Privacy Policy
Last updated: May 31, 2026
1. Data Controller
The data controller responsible for the processing of your personal data is Oleksandr Minzov ("we," "us," or "our").
Contact: support@studylo.app
2. Information We Collect
2.1. Account Data
When you create an account, we collect the following information:
- Username
- Email address
- Password (stored securely via our authentication provider; we do not have access to your plaintext password)
- Avatar image (optional)
2.2. User Activity Data
When you use the Service, we collect data generated by your activity, including:
- Study sessions, including date, time, duration, subject, notes, and study type
- Subjects and study goals you create
- Study group membership, group activity, and interactions within groups
2.3. Technical Data
We automatically collect limited technical data, including:
- Basic, privacy-focused analytics data collected via Vercel Analytics (e.g., page views, device type)
- Product analytics data collected via PostHog, including page views, in-app events (e.g., logging a study session, starting a timer, joining a group), and session recordings. Session recordings capture clicks, scrolls, and navigation; form inputs are masked by default and are not transmitted.
- Data stored locally in your browser via local storage mechanisms
We do not collect sensitive personal data as defined under Article 9 of the GDPR.
3. Legal Basis for Processing
We process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):
- Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Service to you, including account management, study tracking, and group features.
- Legitimate interest (Article 6(1)(f)): Processing necessary for improving the Service, ensuring security, and preventing abuse. Our legitimate interests do not override your fundamental rights and freedoms.
- Consent (Article 6(1)(a)): Where applicable, for optional analytics and future features that require your explicit consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
4. How We Use Your Data
We use the data we collect to:
- Provide, operate, and maintain the Service;
- Enable study session tracking, analytics, and goal management;
- Enable study group features, including leaderboards, activity feeds, and presence indicators;
- Improve the performance, reliability, and user experience of the Service;
- Ensure the security of the Service and prevent fraud or abuse;
- Communicate with you regarding your account, service updates, or responses to your inquiries.
5. Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal data to any third party.
We share data with the following categories of service providers (data processors) who process data on our behalf:
- Vercel — hosting and privacy-focused analytics (United States)
- Supabase — database and authentication (United States)
- PostHog — product analytics and session recording (European Union)
- Resend — transactional email delivery (United States)
- Google — OAuth login provider (United States)
Each processor is contractually obligated to handle your data in accordance with applicable data protection law.
5.1. Data Shared Within the Service
When you join a study group, your username, avatar, study activity, and notes may be visible to other members of that group. By joining a group, you consent to this sharing.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our third-party service providers operate.
Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- The service provider's compliance with an adequacy decision, where applicable;
- Other lawful transfer mechanisms recognized under the GDPR.
You may request further information about the safeguards in place by contacting us.
7. Data Retention
We retain your personal data only for as long as your account remains active and the data is necessary to provide the Service.
When you delete your account, all associated personal data is permanently deleted from our systems. Data that was shared within study groups (e.g., activity feed entries) will be removed or anonymized such that it is no longer attributable to you.
We may retain certain data beyond account deletion where required by applicable law or to resolve disputes, enforce our agreements, or protect our legal rights.
8. Your Rights Under the GDPR
Under the General Data Protection Regulation, you have the following rights with respect to your personal data:
- Right of access — You may request a copy of the personal data we hold about you.
- Right to rectification — You may request correction of inaccurate or incomplete personal data.
- Right to erasure — You may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing — You may request that we limit the processing of your data in certain circumstances.
- Right to data portability — You may request your personal data in a structured, commonly used, and machine-readable format.
- Right to object — You may object to processing based on legitimate interest.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at support@studylo.app. We will respond to your request within thirty (30) days, as required by the GDPR. If we require additional time, we will inform you of the extension and the reasons for the delay.
8.1. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority. In Poland, the relevant authority is:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
uodo.gov.pl
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority (UODO) within seventy-two (72) hours of becoming aware of the breach, as required under Article 33 of the GDPR.
Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, providing information about the nature of the breach and the measures taken or proposed to address it.
10. Cookies and Tracking Technologies
The Service uses essential technologies, including local storage and authentication mechanisms, that are necessary for the operation of the Service. These do not require consent under applicable law.
We use Vercel Analytics for basic, privacy-focused analytics. Vercel Analytics does not use cookies and does not collect personally identifiable information.
We use PostHog for product analytics and session recording. PostHog uses cookies and similar technologies to track user behaviour across sessions. Session recordings capture interactions such as clicks, scrolls, and navigation; form inputs are masked and are not recorded. PostHog data is processed in the European Union. You may opt out of PostHog tracking by contacting us at support@studylo.app.
We do not use third-party advertising trackers or sell data to advertisers.
11. Third-Party Services and Links
The Service may integrate with or contain links to third-party services (such as Google OAuth). These third-party services are governed by their own terms of service and privacy policies. We are not responsible for the practices or content of third-party services, and we encourage you to review their policies before use.
12. Security
We implement reasonable technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted data transmission, secure authentication, and access controls.
However, no method of transmission or storage is completely secure. We cannot guarantee the absolute security of your data.
13. Age Requirements
The Service is intended for users aged sixteen (16) and older, in accordance with Article 8 of the GDPR as implemented in Polish law.
We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have collected data from a user under 16, we will take prompt steps to delete the account and all associated data.
If you are a parent or guardian and believe that your child has created an account, please contact us immediately at support@studylo.app.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. The "Last updated" date at the top of this document will be revised accordingly.
Where changes are material, we will make reasonable efforts to notify you through the Service or via email. Your continued use of the Service after such changes constitutes your acceptance of the revised Privacy Policy.
15. Contact
For privacy-related inquiries, data subject requests, or complaints, please contact:
Email: support@studylo.app
Data Controller: Oleksandr Minzov