Privacy Policy

StudioAI ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your personal data when you use the StudioAI iOS application and related services.

This policy is compliant with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and App Store privacy requirements.

1. Data Controller

The data controller responsible for your personal data is:

• Full name: Francisco Bertero Paz
• Trading as: StudioAI
• Tax ID (NIF): Z0052722B
• Address: C/ Pallars, 194, 08005 Barcelona, Spain
• Email: team@studio-ai.es

StudioAI is operated by Francisco Bertero Paz, an individual based in Barcelona, Spain.

2. Data We Collect

Account & Profile Data

• Email address (required for account creation)
• Display name
• Profile photo (optional, stored in Firebase Storage)
• Native language and target learning language
• Timezone
• Account creation date

Learning Data

• CEFR assessment results and learning paths
• Unit and lesson progress
• Flashcard decks and review history (ratings, intervals, FSRS scheduling state)
• Quiz answers and scores
• Grammar and cloze exercise results
• Study session logs
• Uploaded source materials (PDFs, text, YouTube links)
• AI Tutor conversation memory (stored on-device)

Usage & Analytics Data

• In-app activity events (flashcard reviews, quiz attempts, lesson completions) - used to power FSRS scheduling and personalized recommendations
• Subscription and purchase events (plan tier, trial status)

Technical Data

• Device push notification token (for study reminders)
• App version and build configuration

We do not collect location data, contacts, camera input, microphone input, or browsing history. We do not use your data for advertising or sell it to third parties.

Website Cookies & Tracking

Our website (studio-ai.es) may use functional and analytical cookies to improve your browsing experience and understand how visitors use the site. A cookie consent banner is displayed on your first visit, allowing you to accept or decline non-essential cookies. Full details are available in our Cookie Policy, accessible from the website footer.

3. Legal Basis for Processing (GDPR)

• Contract performance - processing your email and profile to provide the service you signed up for.
• Legitimate interests (Article 6(1)(f) GDPR) - our legitimate interest in improving the reliability, security, and performance of the app, including measuring feature adoption, stability, and session quality. Where possible, we use aggregated and minimized data for this purpose, and we do not use this data for advertising. You have the right to object to processing based on legitimate interests at any time by contacting us at team@studio-ai.es.
• Consent - sending you optional marketing notifications and reminders (you can withdraw at any time in Settings).

4. How We Use Your Data

• To create and maintain your account
• To generate AI-powered flashcards, quizzes, and audio summaries from your uploaded materials
• To run the FSRS spaced-repetition scheduling algorithm on your device
• To deliver study reminders via push notifications (with your permission)
• To manage your subscription through RevenueCat
• To improve the app based on aggregate, anonymized usage patterns

5. Data Sharing and Third-Party Processors

We share data only with the processors necessary to run the service. All processors are bound by data processing agreements and are GDPR-compliant.

• Google Firebase (Auth, Firestore, Storage, Cloud Functions) - authentication, database, file storage, and serverless compute. Google Cloud Data Processing Agreement applies. Firebase Privacy
• Google Vertex AI / Gemini - AI content generation (flashcards, quizzes, audio). Processed server-side only. Your uploaded materials are sent to Vertex AI for processing and are not used to train Google's models under our enterprise agreement.
• RevenueCat - subscription and in-app purchase management. RevenueCat Privacy
• Hugging Face - hosts the on-device AI Tutor model file (downloaded once to your device). No personal data is sent to Hugging Face.
• Apple - Apple Sign In, App Store payments, push notification delivery (APNs).
• Google - Google Sign In (OAuth).

6. On-Device AI Processing

The AI Tutor feature uses a local language model (Gemma) that runs entirely on your device. Conversations with the AI Tutor are processed locally and are never transmitted to our servers or any third party. Only a short memory summary (topic preferences, current level) may be stored in Firestore to personalize future sessions. This summary contains no conversation transcripts or uploaded content - only high-level learning preferences inferred from your usage. It is processed on the legal basis of contract performance (Article 6(1)(b) GDPR), as it is necessary to deliver the personalized learning experience you signed up for. You can delete this summary at any time from Settings → Account → Clear AI Tutor Memory.

7. Data Retention

• Account data - retained while your account is active.
• Learning analytics events - retained for 12 months from creation, then automatically purged.
• Deleted accounts - all associated data (Firestore documents, Storage files) is permanently deleted within 30 days of account deletion.
• Server logs - Cloud Function logs are retained for 30 days in Google Cloud Logging.

8. Your Rights (GDPR & CCPA)

Depending on your jurisdiction, you have the following rights regarding your personal data:

• Right of access - request a copy of your data via Settings → Account → Export My Data, or by contacting us.
• Right to portability - export your account data as JSON from within the app.
• Right to erasure - delete your account and all associated data from Settings → Account → Delete Account.
• Right to rectification - update your profile information in Settings.
• Right to restrict processing - contact us to restrict specific processing activities.
• Right to object - you may object at any time to processing based on legitimate interests by contacting us at team@studio-ai.es. We will review and respond in accordance with applicable law.
• Right to withdraw consent - disable marketing notifications at any time in Settings → Notifications.

Right to lodge a complaint - if you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. If you are located in Spain, the competent authority is:

• Agencia Española de Protección de Datos (AEPD)
• Web: www.aepd.es
• C/ Jorge Juan, 6, 28001 Madrid, Spain

If you are located in another EU member state, you may also contact your local data protection authority.

To exercise any of these rights, contact us at team@studio-ai.es. We will respond within 30 days.

9. Data Security

• All data in transit uses HTTPS/TLS encryption.
• Firestore security rules enforce per-user data isolation - no user can read another user's data.
• Firebase App Check is enabled to prevent unauthorized access to our APIs.
• Sensitive credentials and secrets are stored server-side as environment variables and are never embedded in the app binary. The app may include platform-required public client keys (for example, a RevenueCat public SDK key), which are not authentication secrets.
• Authentication uses industry-standard OAuth 2.0 and cryptographic nonces.

10. Children's Privacy

StudioAI is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at team@studio-ai.es and we will delete it promptly.

11. International Data Transfers

Your data is processed on Google Cloud infrastructure, which may involve transfers to servers in the United States and other countries. These transfers are covered by Google's Standard Contractual Clauses and Data Processing Agreements.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes through the app or by email. Continued use of StudioAI after the effective date constitutes acceptance of the updated policy for processing activities based on contract or legitimate interest. For activities based on consent, we will re-obtain your explicit approval if the changes significantly affect those activities.

13. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following additional rights:

• Right to know - you may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete - you may request deletion of your personal information, subject to certain exceptions.
• Right to non-discrimination - we will not discriminate against you for exercising your CCPA rights.
• Right to opt out of sale - we do not sell your personal information to third parties.

To exercise these rights, contact us at team@studio-ai.es. We will respond within 45 days as required by the CCPA.

14. Contact Us

For privacy inquiries, data requests, or to report a concern:

• Email: team@studio-ai.es