Privacy Policy
Last updated: 2026-07-15 · Template — to be finalized with counsel before public launch.
This Privacy Policy describes what personal information Heading360 ("the Service", "we", "us") collects, how we use it, the parties to whom we disclose it, the methods by which it is disclosed, and the security practices we use to safeguard it. It is written to support GDPR (EU/UK) and comparable privacy regimes.
Data controller: {{LEGAL_ENTITY_NAME}}, {{ADDRESS}}. Privacy contact: privacy@heading360.io.
We do not sell your personal data.
1. Information we collect
We collect only what is needed to operate the Service:
- Account data — email address, display name, authentication identifiers (via Supabase Auth), and, if you use a referral, your referral relationship.
- Learning content you create or upload — objectives, study plans, milestones, steps, course notes, workbench content (text, code, equations, attachments), quiz and Mastery-check answers, chat messages with your mentor, and any documents or links you attach to a quest.
- Usage and billing metadata — per-request LLM usage records (model, token counts, computed cost) for metering and your credit balance; subscription and top-up records processed through Stripe (we do not store full payment-card numbers).
- Technical and security data — IP address, browser and device metadata in request logs, a per-request identifier, rate-limit counters, authentication session cookies required to keep you signed in, and a last-activity timestamp cookie that enforces a 1-hour idle timeout (you must sign in again after 1 hour without using the Service).
- Consent records — timestamp of your acceptance of these Terms and this Privacy Policy at sign-up, including consent to third-party AI processing.
We do not use third-party advertising trackers or sell data to data brokers.
2. How we use your information
- Provide the tutoring service — we use account data, learning content, and usage metadata to deliver your quest, courses, drills, and mentor chat. Legal basis: performance of a contract.
- Generate courses, grading, and mentor answers — we send learning content and prompts to LLM providers. Legal basis: performance of a contract and your explicit consent at sign-up.
- Meter credits and process payments — we use usage metadata and billing identifiers for your credit balance and Stripe transactions. Legal basis: performance of a contract; legal obligation.
- Prevent abuse, secure the Service, and debug incidents — we use technical data and logs. Legal basis: legitimate interests; legal obligation.
- Referral credits — we use referral relationship data when a friend signs up with your code. Legal basis: performance of a contract.
- Notify you of material policy changes — we may email your account address. Legal basis: legitimate interests / legal obligation.
Withdrawing consent to third-party AI processing means we cannot generate tutoring output; this effectively ends your use of the Service.
3. Parties to whom we disclose information
We share the minimum data necessary with the following categories of recipients:
Large Language Model (LLM) providers — to generate tutoring, your learning content and prompts are sent to:
- Anthropic (Claude) — generation and grading; US-based
- OpenAI — intake, contract, embeddings, and synthesis; US-based
- DeepSeek — cost-efficient extraction and grading; operated from the People's Republic of China; content may be processed on servers in the PRC under PRC law
- Google (Gemini) — optional models; US-based
Infrastructure and payment processors:
- Supabase — Postgres database, authentication, and private file storage (account and learning content at rest)
- Stripe — payment processing (Stripe holds card data; we receive billing metadata only)
- Render / Vercel — application hosting (requests in transit and server logs)
- Cloudflare — CDN, WAF, and bot protection (request metadata and IP address)
We may also disclose information when required by law, to protect our rights or users' safety, or in connection with a merger or acquisition (with notice where required).
4. Methods of disclosure
Information leaves your device and reaches the parties above through the following channels:
- Encrypted HTTPS API calls — when you use the Service, your browser or app sends requests over TLS to our hosted application. Learning content and prompts derived from it are transmitted from our servers to LLM provider APIs over TLS for generation, grading, and embeddings.
- Database and file storage — account and learning data are written to Supabase Postgres and, for uploads, to a private per-user storage bucket scoped by Row-Level Security.
- Payment processing — billing actions redirect to or call Stripe's PCI-DSS-compliant APIs; card numbers are entered on Stripe-hosted flows and are not stored on our servers.
- Hosting and edge logs — request metadata passes through Vercel/Render and Cloudflare as part of normal HTTP delivery, WAF inspection, and rate limiting.
- Email — we may send service or policy-update emails to your account email address via our email provider when configured.
- In-app disclosure — this Privacy Policy, signup consent checkbox, and Settings → Your data flows (export / delete) are the primary ways we inform you about processing.
We do not disclose your learning content to other users. Multi-tenant isolation is enforced at the database layer (see §6).
5. Security practices
We apply technical and organizational measures to protect your data, including:
- Row-Level Security (RLS) — every user-owned table is policy-gated so queries run under your
authenticated identity (
user_id = auth.uid()); you cannot read or modify another user's data. - Private file storage — uploaded documents and sources are stored in a per-user access-controlled bucket, not in a public CDN path.
- Encryption in transit — all client and server communication uses TLS.
- Secrets management — API keys and credentials are held in environment/secrets stores, not in source code or client bundles.
- Rate limiting and abuse prevention — per-IP and per-user throttles at the web edge and API service; optional Cloudflare WAF and bot protection at the public origin.
- SSRF protections — user-supplied URLs for source enrichment are validated before server-side fetch.
- Spend caps — per-user credit limits reduce the impact of compromised accounts.
- Access minimization — production database access is limited; the hosted service does not use a service-role bypass for user data paths.
No system is perfectly secure. We work continuously to protect your data but cannot guarantee absolute security. Report concerns to privacy@heading360.io.
6. International transfers
Some processors are outside your country. In particular, DeepSeek may process content in the People's Republic of China. If you prefer not to use DeepSeek, select only non-DeepSeek models in Settings. Where required, transfers rely on appropriate safeguards (e.g. Standard Contractual Clauses) — {{CONFIRM_SCC}}.
7. Retention
We retain your account and learning content until you delete it or close your account. Usage and billing records are retained as required for accounting and tax ({{RETENTION_PERIOD}}). Security logs are retained for {{LOG_RETENTION}}. On account deletion, your content is erased; residual copies in backups age out within {{BACKUP_WINDOW}}.
8. Your rights
You can exercise these rights in-app or by contacting privacy@heading360.io:
- Access / portability — Settings → Your data → Export downloads a machine-readable JSON export of your rows, scoped to your account by RLS.
- Erasure — Settings → Your data → Delete account removes your auth identity and cascade-deletes your learning content, chats, uploads, and billing history keyed to your account.
- Rectification — edit your profile and content in-app.
- Objection / restriction / withdraw consent — contact us; note that withdrawing AI-processing consent ends use of the Service.
- Complaint — you may lodge a complaint with your data-protection supervisory authority.
9. Children
The Service is not directed to children under 16 and we do not knowingly collect their data.
10. Changes to this policy
We may update this Privacy Policy. Material changes will be notified by email and/or in-app notice before they take effect. The "Last updated" date at the top reflects the latest revision.
11. Contact
Questions about this Privacy Policy or our data practices: privacy@heading360.io.
Data controller: {{LEGAL_ENTITY_NAME}}, {{ADDRESS}}.
See also our Terms of Service and Customer support.