Privacy Policy

1. Data Controller

The data controller for kvasi is:

2. What Data We Collect

We collect and process the following categories of personal data:

• Account information: name, email address, and authentication credentials when you register.
• Learning progress: exercise responses, scores, spaced repetition scheduling data, streak information, and XP.
• AI interactions: text inputs sent to AI services for exercise generation and evaluation, and the responses received.
• User-generated content: tasks, sets, and learning materials you create or share.
• Technical data: IP address, browser type, device information, and cookies (see our Cookie Policy).

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, including account management, learning progress tracking, and AI-powered features.
• Consent (Art. 6(1)(a)): For non-essential cookies. You may withdraw consent at any time.
• Legitimate interest (Art. 6(1)(f)): For service improvement, security monitoring, and fraud prevention.
• Legal obligation (Art. 6(1)(c)): Where we are required by law to retain or disclose data.

4. Third-Party Services

We use the following third-party services that may process your data:

• Azure OpenAI Service (Microsoft): For AI-powered exercise generation and evaluation. Text inputs are processed via Microsoft's Azure OpenAI Service, hosted in the EU (Sweden Central region). Your data is not used by Microsoft to train or improve their AI models. Processing is governed by the Microsoft Data Processing Addendum (DPA). See Microsoft's Privacy Statement.
• Authentication provider: For secure user authentication and session management.
• Database hosting (PostgreSQL): Provided by Supabase for storing user data, learning progress, and content. Data is stored in secure, encrypted databases hosted in the EU. Processing is governed by Supabase's Data Processing Agreement (DPA). See Supabase's Privacy Policy.
• Vercel: For hosting the application. See Vercel's Privacy Policy.
• Upstash: For rate limiting and abuse prevention. User identifiers and IP addresses used as rate-limiting keys, along with request counters. No message content or personal profile data is shared. See Upstash's Privacy Policy.

5. Data Retention

We retain your data for the following periods:

• Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
• Learning progress: Retained for the duration of your account.
• AI interaction logs: Retained for up to 90 days for service improvement, then anonymized or deleted.
• Azure OpenAI abuse monitoring (managed by Microsoft): Microsoft may retain prompts and completions for up to 30 days for abuse monitoring purposes as part of the Azure OpenAI Service.
• Technical logs: Retained for up to 12 months for security and debugging purposes.

6. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven), you have the following rights:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to restriction (Art. 18): Request limitation of processing of your data.
• Right to object (Art. 21): Object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@falckstudios.com. We will respond within 30 days.

7. Right to Complain

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Datatilsynet (Norwegian Data Protection Authority).

8. Cookies

We use cookies and similar technologies. For details on what cookies we use and how to manage them, please see our Cookie Policy.

9. International Data Transfers

AI processing via Azure OpenAI Service is performed within the EU (Sweden Central region) and does not involve cross-border data transfers outside the EEA.

Some of our other third-party service providers may process data outside the EEA, including:

• Vercel: Application hosting (United States).
• Upstash: Rate limiting and abuse prevention (United States).

Where data is processed outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Service. The "Last updated" date at the top of this page indicates when this policy was last revised.