Privacy Policy
Last updated: March 28, 2026
This Privacy Policy explains how CaptoLearn (“we”, “our”, or “us”), operated by Bytes Forge, collects, uses, and protects your personal data when you use our platform at captolearn.app.
1. Who We Are
CaptoLearn is an AI-powered study tool developed by Bytes Forge. We are the data controller for personal data collected through this platform. If you have any questions about this policy or your data, contact us at support@captolearn.com.
2. Data We Collect
We collect the following categories of personal data:
- Account data — your email address and hashed password when you register.
- Profile data — optional display name and avatar you provide in settings.
- Study content — images, text, flashcards, quiz attempts, and other study material you upload or generate.
- Usage data — pages visited, features used, session duration, and device/browser metadata collected via Google Analytics.
- Payment data — billing information processed by our payment provider (Paddle). We never store raw card details on our servers.
- Cookie data — authentication session cookies and, with your consent, analytics cookies (see Section 7).
3. How We Use Your Data
We use your data to:
- Provide and operate the CaptoLearn service.
- Authenticate your account and keep sessions secure.
- Generate AI-powered study tools from your uploaded material.
- Process subscription payments and send billing receipts.
- Send transactional emails (email verification, password reset, billing receipts).
- Analyse platform usage to improve features (only with your consent for analytics cookies).
- Comply with legal obligations.
We do not sell your personal data to third parties, and we do not use your study content to train AI models without your explicit consent.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process your data under the following legal bases:
Contract
Processing necessary to provide the service you signed up for (account, study tools, payments).
Legitimate interests
Security monitoring, fraud prevention, and service improvement.
Consent
Analytics cookies and optional data use for app enhancement — you can withdraw consent at any time.
Legal obligation
Compliance with applicable tax, financial, or regulatory requirements.
5. Data Sharing & Third Parties
We share your data only with trusted processors required to run the service:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Authentication & database | EU / US |
| Anthropic / OpenAI | AI content generation | US |
| Paddle | Payment processing | UK / US |
| Google Analytics | Usage analytics (with consent) | US |
| Neon | Serverless database hosting | US |
All processors are bound by data processing agreements that require them to protect your data in accordance with applicable law.
6. Data Retention
We retain your personal data for as long as your account is active, or as needed to provide the service. You can set a custom data retention period in your privacy settings. When you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or financial obligations (typically up to 7 years for financial records).
7. Cookies
We use the following types of cookies:
Strictly necessary
Session and authentication cookies required for the service to function. These cannot be disabled.
Analytics
Google Analytics cookies that help us understand how users interact with the platform. Only set with your consent.
You can manage your cookie preferences at any time using the cookie consent banner or by contacting us.
8. Your Rights
Under GDPR (and similar laws), you have the following rights regarding your personal data:
Access
Request a copy of the data we hold about you.
Rectification
Correct inaccurate or incomplete data.
Erasure
Request deletion of your personal data ("right to be forgotten").
Portability
Receive your data in a machine-readable format.
Restriction
Ask us to stop processing your data in certain circumstances.
Objection
Object to processing based on legitimate interests.
Withdraw consent
Revoke analytics consent at any time without affecting prior processing.
Complaint
Lodge a complaint with your local data protection authority.
To exercise any of these rights, email us at support@captolearn.com. We will respond within 30 days.
9. International Transfers
Some of our processors are based in the United States. Where we transfer personal data outside the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of protection.
10. Children's Privacy
CaptoLearn is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.
11. Security
We use industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, and Supabase Row-Level Security (RLS) to ensure your data can only be accessed by you. We conduct regular security reviews and promptly address any vulnerabilities discovered.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
13. Contact & DPO
For any privacy-related questions or to exercise your rights, contact us at:
© 2026 CaptoLearn. All rights reserved.