Individual Entrepreneur Kovalchuk Dmytro Oleksiyovych ("we", "us", "our"), registered in Ukraine, is the data controller for personal data processed via konspekt.ai. This Policy explains how we collect, use, disclose, and safeguard your information and is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended (CCPA/CPRA), the Children's Online Privacy Protection Act (COPPA), and the Law of Ukraine "On Protection of Personal Data".
1. Information We Collect
- Account data: name, email address, hashed password, locale, optional date of birth (if provided for age verification), and (if you sign in with Google) your Google account identifier.
- Profile data: optional bio, headline, qualifications, social links, and preferences you add.
- Content data: files, PDFs, URLs, and text you upload to your Knowledge Base, the embeddings derived from them, and the lessons, tests, and homework generated for you.
- Student data: for learners who join a course via class code or invitation, we process their account details and learning activity — progress, submitted answers, and grades.
- Payment data: processed by WayForPay. We store only a masked card reference, card type, and (for subscriptions) a recurring-payment token — never full card numbers.
- Support data: messages and attachments you send through our in-app support chat.
- Technical data: IP address, user-agent, and session information used to keep you logged in and secure the service.
2. Legal Bases for Processing (GDPR)
- Performance of a contract (Art. 6(1)(b)): account management, content processing, and payments.
- Legitimate interests (Art. 6(1)(f)): securing the Platform, preventing fraud and abuse, and improving reliability.
- Consent (Art. 6(1)(a)): non-essential cookies and optional marketing communications, which you may withdraw at any time.
- Legal obligation (Art. 6(1)(c)): retaining transaction records for tax and accounting purposes.
3. How We Use Your Information
- Provide, maintain, secure, and improve the Platform.
- Transmit your uploaded content to our AI sub-processors to generate the materials you request.
- Process payments and send receipts and billing notices.
- Send administrative, technical, and security messages.
- Send marketing communications where you have consented or as permitted by law (opt-out anytime).
4. AI Providers and Your Data
Your uploaded documents and prompts are sent to third-party AI APIs to fulfil your generation requests. We use the API/enterprise tiers of these services, which contractually provide that your data is not used to train their public models. Your data is used only to fulfil your immediate request and is subject to each provider's own security terms.
5. Sub-Processors
We engage the following sub-processors. Where required, we have entered into Data Processing Agreements (DPAs) with them:
- Google LLC — AI generation (Gemini API), authentication (Google Sign-In), and search APIs.
- Voyage AI — text embeddings and semantic search (RAG).
- Serper and DataForSEO — web/image/video search enrichment.
- Supadata — retrieval of public video transcripts and related data.
- WayForPay — payment processing.
- Resend — transactional email delivery.
- Hetzner Online GmbH — cloud hosting and infrastructure (primary servers located in the EU).
We will update this list and, where required, notify you before adding sub-processors that materially affect your data.
6. Sharing of Information
We do not sell or rent your personal data. We share it only with the sub-processors above, with educators/students within a shared course as inherent to the service, and where required by law or valid requests from public authorities. We may share aggregated, anonymised data that cannot identify you.
7. International Data Transfers
Our primary servers are hosted in the European Union (Hetzner). However, some sub-processors — in particular our AI providers — operate in other countries, including the United States, so your data may be processed there to fulfil your requests. For transfers from the EEA/Ukraine we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), where applicable.
8. Data Retention
- Account & profile data: kept for the life of your account; deleted within 30 days of account closure.
- Knowledge Base & generated content: retained until you delete it or close your account.
- Transaction/billing records: retained for the period required by Ukrainian tax and accounting law.
- Technical/session logs: retained for a limited period for security and diagnostics.
9. Your Privacy Rights
EU/EEA (GDPR) and Ukraine: you have the rights of access and portability, rectification, erasure ("right to be forgotten"), restriction, objection, and withdrawal of consent. You can edit your profile in your settings and request deletion of your account by contacting support@konspekt.ai; upon deletion, personal data, Knowledge Base files, and generated lessons are permanently removed from active systems within 30 days. You may lodge a complaint with your supervisory authority — in Ukraine, the Ukrainian Parliament Commissioner for Human Rights (Ombudsman); in the EU, your national Data Protection Authority.
California (CCPA/CPRA): you have the right to know, delete, and correct your personal information, to opt out of "sale"/"sharing" (we do not sell personal information), and to non-discrimination. Submit requests to support@konspekt.ai.
We respond within 30 days (GDPR) or 45 days (CCPA) of a verifiable request.
10. Children's Privacy
The Platform is intended for educators, tutors, and learners. We do not knowingly collect personal data directly from children under 13. Students under 13 may use the Platform only when invited by an educator whose school or institution has obtained any verifiable parental consent required under COPPA, FERPA, or equivalent local law, as set out in our Terms of Service. For learners in the EEA, the age of digital consent (13–16 depending on the member state) applies. If you are a parent or guardian and believe we hold data about your child without a proper legal basis, contact support@konspekt.ai and we will review and, where appropriate, delete it.
11. Security
We use industry-standard technical and organisational measures, including encryption in transit, hashed passwords, and access controls. No method of transmission or storage is 100% secure, but we work to protect your data and will notify you and the relevant authorities of a personal data breach as required by law.
12. Changes & Contact
We may update this Policy and will post the new effective date here; material changes will be notified by email or in-Platform notice. Contact the controller at support@konspekt.ai.