StudyFlow Legal
Privacy Policy
Last updated: February 28, 2026
0. Data Controller
The Data Controller for personal data collected through StudyFlow is William Casotto, developer and operator of the platform, based in Italy (EEA).
For any privacy-related questions, please contact us at: studyflow@study-flow.cloud.
For general support: studyflow@study-flow.cloud.
Note: StudyFlow has not appointed a DPO as the conditions for mandatory appointment under GDPR Art. 37 are not currently met (no large-scale systematic monitoring, no special category data processing).
1. Data we collect
StudyFlow may collect account data (name, email), technical data (IP address, device, session logs), and platform usage data.
Data may include content uploaded by users (notes, concept maps, flashcards) to deliver requested features.
At registration, we collect the user's birth year to ensure compliance with applicable age restrictions (GDPR Art. 8).
2. Why we process data
Data is processed to provide the service, manage user accounts, improve product quality, prevent abuse, and meet legal obligations.
Information may also be used for account-related operational communication (email confirmation, password reset, security notifications).
3. Legal basis
Processing is based on contract performance (Art. 6(1)(b) GDPR), legitimate interest for security and service improvement (Art. 6(1)(f) GDPR), and — for non-essential cookies and tracking — explicit user consent (Art. 6(1)(a) GDPR).
AI processing is based on contract performance, as it constitutes the core service requested by the user.
4. Data retention
Data is retained only as long as necessary for the listed purposes, in compliance with the storage limitation principle (GDPR Art. 5(1)(e)).
Account data (name, email, profile): duration of contract + 5 years for legal obligations.
User content (notes, maps, flashcards): active account duration; deleted immediately upon account deletion.
Privacy consent logs: 5 years from consent date (legal proof under GDPR Art. 7).
Session and authentication logs: 90 days.
AI interaction logs: 12 months (anonymized after 30 days).
Analytics data (GA4): 14 months (standard Google Analytics setting).
Upon account closure, data is deleted within 30 days from the request, subject to legal obligations (e.g., billing data: 10 years for fiscal compliance).
Technical records required for legal accountability (e.g., consent logs and privacy request logs) may be retained after account deletion for the minimum period required by law.
5. Third parties and international transfers
StudyFlow uses third-party providers (data processors) to deliver its services. Each processor has a Data Processing Agreement (DPA) in place, compliant with GDPR Art. 28.
Supabase (database and authentication): US servers, transfer covered by Standard Contractual Clauses (SCCs).
Google Analytics 4 and Google Ads (measurement and advertising): US, transfer covered by the EU-US Data Privacy Framework (adopted July 2023). Google is certified under the framework.
AI provider — OpenAI / Anthropic (Nexus content processing): US, transfer covered by SCCs and specific DPAs. User prompts are not used to train models (zero data retention option applied where available).
Vercel (hosting and edge network): US and global, transfer covered by EU-US Data Privacy Framework and SCCs.
5-bis. Cookies and tracking
The use of cookies and similar technologies is also governed by the dedicated Cookie Policy, which details categories, purposes, and consent controls.
Consent for non-essential cookies can be changed or withdrawn at any time via the preferences panel accessible from the banner or site footer.
5-ter. Artificial Intelligence Systems (EU AI Act)
StudyFlow uses artificial intelligence systems to generate concept maps, summaries, and tests. In compliance with the EU AI Act and the principle of transparency, we inform users that such content is algorithmically generated.
StudyFlow's AI systems are classified as limited risk under the EU AI Act (Annex III not applicable as there is no automated decision-making affecting user rights). Users always retain control over generated content.
User inputs are processed securely and are not used to train third-party models without explicit consent.
5-quater. Protection of minors
StudyFlow is intended for users who are at least 14 years old, in compliance with GDPR Art. 8.
Users between 14 and 17 years old may access the service with parental or guardian consent, confirmed during registration.
If we become aware that a user under 14 has created an account without the required authorization, we will delete the account and associated data.
6. User rights
As a data subject, you have the right to: access your data (Art. 15), rectify it (Art. 16), erase it (Art. 17), restrict processing (Art. 18), receive it in a portable format (Art. 20), and object to processing (Art. 21).
To exercise your rights, send a request to: studyflow@study-flow.cloud. We will respond within 30 days.
You can also exercise export and deletion rights directly from your account settings (Privacy & Data section).
You have the right to lodge a complaint with the competent data protection authority — in Italy: Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
7. Legal references
This Privacy Policy is drawn up in compliance with: EU Regulation 2016/679 (GDPR), Italian Legislative Decree 196/2003 as amended by D.Lgs. 101/2018, Italian DPA Cookie Guidelines of June 9, 2022, EU Regulation 2024/1689 (EU AI Act), Italian Law 132/2025 (national AI Act implementation).