generated plans are never stored | Inputs: until you delete them. Raw adherence: ~14 days |
| Conversations | Chats with the tutor, phases, and Lura. Voice modes keep the text transcript only — audio is never recorded or stored | Continuity of your sessions (contract) | Until you delete the session/conversation or account |
| Usage & billing | Token usage counters, subscription tier; payments are processed by Polar (we never see card numbers) | Fair-use limits and billing (contract) | Daily usage 90 days; monthly 6 months; billing per legal requirements |
| Waitlist/blog email | Email address + which list you joined | Sending what you asked for (consent — withdraw any time by unsubscribing) | Until you unsubscribe or ask us to delete it |
| Errors & security | Error reports (Sentry) without request bodies or PII; rate-limit decisions (Arcjet) using IP | Keeping the service working and safe (legitimate interest). No session replay, no behavioural advertising, no ad trackers — ever | Per processor retention (≤90 days) |

How AI processing works

Your materials and messages are sent to AI model providers to generate the service's output (explanations, questions, grading, schedules parsed from your timetable). We use Mistral, OpenAI, and Anthropic models via API — under terms that do not permit training on your data — plus our own retrieval and text-to-speech infrastructure (Modal). Independent Research queries the open web through Linkup. We send only what each feature needs.

Your controls (and rights)

  • See what the AI knows about you: Settings → Memory shows every inferred fact; you can correct or delete each one. This is the live, in-app version of your access and rectification rights.
  • Delete: classes, conversations, schedule entries, and your whole account (Settings → Delete account) — deletion cascades through your data and uploaded files.
  • GDPR rights: access, rectification, erasure, restriction, portability, and objection — email [PLACEHOLDER: privacy@norudit.com]. We respond within one month.
  • Complaints: you may complain to your supervisory authority — in the UK, the Information Commissioner's Office (ico.org.uk); in the EU, your national DPA.

Children and young people

Norudit is designed for students, including those under 18, and we apply the standards of the ICO's Age Appropriate Design Code by design: high-privacy defaults, data minimisation (we keep outcomes, not archives — e.g. plans are recomputed, not stored; raw adherence logs self-delete), no behavioural advertising, no engagement-bait mechanics, no selling of personal data, and plain-language explanations like this one. You must be at least 13 to create an account (16 in some EU countries unless a parent consents) — [PLACEHOLDER: confirm minimum age per launch markets]. Parents/guardians of younger users can exercise all the rights above on their child's behalf.

Where your data lives

Data is stored with Supabase (Postgres + file storage) and processed by the providers listed above. Where processing happens outside the UK/EEA, transfers rely on adequacy decisions or Standard Contractual Clauses. [PLACEHOLDER: hosting regions per deployment.]

Security

Row-level security on every table, scoped service credentials, secrets kept server-side, TLS in transit, and rate-limiting on public and AI endpoints. No system is perfect; if a breach affects you, we will notify you and the regulator as the law requires.

Changes

If this policy changes materially we will ask you to review it again — your account records which version you accepted (2026-06-12 is current).