Privacy Policy

What Data We Collect

Account & Authentication

• Email address — Collected during sign-up, used for authentication and account recovery
• Google account info — If you sign in via Google, we collect your email address and public profile information
• Password hash — Securely stored by Supabase Auth using industry-standard encryption (bcrypt)

Learning & Mastery Data

• Concept mastery scores — Tracked as you learn. Ranges from 0 (new) to 1.0 (complete mastery)
• Spaced repetition schedule — Next review dates, ease factors, interval days (our SM-2 algorithm computes these locally)
• Question attempts — Whether you answered correctly, incorrect, or partially correct; time taken per question
• Session history — When you studied, how long, XP earned, streak continuation
• Subject enrollment — Which subjects (ML Foundations, Math for ML, etc.) you're learning

Gamification Data

• XP (experience points) — Earned through question attempts and learning milestones
• Streaks — Current and longest streak (consecutive days studied)
• Leagues & rank — Your placement in competitive leagues (if enabled)
• Badges — Achievements earned (e.g., "First Concept Mastered", "7-Day Streak")
• Daily quests — Progress toward daily learning goals

AI Tutor Usage

• AI conversation tokens — Number of tokens used per interaction (for quota enforcement)
• AI model used — Which Claude model processed your request
• Concept discussed — Which concept you asked for help with
• Session ID — Links usage to a learning session for context
• Prompts & responses — Your questions and the AI's explanations (see AI Tutor section below)

Diagnostic Assessment Data

• Algorithm state — Internal state of the diagnostic assessment (used to resume if interrupted)
• Question responses — Your answers during the initial diagnostic assessment
• Accuracy scores — How many questions you got right in each subject diagnostic
• Inference tracking — Which concepts were inferred as known/unknown based on your answers

Analytics & Product Insights

• Firebase Analytics — Anonymous usage events (e.g., "user started diagnostic", "brick filled") to help us improve the app
• Mixpanel — Product analytics including user ID, feature usage, user flows
• Push notification tokens — Firebase Cloud Messaging token to deliver reminders and streak notifications

Data We Do NOT Collect

• Location data (GPS, IP-based location)
• Camera, photos, or microphone
• Contacts or calendar
• Financial/payment information (Apple & Google handle this via RevenueCat — we never see credit card data)
• Device identifiers or advertising IDs
• Health data

How We Use Your Data

We will never:

• Sell your data to third parties
• Share your learning data with other users
• Use your data for targeted advertising (except aggregate anonymized insights)
• Rent or lease your personal information

How We Store Your Data

Data Infrastructure

Your data is stored in Supabase, a PostgreSQL database hosted on Amazon Web Services (AWS). Data is encrypted at rest using AES-256 encryption.

Data Encryption

• In transit: All connections use HTTPS/TLS 1.2+
• At rest: Database encrypted with AES-256; sensitive fields (passwords) use bcrypt hashing
• Backups: Supabase maintains daily backups, also encrypted

Access Controls

• Only authenticated Cerebryx backend processes can access your data
• Row-level security (RLS) enforces that users can only see their own data
• API calls are rate-limited and logged for security auditing
• We do not have direct access to raw data unless required for support (and only with explicit consent)

Third-Party Services

Cerebryx uses trusted third-party services to deliver the app and support your learning. Here's what each service does:

Supabase (Database & Auth)

• Stores all your account data, mastery scores, and learning history
• Provides secure authentication (email + Google sign-in)
• Privacy Policy: https://supabase.com/privacy

Anthropic — Claude API (AI Tutor)

• Processes your tutor requests and delivers explanations
• Your prompts are sent to Anthropic's servers for processing but are NOT used to train future Claude models (Anthropic's default policy)
• See AI Tutor & Claude API section below for details
• Privacy Policy: https://www.anthropic.com/privacy

Firebase (Analytics & Cloud Messaging)

• Firebase Analytics: Tracks anonymized usage events to help us improve the app
• Firebase Cloud Messaging (FCM): Delivers push notifications (streak reminders, learning tips)
• Privacy Policy: https://policies.google.com/privacy

Mixpanel (Product Analytics)

• Tracks user behavior and feature usage for product insights
• Collects event data with your user ID to help us understand learning patterns
• Privacy Policy: https://mixpanel.com/legal/privacy-policy/

RevenueCat (App Store & Play Store Billing)

