Privacy Policy

Last updated: 28 April 2026

moinaki is operated by GradeBuilder SL, a Spanish company. This Privacy Policy explains in plain language what personal data we collect, why we collect it, who we share it with, where we send it, how long we keep it, and what control you have over it. It is written to satisfy the European Union General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and equivalent obligations in the other countries where we operate.

We do not sell personal data. We do not run third-party advertising trackers. We do, however, route some categories of personal data through external processors in order to deliver the service — including, importantly, the AI mentor ("Lem"). The full list and the geographic destinations are disclosed below in Section 5 and Section 6.

If anything below is unclear, contact us at the address in Section 13 before agreeing.

1. Identity of the data controller

The data controller of personal data processed in connection with moinaki is:

GradeBuilder SL

C. Coronel Ivorra Ruiz 7, 1, 30720 San Javier, Murcia, Spain

Email: org@gradebuilder.tech

Privacy contact: privacy@moinaki.life

Phone: +34 622 448 805

We have not appointed a Data Protection Officer (DPO) because we do not meet the mandatory thresholds in Article 37 GDPR. The privacy contact above acts as the single point of contact for data-protection matters.

2. Categories of personal data we process

We collect or generate the following categories of personal data:

(a) Account data. Email address, normalised email (lower-cased, dot- and plus-stripped for Gmail), display name, optional full name (used on certificates), optional nickname, optional avatar URL, password (stored only as a bcrypt hash with cost factor 12), preferred locale, role.

(b) Profile and onboarding data. Self-declared interests, goals, ADHD profile (your stated focus / energy patterns, optional), mood and energy check-ins (one-tap chips you choose), preferred working hours.

(c) Learning activity. Course enrolments, lesson completions, quiz attempts and answers, knowledge-mastery scores (computed via Bayesian Knowledge Tracing), XP, streak counters, badges, certificate records.

(d) AI mentor (Lem) interaction data. The full text of the messages you write to Lem and Lem's replies; structured "memory nodes" the system extracts from conversations so Lem can remember context across sessions (for example: a goal you mentioned, a topic that bored you, an exam date you referenced). These memory nodes are tied to your user account and can be reviewed or deleted from /dashboard/mentor/memory.

(e) Planner and capture data. Goals you create, tasks you add, brain-dump notes you save with the "catch a thought" button, and the AI-generated classifications applied to them (task / goal / note).

(f) Payment data. We do NOT store card numbers, CVVs, or full bank account numbers. Stripe (our payment processor) issues us a customer ID and a subscription ID; we store those identifiers, the chosen plan, the trial start and end dates, and the redemption status of any promo or gift code (e.g. PROMO, PRODUCTHUNT) you used.

(g) Usage and technical data. IP address, user-agent string, approximate language and timezone, login timestamps, session identifiers, refresh-token metadata. Server-side logs may retain raw IP for up to 30 days for security and abuse-prevention purposes; thereafter, IP is either deleted or aggregated.

(h) Analytics data. If you have not opted out via the cookie banner, we record anonymised page views and aggregate behavioural events through Google Analytics 4 with IP anonymisation enabled and Google Signals / ad personalisation disabled.

(i) Communication data. Any messages you send to support@moinaki.life, feedback you submit via the in-app feedback form, and metadata about emails we send you (delivery status, bounce, open-tracking only when explicitly enabled).

We do not knowingly collect special-category personal data under Article 9 GDPR (health, biometric, ethnic origin, etc.). If you choose to disclose such information in a Lem chat, it will be processed under the same terms as your other mentor data — you can delete it from /dashboard/mentor/memory at any time.

3. Sources

All personal data we hold about you comes from one of three sources:

(a) Directly from you, when you register, fill in onboarding, complete lessons, message Lem, capture thoughts, or contact support.

(b) Automatically generated by the platform as you use it (for example, mastery scores computed from your quiz answers, or memory nodes extracted from your Lem conversations).

(c) From our payment processor (Stripe) when you start, cancel, or modify a subscription.

