EduDuck Privacy Policy

Your privacy is very important to us. This Privacy Policy explains what data we collect, how we use it, and your rights when using EduDuck AI study tools.

1. Information We Collect

1. Account information: Username, email address, and securely hashed passwords (Werkzeug password hashing). OAuth user IDs if you sign in via Google, GitHub, Discord, or Microsoft.

2. Uploaded content: Notes, PDFs, or images temporarily processed using Tesseract OCR and PIL for generating quizzes, flashcards, study plans, and enhanced notes.

3. Generated content: Quizzes, flashcards, study plans, enhanced notes, and note analyses stored in MongoDB with unique identifiers.

4. Usage data: Daily usage counters (reset at midnight UTC), user IDs, and timestamps to enforce the 3 free uses per day limit.

5. Cookies and browser storage: Session cookies (Flask-Login), CSRF tokens, theme preferences, and temporary session data for guest users.

6. Email verification tokens: Temporary tokens with 24-hour expiration sent via MailGun for account verification.

2. How We Use Your Data

1. To provide AI study services via Hugging Face, Google Gemini, and OpenAI APIs.

2. To authenticate users via session-based auth (Flask-Login) or OAuth (Authlib).

3. To track and enforce daily free-tier usage limits (3 uses per day).

4. To send verification emails via MailGun for password-based accounts.

5. To store and retrieve user-generated content (quizzes, flashcards, study plans, note analyses, duckai conversations, enhanced-notes) in MongoDB.

6. To improve and maintain the security and functionality of our site.

3. Legal Basis for Processing

For users in the EU and other regions with data protection laws, we process your data under the following bases:

To fulfill our contract with you (providing AI study services).

Under our legitimate interest to manage usage limits, prevent abuse, and maintain site functionality.

With your consent for optional account features and OAuth authentication.

4. Data Storage and Retention

1. Database: User data and generated content are stored in MongoDB Atlas with secure connections (certifi SSL verification).

2. Uploaded files: PDFs and images are processed temporarily (usually within seconds) using pypdf and PIL, then discarded immediately after AI processing.

3. Generated content: Stored indefinitely for logged-in users until manually deleted. Guest users' content is stored temporarily in session storage.

4. Account deletion: Accounts marked for deletion are recoverable for 30 days. After 30 days, all associated data is permanently deleted from MongoDB.

5. Email verification tokens: Automatically expire after 24 hours.

5. Cookies & Tracking

EduDuck uses minimal cookies and browser storage:

• Session cookies: Required for login authentication (Flask-Login) and CSRF protection.

• Theme preference cookies: To remember your light/dark mode choice.

• Session storage: Temporary storage of generated content for guest users (cleared when browser closes).

No analytics or advertising tracking is performed. You can manage cookies through your browser settings.

6. Third-Party Services

EduDuck uses the following third-party services:

• AI Processing: Hugging Face Inference API, OpenAI API, and Google Gemini (2.5 Flash) process your uploaded content to generate study materials. Your data is sent temporarily via httpx (HTTP/2) and is not stored permanently by these services.

• OAuth Authentication: Authlib integrates with Google, GitHub, Discord, and Microsoft for secure sign-in. OAuth tokens are used only for authentication and not stored permanently.

• Email Services: MailGun sends verification emails for password-based accounts.

• Database Hosting: MongoDB Atlas (with certifi SSL) stores user accounts and generated content.

Please review their privacy policies:

Hugging Face Privacy Policy

OpenAI Privacy Policy

Google Privacy Policy

MailGun Privacy Policy

MongoDB Privacy Policy

7. Your Rights

If you are in the EU, UK, or California, you have the following rights:

Access your personal data stored in MongoDB.

Request correction of inaccurate data.

Request deletion of your account and all associated content (recoverable for 30 days).

Export your generated content (quizzes, flashcards, study plans, note analyses, duckai conversations) in JSON or text format.

Withdraw consent to data processing at any time.

Complain to a supervisory authority if you believe your data is mishandled.

To exercise these rights, contact us at team.eduduck@gmail.com.

8. Security

We take reasonable technical and organizational measures to protect your data:

Passwords are hashed using Werkzeug's secure password hashing.

MongoDB connections use SSL/TLS (certifi) for secure data transmission.

CSRF protection on all forms.

HTTP/2 connections (httpx) for improved security and performance.

However, no system is completely secure, and we cannot guarantee absolute protection.

9. International Data Transfers

EduDuck is hosted on Render, and data may be processed in various regions. We ensure adequate safeguards are in place when transferring data internationally.

10. Changes to This Policy

We may update this privacy policy from time to time. The latest version will always be available at /privacy.

11. Contact Us

If you have questions about your data or privacy, contact us at team.eduduck@gmail.com.

By using EduDuck, you agree to the practices described in this Privacy Policy.