01 — CONTROLLER
Data controller
Name: [TODO DP-5: full legal name].
Registered office: [TODO DP-5: official postal address].
Registration / tax number: [TODO DP-5: relevant identifier, or "not applicable as natural person"].
Contact: contact@ai24tutors.com.
Research context: Doctoral research project at Eszterházy Károly Catholic University (Eger, Hungary).
02 — DPO
Data Protection Officer
[TODO DP-5: DPO name and contact, or "Given the non-systemic nature of processing and the limited data volume of this research POC, appointment of a DPO is not mandatory under Article 37(1) GDPR. For privacy matters, the controller is directly reachable at contact@ai24tutors.com"].
03 — PURPOSE
Purpose of processing
(a) Providing adaptive learning paths, measuring learning performance and giving feedback within the "Foundations of Computer-Based Analysis" course. (b) Scientific research: single-group pre-post quasi-experimental study with N=30 university students on changes in self-regulated learning (OSLQ) before vs. after platform use. (c) System auditability, bug fixing and security incident handling.
04 — LEGAL BASIS
Legal basis
Article 6(1)(a) GDPR — freely given, specific, informed and unambiguous consent (through acceptance of the Informed Consent document). For special categories (if any): Article 9(2)(a) (explicit consent) and 9(2)(j) (scientific research). No contractual basis is applicable — access is exclusively based on voluntary research participation.
05 — DATA
Categories of personal data processed
Identification: pseudonymised username (student hash), initial password until first change. Profile: preferred language (hu/en/de), role (student). Usage: course interactions, time on lessons, task correctness, BKT mastery estimates. Questionnaire (optional): OLA, CSES, OSLQ, TIPI, NCS-6, TRI 2.0, CLS, SIMS, SUS, UEQ-S, PLG, BI-UTAUT responses. LLM context: audit of prompts + responses linked to questions (prompt hash + optional full-content flag). Technical: Flask session cookie, IP address (only in short-lived security logs).
Principle: data minimisation — only data essential for testing the research hypotheses.
06 — RETENTION
Retention period
Active pilot phase: Spring semester 2026 (expected through 2026-09-30). Pseudonymised research data retained for publication: 5 years (Article 5(1)(e) GDPR — scientific research). Anonymised aggregate data (articles, preregistration): indefinite. Upon withdrawal of consent, the pseudonymised record is deleted within 30 days; data already included in anonymised aggregates cannot be retroactively extracted. Security logs (IP, session): 90 days. LLM audit (full prompt + response): 180 days.
07 — PROCESSORS
Processors and international transfers
Hosting: Google Cloud EMEA Limited (70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland) — Cloud Run application + Cloud SQL PostgreSQL 16. Region: europe-west4 (Netherlands). LLM providers: OpenAI Ireland Limited (Dublin), Google Ireland Limited (Dublin, Gemini), Anthropic PBC (San Francisco, USA). Basis for transfer to a third country (USA): EU-U.S. Data Privacy Framework (Implementing Decision 2023/1795/EU). E-mail delivery: [TODO DP-5: e-mail provider name if applicable].
08 — COOKIES
Cookie usage
The platform uses only functional cookies: Flask session cookie (login persistence), language preference. NO analytics, marketing or third-party tracking cookies are set. Functional cookies are used under Article 6(1)(f) GDPR (legitimate interest) — the browser session is essential for course access.
09 — RIGHTS
Data subject rights
The data subject may request: (a) information about processing (Art. 15), (b) rectification (Art. 16), (c) erasure ("right to be forgotten", Art. 17) — pseudonymised record deleted within 30 days, (d) restriction (Art. 18), (e) portability (Art. 20) — JSON/CSV export, (f) objection (Art. 21), (g) withdrawal of consent at any time (Art. 7(3)). Requests: contact@ai24tutors.com. Response deadline: 30 days (Art. 12 GDPR).
10 — SECURITY
Security measures
Technical: HTTPS (TLS 1.3) on all traffic, password hashing (scrypt/Argon2), pseudonymisation of research data (3-tier hash), row-level encryption on sensitive fields, automated backups (Cloud SQL PITR 7 days). Organisational: least-privilege access, audit log for every processing operation (`LLMCallAudit`, `InteractionLog`, `security_audit_log`), incident response procedure. Incident: 72-hour breach notification to NAIH (Art. 33 GDPR), data subject notification if high risk (Art. 34).
11 — COMPLAINTS
Right to lodge a complaint
Data subjects may lodge a complaint with the supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (NAIH). Address: Falk Miksa utca 9-11, 1055 Budapest, Hungary. Postal: 1363 Budapest, Pf. 9. Phone: +36 1 391 1400. E-mail: ugyfelszolgalat@naih.hu. Web: https://naih.hu. Alternatively, the data subject may seek judicial remedy at the competent court of their residence.
12 — CHANGES
Changes to this notice
The controller reserves the right to unilaterally modify this notice. Material changes will be communicated by e-mail or an on-platform notice at first login. The current version is always available at /privacy. Current version: v1.0, 2026-04-15.