Smart-Edu.ai

Privacy Policy

Last updated: February 17, 2026

§1. Data Controller

The controller of your personal data is the entity listed below. The Controller determines the purposes and means of processing personal data of Smart-Edu.ai Service users.

Ecopywriting.pl Karol Leszczyński

86-221 Papowo Biskupie 119/18, Poland

Tax ID (NIP): 9562203948

REGON: 340627879

kontakt@smart-edu.ai

For matters related to personal data protection, you can contact the Controller at: kontakt@smart-edu.ai.

§2. Definitions

1.Personal Data — any information relating to an identified or identifiable natural person within the meaning of Art. 4(1) GDPR

2.GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation)

3.Service — the Smart-Edu.ai online platform available at https://www.smart-edu.ai

4.User — any natural person using the Service

5.Processing — any operation or set of operations performed on personal data, including collection, recording, storage, modification, disclosure, and erasure

6.Cookies — small text files stored on the User's device while using the Service

7.PUODO — President of the Personal Data Protection Office, the supervisory authority for data protection in Poland

§3. Data We Collect

When using the Service, we collect the following personal data provided by the User:

a)Email address — provided during account registration or Google Sign-In login

b)Name (optional) — provided during registration or retrieved from a Google account

c)Password — stored in encrypted form (bcrypt hash), never in plain text

d)Payment data — processed exclusively by Stripe Inc.; the Controller has no access to full card numbers

e)Order content — paper topics, generation parameters, generated content

Additionally, the Service automatically collects technical data:

a)IP address, browser type, operating system, screen resolution

b)Activity data: visited pages, visit duration, traffic source (collected by Google Analytics 4 after obtaining consent)

c)Google reCAPTCHA verification result (security token, no biometric data)

§4. Purposes and Legal Bases for Processing

We process your personal data for the following purposes, based on the following GDPR provisions:

a)Contract performance (Art. 6(1)(b) GDPR) — account registration and management, order fulfillment, delivery of generated content, payment processing via Stripe

b)Legal obligation (Art. 6(1)(c) GDPR) — maintaining accounting and tax records, handling complaints under Polish consumer law

c)Legitimate interest (Art. 6(1)(f) GDPR) — Service security (reCAPTCHA), abuse detection, pursuing or defending legal claims, contacting Users regarding orders

d)Consent (Art. 6(1)(a) GDPR) — web analytics (Google Analytics 4), marketing and ad personalization (if applicable), newsletter (if applicable)

e)Google Sign-In login — we process data (email, name) received from Google on the basis of contract performance (Art. 6(1)(b) GDPR). Google processes your data according to its own Privacy Policy.

f)Service security — Google reCAPTCHA processes data to protect against bots and abuse based on the Controller's legitimate interest (Art. 6(1)(f) GDPR).

You may withdraw consent for consent-based processing (e.g., analytics cookies) at any time via the cookie banner or Cookie Settings available in the site footer. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.

§5. Cookies and Tracking Technologies

The Service uses cookies and similar technologies to ensure proper operation, analyze traffic, and personalize content.

We use three categories of cookies:

a)Necessary (always active) — provide basic Service functions: login session, language and theme preferences, cookie consent storage. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

b)Analytics (require consent) — Google Analytics 4 (ID: G-T1813ZQY64) collects anonymous usage statistics: visited pages, session duration, traffic source. Cookies: _ga, _ga_T1813ZQY64, _gid, _gat. Legal basis: consent (Art. 6(1)(a) GDPR).

c)Marketing (require consent) — may be set by advertising partners (Google Ads) to build an interest profile. The Service does not currently run active ad campaigns, but this category is required by Google Consent Mode v2. Legal basis: consent (Art. 6(1)(a) GDPR).

On your first visit, we display a cookie banner with options to: accept all, reject optional, or customize preferences. You can change your choice at any time by clicking "Cookie Settings" in the site footer.

You can also manage cookies at the browser level (blocking, deleting). Blocking necessary cookies may limit Service functionality.

§6. Google Consent Mode v2

The Service implements Google Consent Mode version 2, which is a standard required by Google since March 2024 for websites operating in the European Economic Area.

Consent Mode communicates your consent choices directly to Google services via the following signals:

•analytics_storage — controls Google Analytics cookies (_ga, _gid)

•ad_storage — controls Google Ads advertising cookies

•ad_user_data — controls sending user data to Google Ads

•ad_personalization — controls ad personalization

By default, all signals are set to "denied". Only after the User grants consent do the corresponding signals change to "granted". When analytics or marketing cookies are rejected, Google only collects so-called "cookieless pings" — anonymized basic signals without identifiers, used for statistical data modeling.

