Privacy Policy
Last updated: March 2026
1. What Data We Collect
We collect the following categories of personal data:
- Account data: Name, email address, hashed password, role (student / teacher / admin / parent).
- Academic data: Test answers, grades, attendance records, lesson plans, course enrollments.
- Usage data: Session tokens, login timestamps (managed by NextAuth.js).
- Media uploads: Files you upload to the platform (stored on Vercel Blob).
We do not collect: government IDs, financial data, health data, or biometric data.
2. Where Data Is Stored
- Database: Neon PostgreSQL — data at rest is encrypted (AES-256). Hosted in the US (AWS us-east-1).
- File storage: Vercel Blob — files are stored in Vercel's CDN-backed object storage.
- Application hosting: Vercel Edge Network — HTTPS enforced on all endpoints.
- Session tokens: HTTP-only cookies, not accessible to JavaScript.
3. How AI Processing Works
This platform uses AI models (OpenAI GPT-4o-mini, Anthropic Claude) for automatic grading and lesson plan generation.
✅ Anonymization guarantee
Student names, email addresses, IDs, class names, and school names are never included in prompts sent to AI providers. Only anonymous answer text and question content are processed.
Every AI call is logged in our audit database with a hasPersonalData: false flag, which is verified programmatically before each request.
- The organization is required to sign the OpenAI Data Processing Addendum (DPA).
- AI provider links: OpenAI Privacy Policy, Anthropic Privacy Policy.
4. Your Rights Under KVKK (Law No. 6698) and GDPR
Under KVKK Article 11 and GDPR Articles 15–22, you have the right to:
🔍 Access
Request a copy of all personal data we hold about you.
✏️ Rectification
Correct inaccurate or incomplete data.
🗑️ Erasure (Right to be Forgotten)
Request permanent deletion of all your data. School admins can trigger this via the admin panel.
📤 Data Portability
Receive your data in a machine-readable format.
🚫 Object to Processing
Object to processing of your data for specific purposes.
⏸️ Restriction
Request restriction of processing in certain circumstances.
5. Data Retention
- Student academic records are retained for the duration of the student's enrollment plus 2 years.
- AI audit logs are retained for 1 year.
- Deleted user data is purged immediately and is not recoverable.
6. Contact
For privacy-related requests, please contact your school administrator or our Data Protection Officer (DPO):
Data Protection Officer
Email: privacy@schoolapp.example
Response time: Within 30 days (KVKK) / 1 month (GDPR)