Privacy Policy

1. Introduction

Praxis (“Praxis,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you access or use our AI-powered learning platform at prax.me, any associated subdomains, and any related applications (collectively, the “Service”).

By accessing or using the Service, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use the Service.

This Privacy Policy should be read in conjunction with our Terms of Service. Capitalized terms not defined in this Privacy Policy have the meanings given to them in the Terms of Service.

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide when you register for, access, or use the Service:

• Account Information: Email address, username (minimum 3 characters), and password (stored as a cryptographic hash, never in plain text).
• Profile Information: First name, last name, display name, user type (student, teacher, professional, or self-learner), grade level (if applicable), avatar color, and avatar expression.
• User Preferences and Settings: Text size, language preference, auto-save preferences, notification preferences (email and desktop), notification frequency (real-time, daily, or weekly), friend request visibility settings, tutorial completion status, and pinned dashboard items.
• User-Generated Content: Learning workflows and their configurations, Focus areas and associated content, notes and annotations (define, example, and clarity types), flashcard inputs, task descriptions and schedules, chat messages and conversations, feedback and bug reports (with category: bug, feature, or general), and profile customizations.
• Uploaded Files: Documents (PDF, DOCX, PPTX) and images (PNG, JPG, GIF, WebP, BMP) that you upload for AI processing. These files are processed in memory and are not permanently stored on our servers after processing.
• Payment Information: When you subscribe to a paid plan, your payment information (credit/debit card number, expiration date, billing address) is collected and processed directly by our payment processor, Stripe. We do not store your full payment card details on our servers. We receive from Stripe your Stripe customer ID, subscription status, billing interval, current period dates, and transaction metadata.
• Communications: Any information you provide when contacting us for support, submitting feedback, or communicating with us by email.

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information:

• Device and Browser Information: IP address, browser type and version, operating system, device type, and device identifiers.
• Usage Data: Pages viewed, features used, time spent on pages, referring URLs, and navigation patterns.
• Authentication Tokens: Session tokens (access and refresh tokens) stored in your browser’s localStorage for maintaining your authenticated session.
• Online Status: Your real-time online/offline presence status, which may be visible to your friends on the platform.

2.3 Learning Analytics Data

To power our Praxis Scoring system and improve your learning experience, we collect learning behavior data during study sessions. This includes information such as time spent on activities, response patterns, session frequency, and other interaction metrics used to generate your Praxis Scores and track your learning progress. The specific data points and methodologies used are proprietary.

2.4 AI Usage Data

When you use AI-powered features, we log usage metadata to our internal database, including the feature used, token consumption, and your user ID for enforcing subscription tier limits. We do not log the actual content of your prompts or AI responses in our usage tracking database. However, your input content is transmitted to our AI service providers for processing as described in Section 4.

2.5 Social and Multiplayer Data

If you use social features, we collect:

• Friend request history (sender, recipient, status, timestamps)
• Group Focus membership information
• Party Game data (participant lists, answers, scores, game state, start/end times)
• Conversation and message content between users

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: To create and manage your account, authenticate your identity, deliver the features and functionality of the Service, and process your transactions.
• AI Content Generation: To transmit your inputs (text and uploaded files) to our AI service providers for generating educational content such as explanations, flashcards, quizzes, case studies, simulations, and other learning materials.
• Learning Analytics: To calculate Praxis Scores, track your learning progress, generate activity calendars and streak data, and provide personalized learning insights.
• Usage Enforcement: To track AI credit consumption, enforce subscription tier limits, and prevent abuse of the Service.
• Security and Fraud Prevention: To detect, investigate, and prevent prompt injection attacks, unauthorized access, fraudulent activity, and other security threats through our prompt guard and rate limiting systems.
• Communications: To send you account-related communications (e.g., email confirmations, password resets, subscription updates, payment receipts), respond to your support requests and feedback, and send notifications based on your notification preferences.
• Service Improvement: To analyze usage trends, monitor and improve the performance and reliability of the Service, develop new features, fix bugs, and optimize the user experience.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.

