Privacy Policy

1.1 Information You Provide

• Account credentials — email address, username, and (if you sign up with email) password
• Name — we collect your name only in limited circumstances:
  • OAuth sign-in — if you sign in using Google or Apple, we receive the name associated with your provider account as part of the OAuth flow. You can update or remove this from your profile at any time. We do not verify and do not require that this name be your real or legal name.
  • Billing — if you make a purchase, our payment processor (Stripe) may collect a billing name as required for payment processing.
  • Email and password sign-up — if you sign up using email and password, we do not collect your name. You may optionally set a display name, which does not need to be your real name.
• University affiliation — automatically derived from your email domain, including university name, region, and academic calendar
• Profile information — profile picture (if you choose to upload one) and display preferences (timezone, language, theme)
• Uploaded content — documents you upload to the Service, such as lecture slides and past examination papers
• Payment information — payment details are collected and processed directly by our payment processor, Stripe. We do not collect or store your credit card number, bank account details, or other direct payment credentials. We receive and store only limited billing metadata (such as your plan and billing period) needed to manage your subscription.

1.2 Information We Collect Automatically

• Device and connection information — IP address, browser type, and device identifiers, used for security and abuse prevention
• Authentication data — login timestamps and account activity used to secure your account
• Usage data — interactions with the Service used to maintain and improve functionality

1.3 Information from Third Parties

• OAuth providers — if you sign in with Google or Apple, we receive your provider account identifier, email address, and the name associated with the provider account. We do not import or store the avatar or profile picture from your OAuth provider; if you wish to have a profile picture on the Service, you must upload one yourself.

We use the information we collect for the following purposes:

• Providing the Service — authenticating your identity, processing your uploaded documents, generating study materials, and managing your subscription
• Document processing — analyzing your uploaded files using OCR and AI services to extract text, equations, and images, and to generate notes, flashcards, quizzes, and study schedules
• Communication — sending verification codes and service-related notifications. We do not send marketing emails.
• Security — protecting your account and the Service through abuse and fraud prevention measures
• Service improvement — monitoring performance and aggregate usage patterns to improve the Service

We do not sell, rent, or trade your personal information. We share data with third-party service providers strictly as necessary to operate the Service:

• AI and OCR processing providers — portions of your uploaded content (extracted text, equations, and image regions) are transmitted to third-party AI and OCR services for document analysis and study material generation. We do not send your original uploaded files to these services. No personal information (name, email, university) is included in processing requests.
• Payment processing — Stripe processes your payments and receives necessary billing information. Stripe's use of your data is governed by the Stripe Privacy Policy.
• Cloud infrastructure providers — we use third-party cloud services for hosting, storage, and related infrastructure
• Email service providers — we use a third-party email service to send transactional emails such as verification codes
• Security providers — we use third-party CAPTCHA services to protect against automated abuse

We may also share information when required by law, legal process, or to protect our rights, safety, or property.

4.1 Our Use of Browser Storage

The Service does not set any cookies. Instead, we use browser storage APIs (localStorage and sessionStorage) for strictly functional purposes:

• localStorage (persists across sessions) — authentication and session tokens, your theme preference, and a cached list of your courses
• sessionStorage (cleared when tab closes) — transient UI state (such as your sidebar position or last visited page) and temporary sign-in data

4.2 Third-Party Cookies and Tracking

While the Service itself sets no cookies, third-party services integrated into the Service may use their own cookies and tracking technologies:

• Google OAuth — when you use Google to sign in, the Google OAuth popup flow may set cookies and apply Google's own tracking practices
• Stripe — when you interact with Stripe's payment components, Stripe may set cookies for fraud prevention and payment authentication

We have no control over cookies or tracking technologies set by these third-party services. Their use is governed by their respective privacy policies.

4.3 What We Do Not Use

We do not use any analytics services (such as Google Analytics, Mixpanel, or similar), tracking pixels, beacons, browser fingerprinting, or advertising or retargeting technologies.

• Account data — retained for as long as your account exists. If your account is deactivated, your data is retained in a deactivated state but is not accessible through the Service.
• Uploaded content and generated materials — retained for as long as the associated course exists in your account. To minimize the amount of original document data we hold:
  • Original uploaded source files (such as lecture slides and past papers) may be automatically deleted after a period of inactivity on the associated course, while the derivative study materials we generated for you (notes, flashcards, quizzes, schedules, and analyses) remain available in your account
  • When you delete a course, both the original uploaded files and the associated generated study materials are deleted from our systems
• Temporary authentication data — verification codes, session state, and similar transient data are automatically deleted after a short period.
• Billing records — retained for as long as your account exists and for a reasonable period thereafter as required for accounting, tax, and dispute resolution purposes.

We implement appropriate technical and organizational security measures to protect your personal information, including encryption of data in transit, secure credential storage, and measures against abuse and intrusion. Your password is stored using industry-standard one-way hashing and is never stored in plaintext.

While we take reasonable steps to protect your information, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

7.1 We Do Not Train AI Models on Your Content

We do not use your uploaded content, generated study materials, or any data derived from them to train, fine-tune, or otherwise improve any machine learning model — neither our own nor any third party's.

7.2 Third-Party AI and OCR Providers

The third-party AI and OCR providers we use to process your documents are engaged under contractual terms that prohibit them from using your content to train their models, where such terms are available.

7.3 No Routine Human Review of Your Content

Your uploaded content and generated study materials are processed by automated systems and are not routinely reviewed by GPAce personnel. Limited access by authorized personnel may occur only:

• To debug a specific issue you have reported to support
• To investigate suspected violations of our Terms of Service
• Where required by law or legal process

7.4 Aggregate and Anonymous Service Metrics

We may calculate aggregate, non-identifying statistics about how the Service is used (for example, the total number of documents processed in a month, average processing time, or error rates) for the purposes of monitoring performance, capacity planning, and improving the Service. These statistics do not identify you, do not include the content of your documents, and are not derived in a way that allows your content to be reconstructed.

• Access and correction — you can view and update your profile information, preferences, and password through the Service at any time
• Content deletion — you may delete individual courses and their associated content through the Service
• Account deletion — to request full account deletion, contact us at support@gpace.ai. Upon deletion, your account data, uploaded files, and generated materials will be removed from our systems, subject to any legal retention requirements.
• Data portability — to request an export of your personal data, contact us at support@gpace.ai

The Service is intended for university students and is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will take steps to delete it.

Your data may be processed in jurisdictions outside your country of residence, including the United States and other regions where our service providers operate. By using the Service, you consent to such transfers. We rely on our service providers' data protection commitments and standard contractual clauses where applicable.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service with a revised “Last Updated” date. Your continued use of the Service after such changes constitutes your acceptance of the updated policy.

If you have questions about this Privacy Policy or our data practices, contact us at: support@gpace.ai