• Manages subscriptions for the mobile app (Pro, Pro+Interview tiers)
• Handles in-app payment processing — Cerebryx never sees your credit card information
• Privacy Policy: https://www.revenuecat.com/privacy

Razorpay (Web Payments — India)

• Processes subscription payments made on cerebryx.ai (UPI, cards, netbanking, wallets)
• Receives your name, email, and payment instrument details at checkout — Cerebryx never stores full card numbers or UPI credentials
• Signature-verified webhooks update your subscription entitlement in our database
• Privacy Policy: https://razorpay.com/privacy/

Apple App Store & Google Play Store

• Distribute the Cerebryx app
• May collect additional diagnostic and usage data per their terms
• Apple Privacy Policy: https://www.apple.com/privacy/
• Google Privacy Policy: https://policies.google.com/privacy

AI Tutor & Claude API

How It Works

When you ask the AI tutor for help, your question is encrypted and sent to Anthropic's Claude API through a Supabase Edge Function (server-to-server, never directly from your device). The Claude model processes your request and returns an explanation, which we store in your session for context.

What Anthropic Receives

• Your question / prompt
• The concept you're studying (for context)
• Your current mastery level (to adjust explanation depth)
• Anonymous session ID (no personal identifiers sent to Anthropic)

What Anthropic Does NOT Do

• Does not train future models on your data. Anthropic's default policy excludes all customer inputs from model training
• Does not share your prompts with third parties
• Does not use your learning data for any purpose other than processing your request

Data Retention by Anthropic

Anthropic may retain prompts for up to 30 days for abuse detection, then deletes them. See their privacy policy for details.

Your AI Usage Quota

• Free tier: 3 AI messages per day
• Pro tier: Unlimited AI messages
• We track token usage server-side to enforce these limits

Data Retention

Account Deletion

When you delete your Cerebryx account, we will:

• Remove your email, password, and personal identifiers from our database
• Anonymize your learning data (so we can't connect it back to you) or delete it entirely per your request
• Stop sending push notifications
• Revoke your subscription (if applicable)

To request account deletion, email help@cerebryx.ai with your account email address.

Your Rights

You have the right to:

Access Your Data

Request a copy of all personal data we hold about you. Email help@cerebryx.ai with "Data Access Request" in the subject line.

Correct or Update Your Data

Update your email, password, or profile settings directly in the app. If you need changes we can't support, contact us.

Delete Your Data

Request full account deletion at any time. We'll remove your personal information and anonymize your learning data (unless you ask for complete deletion).

Opt Out of Analytics

You can opt out of Firebase Analytics and Mixpanel in the app settings under Privacy & Tracking. This limits our product insights but won't affect your learning experience.

Opt Out of Push Notifications

Disable notifications in your device settings or in the Cerebryx app under Notifications.

Withdraw Consent

If you've given consent for data processing, you can withdraw it by deleting your account or changing app settings.

Security

What We Do

• Encrypt all data in transit (HTTPS/TLS 1.2+) and at rest (AES-256)
• Use bcrypt hashing for passwords (salted, bcrypt cost factor 12)
• Implement row-level security (RLS) so users only see their own data
• Rate-limit API endpoints to prevent abuse
• Audit access logs for suspicious activity
• Keep server software and dependencies patched and updated
• Do NOT store payment information (delegated to RevenueCat & app stores)

What We Can't Guarantee

No system is 100% secure. While we take extensive precautions, we cannot guarantee absolute safety against determined attackers. If you suspect a security breach, please email help@cerebryx.ai immediately.

Your Responsibility

• Keep your password strong and unique
• Don't share your login credentials
• Sign out on shared devices
• Report suspicious account activity immediately

Changes to This Policy

We may update this Privacy Policy as Cerebryx evolves and as laws change. We will:

• Post the updated policy at cerebryx.ai/privacy with a new effective date
• Notify you in-app if there are material changes (changes that significantly expand data collection or use)
• Request your consent if required by law

Your continued use of Cerebryx after policy updates constitutes acceptance of the new terms. If you disagree with changes, please delete your account.

Governing Law

This Privacy Policy is governed by the laws of India. Any dispute arising out of or relating to this policy shall be resolved in accordance with the Arbitration and Conciliation Act, 1996, with the seat and venue of arbitration in Hyderabad, Telangana, India. Users outside India retain all rights and protections afforded to them under their local privacy laws (including GDPR for EU/UK residents and CCPA/CPRA for California residents).

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out: