Privacy Policy

Introduction

Artificially Educated Ltd (“we” or “us”) is committed to protecting your personal data. This Data Policy applies to our website AnalyticalMind.ai (the “Services”). It explains what data we collect, how we use and protect it, and your rights. We adhere to the EU/UK General Data Protection Regulation (GDPR) for users in the UK, EU, and apply the same high standards of privacy to all users, including those in the US. We do not sell your personal data, and we only share it with third parties as needed to provide our Services, as outlined below.

Legal Basis for Processing Personal Data

Under GDPR, we must have a lawful basis to process your personal data. We only process data where at least one of the following legal bases applies (GDPR Article 6(1): consent, contract necessity, legal obligation, or legitimate interests). Below we detail the types of data we collect and the legal basis for each:

• User Account Details (email address, username, password): We collect these to create and maintain your account, allow login, and provide you with our Services. Legal Basis: Performance of a contract – this processing is necessary to deliver the service you signed up for (GDPR Art. 6(1)(b)). We also have a legitimate interest in securely storing passwords (hashed) and managing user accounts (Art. 6(1)(f)).
• Study Progress Tracking (optional): If you choose to enable study progress tracking in your settings, we will record your study activities (e.g. completed lessons, quiz scores) to help you monitor your progress. This feature is off by default and only activated with your explicit opt-in. Legal Basis: Consent – we will process your study progress data only with your consent (GDPR Art. 6(1)(a)). You can enable or disable this feature at any time in your account settings, and withdrawing consent will stop further tracking.
• AI Interactions (Q&A with our AI tutor): When you interact with our AI (e.g. ask questions or get explanations), your queries are processed by (OpenAI’s API or Gemini’s API) to generate responses. We do not include any personal identifiers in these AI requests, and we design the system so you shouldn’t need to submit personal data for study questions. These AI query data are handled anonymously – they are not linked to your name or contact details. Legal Basis: Performance of a contract – processing your questions is necessary to provide the core AI tutoring service you requested (Art. 6(1)(b)). Additionally, we have a legitimate interest in improving our AI service (e.g. analyzing anonymized Q&A logs to enhance answer quality) (Art. 6(1)(f)). (Note: OpenAI and Gemini do not use API-submitted data to train its models by default and we do not allow OpenAI or Gemini to use your queries for their purposes. They may retain API request data for a short period for abuse monitoring, but it is not used to improve their model.) Importantly, no personally identifiable data is sent to OpenAI in these interactions.
• Payments (subscriptions or purchases): Paid features of our Services are processed via Stripe. When you make a payment, you will provide your payment details (credit card number, billing info) directly to Stripe on their secure checkout. We do not receive or store your full financial information (like credit card numbers). Stripe simply notifies us of the payment status so we can activate your membership. Legal Basis: Performance of a contract – processing payments is necessary to fulfill our service contract with you for paid services (Art. 6(1)(b)). We also have a legal obligation to maintain basic transaction records for accounting and tax purposes (Art. 6(1)(c)). Any financial information is handled by Stripe in accordance with their privacy policy; we only retain records of your transactions (e.g. the fact that you paid and for what) but not your card details.
• Customer Support Queries: If you contact us for help (e.g. via email or support ticket), we will collect the information you provide (such as your email address and the details of your query). We use this data solely to assist you and resolve your issue, and to improve our customer support services. Legal Basis: Legitimate interests – it is in both your and our interest to use your data to respond to your inquiries and ensure the Service is working properly. In some cases, responding to support requests may also be necessary for the performance of our contract with you (if your query relates to the service we owe you). We will not use support query data for any purpose unrelated to assisting you, except for internal training or quality assurance as described in the retention section below.

Data Retention Policies

We retain personal data only for as long as necessary to fulfill the purposes described above, in accordance with the GDPR’s storage limitation principle (personal data should be kept no longer than needed). Below are our retention practices for different data types:

