Naukado Service Privacy Policy
Introduction
This Privacy Policy ("Policy") is a comprehensive informational document that defines the principles for
collecting, processing, storing, sharing, and protecting the personal data of Users of the Naukado service
("Service"). This Policy has been prepared with the utmost care to ensure full transparency of activities
related to personal data and compliance with applicable legal provisions, in particular with Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data, and repealing Directive
95/46/EC (GDPR).
The privacy and security of Users' personal data are our priority. As the Personal Data Administrator, we make
every effort to collect only necessary data and process it in accordance with the highest security standards and
exclusively for the purposes clearly defined in this Policy. Our information security management system is
regularly verified and adapted to changing technological and legal conditions.
This Policy has been formulated taking into account the specific nature of the X1 Technologies educational
platform, which uses advanced artificial intelligence technologies. In particular, we draw attention to issues
related to data processing in the context of User interactions with advanced AI systems that are an integral
part of our educational services.
Please read this Policy carefully before using the Service. Using our services means accepting the principles
described in the Policy. If you do not agree with any provision, please stop using the Service. This document
may be periodically updated, and we will inform Users of any changes through the Service. We recommend regularly
reviewing the current version of the Policy.
1. Personal Data Administrator
1.1. The administrator of the personal data of Users of the Naukado Service, available at naukado.pl and its
associated subdomains, is X1 Technologies Łukasz Szczepocki, a sole proprietorship registered in the Central
Register and Information on Economic Activity (CEIDG) under NIP: 1251792192, REGON: 542436628, with a business
establishment date of 12.08.2025 ("Administrator"). The Administrator is an entrepreneur within the meaning of
the law, providing educational services using artificial intelligence technology. Detailed company information
is available at: x1technologies.pl.
1.2. The Administrator has appointed a person responsible for personal data protection, who can be contacted on
all matters related to the processing of personal data and the exercise of Users' rights under data protection
regulations.
1.3. Contact for data protection and children's accounts:
- Contact form available in the Service in the "Contact" section
- Email to: pomoc@naukado.pl with the note "Personal data"
- Traditional correspondence to the Administrator's registered address with the note "Personal data" (address
available on request)
1.4. In case of contact regarding personal data protection, the Administrator undertakes to respond within no
more than 30 days from the date of receiving the request. In particularly complex cases, this period may be
extended to 90 days, of which the User will be informed.
1.5. User age and youth protection:
The Naukado Service is intended for users aged 13 and older. Young users (13-17 years) may use the service with
the consent of a parent or legal guardian. Parents are encouraged to supervise their children's use of the
application.
Parents/guardians can contact us at any time at pomoc@naukado.pl to obtain information about their child's
account or to request its deletion.
2. Scope and Purposes of Personal Data Processing
2.1. Categories of collected personal data:
Account data:
- Email address (required to create an account) - used to verify the user, enable password recovery, and
communicate with the user. Login to the application can be done using a username or email address.
- Username (pseudonym or first name)
- Encrypted password (stored as a secure hash)
- Account creation date and last login
- Information about user preferences regarding account settings
Data generated while using the Service:
- Content of personal notes and AI Notes
- Conversation history with AI Buddy, including questions asked by the User and responses from the AI system.
All AI tools use the Google Gemini API, which may utilize the Ground Search feature to provide verified
content and minimize inaccuracies.
- Flashcards and learning sets created by the User
- Results of quizzes and educational tests
- Learning statistics and educational progress
- Content of messages sent through the contact form
Technical and analytical data:
- User's IP address combined with browser identifier (User-Agent) for security purposes and protection against
intrusion attempts
- Information about the browser and operating system
- Device information (type, model, screen resolution, system language)
- Session data, including the start and end time of using the Service
- Data on User activity in the Service (pages visited, clicks, time spent on individual features)
- Geographic location information (at the country or city level)
- Application performance data and page loading times
- Information about application errors and crashes
Data regarding AI tools usage:
- Complete interaction history with all AI tools (AI Buddy, Math, Podcasts, AI Notes, Flashcard Generator,
Essays, Literature, Quiz Generator, Language Conversations, Sentence Analysis, Vocabulary Quiz).