4. Information Sharing and Third-Party Services

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share your information only in the following circumstances:

4.1 Third-Party Service Providers

We share your information with the following third-party service providers who process data on our behalf:

• Supabase (Supabase Inc.): Provides our authentication, database hosting, and real-time data synchronization. All user data described in Section 2 is stored in Supabase-hosted databases with access controls ensuring users can only access their own data.
• Stripe (Stripe, Inc.): Processes all payment transactions, manages subscriptions, and handles billing. When you subscribe or make a purchase, Stripe receives your email address, payment card details, and billing information. Stripe may set cookies on your browser for fraud prevention purposes.
• OpenAI (OpenAI, L.L.C.): Provides AI content generation services. When you use AI-powered features, your input text and uploaded document contents are transmitted to OpenAI for processing. OpenAI’s data processing is governed by their API data usage policy, and API inputs are not used to train OpenAI’s models by default.
• Cloudflare (Cloudflare, Inc.): Provides CAPTCHA verification during account registration and login to prevent automated bot access. Cloudflare receives your IP address and browser information. Cloudflare may set cookies on your browser.
• Wikimedia Foundation: We query publicly available image APIs to enrich AI-generated content. Search queries based on your study topics may be sent to Wikimedia. No personal information is transmitted.

4.2 Other Users

Certain information is shared with other users through social features:

• Your display name, username, avatar (color and expression), and online status are visible to your friends.
• Your subscription tier may be visible to other users in shared contexts.
• Content within shared Focus areas is visible to all Focus members.
• Your answers, scores, and performance data in Party Games are visible to other participants in the same game session.
• Messages you send in conversations are visible to the recipients.

4.3 Legal Requirements

We may disclose your information if required to do so by law, or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation, court order, subpoena, or governmental request; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users of the Service or the public; or (e) protect against legal liability.

4.4 Business Transfers

If Praxis is involved in a merger, acquisition, asset sale, bankruptcy, reorganization, or similar business transaction, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

5. Cookies, Local Storage, and Tracking Technologies

We use the following client-side storage mechanisms and tracking technologies:

• localStorage (Authentication): We store authentication tokens in your browser’s localStorage to keep you logged in across sessions. You can clear these by logging out or clearing your browser’s localStorage.
• Session Cookies: Our authentication and service providers may set session cookies for authentication management.
• Third-Party Cookies: Cloudflare and Stripe may set cookies for bot prevention, security, and fraud detection purposes.

We do not currently use third-party analytics services (e.g., Google Analytics) or advertising trackers. We do not serve targeted advertisements.

You can configure your browser to refuse cookies or to alert you when cookies are being sent. However, disabling cookies or localStorage may prevent certain features of the Service from functioning properly, particularly authentication.

6. Data Security

We implement reasonable administrative, technical, and physical security measures to protect your personal information, including encryption of data in transit, secure password storage, database-level access controls, and bot prevention mechanisms.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specific retention periods include:

• Account and Profile Data: Retained for the duration of your account. Deleted upon account deletion.
• Learning Analytics and Praxis Scores: Retained for the duration of your account.
• AI Usage Logs: Usage data is retained for the duration of your account for billing and usage enforcement purposes.
• Uploaded Files: Processed in memory and not permanently stored on our servers. Transmitted to our AI provider for processing during the request only.
• Conversations and Messages: Retained for the duration of your account.
• Payment Records: Transaction and subscription records are retained as required for financial, tax, and legal compliance purposes, even after account deletion.
• Security Logs: Security-related records may be retained for abuse prevention purposes.

Upon account deletion, all data associated with your account is permanently deleted through cascading database deletions, except as noted above for legal and compliance purposes.

8. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights regarding your personal information:

8.1 Access and Portability

You have the right to request access to the personal information we hold about you and to receive a copy of that information in a structured, commonly used, and machine-readable format. You can view and access much of your data directly through the Service (profile, settings, workflows, Focus areas, learning history). For a comprehensive data export, contact us at support@prax.me.

8.2 Correction

You can update and correct your profile information, settings, and preferences directly through the Service at any time. If you need to correct other information, contact us at support@prax.me.

