This Privacy Policy explains how PupilBot (“we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you use our web application, iOS application, and Telegram bot (collectively, the “Service”).
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Romanian data protection law. Please also review our Terms of Service.
2. Data Controller
The data controller responsible for your personal data is:
Name: Gabriel Policiuc, operating as PupilBot
Address: Prof. Nicolae Oblu, nr. 18, Iasi, Romania
Password hash (Argon2id — we never store your plaintext password)
Apple ID identifier (if you use Sign in with Apple)
Telegram chat ID (if you link a Telegram account)
Account tier (free or premium)
Preferred language and timezone
Notification preferences
Account creation and last-active timestamps
3.2 Study Materials & Derived Content
The core function of the Service is to turn your study materials into practice questions. When you upload material, we collect and generate:
Uploaded files (images of textbook pages, notes, slides, or similar — JPEG, PNG, WEBP, GIF, TIFF, AVIF, HEIC, SVG; up to 50 MB per upload, up to 50 pages per material)
Text extracted from those files by optical character recognition (OCR)
Topics and concepts identified from the extracted text
Practice questions automatically generated from those topics (single-choice, multiple-choice, free-form, cloze, matching, numeric)
Your answers and the system’s judgement of those answers
Per-topic mastery scores, scheduling data (next review time), and an audit log of mastery updates
You retain ownership of any material you upload. We process it only to provide the Service to you.
3.3 Subscription & Payment Data
If you subscribe to PupilBot premium via the iOS app (Apple In-App Purchase), we receive from Apple:
Original transaction ID and product ID
Subscription status (active, grace period, billing retry, expired, revoked)
Expiration and renewal dates
Subscription environment (Sandbox or Production)
If you subscribe via the web (Stripe), we store:
Stripe customer ID and subscription ID
Subscription status, plan, current period end
We do not receive or store your payment card details. All payment processing is handled by Apple or Stripe respectively.
3.4 Device & Technical Data
IP address (stored with refresh tokens for security)
User-Agent string
Device information (stored with refresh tokens)
3.5 Telegram Bot Data
If you link a Telegram account, we additionally store:
Your Telegram chat ID (used to send you proactive practice reminders and to receive your replies)
A short-lived linking code (15-minute expiry, single-use)
Conversation state needed to continue a multi-turn practice session (current question, awaiting answer)
Scheduled practice sessions (when the bot should next message you)
3.6 Authentication Tokens
JWT access tokens (short expiry, not stored server-side)
Refresh tokens (stored as hashed values with associated device info and IP address)
Password reset tokens (stored as hashed values, single-use, 1-hour expiry)
3.7 Service Telemetry
For billing transparency and reliability, we log internal usage of AI models (model name, token counts, cost in USD, type of operation — e.g. topic extraction, question generation, answer grading) tied to your user ID. Audit logs use hashed (SHA-256) email identifiers rather than plaintext email addresses.
4. How We Collect Data
Directly from you — When you create an account, upload study materials, answer questions, or chat with the Telegram bot.
Automatically — Device and technical data collected during your use of the Service (IP address, User-Agent, device info), and derived content generated by the Service from materials you upload (OCR text, topics, questions, mastery signals).
From third parties — Sign in with Apple (authentication data), Apple App Store Server Notifications (subscription status updates), Stripe webhooks (subscription status updates), and Telegram (chat ID and incoming messages when you choose to talk to the bot).
5. Purposes & Legal Bases
We process your personal data for the following purposes, each with a corresponding legal basis under GDPR Article 6(1):
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation & authentication | Account data, OAuth data, auth tokens | Art. 6(1)(b) — Performance of contract |
| Running OCR on uploaded files | Uploaded study material files | Art. 6(1)(b) — Performance of contract |
| Generating topics, questions & grading answers | OCR text, your answers | Art. 6(1)(b) — Performance of contract |
| Adaptive scheduling & mastery tracking | Answers, mastery scores, review history | Art. 6(1)(b) — Performance of contract |
| Subscription management | Apple/Stripe transaction data, subscription status | Art. 6(1)(b) — Performance of contract |
| Sending proactive practice reminders via Telegram | Telegram chat ID, scheduled session data | Art. 6(1)(b) — Performance of contract (you opted in by linking Telegram) |
| Transactional email (password reset, welcome) | Email address | Art. 6(1)(b) — Performance of contract |
| Security (fraud prevention, token management) | IP address, device info, auth tokens | Art. 6(1)(f) — Legitimate interest |
| Cost tracking & abuse prevention for AI calls | Token counts, model usage tied to user ID | Art. 6(1)(f) — Legitimate interest |
| Improving the Service (aggregated/anonymised metrics) | Anonymised usage data | Art. 6(1)(f) — Legitimate interest |
We do not use your study materials, questions, or answers to train third-party AI models. Where AI providers are used to power features of the Service, we rely on their contractual no-training commitments (see Section 7).
6. Study Materials, OCR & AI Generation
Because study materials are central to the Service, we want to be specific about how they are handled:
Storage: Uploaded files are stored in Cloudflare R2 (EU-preferred regions) under a per-material prefix tied to your user account. They are not publicly readable; access is gated by signed URLs and authentication.