- Uploaded images, PDF documents, and other files for analysis by artificial intelligence.
- Data on the frequency of use of individual tools.
- Accuracy statistics and learning progress.
- Preferences regarding task difficulty levels.
- History of errors and corrections in answers.
Administrative and monitoring data:
- Logs of all user actions in the system with precise times and context
- Information about login attempts (successful and failed) along with the combination of IP address and
browser identifier to protect against brute-force attacks
- Account security data and detected threats
- Temporary IP blocks in case of detected intrusion attempts (automatic removal after the threat subsides)
- Behavioral patterns used to detect abuse
- System resource usage statistics
- History of communication with technical support
Mobile applications and PWA data:
- Information about the installation of the Progressive Web App (PWA)
- Push notification data (endpoint, keys, preferences)
- Information on the use of offline features
- Cross-device synchronization data
- Usage statistics for the mobile application (TWA)
Payment and Premium access data:
- Information about purchases made through the Apple App Store or Google Play Store (transaction ID, purchase
date, product type)
- Purchase confirmations (receipts) received from Apple/Google for Premium access verification
- Premium access status (active/expired, expiration date, plan type: monthly/quarterly/annual)
- Purchase platform (iOS/Android)
- Premium purchase history (dates, plan types, validity periods)
- IMPORTANT: The Administrator does NOT store credit card data or other sensitive financial information - all
payments are processed directly by Apple/Google
Feature Access Data:
- Information about user entitlements to use individual functions (FREE vs PREMIUM)
- History of access to locked and unlocked functions
- Data used to verify Premium entitlements for specific tools
2.2. Purposes of personal data processing:
- Providing educational services: enabling the User to use the Service's functionalities, including AI chat,
flashcards, quizzes, literature analysis tools, and other educational tools
- User account management: creating, maintaining, and managing the User's account, identity verification, and
ensuring account security
- Experience personalization: adapting content, functionalities, and recommendations to the individual needs
and preferences of the User
- Technical support and handling requests: solving technical problems, responding to User questions and
complaints
- Service quality improvement: analyzing Service usage patterns to optimize it, identify errors, and introduce
improvements
- AI model improvement: analyzing interactions with X1 Technologies' artificial intelligence systems to
improve the effectiveness and accuracy of responses generated by the AI models used through OpenRouter
- System monitoring and administration: tracking user activity to ensure security, detect abuse, optimize
performance, and manage technical infrastructure
- Learning pattern analysis: studying users' educational behaviors to personalize the learning experience,
recommend content, and optimize educational paths
- Mobile application management: handling the Progressive Web App (PWA), Trusted Web Activity (TWA), push
notifications, and data synchronization between devices
- Content quality assurance: moderating content generated by users and AI, enforcing service rules, and
maintaining high educational standards
- Security: detecting and preventing fraud, unauthorized access, and other potential security breaches,
including protection against brute-force attacks by temporarily tracking the IP + browser identifier
combination
- Communication: informing about changes in the Service, new functionalities, and important matters related to
the use of the Service
- Statistical and research purposes: conducting statistical analyses and research related to the functioning
of the educational platform
- Legal obligations: fulfilling obligations arising from legal provisions, including tax and accounting
regulations
- Payment management and Premium access: verifying purchases made through the Apple App Store or Google Play
Store, granting Premium access, managing advanced feature unlocking and access validity periods
- Verification of feature entitlements: monitoring account status (FREE/PREMIUM) to ensure appropriate access
to service functionalities
- Service model development and pricing planning: analyzing usage patterns, user preferences, and
functionality utilization to plan future platform development, including potential changes to the pricing
model. This data helps in making decisions about service development directions and ensuring appropriate
communication with users regarding future changes
3. Legal Basis for Data Processing
We process Users' personal data on the following legal bases:
User Consent (Art. 6(1)(a) GDPR):
- Expressed during account registration
