Privacy Policy

1. Introduction

Razumei, a DBA (doing business as) of NovaThread Ventures LLC (“Company,” “we,” “us,” or “our”) operates the Razumei platform (“the Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, password (hashed), phone number (optional), grade level, favorite subjects
• Payment Information: Processed securely by Stripe. We do NOT store credit card numbers, CVVs, or full card details on our servers
• Session Content: Messages exchanged during tutoring sessions, voice input transcriptions, feedback and ratings
• Profile Information: Account type (student, parent, teacher), school name (optional)

2.2 Information Collected Automatically

• Device Information: Browser type, device fingerprint (for credential sharing detection), operating system
• Usage Data: Session duration, subjects studied, features used, pages visited
• IP Address: Collected for security, fraud detection, and approximate geographic location
• Cookies: Authentication session cookies (required for login). We do not use third-party advertising cookies

2.3 AI-Generated Content

• Session Transcripts: Conversations between you and AI tutors are stored to provide session history, generate study notes, and improve the Service
• Study Notes: AI-generated summaries of your sessions are stored in your vault
• Voice Data: Voice input is transcribed in real-time by Deepgram and is NOT stored as audio. Only the text transcription is retained as part of the session transcript
• TTS Audio: Text-to-speech audio is generated on-the-fly and is NOT permanently stored on our servers

3. How We Use Your Information

• Provide, maintain, and improve the tutoring Service
• Generate AI tutor responses tailored to your subject and learning level
• Generate and store study notes from your sessions
• Process payments and manage subscriptions
• Send transactional emails (session recaps, feedback requests, account notifications)
• Send optional marketing emails (weekly digests, promotions) — you may opt out at any time
• Detect and prevent credential sharing, fraud, and abuse
• Monitor content safety and review flagged content
• Improve AI tutor quality through aggregated, anonymized usage analytics
• Comply with legal obligations

4. Third-Party Services

We use the following third-party services to operate the platform. Each has its own privacy policy:

We do NOT sell your personal information to any third party. We do NOT use your data for advertising.

5. AI Training & Data Use

Your session conversations may be used in anonymized, aggregated form to improve AI tutor quality. This means:

• Your name, email, and personal identifiers are REMOVED before any analysis
• Individual sessions are NOT reviewed by humans unless flagged for content safety
• We do NOT send your personal information to AI model providers (Anthropic, OpenAI) for training
• Third-party AI providers (Anthropic, Google) process messages in real-time but do NOT retain them for training per our data processing agreements

6. Data Retention

• Account data: Retained as long as your account is active. Deleted within 30 days of account deletion request
• Session transcripts: Retained for the duration of your account. Deleted upon account deletion
• Study notes: Free/Starter: 30 days. Pro: 90 days. Ultra: 365 days
• Payment records: Retained for 7 years as required by tax and financial regulations
• Content safety flags: Retained for 1 year for review and compliance purposes
• Anonymized analytics: Retained indefinitely in aggregated form

7. Children's Privacy (COPPA)

We take children's privacy seriously. For users under 13:

• A parent or guardian must create a parent account and link the child's account
• We collect only the minimum information necessary to provide the Service
• Parents may review, modify, or delete their child's data at any time through the parent dashboard
• We do not display targeted advertising to any users, including children
• We do not condition a child's participation on providing more information than is reasonably necessary

If you believe we have collected information from a child under 13 without parental consent, contact us immediately at [email protected].

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of your personal data (available via Settings → Download My Data)
• Correction: Update inaccurate personal information through your account settings
• Deletion: Request permanent deletion of your account and associated data (available via Settings → Delete Account)
• Portability: Export your data in a machine-readable format (JSON)
• Opt-out: Unsubscribe from marketing emails at any time via the link in any email
• Restrict processing: Request that we limit how we use your data

To exercise any of these rights, contact us at [email protected] or use the self-service options in your account settings. We will respond within 30 days.

9. Data Security

We implement industry-standard security measures to protect your information:

• All data transmitted over HTTPS (TLS 1.2+)
• Passwords are hashed using bcrypt with salt (never stored in plain text)
• Database encrypted at rest (Supabase/PostgreSQL)
• API keys and secrets stored in environment variables, not in code
• JWT session tokens with 24-hour expiration
• Stripe PCI-DSS compliant payment processing
• Regular security audits of our codebase

Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect and how it's used
• Right to delete your personal information
• Right to opt-out of the sale of personal information — we do NOT sell personal information
• Right to non-discrimination for exercising your privacy rights

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), we process your data under the following legal bases:

• Contract performance: Processing necessary to provide the Service you subscribed to
• Legitimate interest: Analytics, security, fraud prevention, and service improvement
• Consent: Marketing emails and optional data processing (withdrawable at any time)
• Legal obligation: Tax records, compliance with legal requests

You have the right to lodge a complaint with your local data protection authority.

12. Credential Sharing Detection

To protect the integrity of our subscription model, we monitor for credential sharing by tracking:

• Number of unique devices accessing your account
• IP addresses used during sessions
• Simultaneous session detection

This monitoring is conducted automatically. If anomalous activity is detected, we may contact you for verification or restrict account access. Device fingerprints are hashed and cannot be used to identify you personally.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent notice on the Service at least 30 days before taking effect. The “Last updated” date at the top will be revised accordingly.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy:

Razumei, a DBA of NovaThread Ventures LLC
Email: [email protected]