Privacy Policy

Welcome to AskCrates ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.

1. Information We Collect

1.1 Personal Information You Provide

We collect personal information that you voluntarily provide when you:

• Register for our waitlist or create an account
• Use our application or services
• Contact us for support or inquiries
• Subscribe to our newsletter or marketing communications

The personal information we collect may include:

• Contact Information: Name, email address
• Profile Information: Grade level, subjects of interest, learning preferences
• Account Credentials: Username, password (encrypted)
• User Content: Learning materials you upload, questions asked, conversation history

1.2 Information Automatically Collected

When you visit our website or use our services, we automatically collect certain information:

• Usage Data: Pages visited, time spent, features used
• Device Information: Browser type, operating system, device identifiers
• Log Data: IP address, access times, referring URLs
• Cookies and Tracking: See our Cookie Policy for details

2. How We Use Your Information

We use the information we collect for the following purposes:

• To Provide Services: Deliver personalized tutoring and learning assistance, including AI-generated explanations and practice questions based on your inputs and materials
• To Improve Services: Analyze usage patterns to enhance user experience and the quality of AI responses
• To Communicate: Send updates, notifications, and respond to inquiries
• To Ensure Security: Protect against fraud, abuse, and unauthorized access
• To Comply with Legal Obligations: Meet regulatory and legal requirements
• With Your Consent: For any other purpose with your explicit permission

2.1 Use of Artificial Intelligence (AI)

AskCrates uses AWS Bedrock (including Claude and Titan Embeddings) to generate tutoring responses, explanations, summaries, and recommendations based on the questions you ask and the learning materials you provide. All AI processing is performed on AWS infrastructure located in Switzerland (eu-central-2) to ensure data residency and privacy.

• We send only the information necessary for the AI to process a given request (e.g. your prompt, relevant context, excerpts from documents you upload).
• Your data is not used to train AI. The AI provider (AWS Bedrock) does not use your inputs, your uploaded materials, or the AI's outputs to train or improve its models. Your content is processed only to answer your request and is not retained by the provider for model training.
• Your materials are isolated to your account. Only you (and, for child accounts, the linked parent) can access your uploaded materials and the tutoring generated from them. We do not use your content for other users' sessions or for training any AI.
• We do not intentionally send special categories of personal data (e.g. health, biometric, religious, or political information) to AI providers.
• AI-generated outputs are suggestions to support learning. They are not professional advice and are not used to make automated decisions that produce legal or similarly significant effects about you.
• AI systems can occasionally generate incorrect, incomplete, or biased information. We encourage you, parents, and teachers to critically review AI outputs and verify important information with authoritative sources.
• For security, abuse prevention, and quality assurance, we may log prompts and AI responses in a limited way. Where children are involved, we restrict these logs and do not use them for targeted advertising or selling data.

3. Legal Basis for Processing

3.1 European Economic Area and United Kingdom (GDPR/UK GDPR)

If you are located in the EEA or UK, our legal basis for collecting and using your personal information depends on the data and the context:

• Consent: You have given explicit consent for specific purposes
• Contract Performance: Processing is necessary to provide our services
• Legitimate Interests: We have legitimate interests that do not override your rights
• Legal Obligations: We need to comply with legal requirements

3.2 Brazil (LGPD)

If you are located in Brazil, we process your personal data based on legal bases under LGPD: consent, contract performance, legal obligation, legitimate interests, protection of life or physical safety, and credit protection.

3.3 Canada (PIPEDA)

If you are located in Canada, we collect, use, and disclose your personal information in accordance with PIPEDA principles: consent, limited collection, limited use and disclosure, accuracy, and safeguards.

4. How We Share Your Information

4.1 Service Providers

We may share your information with third-party service providers who perform services on our behalf:

• AWS (Amazon Web Services): Cloud infrastructure including Lambda, RDS PostgreSQL, S3, Cognito, and Bedrock for AI processing. All services are located in Switzerland (eu-central-2).
• AWS Bedrock: AI processing for tutoring; data is processed on AWS infrastructure in Switzerland. The provider does not use your data or content to train or improve its models.
• Email (AWS SES): For sending notifications and updates
• Analytics: To understand usage patterns (where applicable and with consent)

These service providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.2 Legal Requirements

We may disclose your information if required by law or in response to valid requests by public authorities (e.g. court orders, subpoenas).