- Expressed during acceptance of the terms and privacy policy
- Expressed in specific cases when using additional Service functionalities
- The User has the right to withdraw consent at any time, which does not affect the lawfulness of processing
performed before its withdrawal
Necessity for contract performance (Art. 6(1)(b) GDPR):
- Providing educational services specified in the Terms
- User account management
- Ensuring the functioning of interactive Service features, including AI chat, flashcards, and quizzes
- Handling User reports and inquiries
Administrator's legitimate interest (Art. 6(1)(f) GDPR):
- Improving, developing, and optimizing the Service
- Analyzing User activity to improve service quality
- Ensuring the security of the Service and User data
- Direct marketing of own products and services
- Pursuing, establishing, and defending against claims
- Conducting statistical analyses and scientific research
- Planning service development and business model, including analyzing the possibility of introducing future
pricing changes based on usage patterns and user community needs
Fulfilling a legal obligation (Art. 6(1)(c) GDPR):
- Storing data for tax and accounting purposes (if applicable)
- Responding to requests from authorized state authorities
- Implementing the rights of data subjects (e.g., right of access, erasure)
- Performing obligations in the field of personal data protection
3.1. Consequences of not providing data:
- Providing personal data required during registration (email address, username, password) is voluntary but
necessary to create an account and use the full functionality of the Service
- Failure to provide the required data prevents account registration and the use of functionalities available
exclusively to registered Users
- For some Service functions, providing additional data may be optional - in such a case, failure to provide
it may only limit the ability to use these functions
3.2. Automated decision-making and profiling:
- As part of providing educational services, we may use automated data analysis methods, including profiling,
to personalize the learning experience
- Profiling may include analysis of learning progress, educational preferences, quiz and test results, and
interaction history with the Service
- The purpose of profiling is to adapt content, task difficulty, recommendations, and learning paths to the
individual needs and capabilities of the User
- Profiling does not produce legal effects for the User or otherwise significantly affect them, except for the
potential improvement of the educational experience
- The User has the right to object to profiling at any time by contacting the Administrator
4. User Rights
4.1. In accordance with GDPR provisions, each User has the right to:
- Right of access to data (Art. 15 GDPR): The User has the right to obtain confirmation from
the Administrator as to whether personal data concerning them is being processed, and if so, to obtain
access to it and a range of information, including about the purposes of processing, data categories, data
recipients, and the planned storage period.
- Right to rectification of data (Art. 16 GDPR): The User has the right to request immediate
rectification of inaccurate personal data concerning them, as well as the completion of incomplete personal
data.
- Right to erasure of data (Art. 17 GDPR): The User has the right to request the immediate
erasure of personal data concerning them ("right to be forgotten") if one of the circumstances mentioned in
the GDPR occurs, e.g., when the personal data is no longer necessary for the purposes for which it was
collected.
- Right to restriction of processing (Art. 18 GDPR): The User has the right to request the
restriction of processing in cases specified in the GDPR, e.g., when contesting the accuracy of personal
data - for a period allowing the Administrator to verify the accuracy of such data.
- Right to data portability (Art. 20 GDPR): The User has the right to receive the personal
data that they provided to the Administrator in a structured, commonly used, machine-readable format, and
has the right to transmit this data to another administrator without hindrance from the Administrator to
whom the data was provided.
- Right to object (Art. 21 GDPR): The User has the right to object at any time to the
processing of personal data concerning them based on Art. 6(1)(e) or (f) of the GDPR, including profiling.
After an objection, the Administrator will no longer process such personal data unless it demonstrates
compelling legitimate grounds for the processing that override the User's interests, rights, and freedoms,
or for the establishment, exercise, or defense of legal claims.
- Right to withdraw consent (Art. 7(3) GDPR): If the processing of personal data is based on
consent, the User has the right to withdraw consent at any time, without affecting the lawfulness of
processing based on consent before its withdrawal.