We do not buy personal data, scrape it from external sources, or accept marketing lists.

4. Purposes and legal bases (Article 6 GDPR)

We process each category of personal data for one or more of the following purposes, on the legal bases listed:

(a) Performance of the contract (Article 6(1)(b) GDPR) — the contract being our Terms of Service, which you accept by registering. This covers: maintaining your account, delivering courses and lessons, running Lem (the AI mentor), tracking learning progress, issuing certificates, processing subscription payments, sending transactional emails (verification, password reset, receipts).

(b) Legitimate interests (Article 6(1)(f) GDPR) — covering: aggregated analytics with IP anonymised, fraud detection, abuse prevention, security monitoring, system error logging, infrastructure observability. We have performed an internal balancing test; if you object, contact us under Section 8.

(c) Consent (Article 6(1)(a) GDPR) — covering: non-essential cookies and analytics, marketing emails (we do not send marketing emails by default), and any future feature explicitly gated on a consent toggle. Consent can be withdrawn at any time without affecting prior processing.

(d) Legal obligation (Article 6(1)(c) GDPR) — covering payment and tax record retention as required by Spanish accounting law (currently 6 years per Ley 58/2003 General Tributaria, Article 70).

We do not engage in automated decision-making that produces legal or similarly significant effects on you. The Lem mentor adapts its replies to your inputs but does not make decisions that bind you outside the platform.

5. Recipients and processors

We share personal data with the following categories of third-party processors. Each processor is bound by a written Data Processing Agreement (Article 28 GDPR) and may only process your data on our documented instructions.

(a) DeepSeek (operated by 杭州深度求索人工智能基础技术研究有限公司, China). Receives the text of your Lem chat messages and the structured context the system assembles for each turn (your display name, locale, the content of relevant memory nodes, and the lesson or page you are on at the time of the message). DeepSeek processes this content to generate Lem's reply. We use DeepSeek as the primary mentor model because of its quality and cost profile. DeepSeek is established in mainland China, which is not subject to a European Commission adequacy decision; see Section 6 for the Chapter V transfer disclosure.

(b) OpenAI, L.L.C. (United States). Receives short prompts for narrow structured tasks: intent classification of your messages, extraction of memory nodes from chats, weekly self-narrative summaries, and certain course-generation steps. We do NOT send full mentor turns through OpenAI by default. OpenAI contractually states that it does not train its models on data submitted via its API.

(c) Mistral AI (France). Optional fallback for EU students if EU-only AI processing is requested. Same scope as OpenAI.

(d) Stripe Payments Europe, Limited (Ireland) and Stripe, Inc. (United States). Processes subscription payments. Stripe receives your email, billing country, IP, the chosen plan, and the card details you enter on the Stripe-hosted checkout page (we never see card numbers).

(e) Resend (operated by Resend Inc., United States) or equivalent SMTP provider. Sends transactional emails (verification, password reset, payment receipts, optional notifications you enabled).

(f) Railway Corp. (United States, with our database and application running in the EU "europe-west4" Frankfurt region). Provides the hosting, the managed Postgres database, and the managed Redis instance.

(g) Cloudflare R2 (Cloudflare, Inc., United States, EU region). Stores user-uploaded files (avatars) and AI-generated lesson illustrations.

(h) Sentry (operated by Functional Software, Inc., United States, EU region). Receives application error traces. We configure Sentry to redact obvious personal-data fields (email, password, message text) before transmission, but operational metadata (URLs, status codes, sometimes user IDs) is included.

(i) Google Analytics 4 (Google Ireland Limited). If you accepted analytics cookies, we send anonymised page-view and event data with IP anonymisation enabled, Google Signals disabled, and ad personalisation disabled.

(j) GitHub, Inc. (United States) and Sentry. We, the engineering team, may temporarily access logs and Sentry traces for debugging; these may incidentally include de-identified user IDs. Engineering access is logged.