• Account Data: If you decide to delete your account, we will initiate a two-step deletion process. First, upon your deletion request, your account is deactivated. We retain your account data for a grace period of one month (30 days) after account deletion. After this period, all personal data associated with your account (email, username, study progress, etc.) is permanently erased from our active databases. This brief retention period is to accommodate any accidental deletions or final account reconciliation, and is consistent with data privacy best practices (many services allow a 30-day reactivation window before full erasure). Once deleted, the data is gone forever and cannot be recovered. (Back-up copies may persist briefly beyond this period but are also purged within a reasonable timeframe.)
• Study Progress Data: Any optional study tracking data you consent to record (e.g. your quiz scores, progress indicators) is kept for as long as you maintain an active account and continue to want this feature. You have control to clear or reset your study progress from your settings at any time. If you withdraw consent for tracking or delete your account, this data will be deleted in line with the account deletion timeline above. We do not retain detailed study progress records after account deletion or after you disable the tracking feature.
• AI Interaction Logs: We aim to keep AI interaction data only ephemerally. The content of your AI Q&A sessions is not stored to your profile by default (aside from temporary caching to stream your answers). Internally, we may retain anonymized logs of AI queries (with no user identifiers) for a short duration (typically no more than 30 days) for debugging and to monitor the service’s accuracy. After this period, these Q&A logs are deleted or irreversibly de-identified. In summary, there is no long-term storage of personal AI conversation data on our systems.
• Customer Support Tickets: Support queries (emails or tickets via our support platform) are retained for a limited time. We keep support communications for up to 1 month after resolving your issue. This allows us to review queries for training our support staff and to ensure we resolved your issue satisfactorily or to follow up if needed. We also may retain them briefly for security purposes (e.g. to investigate misuse of our support channels or repeated issues). After this retention period, support tickets and emails are securely deleted from our support system (or anonymized, if we need to keep aggregate stats). We continually review our need for older support records and purge anything no longer required. We will not keep support correspondence longer than necessary to serve these purposes.
• Payment Records: We do not store payment card details. Stripe, our payment processor, retains payment information according to their legal obligations. We retain basic transaction information (e.g. that a payment occurred on a certain date, for a certain subscription) for our financial records. By law, we may need to keep invoice or transaction data for a certain period (e.g. UK tax law may require retaining records for 6 years). Such financial records will typically be kept for at least the legally required duration and then deleted or anonymized. These records do not include your card number or bank details, only account identification and payment amount/date.

Note: After the final deletion of data from our live systems, it may take up to a further 7 days to be removed from all backups. During this period, we ensure the data is isolated and not used for any purpose, and then it is overwritten or deleted in backups as well.

Cookie Policy

Cookies are small text files placed on your device to make websites work or function more efficiently. We believe in being transparent about our use of cookies. In summary, we use minimal, necessary cookies and no tracking/advertising cookies on AnalyticalMind.ai.

• Essential Cookies (Functional): Our Services use a few essential cookies that are necessary for the site’s operation and security. For example, if you log into your account, our system will set an authentication cookie to keep you logged in as you navigate the site. This cookie might be a session identifier or token stored on your browser. Additionally, our hosting infrastructure (Amazon Web Services) may issue a cookie such as AWSALB or AWSELB to manage load balancing and ensure your requests are consistently served by the same server. These cookies are considered “functional” or “strictly necessary” – they do not track you across sites and contain no personal information beyond a random ID or your session info. They typically expire after a short time (e.g., end of your session or a set duration) and cannot be opted out of if you wish to use the site, since they are needed for basic functionality (e.g., maintaining your login or routing your requests correctly).
• Preference Cookies: At present, we do not use any cookies to remember user preferences (aside from the essential session cookies mentioned). If in the future we implement a cookie to save a preference (for example, a cookie to remember if you opted into study tracking, or to remember a UI theme), we will update this policy to disclose it. Any such cookie would only be used to enhance your experience and would not be used for advertising or sharing data.
• Analytics and Tracking Cookies: We do not use any third-party analytics or advertising cookies on our websites. This means we are not placing Google Analytics, Facebook pixels, or similar tracking technologies that follow you across other sites. Your usage of our Service is not profiled or tracked for marketing purposes. We may use server-side analytics or aggregate logs to understand usage (e.g., number of users, popular pages), but this does not involve storing tracking cookies on your device. If in the future we decide to introduce an analytics tool that uses cookies, we will do so in compliance with applicable laws (e.g., obtaining consent if required) and update our Cookie Policy accordingly.
• AWS Cookies Disclosure: Aside from the AWS load balancer cookie (AWSALB/AWSELB) and possibly related AWS security cookies, AWS does not set any additional cookies by default for our sites. We host our content on AWS servers, but this by itself doesn’t place cookies on your browser, except as needed for session routing as noted. We confirm that no AWS or application cookies are used for tracking user behavior beyond what’s needed to deliver the content and keep you logged in. All cookies we use are first-party (belonging to our domain) and not shared with third parties.