- Right to lodge a complaint: The User has the right to lodge a complaint with a supervisory
authority, i.e., the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw), if they
consider that the processing of personal data concerning them violates the provisions of the GDPR.
4.2. Implementation of User rights:
- To exercise the above rights, contact the Administrator through available communication channels, in
particular through the contact form or email address: pomoc@naukado.pl
- The Administrator implements User rights with due diligence, taking into account all legal and technical
conditions related to data processing
- The Administrator reserves the right to verify the identity of the person submitting a request to exercise
rights to personal data to ensure the security of the processed data
- The Administrator responds to requests related to the implementation of User rights without undue delay, no
later than within one month of receiving the request. If necessary, this period may be extended by an
additional two months due to the complex nature of the request or the number of requests
- If the Administrator does not take action in connection with the request, it informs the User about the
reasons for not taking action and the possibility of lodging a complaint with a supervisory authority and
using legal remedies before a court
4.3. Limitations of User rights:
In some cases, in accordance with the GDPR and other laws, the Administrator may refuse to implement some User
rights, in particular when:
- Exercising the right could prevent or significantly hinder the proper performance of the contract
- There are legal grounds limiting the possibility of exercising the right, e.g., an obligation to store data
arising from legal provisions
- Exercising the right could negatively affect the rights and freedoms of other persons
In case of refusal to exercise a right, the Administrator will inform the User about the reasons for the refusal
and their rights, including the possibility of lodging a complaint with a supervisory authority.
5. Data Security
5.1. Technical and organizational measures:
- Data encryption - The Administrator uses advanced data encryption methods, including connection encryption
(HTTPS protocol) and secure password storage (using advanced hashing algorithms)
- Infrastructure protection - Servers and technical infrastructure are protected by physical and logical
security systems, including firewalls, intrusion detection systems, and regular security updates
- Backups - Regular creation of data backups with the possibility of quick recovery in case of system failure
- Access control - Limiting access to personal data exclusively to authorized persons who need this access as
part of performing their duties
- Security monitoring - Continuous monitoring of systems for potential threats and unauthorized access
attempts
- Security updates - Regular installation of software and operating system updates to eliminate known security
vulnerabilities
- Security audits - Periodic reviews and security tests of systems and data protection procedures
5.2. Organizational measures:
- Staff training - All employees and collaborators with access to personal data undergo regular training in
personal data protection and information security
- Security policies - Implementation of and compliance with internal information security policies and procedures
- Confidentiality agreements - Obligation for all persons with access to personal data to maintain
confidentiality
- Incident response procedures - Development and implementation of procedures for responding to potential
personal data breaches
- Risk analysis - Regular assessment of risks related to personal data processing and introduction of
appropriate remedial measures
5.3. Breach response procedures:
- In case of detecting a personal data breach, the Administrator immediately takes actions aimed at minimizing
the breach's consequences
- If the breach may cause a high risk to the rights and freedoms of natural persons, the Administrator will
notify Users about it no later than 72 hours from the breach detection
- The Administrator will notify the appropriate supervisory authority (Personal Data Protection Office) about
the breach in accordance with GDPR requirements
- All security incidents are documented and analyzed to introduce improvements in data protection systems
6. Data Retention Period
6.1. The Administrator stores Users' personal data for the period necessary to achieve the purposes for which
it was collected, taking into account the legal bases for processing and applicable legal provisions.
6.2. Account data (username, email, password) is stored throughout the account's activity period and additionally
for 3 years from the last login to enable potential account restoration upon User request.
6.3. Data regarding educational activity (AI conversation history, flashcards, notes, quiz results) is stored
throughout the account's activity period and additionally for 1 year from the last login.
6.4. Technical and analytical data (system logs, session data, statistics) is stored for a maximum of 2 years
from collection, except for data necessary to ensure system security, which may be stored longer.
6.5. Data related to handling reports and communication with the Administrator is stored for 5 years from the
last communication or until the definitive resolution of the case.
