Privacy Policy

Effective: 2026-04-19

1. Data We Collect

• Account data: email, display name, avatar (from GitHub OAuth).
• Usage data: WPM, accuracy, session timestamps, exercises completed.
• User content: code pasted into exercises, AI coach conversations.
• Payment data: processed by Stripe; we store only customer/subscription IDs and last-4 card digits.
• Technical data: IP, user-agent, device, coarse geolocation, cookies.

2. Legal Basis (GDPR Art. 6)

• Contract performance — delivering the Service you purchased.
• Legitimate interest — security, fraud prevention, analytics.
• Consent — marketing email, non-essential cookies.
• Legal obligation — tax, financial records.

3. How We Use It

• Provide, personalize, and improve the Service.
• Generate AI coaching and reports (data sent to OpenAI under DPA).
• Bill you via Stripe and comply with tax law.
• Send transactional email (Resend) and, with consent, product updates.

4. Sub-processors

5. Data Retention

• Account data: retained while account is active + 30 days after deletion.
• Typing sessions: 24 months (aggregated afterwards).
• Invoices: 7 years (legal requirement).
• Server logs: 30 days.

6. Your Rights (GDPR / CCPA / PIPL)

You may request: access, correction, deletion, portability, restriction, or objection to processing. Email privacy@aitypingcode.com or use the in-app “Export my data” button. We respond within 30 days.

7. International Transfers

Transfers outside the EEA rely on Standard Contractual Clauses (SCCs). Chinese user data is stored in a regional instance where available.

8. Children

Not intended for children under 13 (or 16 in EEA). We do not knowingly collect data from them.

9. Security

TLS in transit; AES-256 at rest; RLS enforced on all user tables; annual penetration testing.

10. Cookies

See our Cookie Policy.

11. Contact

Data Protection Officer: privacy@aitypingcode.com. EU representative: per Art. 27 GDPR — listed on the DPA page.