Privacy Policy

The Operator processes the following categories of personal data:

• Identification data: email address, display name, unique account identifier.
• Authentication data: password hash (the original password is never stored or transmitted), session identifiers (httpOnly cookies).
• OAuth data: user ID, email, name, and avatar obtained from Google, GitHub, or Yandex when signing in via the respective provider.
• Payment data: YooKassa payment ID, amount, date, status. Full card credentials are not stored by the Operator — they remain with the payment provider.
• Service-usage data: User's SQL queries, task-attempt history, grading results, track progress, statistics, request timestamps.
• Technical data: IP address, browser User-Agent, visit time, language preferences, error and performance data.
• AI-feature request content: topic, difficulty, task context, User prompt text — transmitted to the selected AI provider (OpenAI or Anthropic) to produce a response.

Data is processed for the following purposes:

• Providing access to the Service, registration and authentication — legal basis: performance of a contract (Art. 6 para. 1 cl. 5 of 152-FZ, Art. 6(1)(b) GDPR).
• Processing payments, issuing fiscal receipts — legal basis: contract performance and Federal Law No. 54-FZ on cash-register equipment.
• Recording learning progress, building statistics and rankings — legal basis: contract performance.
• Sending service notifications (password reset, payment confirmation, Offer changes) — legal basis: contract performance, Operator's legitimate interest.
• Fraud prevention, infrastructure protection, and security-incident response — legal basis: Operator's legitimate interest (Art. 6(1)(f) GDPR).
• Improving Service quality and analysing feature usage — legal basis: Operator's legitimate interest or User consent.

The Operator shares a limited set of data with the following processors to fulfil the purposes in Section 3:

• YooKassa (YooMoney NBCO LLC) — to process payments. Data shared: email, amount, plan identifier.
• Google LLC, GitHub Inc., Yandex LLC — for OAuth sign-in: identification data is retrieved from the provider and stored by the Operator.
• OpenAI, Inc. and Anthropic, PBC — for AI features: the prompt text and task context are transmitted without identity linkage.
• Hosting provider (owner of the Service's physical infrastructure) — data is processed and stored within the Russian Federation.
• Law-enforcement and state agencies — pursuant to a reasoned request under applicable Russian law.

• Account data — for the lifetime of the Account; upon deletion — for 30 calendar days, after which the Account and associated personal data are deleted (except data retained by law).
• Payment and fiscal data — 5 years from the date of the transaction, per Russian tax law.
• Task attempts, SQL queries, and progress data — until Account deletion.
• Technical logs and security data — up to 180 days from the event.
• AI-request history — up to 90 days for quality review; afterwards deleted or anonymised.

The User has the right to:

• be informed about the processing of their personal data;
• request correction, restriction, or deletion of data that is inaccurate, outdated, or unlawfully obtained;
• withdraw consent to processing at any time;
• request deletion of the Account and all associated data (right to be forgotten);
• receive a copy of their data in machine-readable format (data portability, for EEA Users);
• lodge a complaint against the Operator with Roskomnadzor or a court.