Effective date: 2026-02-08
This Privacy Policy explains, in plain language, how How to Learn AI Fast (“we,” “us,” “our”) collects, uses, shares, and protects information when you use the https://howtolearnaifast.com/ landing page and tutoring experience (the “Service”). It also explains your rights under the GDPR, the EU AI Act transparency rules for AI systems that interact with people, and (where relevant) U.S. privacy laws like CCPA/CPRA.
Quick reality check: this Service personalizes your learning path using automated decision-making (ADMT) based on your performance telemetry. You’re always allowed to request a human review, override, or a non-personalized path.
Table of Contents
- 1) Who we are (roles & contact)
- 2) The learner data lifecycle (end-to-end map)
- 3) What we collect (by category)
- 4) Why we use it (purposes & legal bases)
- 5) Server-side tracking (Server-Side GTM)
- 6) Payments (Stripe)
- 7) Third-party LLM processing (OpenAI + Anthropic)
- 8) Automated decision-making (ADMT) & your right to human intervention
- 9) Algorithmic transparency (EU AI Act disclosures)
- 10) AI Data Hygiene: embeddings, memory, and “no training”
- 11) Data retention schedule (specific periods)
- 12) Sharing, processors, and international transfers
- 13) Security controls
- 14) Your rights & one-click controls (export/delete)
- 15) Children
- 16) Changes
1) Who we are (roles & contact)
Data Controller: [Company Legal Name], [Company Address], [Country].
Email: danilo@freedomwithgesmundo.com
Data Protection Officer (DPO) / EU Representative (if applicable): [Name/Entity + contact]
Processor note: Stripe and our LLM vendors typically act as processors (or equivalent) when handling data on our instructions for this Service. Stripe’s privacy materials describe their controller/processor roles depending on context.
2) The learner data lifecycle (end-to-end map)
This section is the “wiring diagram” auditors ask for.
A. You land on the page
- Your browser loads the site and our Server-Side Google Tag Manager (ssGTM) endpoint.
- We receive basic request metadata (e.g., timestamp, page URL, device/browser signals) and a network identifier (IP address) at our edge/server for security and delivery.
B. You create an account / start tutoring
- You provide identifiers (e.g., email) and learning preferences (e.g., goals, current level).
- You submit prompts (questions, answers, code, notes). These may contain personal data if you include it.
C. Personalization engine runs (ADMT)
- We generate performance telemetry (quiz results, completion time, error patterns, hint usage, topic mastery signals).
- Our system produces a curriculum decision (e.g., “advance,” “review,” “switch explanation style,” “add practice set”).
D. Third-party LLM processing (OpenAI / Anthropic)
- Selected prompt content (and minimal necessary context) is sent to OpenAI and/or Anthropic via API to generate tutoring responses.
- We are configured for enterprise / zero-retention protocols where available, meaning the vendor does not retain content beyond what is needed to deliver the response under that program.
E. Storage & “memory”
- We store a short prompt history (configurable) to provide continuity and allow you to review progress.
- We may compute vector embeddings (numeric representations of your text) for faster retrieval of relevant prior concepts and to reduce repetition.
F. Payments (Stripe)
- When you subscribe, payment details are handled by Stripe. We typically receive billing status, plan, and transaction references—not full card numbers.
3) What we collect (by category)
3.1 Identifiers & account data
- Email, account ID, authentication events
- Subscription status, invoice references, payment confirmations (via Stripe)
3.2 Learner inputs (“prompt content”)
- Questions, answers, assignments, uploaded text (if supported), code snippets
- Any personal data you choose to include in prompts (we recommend you don’t include sensitive data)
3.3 Performance telemetry (education signals)
- Scores, attempts, time-on-task, completion and drop-off points
- Error patterns, hint usage, revision frequency, topic mastery estimates
3.4 “Behavioral biometrics” (what we mean and what we don’t)
We use the phrase behavioral biometrics here narrowly: behavioral patterns that help us adapt teaching speed and difficulty (e.g., response latency trends, repeated confusion points, pacing preference). We do not use face, voiceprints, keystroke dynamics for identity verification, or other biometric identification on this landing page experience.
3.5 Server-side tracking & device/network data
- Server request logs (IP address, user agent, timestamp, requested URL, referrer)
- Event data routed through ssGTM (e.g., page_view, signup, purchase, content engagement events)
- Cookie/consent status signals (where required)
3.6 Support & communications
- Messages you send to support, bug reports, and associated metadata
4) Why we use it (purposes & legal bases)
Where GDPR applies, we process data under these legal bases (often in parallel):
- Contract — to provide tutoring, personalization, and subscription access.
- Legitimate interests — to secure the Service, prevent abuse, measure performance, and improve reliability (balanced against your rights).
- Consent — where required for non-essential tracking or optional personalization features.
- Legal obligation — accounting/tax records, compliance requests.