8.3 Deletion

You have the right to request deletion of your personal information. To delete your account and all associated data, contact us at support@prax.me. Upon deletion, all data associated with your account will be permanently and irreversibly removed through cascading database deletions, including your profile, workflows, Focus areas, study sessions, conversations, learning analytics, notifications, friend connections, and all other User Content. This action cannot be undone.

8.4 Notification Preferences

You can manage your notification preferences through your account settings, including:

• Enabling or disabling email notifications
• Enabling or disabling desktop notifications
• Setting notification frequency (real-time, daily, or weekly)
• Controlling who can send you friend requests (everyone, friends of friends, or nobody)

8.5 Restriction and Objection

You have the right to request that we restrict the processing of your personal information or to object to our processing in certain circumstances. Note that restricting certain data processing may limit your ability to use features of the Service.

8.6 Exercising Your Rights

To exercise any of these rights, contact us at support@prax.me. We will respond to your request within thirty (30) days. We may request additional information to verify your identity before processing your request. We will not discriminate against you for exercising any of your privacy rights.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which information is collected, the business purpose for collecting the information, and the categories of third parties with whom we share information.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your California privacy rights, contact us at support@prax.me with the subject line “California Privacy Request.”

10. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal Basis for Processing: We process your personal data based on: (a) your consent (e.g., when you create an account or opt into notifications); (b) performance of our contract with you (e.g., providing the Service); (c) our legitimate interests (e.g., security, fraud prevention, service improvement); and (d) legal compliance.
• Right to Withdraw Consent: Where we rely on consent, you have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority.
• Data Protection Officer: For GDPR-related inquiries, contact us at support@prax.me.

11. International Data Transfers

Your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your jurisdiction.

Specifically, your data may be processed in the following locations:

• Supabase: Database hosting location (United States)
• Stripe: Payment processing (United States, with global presence)
• OpenAI: AI processing (United States)
• Cloudflare: CAPTCHA verification (global edge network)

By using the Service, you consent to the transfer of your information to these locations. Where required by applicable law, we rely on appropriate legal mechanisms for international data transfers, including Standard Contractual Clauses or the service provider’s certification under relevant data transfer frameworks.

12. Children’s Privacy

For individual accounts, the Service is not intended for children under the age of thirteen (13). We do not knowingly collect, solicit, or maintain personal information from children under 13 through individual account registration. If you are a parent or guardian and believe that your child under 13 has provided us with personal information without authorization, please contact us immediately at support@prax.me, and we will promptly delete such information.

Users between the ages of 13 and 18 may use the Service only with the involvement and consent of a parent or legal guardian. We provide a “student” user type with grade level selection (Elementary through Graduate/PhD) for informational purposes only and do not use this information to target content to minors.

Where the Service is accessed through an educational institution under a separate data processing agreement, students under the age of 13 may use the Service when access is provisioned by an authorized educator or administrator who has obtained all required parental or guardian consents in compliance with COPPA and FERPA. In such cases, the educational institution is responsible for obtaining and maintaining appropriate consent, and data collection is limited to what is necessary for the educational purpose as defined in the institutional agreement.

13. Third-Party Links and Content

The Service may contain links to third-party websites, services, or content that are not owned or controlled by Praxis. This includes images retrieved from Wikimedia and links within AI-generated content. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services.

We strongly encourage you to review the privacy policies of any third-party websites or services that you visit. Your interaction with any third-party website or service is governed by that third party’s terms and privacy policy.

14. Do Not Track Signals

Some browsers transmit “Do Not Track” (DNT) signals. Because there is no universally accepted standard for interpreting DNT signals, the Service does not currently respond to DNT browser signals. However, as stated in Section 5, we do not use third-party advertising trackers or serve targeted advertisements.

15. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities as required by applicable law. Notification will be made via email to the address associated with your account and/or via a prominent notice on the Service. We will provide information about the nature of the breach, the data affected, steps we are taking in response, and recommended actions you can take to protect yourself.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the “Last updated” date at the top of this page.
• Notify you by email to the address associated with your account.
• Post a prominent notice on the Service.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.

17. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:

support@prax.me