Privacy Policy

Last updated: 6 April 2026

1. Who we are

Curiosity ("we", "us", "our") is an adaptive learning platform. This policy explains how we collect, use, store, and protect your personal data in compliance with the UK GDPR and EU General Data Protection Regulation (GDPR).

2. What data we collect

Data | Purpose | Lawful basis
Email address | Account creation, login, verification | Contract
Display name | Personalisation | Contract
Learning topics (what you type) | Generate lessons, adapt to your knowledge | Contract
Quiz answers & timing | Assess knowledge, difficulty calibration | Contract
Knowledge mastery scores | Adaptive lesson generation, spaced repetition | Contract
OAuth provider ID & avatar | Social login | Contract
Session cookie | Keep you logged in | Legitimate interest
Uploaded notes / handouts (Pro BYOL feature) | Ground lesson generation in your own material | Contract

We do not collect IP addresses for tracking, use advertising cookies, or sell your data.

3. How we use AI

Your learning topics and quiz responses are sent to large language model (LLM) providers (currently Google Gemini and OpenAI) to generate personalised lessons and quizzes. We send the minimum data necessary: your topic title and knowledge scores. We do not send your email, name, or other personally identifiable information to LLM providers.

Uploaded notes (BYOL): if you upload a document as a Pro user, the extracted text is sent to the same LLM providers solely to generate your lesson. The file itself is stored encrypted-at-rest on our hosting provider (Railway), accessible only to the generator service. We do not train models on your uploads, do not share them with third parties beyond the LLM provider, and you can delete them at any time from your uploads page.

4. Data sharing

We do not sell, rent, or share your personal data with any third party except:

  • LLM providers (Google, OpenAI), to generate educational content, as described above.
  • OAuth providers (Google, Microsoft, Apple), only during login, and only the data they return (email, name, avatar).
  • Law enforcement, if legally compelled by a valid court order.

5. Data retention

  • Your account and learning data are kept for as long as your account is active.
  • If you request deletion, all data is permanently erased within 30 days.
  • Server logs containing request metadata are retained for a maximum of 90 days.

6. Your rights (GDPR Articles 15-22)

You have the right to:

  • Access your data: download a full export from Account Settings.
  • Rectify inaccurate data: update your profile or contact us.
  • Erase your data: request deletion from Account Settings.
  • Restrict processing: contact us to pause data processing while we resolve a dispute.
  • Data portability: your export is in machine-readable JSON format.
  • Object: contact us to object to any processing based on legitimate interest.
  • Withdraw consent: at any time, without affecting the lawfulness of prior processing.

7. Security

We protect your data with:

  • HTTPS encryption in transit (HSTS enforced)
  • Passwords hashed with PBKDF2-SHA256 (260,000 iterations)
  • HttpOnly, Secure, SameSite session cookies
  • CSRF token protection on all forms
  • Rate limiting on authentication endpoints
  • Content Security Policy (CSP) headers

8. Children

Curiosity is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us.

9. Changes to this policy

We will notify registered users by email of material changes. The "last updated" date at the top reflects the latest revision.

10. Contact

For any privacy-related questions or to exercise your rights, email us at privacy@curiositybyade.com or use the feedback form.