For users in the UK/EU: Because we do not use non-essential cookies, we do not present a cookie consent banner. If this changes, we will implement a consent mechanism as required by law. You can control cookies through your browser settings – you may delete or block cookies, but note that doing so might disable certain essential features (like staying logged in). Our sites will still function for logged-out browsing without cookies.

User Rights & Data Access Requests

As a user of our Services and as a data subject under GDPR (for UK/EU users), you have a number of important rights regarding your personal data. We are committed to honoring these rights for all users, even if you are outside the GDPR’s jurisdiction (e.g., US users will also be provided similar access and control over their data). Your key rights include:

• Right to Access: You have the right to request a copy of the personal data we hold about you (this is known as a Subject Access Request or “SAR”). Upon request, we will provide you with a comprehensive report of your data in a common electronic format (primarily CSV files for structured data). This will include data such as your account information, any study progress records, logs of your AI interactions (if stored), your support ticket correspondence, mentor Q&A history, and any other personal data linked to your account. We will provide this information free of charge and within one month of your request as mandated by GDPR. (If a request is particularly complex or numerous, GDPR allows an extension of up to two additional months, but we will inform you within the first month if an extension is needed. In most cases, we expect to fulfill requests well within 30 days.) To make an access request, please contact us using the contact information in the last section of this policy. We will need to verify your identity before releasing data (to protect your privacy). The data will typically be delivered via email as CSV attachments or via a secure download link.
• Right to Rectification: If any of your personal data we hold is inaccurate or incomplete, you have the right to have it corrected. You can contact us and we will promptly rectify our records.
• Right to Erasure (“Right to be Forgotten”): You have the right to request deletion of your personal data. This includes the ability to delete your account via our website interface; when you do so, we follow the deletion process described in the Data Retention section (a secure erasure after a 30-day grace period). You can also specifically request that we delete certain data (for example, if you don’t want to use the service anymore but forgot your login, you can email us to remove your account). We will comply with erasure requests so long as the data is not required to be kept for legal obligations. Once your data is fully deleted, we will also notify any third-party processors (e.g. Stripe) to delete data they hold on our behalf where applicable. We will confirm to you when the deletion is completed.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format (and to have us transmit it to another controller at your request, if technically feasible). The CSV format we provide for access requests is a portable format. This right mainly applies to data you provided to us directly and that we process by automated means based on consent or contract. We interpret this to include things like your account details and study progress data. If you need assistance porting your data to another service, let us know and we will do our best to help.
• Right to Object: You may object to our processing of your personal data in certain situations. For example, you have an absolute right to stop your data from being used for direct marketing. (Note: We currently do not send any marketing emails or use your data for marketing without consent.) You may also object if you feel our legitimate interests in processing (see Section 2) are overridden by your fundamental rights. If you object, we will review and unless we have a compelling legitimate ground to continue, or a legal requirement, we will cease the processing in question. For instance, if you object to us retaining anonymized AI logs, we will stop including your interactions in any logging.
• Right to Restriction: You can ask us to temporarily restrict processing of your data in certain circumstances – for example, while a data correction request is pending or if you have objected to processing and we are evaluating it. During restriction, we will just store your data securely and not use it.
• Right to Withdraw Consent: Where we rely on your consent to process data (such as for study progress tracking or marketing communications, if any), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we did before withdrawal. If you withdraw consent for study tracking, we will stop collecting your study progress going forward. If you withdraw consent for a newsletter (if we have one), we will stop sending it. There are no penalties or loss of core service for withdrawing consent for optional features.
• Right to Non-Discrimination: (For US/California users) Although not required under GDPR, we assure users that if you exercise any of the above rights, we will not discriminate against you (e.g. we won’t deny you services or charge different prices just because you exercised your privacy rights). We provide equal service to all users regardless of privacy preferences.
• Right to Lodge a Complaint: If you have concerns about how we are handling your personal data, you have the right to lodge a complaint with a supervisory authority. If you are in the UK, our lead supervisory authority is the UK Information Commissioner’s Office (ICO). If you are in the EU, you can contact your local Data Protection Authority. We would, however, appreciate the chance to address your concerns directly first – we are committed to resolving any privacy issues in a fair and transparent manner.