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

5. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission and other legally approved transfer mechanisms.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Data: Retained while your account is active and for a reasonable period afterward
• Waitlist Data: Retained until launch, then converted or deleted per your preference
• Usage Data: Typically retained for 12–24 months for analytics purposes
• Legal Data: Retained as required by applicable laws and regulations

7. Your Privacy Rights

Depending on your location, you may have the following rights:

7.1 European Users (GDPR)

• Access: Request copies of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data (right to be forgotten)
• Restriction: Request limitation of processing
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time

7.2 California Users (CCPA/CPRA)

• Know: Request disclosure of data we collect, use, and share
• Delete: Request deletion of your personal information
• Opt-Out: Opt out of the sale of personal information (we do not sell data)
• Non-Discrimination: Not be discriminated against for exercising your rights

7.3 United Kingdom (UK GDPR)

Your rights under UK GDPR are similar to those under the EU GDPR. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk.

7.4 Brazil (LGPD)

Under LGPD you have rights including: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, deletion, information about sharing, revocation of consent, and review of automated decisions. You may file a complaint with the ANPD: gov.br/anpd.

7.5 Canada (PIPEDA)

You have rights to access, correction, withdraw consent, and file a complaint with the Privacy Commissioner of Canada: priv.gc.ca. We respond in accordance with PIPEDA, typically within 30 days.

7.6 How to Exercise Your Rights

To exercise any of these rights, contact us at support@askcrates.com. We will respond within 30 days (or as required by applicable law).

8. Children's Privacy

Our services are designed for students, which may include users under 18. We comply with applicable laws:

• Under 13 (U.S.): We require verifiable parental consent per COPPA
• Under 16 (EU/UK): We require parental consent per GDPR/UK GDPR
• Under 18 (Brazil): We require parental consent per LGPD
• Under 13 (Canada): We require parental consent per PIPEDA
• 13–15 (U.S.) / 16–17 (EU/UK/Brazil/Canada): May use services with parental awareness

We apply additional care to AI features used by or for children and do not use children's data for behavioral advertising or selling to third parties. Parents/guardians may contact us to review, modify, or delete their child's information.

9. Data Security

We implement appropriate technical and organizational measures:

• Encryption of data in transit and at rest
• Regular security assessments and audits
• Access controls and authentication
• Employee training on data protection
• Incident response procedures

No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience. For detailed information, see our Cookie Policy.

11. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to read their privacy policies.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you by posting the new policy on this page, updating the "Last Updated" date, and for significant changes, sending an email notification. Your continued use after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

AskCrates
Email: info@askcrates.com
Support: support@askcrates.com

14. Data Protection Officer

For users in the EEA, UK, Brazil, or Canada, you may contact our Data Protection Officer at support@askcrates.com.

15. Supervisory Authorities

You have the right to lodge a complaint with your local data protection authority:

• EEA: Your local supervisory authority; list at edpb.europa.eu
• United Kingdom: ICO – ico.org.uk
• Brazil: ANPD – gov.br/anpd
• Canada: priv.gc.ca
• California: CPPA – cppa.ca.gov

16. AI Governance and Responsible Use

We treat AskCrates as a limited-risk educational AI system and align with applicable AI governance frameworks, including the EU Artificial Intelligence Act and the NIST AI Risk Management Framework. We clearly inform users when they are interacting with AI; human oversight is maintained. We rely on AWS Bedrock, which implements strong security and compliance controls (SOC 2, ISO 27001). We do not deploy AI to make automated decisions that produce legal or similarly significant effects about individual users.

17. EU AI Act and U.S. AI Policy Compliance

AskCrates assesses its AI features under the EU AI Act and U.S. frameworks (Executive Order 14110, NIST AI RMF, U.S. AI Bill of Rights). We treat the service as a limited-risk system and apply the required safeguards: transparency and notices, risk management, data governance (minimization, encryption; AWS Bedrock does not use your data for training), human oversight, and record-keeping for cooperation with authorities.