6.6. Special cases:
- In case of account deletion by the User, most personal data will be immediately deleted, except for data
that the Administrator is obligated to store based on legal provisions
- Data may be stored for a longer period if necessary to pursue, establish, or defend against legal claims
- Some data may be anonymized and used for statistical and research purposes without the possibility of
identifying specific Users
7. Personal Data Sharing
7.1. The Administrator does not share Users' personal data with third parties, except in the cases described
below.
7.2. Cases of data sharing:
Technical service providers:
- Hosting and technical infrastructure service providers - to the extent necessary to ensure the Service's
functioning.
- AI service providers (Google Gemini API, OpenRouter) - to the extent necessary to provide artificial
intelligence services. The privacy policies of our main AI providers are available here: Google Privacy Policy, OpenRouter Privacy Policy.
- Analytics service providers - to the extent necessary to analyze the Service's functioning.
- Apple Inc. (App Store) and Google LLC (Google Play Store) - to the extent necessary to process payments,
verify purchases, and manage Premium access in mobile applications. Their privacy policies are available
here: Apple Privacy Policy, Google Privacy Policy.
- All service providers are bound by data processing agreements ensuring an appropriate level of personal data
protection.
Legal requirements:
- To authorized state authorities based on applicable legal provisions.
- In case of court or administrative proceedings.
- To fulfill legal obligations incumbent on the Administrator.
7.3. In all cases of personal data sharing, the Administrator ensures appropriate protection measures and limits
the scope of shared data to the minimum necessary to achieve the specified purpose.
7.4. The Administrator does not sell or share personal data for marketing purposes with third parties.
7.5. The Naukado application does not track user activity across other companies' applications or websites for
advertising purposes.
8. Data Transfers to Third Countries
8.1. The Administrator may transfer personal data to third countries (outside the European Economic Area) only in
cases justified by the provision of services and while ensuring an appropriate level of data protection.
8.2. Data transfer may mainly concern artificial intelligence services provided by suppliers outside the EEA, in
particular AI platforms available through the Google Gemini API and OpenRouter.
8.3. In case of transferring data to third countries, the Administrator ensures that:
- The third country ensures an appropriate level of data protection according to a European Commission
decision, or
- The transfer is based on appropriate safeguards, such as standard contractual clauses approved by the
European Commission, or
- There are other legal bases for data transfer in accordance with the GDPR
8.4. The User may obtain a copy of the applied safeguards or information about their availability by contacting
the Administrator.
9. Cookies and Similar Technologies
9.1. The Service uses cookies and similar technologies to ensure the proper functioning of the platform, improve
user experience, and for analytical purposes.
9.2. Types of cookies used:
Necessary cookies:
Enable basic Service functioning, including login, session management, and security. They cannot be disabled
without affecting the Service's functionality.
Functional cookies:
Provide additional functionalities, such as remembering user preferences, language settings, and interface
personalization.
Analytical cookies:
Used to analyze Service usage patterns, collect visit statistics, and optimize platform functionality.
9.3. Cookie management:
- The User can manage cookie settings through their web browser settings
- Disabling cookies may affect the functionality of some Service elements
- Detailed information about cookie management in individual browsers is available in their documentation
10. Privacy Policy Changes
10.1. The Administrator reserves the right to introduce changes to this Privacy Policy to adapt it to changing
legal provisions, technological development, or modifications of the Service's functionality.
10.2. Users will be informed about significant Privacy Policy changes through the Service and, if necessary,
electronically to the email address assigned to their account.
10.3. Changes take effect from the moment of publishing the updated Policy version in the Service, unless the
content of the changes indicates otherwise.
10.4. Continued use of the Service after the introduction of changes means acceptance of the new Privacy Policy
version.
11. Contact
11.1. In case of questions regarding this Privacy Policy or personal data processing, please contact:
- Email: pomoc@naukado.pl (with the note "Personal data")
- Contact form available in the Service
- Traditional correspondence to the Administrator's registered address (available on request)
11.2. The Administrator undertakes to respond to personal data protection inquiries within no more than 30 days
from the date of receiving the inquiry.
Effective date: 26.10.2025