How to Exercise Your Rights: To exercise any of your rights or to make a data access request, please contact us at privacy@artificiallyeducated.com (our dedicated privacy contact email). You may also write to us at our postal address (provided in the Contact section below). We may ask you to verify your identity (to ensure we don’t disclose data to the wrong person). We will respond to your request without undue delay and in any event within one month of receipt. If for some reason we cannot fulfill your request (e.g., a legal requirement prevents us from deleting certain data), we will explain the reasons to you. All information and actions we provide for your requests are generally free of charge, as required by law. Only if a request is manifestly unfounded or excessive might we charge a reasonable fee or refuse, in which case we would justify our decision.

Third-Party Processors & Data Sharing

We treat your personal data as confidential and will never sell it. We only share your data with third parties to the minimum extent necessary to operate our Services or as required by law. The third parties we use are all bound by privacy obligations (either under our contracts with them as “processors” or as independent “controllers” under their own legal compliance). Below is a list of the third-party services we use, what data is shared, and why:

• Amazon Web Services (AWS) – Hosting Provider: We host our websites and databases on AWS infrastructure. This means that any data you provide to us (your account info, content, etc.) is stored on AWS cloud servers. AWS acts as our data processor for storage and cloud services. AWS may technically have access to the data for support or maintenance, but they do not use your data for any purpose except to keep it hosted and accessible to us. We rely on AWS’s robust security measures to protect your data at rest and in transit. Our servers are currently located in the US East (N. Virginia) region (we use AWS us-east-1). AWS may set necessary cookies as noted in the Cookie Policy (e.g. for load balancing) but no tracking is done by AWS. For more information, you can refer to AWS’s GDPR-compliance and privacy practices on their website.
• OpenAI – AI Functionality: OpenAI, based in the United States, provides an AI model that powers our AI tutor. When you ask a question to our AI, the query is sent to OpenAI’s API and a response is returned. OpenAI is effectively a data processor for these query interactions. Importantly, we do not send any data that directly identifies you to OpenAI – the requests are just the question content (which you should phrase generally, without personal info). OpenAI processes the text to generate an answer and does not know who you are. According to OpenAI’s API data usage policies, they do not use API data to train their models or for other purposes without consent. No data is stored long-term by OpenAI on our behalf; they may retain logs briefly for monitoring abuse, but these logs are purged according to their policies. In summary, using the AI feature will share the content of your question (which ideally contains no personal data) with OpenAI’s servers to get you an answer. We have taken steps to anonymize requests and limit data sharing to this purpose only.
• Google (Gemini) – AI Functionality: Google, based in the United States, provides an AI model that powers our AI tutor. When you ask a question to our AI, the query is sent to Google’s API and a response is returned. Google is effectively a data processor for these query interactions. Importantly, we do not send any data that directly identifies you to Google – the requests are just the question content (which you should phrase generally, without personal info). Google processes the text to generate an answer and does not know who you are. According to Google’s API data usage policies, they do not use paid API data to train their models or for other purposes without consent. No data is stored long-term by Google on our behalf; they may retain logs briefly for monitoring abuse, but these logs are purged according to their policies. In summary, using the AI feature will share the content of your question (which ideally contains no personal data) with Google’s servers to get you an answer. We have taken steps to anonymize requests and limit data sharing to this purpose only.
• Stripe – Payment Processing: We use Stripe, Inc. for secure payment processing. When you enter payment details (such as credit card information) to purchase a subscription or service, you are actually interacting directly with Stripe’s system via an embedded form or redirect. The payment data you provide on checkout is sent straight to Stripe – not through our servers. Stripe is a PCI-DSS compliant payment processor and acts as an independent controller of your payment data for the transaction (they have legal obligations for fraud prevention, etc.). Stripe then provides us with the outcome (success/failure) and basic transaction info. We may store a Stripe customer ID or subscription ID to manage your subscription status, and possibly the last four digits of your card or card type for your reference (e.g., “Visa ending in 1234”) – but we never see your full card number or CVV. We also do not store your billing address except perhaps country for tax calculation. Stripe is headquartered in the US; for EU/UK users, Stripe’s European subsidiary (Stripe Payments Europe, Ltd.) and its compliance with GDPR means your data is adequately protected. Stripe may transfer data to the US under approved transfer mechanisms. You can read Stripe’s Privacy Policy for more details. In summary, financial data is handled by Stripe, and we only retain what is necessary to record that a payment happened. We do not share your personal data with Stripe beyond what is needed to process the payment (which generally means your email/username to associate the payment and any info you enter into the payment form).
• ProtonMail – Email Service Provider: Our company email is operated through ProtonMail (Proton AG), a secure email service based in Switzerland. ProtonMail acts as a data processor for our email communications. If you email us at our support or privacy contact addresses, your email is received on ProtonMail’s servers. ProtonMail provides end-to-end encryption for mails between ProtonMail users and encrypts emails at rest on their servers. While ProtonMail will necessarily process email metadata (like sender, recipient, date, and subject) to transmit messages, they cannot access the content of messages that are stored encrypted (and any messages you send unencrypted via regular email are secured on their server through encryption as well). ProtonMail’s infrastructure is in Switzerland, which has data protection laws deemed adequate under the GDPR. We use ProtonMail to ensure that even our email communications with you have a high level of privacy and security. ProtonMail will not read or share your emails; it merely stores and transmits them for us. If you prefer not to communicate via email, you can always use an alternative method to exercise your rights (though email is generally the fastest). By contacting us via email, you understand that the content will be processed by ProtonMail as our provider. We have ensured this arrangement complies with GDPR (ProtonMail’s terms include relevant data protection provisions).