We do not share personal data with advertisers, data brokers, or marketing aggregators. We do not sell personal data. The list above is exhaustive as of the "last updated" date; we will amend this Policy and notify you in advance of any addition.

6. International transfers (Chapter V GDPR)

Some of the processors named in Section 5 are established outside the European Economic Area (EEA). The transfers and the safeguards in place are:

United States (OpenAI, Stripe, Resend, Railway, Cloudflare R2, Sentry, Google LLC). Transfers rely on the European Commission's adequacy decision for the EU–U.S. Data Privacy Framework (EU–U.S. DPF), where the recipient is certified, and on Standard Contractual Clauses (SCCs, Commission Implementing Decision (EU) 2021/914) supplemented by transfer impact assessments where the recipient is not certified. Copies of the SCCs are available on request.

Mainland China (DeepSeek). China is NOT subject to a European Commission adequacy decision and does not currently have a regime equivalent to GDPR. Transfers to DeepSeek rely on Standard Contractual Clauses signed with the processor, supplemented by additional contractual measures (logical separation, no-training commitments, minimum-necessary content rule). We acknowledge that despite these contractual safeguards, the level of protection in China may not be equivalent to GDPR. By using the AI mentor ("Lem") feature, you give us your specific informed consent under Article 49(1)(a) GDPR for this transfer. If you do not wish your mentor messages to be processed by DeepSeek, you can disable the mentor feature from your settings, and your account will continue to function (course playback, progress tracking, planner) without the AI tutor. Further, you can request switching to the Mistral (EU-only) processor in your account preferences once that toggle ships.

United Kingdom — adequate per UK adequacy regulations.

We carry out a transfer impact assessment (TIA) for every non-EEA processor before adding them. TIAs are not published but can be summarised on request.

7. Retention

We retain personal data only for as long as necessary for the purposes for which it is processed:

(a) Account, profile, learning, and mentor data — kept for as long as your account is active. "Active" means you have logged in within the previous 24 months OR you have an active subscription. After that, the account is flagged inactive and you receive a re-confirmation email; failing a response, the account is anonymised within 6 months.

(b) Mentor memory nodes — kept indefinitely while your account is active, but subject to our internal relevance-decay process: memories that have not been referenced for a long time are gradually down-weighted in retrieval; raw text is not deleted by decay alone. You can delete individual memories or wipe all mentor memory at /dashboard/mentor/memory.

(c) Backups — encrypted backups of the production database are retained for up to 90 days, after which they are rotated out. A deletion request you make today will therefore propagate fully through backups within 90 days.

(d) Server-side logs containing IP and user-agent — up to 30 days for security purposes, then deleted or aggregated.

(e) Payment records — 6 years from the end of the fiscal year, as required by Spanish tax law (Ley 58/2003 General Tributaria, Article 70). After that, we delete or anonymise.

(f) Email logs (delivery, bounce) — up to 90 days at our SMTP processor.

(g) Analytics data — Google Analytics 4 default retention setting is 14 months; we use that.

(h) Deleted accounts — when you exercise the right to erasure (Section 8), we cascade-delete: refresh tokens, sessions, mentor conversations, mentor messages, mentor memory nodes, planner goals and tasks, capture inbox, mood check-ins, lesson progress, enrolments, XP and badges, the user record itself. The cascade is configured in our database via Prisma `onDelete: Cascade` constraints; we audit it quarterly. The full deletion is completed within 30 days; backup expiry takes up to a further 90 days.

8. Your rights

Under GDPR Articles 15–22 you have the following rights:

(a) Right of access (Article 15) — to obtain a copy of all personal data we hold about you. Use /dashboard/privacy → "Export my data" or email privacy@moinaki.life.

(b) Right to rectification (Article 16) — to correct inaccurate or incomplete data. Most fields are user-editable in /dashboard/settings; for the rest, email us.

(c) Right to erasure / "right to be forgotten" (Article 17) — to delete your account and the cascading data described in Section 7. Use /dashboard/privacy → "Delete my account" or email us. Some retention may continue under Section 7(e) where required by law.