OCR: Text is extracted from your uploads using the GLM-OCR open-source model running on our own private infrastructure (a server hosted by Hetzner in Germany, reached over a private Tailscale network). Your files are not sent to any third-party OCR service.
AI generation & grading: Extracted text and your answers are sent to a large-language-model provider — currently OpenAI and/or xAI — for topic extraction, question generation, and answer grading. Image generation (when used to illustrate questions) is performed by OpenAI. Both providers’ API terms include a no-training commitment for data submitted via the API. Only the text needed for the task is sent — not your original image files, account credentials, or other identifying information beyond what is necessary.
Telegram bot: When you practice via Telegram, the question text, your answer, and the grading result pass through Telegram’s servers as part of the normal bot protocol. Your original uploaded files are not sent to Telegram.
Deletion: Deleting a study material removes the database rows and the underlying files in Cloudflare R2. Deleting your account removes all materials you have uploaded.
7. Data Sharing & Third Parties
We share personal data only with the following third-party service providers (processors), strictly for the purposes described:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Telegram | Practice reminders & bot conversations (only if you link Telegram) | Chat ID, question text, your answers, grading messages | Global |
We do not sell your personal data. We do not share data with advertisers or ad networks. We do not engage in profiling for marketing purposes. We do not use your data to train third-party AI models.
8. International Data Transfers
Your personal data is primarily stored on servers within the European Union (Cloudflare R2 EU regions, Hetzner Germany, our own application database). Where data is transferred to service providers outside the EU (Apple, OpenAI, xAI, Resend in the USA; Telegram globally), such transfers are protected by:
The EU-US Data Privacy Framework (where the provider is certified), or
Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
Additional safeguards required by GDPR Chapter V.
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:
| Data Category | Retention Period |
|---|---|
| Guest account data | Until you upgrade the account or until automated cleanup after extended inactivity |
| | Until you delete your account (Apple/Stripe retain their own records independently for accounting and tax purposes) |
| Refresh tokens | Until the refresh token expires or is revoked |
| Password reset tokens | 1 hour or until used, whichever comes first |
| Telegram link codes | 15 minutes or until used, whichever comes first |
| AI usage telemetry (model name, token counts, cost) | Retained for billing transparency and operational integrity |
| Webhook logs (Apple, Stripe) | Retained for operational integrity and accounting |
When you delete your account, all associated personal data is deleted via cascading database deletion, including any study materials you have uploaded and their associated files in Cloudflare R2.
10. Your GDPR Rights
Under the GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15) — You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
Right to Rectification (Art. 16) — You have the right to request correction of inaccurate personal data.
Right to Erasure (Art. 17) — You have the right to request deletion of your personal data (“right to be forgotten”).
Right to Restriction of Processing (Art. 18) — You have the right to request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, machine-readable format, including any study materials you have uploaded.
Right to Object (Art. 21) — You have the right to object to processing based on legitimate interests.
Rights Related to Automated Decision-Making (Art. 22) — You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The Service’s adaptive scheduling and mastery scoring are used to choose what to show you next; they do not produce legal or similarly significant effects.
Right to Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint — You have the right to lodge a complaint with a supervisory authority. In Romania, this is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) at www.dataprotection.ro. You may also complain to the supervisory authority in your EU country of residence.
How to exercise your rights: Email [email protected] with the subject line “GDPR Request.” You may also delete your account and all associated data directly within the Service. We will respond to all requests within 30 days.
11. Cookies & Local Storage
PupilBot uses a JWT-based authentication system, not traditional browser cookies for session management.
On the web, authentication tokens are stored in browser localStorage so you can stay signed in.
On iOS, tokens are stored securely in the device Keychain.
Stripe Checkout, when used, sets its own cookies on Stripe’s domain (necessary for payment processing).
We do not use tracking cookies.
We do not use advertising cookies, pixels, or third-party ad networks.
12. Children’s Privacy
The Service is not directed at children under the age of 16 (the GDPR age threshold for consent to data processing in most EU member states; some member states set a lower limit, no lower than 13). We do not knowingly collect personal data from children under 16 without verifiable parental consent. If we become aware that we have collected personal data from a child under 16 without such consent, we will take steps to delete that data promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].
13. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
Password hashing: All passwords are hashed using the Argon2id algorithm (never stored in plaintext).
Encryption in transit: All data is transmitted over HTTPS/TLS.
Short-lived access tokens: JWT access tokens have short expiry.
Hashed refresh tokens: Refresh tokens are stored as hashed values with device and IP binding.
Private OCR infrastructure: OCR runs on a server reachable only via a private Tailscale network, not over the public internet.
Log redaction: Application logs redact tokens and passwords; user identifiers in audit logs are hashed.
Breach notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly (GDPR Article 34).
14. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will be revised accordingly. For material changes that affect how we process your personal data, we will notify registered users by email. Previous versions of this policy are available upon request.
15. Contact
For privacy-related inquiries or to exercise your GDPR rights, please contact us:
Email: [email protected] (use subject line “GDPR Request” for data rights requests)
Data Controller: Gabriel Policiuc
Address: Prof. Nicolae Oblu, nr. 18, Iasi, Romania
We will respond to all GDPR requests within 30 days of receipt.