5) Server-side tracking (Server-Side GTM)
We use Server-Side Google Tag Manager to route analytics and conversion events through our server instead of sending them directly from your browser to third parties. Google describes server-side tagging as a way to “instrument your application across devices,” with data flowing through a server container.
What ssGTM changes
- Browser → Our server → Analytics destinations (instead of Browser → Analytics destinations).
- We can minimize what gets forwarded (e.g., strip unnecessary identifiers), and we can apply consent logic consistently.
What we log on the server
- Security logs: IP address + request metadata to detect fraud/abuse, enforce rate limits, and stabilize the Service.
- Event logs: event type (e.g., signup), timestamp, page, pseudonymous identifiers (if enabled), and consent state.
Do we use “fingerprinting”?
No. We do not build a covert persistent identifier by combining device signals (“fingerprinting”). If we ever introduce anything similar, we will (1) label it clearly, and (2) require opt-in where legally required.
6) Payments (Stripe)
Payments are processed by Stripe. Stripe provides its own privacy policy and privacy center explaining how it handles personal data and its role as controller/processor depending on activity.
What we receive from Stripe: subscription status, billing cycle, payment confirmation, partial card metadata (e.g., last4, expiry) where applicable, and transaction IDs.
What we do not store: full card numbers or full sensitive payment credentials (they are handled by Stripe).
7) Third-party LLM processing (OpenAI + Anthropic)
We integrate with OpenAI and Anthropic APIs to generate tutoring responses.
What we send to LLMs
- The text you submit (prompt) and the minimum contextual snippets required to answer well.
- Optionally: a short system instruction describing your chosen learning style (e.g., “explain like I’m new to Python”).
What we do not intentionally send
- Raw payment details.
- Government IDs, precise location, or sensitive categories—unless you paste them into a prompt (please don’t).
Vendor retention posture (enterprise / zero-retention)
- OpenAI: OpenAI states that, except for certain endpoints/features, API inputs/outputs may be retained up to 30 days for service delivery and abuse detection, and that zero data retention can be requested for eligible endpoints for qualifying use-cases.
- Anthropic: Anthropic states that zero data retention agreements apply to eligible Anthropic APIs under appropriately configured enterprise/commercial API keys.
Our configuration commitment: for tutoring prompts, we operate under zero-retention enterprise configurations where available and we design prompts to minimize personal data exposure. If a specific feature cannot use zero-retention (rare edge cases), we will label it in-product before you submit content through that path.
8) Automated decision-making (ADMT) & your right to human intervention
We use automated decision-making to adapt your curriculum path (e.g., difficulty, pacing, topic order). This is “ADMT” in the everyday sense and can also intersect with GDPR rules on automated decision-making where the outcome significantly affects you.
What decisions are automated
- What lesson comes next
- Whether to insert a refresher module
- Which practice set is assigned
- Which explanation format you see (examples vs. theory vs. step-by-step)
What decisions are not automated
- We do not make decisions about credit, employment, insurance, or legal eligibility.
- We do not use ADMT to deny you access to paid features without a clear contractual or security reason.
Your rights: human intervention, contesting, and override
Under GDPR Article 22, individuals have rights relating to decisions based solely on automated processing that have legal or similarly significant effects, including the ability to obtain human intervention and contest decisions.
In this Service, we provide:
- One-click “Request Human Review” inside your dashboard (or by email), for any curriculum path decision.
- One-click “Switch to Standard Path” (non-personalized) if you want learning without telemetry-based adaptation.
- Override controls: you can manually pick modules, reset placement, and change pacing preferences.
9) Algorithmic transparency (EU AI Act disclosures)
Important correction for precision: the EU AI Act’s transparency obligations for AI systems that interact with people are set out in Article 50 (Transparency obligations). Article 52 in the final Regulation concerns GPAI systemic-risk procedure, not learner-facing disclosures.
Per the EU AI Act, we ensure you are informed you’re interacting with an AI system where required.
What we disclose to you, in-product, at the point of use
- You are interacting with AI tutoring (clearly labeled in the UI, not hidden in fine print).
- Core capabilities: explains concepts, generates exercises, provides feedback, summarizes progress.
- Core limitations: can be wrong, can hallucinate, may provide overconfident answers; you should verify critical facts.
- Personalization inputs: what telemetry signals are used (e.g., accuracy, time-on-task) and what’s not used (e.g., no biometric identification).
- Outcome meaning: what a path change means (e.g., “you’ll see more practice before new topics”).
Meaningful information about “the logic involved”
When we adapt your curriculum, we provide a short “Why you’re seeing this” explanation, for example:
- “We added a refresher because you missed 4/6 questions on loops and took longer than your baseline.”
- “We changed to more worked examples because you requested hints frequently in the last module.”
Human oversight design
We build the system so a human can meaningfully intervene (review context, correct errors, and override the model). Human oversight is a recognized control for reducing fundamental-rights risks in high-risk contexts.
10) AI Data Hygiene: embeddings, memory, and “no training”
10.1 Vector embeddings (what they are)
Embeddings are numeric vectors computed from your text so the system can retrieve relevant prior concepts quickly (e.g., remembering you struggled with recursion). They are not a human-readable transcript, but they can still be personal data if they can be linked back to you.
10.2 What we use embeddings for
- Fast retrieval of your prior learning context (to reduce repetition)
- Personalized practice selection (matching weaknesses to exercises)
10.3 What we do not use embeddings for
- Advertising profiling
- Selling or “sharing” cross-site behavioral profiles
- Identity verification
10.4 Exclusion from base model training
Your tutoring prompts and outputs are not used by us to train a public “base model.” We use them to deliver the Service to you. For third-party LLM vendors, we operate under enterprise/zero-retention configurations where available, and those programs are designed to prevent vendor retention beyond what is required to deliver the response under that setting.
10.5 Prompt minimization & redaction
- We encourage you not to submit sensitive personal data in prompts.
- We design tutoring prompts to avoid unnecessary identifiers.
- Where feasible, we pseudonymize account references before calling LLM APIs.
11) Data retention schedule (specific periods)
These are our default retention periods unless law requires longer or you change settings in your dashboard.
- Account identifiers (email, account ID): kept while your account is active; deleted within 30 days after account deletion request (unless legal/security holds apply).
- Prompt history (readable transcript): stored for 90 days by default to support learning continuity; you can shorten to 0 days (“No History”) or delete immediately from your dashboard.
- Embedding memory (vectors): kept while account is active to power personalization; deleted within 30 days after you delete your account or toggle off “Personalized Memory.”
- Performance telemetry (scores, mastery signals): retained for 24 months to show progress trends and improve curriculum sequencing; you can request earlier deletion.
- Server security logs (including IP): retained for 7 days (rolling) unless needed to investigate abuse/fraud.
- Analytics event logs (ssGTM): retained for 14 months in aggregated/pseudonymous form, subject to consent settings and lawful configuration.
- Billing records (Stripe invoices/receipts references): retained for 7–10 years as required for accounting/tax compliance (jurisdiction-dependent).
- Support tickets: retained for 24 months after closure (or shorter on request, where feasible).
Legal holds: if we’re legally required to preserve certain records (e.g., fraud, disputes, regulatory requests), deletion may be delayed until the hold ends. (We will tell you if that happens, unless prohibited by law.)
12) Sharing, processors, and international transfers
12.1 Who we share data with
- Payment processor: Stripe (subscription payments).
- LLM processors: OpenAI and Anthropic for tutoring generation under enterprise/zero-retention configurations where available.
- Infrastructure providers: hosting/CDN/logging providers (as subprocessors) to deliver and secure the Service.
12.2 International transfers
If your data is processed outside the EEA/UK, we use appropriate transfer mechanisms (e.g., Standard Contractual Clauses) and apply additional safeguards where needed.
13) Security controls
- Encryption in transit (TLS) and encryption at rest for stored data
- Access controls (least privilege), audit logging, and environment segregation
- Secrets management for API keys (no keys in client-side code)
- Prompt data minimization; pseudonymization where feasible
- Incident response process and breach notification workflows
14) Your rights & one-click controls (export/delete)
14.1 GDPR rights (where applicable)
- Access, rectification, deletion (“right to be forgotten”), restriction, objection
- Data portability (export your data in a usable format)
- Rights related to automated decision-making, including obtaining human intervention and contesting outcomes.
14.2 One-click controls (no tickets required)
We provide self-serve controls inside your account (or via a single link if you used a “magic link” signup):
- Export my data (Portability): One-click export (JSON + CSV; includes prompts, telemetry, and embeddings metadata).
- Delete my data (Right to be Forgotten): One-click deletion (prompts, embeddings, telemetry). Billing records are retained only as legally required.
- Turn off Personalized Memory (Embeddings): Memory toggle (stops new embeddings; deletes existing within 30 days).
- Request Human Review of learning path: Human intervention
If you can’t access the dashboard, email [privacy@domain.com] from your account email with the subject “Privacy Request.”
14.3 CCPA/CPRA (California) notes (if applicable)
If you are a California resident, you may have rights to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell personal information in the traditional sense. If we use any analytics configuration that could be considered “sharing” under CPRA, we provide an opt-out: Do Not Sell or Share.
15) Children
This Service is not intended for children under [age threshold]. If you believe a child has provided personal data, contact us to delete it.
16) Changes
If we make material changes, we’ll post the updated policy here and, when appropriate, notify you in-product or by email.
Vendor retention references: OpenAI enterprise privacy notes optional zero data retention for eligible endpoints; Anthropic documents zero retention eligibility for appropriately configured enterprise/commercial API keys.