(d) Right to restriction of processing (Article 18) — to ask us to halt certain processing while a dispute is resolved. Email us with the specifics.

(e) Right to data portability (Article 20) — to receive your data in a structured, commonly used, machine-readable format. The export at /dashboard/privacy returns JSON.

(f) Right to object (Article 21) — to object to processing based on legitimate interests (Section 4(b)). We will reassess and, absent overriding reasons, stop the processing.

(g) Right to withdraw consent (Article 7(3)) — for processing based on consent (Section 4(c)). Withdrawal does not affect prior processing.

(h) Rights related to automated decision-making (Article 22) — we do not engage in such decision-making (see the last paragraph of Section 4).

(i) Right to lodge a complaint with a supervisory authority. The Spanish authority is the Agencia Española de Protección de Datos (AEPD) — C/Jorge Juan, 6, 28001 Madrid; +34 901 100 099; https://www.aepd.es. You may also complain to the supervisory authority in your country of residence.

We respond to rights requests within 30 days. We may extend by a further 60 days for complex requests (we will tell you within the first 30 days). We may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse them; we will explain why.

9. Cookies and similar technologies

We use a minimal set of cookies and similar storage:

(a) Strictly necessary (no consent required): the `refreshToken` httpOnly cookie that keeps you signed in, the `session` flag cookie used by our edge middleware, the `NEXT_LOCALE` cookie that remembers your preferred language, the CSRF anti-forgery token used during OAuth flows. These cannot be turned off without breaking the service.

(b) Analytics (consent-based): one set of Google Analytics cookies (`_ga`, `_ga_*`), placed when you accept analytics in the cookie banner. Configured with anonymised IP, no Google Signals, no ad personalisation. Withdraw consent via the cookie banner footer link.

We do not run advertising cookies, retargeting pixels, or social-media tracking pixels. The full list and TTLs live at /legal/cookies.

10. Security

We implement appropriate technical and organisational measures (Article 32 GDPR), including:

(a) HTTPS-only transport, HSTS, secure cookies, SameSite=strict on the refresh token, separate signing secrets for access and refresh tokens, refresh-token rotation with replay-attack invalidation.

(b) Password hashing with bcrypt (cost factor 12), no plaintext password storage anywhere.

(c) The database is encrypted at rest by Railway. Backups are encrypted.

(d) Least-privilege access — engineering access to production data is logged; no analytics SQL is permitted on production rows containing personal data.

(e) Rate limiting on authentication endpoints, lockouts on repeated failed attempts.

(f) Vulnerability disclosure: report security issues to security@moinaki.life. We do not currently run a paid bug bounty.

(g) Personal data breach notification: we will notify the AEPD within 72 hours of becoming aware of a notifiable breach (Article 33), and notify affected users without undue delay where there is a high risk to their rights and freedoms (Article 34).

11. Children

moinaki is intended for adults (18+). We do not knowingly process personal data of children under 16 in the EEA, or under 13 in jurisdictions where 13 is the local minimum. If you believe a child has provided personal data to us, please contact privacy@moinaki.life and we will delete the account.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "last updated" date at the top reflects the most recent change.

For material changes — adding a new processor, changing a legal basis, expanding the data categories, broadening the retention — we will notify you at least 30 days in advance, by email and via an in-app banner. Continued use of moinaki after the effective date means you accept the updated Policy. If you do not accept, you may delete your account before the effective date.

We do not maintain a public archive of previous versions, but we will provide the prior version on request via privacy@moinaki.life.

13. Contact and complaints

Questions or concerns: privacy@moinaki.life. Postal mail: see Section 1.

If you are not satisfied with our response, you may lodge a complaint with the Agencia Española de Protección de Datos — C/Jorge Juan, 6, 28001 Madrid; +34 901 100 099; sedeagpd.gob.es — or with the supervisory authority in your country of residence.

EU online dispute resolution platform (for matters arising from a contract): https://ec.europa.eu/consumers/odr/