§7. Data Recipients (Processors)

Your personal data may be shared with the following entities that process them on our behalf or for their own purposes:

a)Stripe, Inc. (USA) — card and BLIK payment processing. Stripe acts as an independent controller of payment data. Privacy Policy: https://stripe.com/privacy

b)Google LLC (USA) — services: Google Analytics 4 (analytics upon consent), Google Sign-In (login), Google reCAPTCHA (abuse protection). Privacy Policy: https://policies.google.com/privacy

c)Amazon Web Services, Inc. (USA/EU) — Service hosting, data storage (AWS S3, CloudFront). Data stored in the EU region (eu-central-1, Frankfurt). Privacy Policy: https://aws.amazon.com/privacy/

d)Anthropic, PBC (USA) — processing order content for AI text generation (Claude model). Anthropic does not retain input data after processing for responses. Privacy Policy: https://www.anthropic.com/privacy

e)Email service provider — sending transactional emails (verification codes, order confirmations)

The Controller does not sell Users' personal data to third parties. Data is shared only to the extent necessary for service delivery.

§8. International Data Transfers

Due to the use of Google, Stripe, Anthropic, and AWS services, your data may be transferred to the United States.

These transfers are safeguarded by the following mechanisms:

a)EU-U.S. Data Privacy Framework (DPF) — Google, Stripe, and AWS are certified under the DPF, which provides a legal basis for data transfer under the European Commission's adequacy decision of July 10, 2023

b)Standard Contractual Clauses (SCC) — used as additional or alternative safeguards for data transfers

c)Data encryption in transit (TLS/HTTPS) and at rest (AES-256) — applied at all stages of processing

The Controller continuously monitors the validity of data transfer mechanisms and will take appropriate action in case of regulatory changes.

§9. Data Retention Periods

We retain your personal data for the period necessary to fulfill the purposes of processing:

a)Account data (email, name) — for the duration of an active account in the Service, plus 30 days after deletion (for reactivation)

b)Order data and generated content — for 12 months from the order fulfillment date, unless legal obligations require longer retention

c)Accounting and tax data — for 5 years from the end of the tax year in which the transaction occurred (in accordance with the Polish Tax Ordinance)

d)Analytics cookie data — according to individual cookie lifespans (from 1 minute to 2 years), deleted upon consent withdrawal

e)Complaint data — for 12 months after complaint resolution

After the retention period expires, data is permanently deleted or anonymized.

§10. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

a)Right of access (Art. 15 GDPR) — you have the right to obtain confirmation of whether we process your data and receive a copy

b)Right to rectification (Art. 16 GDPR) — you have the right to request correction of inaccurate or completion of incomplete data

c)Right to erasure (Art. 17 GDPR) — you have the right to request deletion of your data ("right to be forgotten"), unless there is a legal basis for continued processing

d)Right to restriction of processing (Art. 18 GDPR) — you have the right to request restriction of processing in certain circumstances

e)Right to data portability (Art. 20 GDPR) — you have the right to receive your data in a structured, machine-readable format

f)Right to object (Art. 21 GDPR) — you have the right to object to processing based on the Controller's legitimate interest

g)Right to withdraw consent (Art. 7(3) GDPR) — if processing is based on consent, you may withdraw it at any time, which does not affect the lawfulness of prior processing

To exercise any of these rights, contact the Controller at: kontakt@smart-edu.ai. We will respond to your request without undue delay, within 30 days at the latest.

You also have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl

§11. Data Security

The Controller implements appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or disclosure:

a)Connection encryption — all communication with the Service uses the HTTPS protocol (TLS 1.2+)

b)Password encryption — passwords are stored exclusively in hashed form (bcrypt) and are never stored in plain text

c)Secure infrastructure — the Service is hosted on Amazon Web Services (AWS) in the EU data region (Frankfurt), with data-at-rest encryption (AES-256)

d)Access control — only persons authorized by the Controller have access to personal data, to the extent necessary for their duties

e)Regular updates — Service software is regularly updated to address known security vulnerabilities

Despite applying the highest security standards, no system is 100% resistant to attacks. In case of a personal data breach, the Controller will notify the supervisory authority (PUODO) within 72 hours and Users — if the breach is likely to result in a high risk to their rights and freedoms.

§12. Children's Privacy

The Smart-Edu.ai Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or legal guardian and believe your child has provided us with personal data, please contact us at kontakt@smart-edu.ai, and we will promptly delete such data.

For persons aged 16 to 18 — use of the Service should be carried out with the knowledge and consent of a parent or legal guardian.

§13. Privacy Policy Changes

The Controller reserves the right to amend this Privacy Policy. Changes may result from changes in applicable law, Service functionality developments, or changes in data processing practices.

We will inform Users of material changes at least 14 days in advance via email to the address associated with their account or through a visible notification in the Service.

The current version of the Privacy Policy is always available at https://www.smart-edu.ai/privacy. The date of the last update is indicated at the beginning of the document.

§14. Contact

If you have any questions about this Privacy Policy or the processing of your personal data, please contact the Controller: