Privacy Policy

1. Introduction

Razumei, a DBA (doing business as) of NovaThread Ventures LLC (“Company,” “we,” “us,” or “our”) operates the Razumei platform (“the Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, password (hashed), phone number (optional), grade level, favorite subjects
• Payment Information: Processed securely by Stripe. We do NOT store credit card numbers, CVVs, or full card details on our servers
• Session Content: Messages exchanged during tutoring sessions, voice input transcriptions, feedback and ratings
• Profile Information: Account type (student, parent, teacher), school name (optional)

2.2 Information Collected Automatically

• Device Information: Browser type, device fingerprint (for credential sharing detection), operating system
• Usage Data: Session duration, subjects studied, features used, pages visited
• IP Address: Collected for security, fraud detection, and approximate geographic location
• Cookies: Authentication session cookies (required for login), a consent-preference cookie (razumei_consent) that remembers your choice, and — where you've accepted — analytics and advertising cookies set by Meta (_fbp, _fbc) used for ad measurement. See Section 4 and Section 12 for details and opt-out options

2.3 AI-Generated Content

• Session Transcripts: Conversations between you and AI tutors are stored to provide session history, generate study notes, and improve the Service
• Study Notes: AI-generated summaries of your sessions are stored in your vault
• Voice Data: Voice input is transcribed in real-time by Deepgram and is NOT stored as audio. Only the text transcription is retained as part of the session transcript
• TTS Audio: Text-to-speech audio is generated on-the-fly and is NOT permanently stored on our servers

3. How We Use Your Information

• Provide, maintain, and improve the tutoring Service
• Generate AI tutor responses tailored to your subject and learning level
• Generate and store study notes from your sessions
• Process payments and manage subscriptions
• Send transactional emails (session recaps, feedback requests, account notifications)
• Send optional marketing emails (weekly digests, promotions) — you may opt out at any time
• Detect and prevent credential sharing, fraud, and abuse
• Monitor content safety and review flagged content
• Improve AI tutor quality through aggregated, anonymized usage analytics
• Comply with legal obligations

4. Third-Party Services

We use the following third-party services to operate the platform. Each has its own privacy policy:

We do NOT sell your personal information for financial consideration. However, our use of the Meta Pixel and Conversions API for advertising measurement may qualify as “sharing” under laws such as California's CCPA/CPRA, Colorado's CPA, and similar U.S. state privacy laws. You may opt out at any time using our Do Not Sell or Share My Personal Information page, or manage your choice via Cookie Preferences. See Section 12 for more detail on what we send to Meta and how to opt out.

5. AI Training & Data Use

Your session conversations may be used in anonymized, aggregated form to improve AI tutor quality. This means:

• Your name, email, and personal identifiers are REMOVED before any analysis
• Individual sessions are NOT reviewed by humans unless flagged for content safety
• We do NOT send your personal information to AI model providers (Anthropic, OpenAI) for training
• Third-party AI providers (Anthropic, Google) process messages in real-time but do NOT retain them for training per our data processing agreements

6. Data Retention

• Account data: Retained as long as your account is active. Deleted within 30 days of account deletion request
• Session transcripts: Retained for the duration of your account. Deleted upon account deletion
• Study notes: Free/Starter: 30 days. Pro: 90 days. Ultra: 365 days
• Payment records: Retained for 7 years as required by tax and financial regulations
• Content safety flags: Retained for 1 year for review and compliance purposes
• Anonymized analytics: Retained indefinitely in aggregated form

7. Children's Privacy (COPPA)

We take children's privacy seriously. For users under 13:

• A parent or guardian must create a parent account and link the child's account
• We collect only the minimum information necessary to provide the Service
• Parents may review, modify, or delete their child's data at any time through the parent dashboard
• We do not display targeted advertising to any users, including children
• We do not condition a child's participation on providing more information than is reasonably necessary

If you believe we have collected information from a child under 13 without parental consent, contact us immediately at [email protected].

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of your personal data (available via Settings → Download My Data)
• Correction: Update inaccurate personal information through your account settings
• Deletion: Request permanent deletion of your account and associated data (available via Settings → Delete Account)
• Portability: Export your data in a machine-readable format (JSON)
• Opt-out: Unsubscribe from marketing emails at any time via the link in any email
• Restrict processing: Request that we limit how we use your data

To exercise any of these rights, contact us at [email protected] or use the self-service options in your account settings. We will respond within 30 days.

9. Data Security

We implement industry-standard security measures to protect your information:

• All data transmitted over HTTPS (TLS 1.2+)
• Passwords are hashed using bcrypt with salt (never stored in plain text)
• Database encrypted at rest (Supabase/PostgreSQL)
• API keys and secrets stored in environment variables, not in code
• JWT session tokens with 24-hour expiration
• Stripe PCI-DSS compliant payment processing
• Regular security audits of our codebase

Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect and how it's used
• Right to delete your personal information
• Right to opt-out of the sale or sharing of personal information. We do not sell personal information for financial consideration, but our use of the Meta Pixel and Conversions API may constitute “sharing” for cross-context behavioral advertising under CCPA/CPRA. Opt out at Do Not Sell or Share My Personal Information
• Right to non-discrimination for exercising your privacy rights

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), we process your data under the following legal bases:

• Contract performance: Processing necessary to provide the Service you subscribed to
• Legitimate interest: Analytics, security, fraud prevention, and service improvement
• Consent: Marketing emails, analytics and advertising cookies (Meta Pixel / Conversions API), and other optional data processing. Consent is opt-in for EEA, UK, Swiss, and Canadian users via our consent banner, and is withdrawable at any time via Cookie Preferences
• Legal obligation: Tax records, compliance with legal requests

You have the right to lodge a complaint with your local data protection authority.

12. Analytics & Advertising (Meta Pixel + Conversions API)

We use Meta's advertising tools to measure the performance of our marketing and the paths visitors take through our site:

• Meta Pixel (browser): A small JavaScript snippet that sets the _fbp and, on ad clicks, _fbc cookies. It reports page views, clicks on pricing tier buttons (InitiateCheckout), and signup completion (CompleteRegistration) to Meta.
• Meta Conversions API (server): The same events are also sent directly from our servers for better attribution accuracy. Server-side events include your hashed email, hashed first/last name, hashed internal user ID, IP address, user agent, and the page URL. Hashing uses SHA-256 and is performed before the data leaves our servers.

When these tools fire:

• Visitors from the EEA, United Kingdom, Switzerland, and Canada see a consent banner and the Pixel fires only after affirmative acceptance
• Visitors elsewhere have the Pixel enabled by default, and may opt out at any time at Do Not Sell or Share My Personal Information or Cookie Preferences
• Opting out sets a cookie that disables both the browser Pixel and any server-side Conversions API events tied to your browser. It does not affect your account, session history, or access to the Service

Meta's processing of this data is governed by Meta's own privacy policy, available at facebook.com/privacy/policy.

13. Credential Sharing Detection

To protect the integrity of our subscription model, we monitor for credential sharing by tracking:

• Number of unique devices accessing your account
• IP addresses used during sessions
• Simultaneous session detection

This monitoring is conducted automatically. If anomalous activity is detected, we may contact you for verification or restrict account access. Device fingerprints are hashed and cannot be used to identify you personally.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent notice on the Service at least 30 days before taking effect. The “Last updated” date at the top will be revised accordingly.

15. Contact Us

For questions, concerns, or requests regarding this Privacy Policy:

Razumei, a DBA of NovaThread Ventures LLC
Email: [email protected]