Table of Contents
- 1. Data Controller
- 2. Data Protection Contact
- 3. Purposes & Legal Bases of Processing
- 4. Categories of Personal Data
- 5. Recipients of Personal Data
- 6. International Transfers
- 7. Data Retention Periods
- 8. Your Rights Under GDPR
- 9. Right to Lodge a Complaint
- 10. Automated Decision-Making
- 11. Source of Data
1. Data Controller
The controller of your personal data within the meaning of Article 4(7) GDPR is:
[COMPANY LEGAL NAME]
[REGISTERED ADDRESS – STREET, CITY, POSTAL CODE]
[COUNTRY]
[COMPANY REGISTRATION NUMBER – if applicable]
Email: testonai.tech@gmail.com
Website: www.testonai.com
2. Data Protection Contact
For all matters related to the protection of your personal data, you may contact us directly:
Email: testonai.tech@gmail.com
Subject line: "Data Protection / GDPR Request"
3. Purposes & Legal Bases of Processing
We process your personal data for the following purposes:
4. Categories of Personal Data
We process the following categories of personal data:
| Category | Specific Data |
|---|---|
| Identity Data | Email address, display name, profile avatar, Google account ID (if Google Sign-In used) |
| Authentication Data | Password hash, session tokens, OAuth tokens |
| Educational Profile Data | Institution, degree, year of study (optional, self-provided) |
| Financial Data | Subscription status and plan, Stripe Customer ID, AI Credit balance, transaction history |
| User-Generated Content | Projects, questions, answers, flashcards, test results, notes, AI-generated content saved by the user |
| Technical & Usage Data | IP address, browser type, device type, pages visited, feature usage, session duration, error logs |
| Preference Data | Interface theme setting |
| Multiplayer Data | Room participation records, in-session scores, session IDs |
We do not process special categories of personal data (Art. 9 GDPR) such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data.
5. Recipients of Personal Data
Your personal data may be shared with the following categories of recipients, each acting as data processor under a Data Processing Agreement:
| Recipient | Role | Data Shared |
|---|---|---|
| Supabase, Inc. | Database & authentication provider | All stored personal data (account, content, session tokens) |
| Stripe, Inc. | Payment processor | Email, payment data, subscription data |
| Vercel, Inc. | Web hosting provider | IP address, request logs (via edge network) |
| Cloudflare, Inc. | Edge compute & CDN | IP address, request data processed at the edge |
| OpenRouter AI, Inc. | AI model routing | Content you submit to AI generation features |
| Google LLC | OAuth provider (optional) | Name, email, Google ID (only if Google Sign-In is used) |
We do not disclose personal data to any other third parties, except where required by law (e.g., court orders or regulatory requests), in which case we will notify you where permitted by law.
6. International Transfers
All of the processors listed in Section 5 are headquartered in the United States. Transfers of personal data from the European Economic Area (EEA) to the United States are carried out under the following safeguards in accordance with GDPR Chapter V:
- Standard Contractual Clauses (SCCs) — adopted by the European Commission under Decision 2021/914, incorporated into each Data Processing Agreement;
- EU-US Data Privacy Framework — where the recipient is certified under this framework.
You may obtain a copy of the applicable transfer safeguards by contacting us at testonai.tech@gmail.com.
7. Data Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data & User Content | Duration of account + 30 days after deletion request | Art. 6(1)(b) |
| Payment & billing records | 5 years from transaction date | Art. 6(1)(c) — legal obligation |
| Server access logs | Up to 90 days | Art. 6(1)(f) |
| Multiplayer session data | Session duration only (up to 24 hours) | Art. 6(1)(b) |
| AI generation inputs & outputs (saved) | Until user deletes or account is deleted | Art. 6(1)(b) |
| Marketing consent records | Until withdrawal of consent + 1 year | Art. 6(1)(a) — consent accountability |
| Legal claim records | Duration of limitation period (varies by jurisdiction; typically 3–6 years) | Art. 6(1)(f) |
After the applicable retention period, personal data is permanently deleted or anonymised so that it can no longer be linked to an individual.
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
- Art. 15 — Right of access: Obtain confirmation of whether we process your data and receive a copy.
- Art. 16 — Right to rectification: Have inaccurate or incomplete data corrected.
- Art. 17 — Right to erasure ("right to be forgotten"): Request deletion of your data, subject to legal retention requirements.
- Art. 18 — Right to restriction: Request that we restrict processing of your data in certain circumstances.
- Art. 20 — Right to data portability: Receive your data in a structured, commonly used, machine-readable format (e.g., JSON), and transmit it to another controller.
- Art. 21 — Right to object: Object to processing based on legitimate interests (Art. 6(1)(f)) or to direct marketing. We must stop processing unless we demonstrate compelling legitimate grounds.
- Art. 7(3) — Right to withdraw consent: Withdraw consent at any time where processing is consent-based. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, please contact us at testonai.tech@gmail.com with the subject line "GDPR Right Request". We will respond within one month (extendable by two months in complex cases, with notification). We may ask you to verify your identity.
Exercising your rights is free of charge. We may charge a reasonable administrative fee only for manifestly unfounded or excessive requests.
9. Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority — in particular, in the Member State of your habitual residence, place of work, or place of the alleged infringement — if you believe that the processing of your personal data infringes the GDPR (Art. 77 GDPR).
The lead supervisory authority for TestOn AI (based on the controller's establishment) is:
If the controller is established in Poland:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: uodo.gov.pl
Email: kancelaria@uodo.gov.pl
You may also contact the supervisory authority in your own country of residence or work.
10. Automated Decision-Making
We do not engage in automated individual decision-making or profiling within the meaning of Article 22 GDPR — that is, we make no decisions based solely on automated processing that produce legal effects or similarly significantly affect you.
AI features within the Service generate educational content based on your inputs; however, this is a tool that generates suggestions for your review and does not make autonomous decisions about you.
11. Source of Data
The personal data we hold about you is collected directly from you in the following ways:
- Registration: When you create an account (email, password, optional profile information);
- Service use: Content you create, actions you take, and preferences you set within the platform;
- Payments: When you subscribe or purchase Credit Packs (via Stripe);
- Google Sign-In: When you choose to authenticate via Google OAuth;
- Automatic collection: Technical data (IP address, browser, device) collected automatically when you access the platform.
We do not obtain personal data about you from third-party data brokers or other indirect sources.
Contact
TestOn AI – Data Protection
Email: testonai.tech@gmail.com
Website: www.testonai.com
App: www.testonai.online
Address: [COMPANY ADDRESS – TO BE COMPLETED]