Apart from the parties above, we will not share your personal data with third parties unless one of the following circumstances applies: (1) With your explicit consent: If you ask us to share data with a third party or consent to a specific sharing (this will be clear and on a case-by-case basis). (2) Legal Requirements: If we are compelled by a valid legal order (e.g. a court order, or law enforcement request backed by law) to disclose certain data, we may be obligated to comply. In such cases, we will only provide the minimum data necessary and, if permitted, we will inform you of the request. (3) Business Transfers: In the event of a merger, acquisition, or sale of the company (all or part of it), your personal data might be transferred to the new owner or partner. If that happens, we will ensure the new entity is bound by this privacy policy or a policy providing at least equivalent protection, and we will notify you of any change in data control and give you an opportunity to opt out of the data transfer if applicable.

International Data Transfers: As a UK-based company, we primarily store data in the UK. However, some of our processors are outside these regions (e.g., AWS, OpenAI, Google and Stripe in the US, ProtonMail in Switzerland). Whenever we transfer personal data out of the UK/EEA, we ensure appropriate safeguards are in place in line with GDPR Chapter V. This may include using services in countries with an adequacy decision by the European Commission (Switzerland is considered to have adequate protection). Our payment and email providers likewise have GDPR-compliant transfer mechanisms. We are happy to provide more details on these safeguards upon request. Our goal is to ensure your data enjoys a high level of protection no matter where it is processed.

Data Security

We take the security of your data seriously. We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include: encryption of data in transit (HTTPS on our websites and encryption for API calls to Google, OpenAI and Stripe), encryption at rest (our databases and ProtonMail storage are encrypted), access controls (only authorized staff and mentors have access to the necessary data, and they are trained in confidentiality), and routine security audits and updates. Passwords are stored using strong one-way hashing and not in plain text. We also monitor for suspicious activity and have incident response plans. While no system is 100% secure, we follow industry best practices to minimize risks. If a data breach ever were to occur that affects your personal data, we will notify you and the relevant authorities as required by law.

Changes to This Policy

We may update this Data Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify users by posting a prominent notice on our sites or via email. The “Last Updated” date at the top will always indicate the latest revision. We encourage you to review this policy periodically to stay informed about how we are protecting your information. If you continue to use the Services after a change, it will signify acceptance of the updated terms, where permissible. For significant changes (especially any that would require fresh consent under GDPR), we will seek your consent if and as required.

Contact Us

If you have any questions, concerns, or requests regarding this Data Policy or your personal data, please do not hesitate to contact us:

• Email: privacy@artificiallyeducated.com
• Postal Mail: Data Protection Officer, Artificially Educated Ltd, Maidstone, Kent, United Kingdom. (Please include “Data Subject Request” or “Privacy Inquiry” in your correspondence for faster handling.)

Artificially Educated Ltd is the data controller responsible for processing your personal data for the Services. Our company is registered in England and Wales (Company No. 16183501). For users in the UK/EU, you may also contact our representative at the above contact details.

We are committed to protecting your privacy and upholding your rights. Thank you for trusting us with your learning journey – we will continue to ensure that your personal data remains secure and used only in ways that you have been informed of and agreed to.