GDPR & Privacy

Last updated: 5 June 2026

Daetis OÜ ("Paidea", "we", "us") is committed to protecting personal data and complying with the EU General Data Protection Regulation (GDPR) and applicable privacy laws. This notice explains what we collect when you use paidea.ai and our learning platform, why we process it, how we protect it, and your rights. We collect only what we need to provide the Service. Paidea is free for learners; we do not operate paid subscriptions or in-app payments on the platform. We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.

1. Data Controller

Data controller: Daetis OÜ, registry code 17048206, Ahtri tn 12, Tallinn, 15551, Estonia. Privacy contact: contact@daetis.ai. For users in the EU/EEA, you may also lodge a complaint with your local supervisory authority. In Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

2. Personal Data We Process

Depending on how you use Paidea, we may process the following categories:

  • Account and identity data: Auth0 user identifier (sub), display name, profile picture, and email address processed through Auth0 for login; session authentication via a secure HttpOnly cookie
  • Conversation data: tutor conversations, message content, attachments metadata, and conversation titles needed to provide chat history and continuity
  • Learning data: adaptive learning profile, mastery scores, learning events, preferences, and goals inferred or stored to personalise tutoring
  • Project and collaboration data: studio projects, wireframes, notes, Co-Lab posts, and related artefacts you create in the platform
  • Preview chat (logged-out trial): message content and a one-way hash of IP address (raw IP is not stored) to enforce fair-use limits
  • Technical logs: security, error, and operational logs (may include truncated IP addresses and user agent) retained for a limited period

3. What We Do Not Collect

We do not ask for national ID numbers, passport numbers, government identifiers, or biometric data to create an account. We do not require school name as a mandatory registration field; school affiliation in pilot programmes may use school codes or dedicated links agreed with partner schools. We do not ask for postal addresses or phone numbers at registration (you may provide contact details voluntarily when contacting support). We do not run advertising trackers, behavioural ad profiles, or social-media pixels on the platform. We do not sell or rent your personal data.

4. Purposes of Processing

We process personal data only to:

  • Create and secure your account and authenticate you
  • Provide AI tutoring, studios, Co-Lab, and related learning features
  • Personalise learning pace and content through our adaptive engine
  • Produce anonymised, aggregated reports for school pilot programmes where agreed with partner institutions (no individually identifiable student data without a lawful basis)
  • Maintain security, prevent abuse, and improve reliability
  • Respond to support requests and legal obligations

5. Legal Bases (GDPR Article 6)

Performance of a contract (Art. 6(1)(b)): providing the free Service you sign up for, including storing conversations and project work necessary for your learning account. Consent (Art. 6(1)(a)): where required — for example, registration by or on behalf of a minor below the applicable digital age of consent. Legitimate interests (Art. 6(1)(f)): securing the platform, preventing fraud and abuse, and producing anonymised aggregated pilot reports agreed with partner institutions, balanced against your rights. Legal obligation (Art. 6(1)(c)): retaining certain records where required by applicable law.

6. Children and Parental Consent

Paidea may be used by secondary-school learners. If you are under 16, a parent or legal guardian must consent to your registration and use of the Service. Sixteen is the GDPR Article 8 default digital age of consent and the age applied in Romania; Estonia sets a lower national threshold (13), but we apply 16 on the platform regardless. School pilot programmes may require additional verifiable parental consent as described in programme materials. We minimise data collected from minors to what is necessary for the Service. We do not target minors with advertising and we do not sell children's data.

7. Security Measures

We apply defence-in-depth security aligned with common industry practice (including OWASP-oriented controls for web applications). Measures include, among others:

  • Authentication through Auth0 (OpenID Connect) with JWT verification and fail-closed configuration in production
  • HTTPS (TLS) for data in transit; HttpOnly, Secure session cookies
  • Security headers (Helmet), Content Security Policy, API rate limiting, and Origin verification on state-changing requests in production
  • Role-based access control on API routes; user data scoped to accounts in our application database
  • Internal security review of the backend/API surface (December 2025) with remediation of critical authentication misconfiguration risks
  • Hashed (not raw) IP storage for anonymous preview sessions

No online service can guarantee absolute security. If you believe your account has been compromised, contact contact@daetis.ai immediately.

8. Hosting and Location of Data

Paidea is hosted on infrastructure located in the European Union/European Economic Area (EU/EEA), operated on a secured virtual private server environment (Dokku on a European VPS provider such as Hostinger). Primary application data is stored in a PostgreSQL database under our control. We design our perimeter so that production database and application secrets are not exposed to the public internet. Access to production systems is limited to authorised personnel.

9. Data Retention

We keep personal data only as long as necessary for the purposes described above:

  • Account, conversation, learning, and project data: retained while your account is active to provide the Service
  • Preview sessions: retained for a limited period and purged according to automated cleanup rules
  • Security and operational logs: retained for a limited period, then deleted or aggregated

When you delete your account (see Section 12), we delete or anonymise associated personal data except where retention is legally required.

10. Processors and Sub-processors

We use trusted processors who process data on our instructions and under appropriate data protection terms:

  • Auth0 (Okta) — authentication and identity
  • AI model providers (e.g. OpenAI and/or other configured providers) — generating tutor responses from your prompts; we configure services not to use your content to train their public models where such options exist
  • Infrastructure providers — EU/EEA hosting, email delivery, and operational tooling necessary to run the Service

11. International Transfers

Some processors (for example, Auth0 or AI providers) may process data outside the EU/EEA. Where this occurs, we rely on appropriate safeguards such as Standard Contractual Clauses and vendor security commitments, and we limit transferred data to what is necessary.

12. Account Deletion and Your Rights

You have the right to access, rectify, erase and restrict the processing of your personal data, to object to processing, to receive your data in a portable format, and to withdraw consent where processing is consent-based. To exercise these rights, email contact@daetis.ai.

Account deletion: email us from your registered address or with sufficient identity verification. Upon a verified deletion request we will:

  • Delete or anonymise your account record, conversations, messages, learning profiles, mastery data, studio projects, and Co-Lab content linked to your account
  • Revoke active sessions and disable login
  • Delete or anonymise preview sessions linked to your account

Exceptions: we may retain minimal records where required by law, or in encrypted backups for a limited period before automatic rotation. Aggregated, non-identifying statistics may remain. You may also request deletion of your Auth0 identity through us or directly via Auth0, subject to their processes.

13. AI Processing and Automated Decisions

The Service uses AI to generate educational responses and to infer learning preferences. These features support tutoring; they do not produce legal or similarly significant effects about you (in the sense of GDPR Article 22) without human involvement. You may contact us if you have concerns about automated processing of your learning data.

14. Cookies and Similar Technologies

We use strictly necessary cookies and similar storage for authentication (session cookie), locale preference, and essential site function. We do not use marketing or analytics cookies on the learning platform. Theme or locale preferences may be stored locally in your browser.

15. No Advertising Tracking

We do not use third-party advertising networks, re-marketing pixels, or cross-site behavioural tracking on Paidea. We do not build advertising profiles from your learning activity.

16. Complaints

If you believe we have processed your data unlawfully, contact us first at contact@daetis.ai. You have the right to lodge a complaint with a supervisory authority in your EU/EEA country of residence or in Estonia.

17. Changes to This Notice

We may update this notice from time to time. We will publish the updated version at paidea.ai/gdpr and update the effective date. Material changes may be communicated by email or in-product notice where required by law.